Skip to main content

PHP

24744 CVEs product

Monthly

CVE-2025-69061 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion.This issue affects MoveMe: from n/a through <= 1.2.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69060 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion.This issue affects uReach: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69059 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69058 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion.This issue affects PartyMaker: from n/a through <= 1.1.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69057 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Eldon eldon allows PHP Local File Inclusion.This issue affects Eldon: from n/a through <= 1.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69052 CRITICAL Act Now

FmeAddons Registration & Login with Mobile Phone Number for WooCommerce has a missing authorization vulnerability allowing unauthenticated access to protected functionality.

WordPress PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-69050 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through <= 1.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69049 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion.This issue affects Töbel: from n/a through <= 1.6. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69047 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion.This issue affects MaxShop: from n/a through <= 3.6.20. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69046 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion.This issue affects iRecco Core: from n/a through <= 1.3.6. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69045 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FooEvents FooEvents for WooCommerce fooevents allows SQL Injection.This issue affects FooEvents for WooCommerce: from n/a through <= 1.20.4. [CVSS 8.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-69044 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion.This issue affects Vango: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP Golang LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69043 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion.This issue affects Rashy: from n/a through <= 1.1.3. [CVSS 8.2 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-69042 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion.This issue affects Lindo: from n/a through <= 1.2.5. [CVSS 8.2 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-69041 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Dekoro dekoro allows PHP Local File Inclusion.This issue affects Dekoro: from n/a through <= 1.0.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-69040 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bfres bfres allows PHP Local File Inclusion.This issue affects Bfres: from n/a through <= 1.2.1. [CVSS 8.2 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-69039 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion.This issue affects Bailly: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-69038 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion.This issue affects Hyori: from n/a through <= 1.3.6. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69037 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Pippo pippo allows PHP Local File Inclusion.This issue affects Pippo: from n/a through <= 1.2.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69005 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion.This issue affects Search & Go: from n/a through <= 2.8. [CVSS 8.1 HIGH]

PHP Golang LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69004 HIGH This Week

XpeedStudio Bajaar - Highly Customizable WooCommerce WordPress Theme bajaar is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68986 CRITICAL Act Now

Miion WordPress theme by zozothemes has an unrestricted file upload vulnerability allowing unauthenticated web shell deployment and server compromise.

WordPress PHP RCE
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-68913 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Miion miion allows PHP Local File Inclusion.This issue affects Miion: from n/a through <= 1.2.7. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68910 CRITICAL Act Now

Blogzee WordPress theme by blazethemes has an unrestricted file upload vulnerability — the fourth blazethemes product affected by the same shared vulnerable upload component.

WordPress PHP RCE
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-68909 CRITICAL Act Now

Blogistic WordPress theme by blazethemes has an unrestricted file upload vulnerability enabling attackers to deploy web shells for persistent server access.

WordPress PHP RCE
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-68908 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in temash Barberry barberry allows PHP Local File Inclusion.This issue affects Barberry: from n/a through <= 2.9.9.87. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68905 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion.This issue affects JNews - Pay Writer: from n/a through <= 11.0.0. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68884 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS.This issue affects WP Simple Redirect: from n/a through <= 1.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68510 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion.This issue affects Photography: from n/a through < 7.7.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68041 HIGH This Week

codisto Omnichannel for WooCommerce codistoconnect is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68011 HIGH This Week

GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68008 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS.This issue affects WP Mail: from n/a through <= 1.3. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67968 CRITICAL Act Now

Real Homes CRM WordPress plugin has an unrestricted file upload allowing web shell deployment for persistent remote code execution.

WordPress PHP RCE
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-67957 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion.This issue affects Listivo Core: from n/a through <= 2.3.77. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67955 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67946 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion.This issue affects AdForest: from n/a through <= 6.0.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67941 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion.This issue affects The Aisle: from n/a through < 2.9.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67940 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion.This issue affects Powerlift: from n/a through < 3.2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67938 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.This issue affects Biagiotti: from n/a through < 3.5.2. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67626 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery.This issue affects WP SEO Search: from n/a through <= 1.1. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67616 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion.This issue affects Mella: from n/a through <= 1.2.29. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67615 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion.This issue affects Myour: from n/a through <= 1.5.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-63017 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion.This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-62056 CRITICAL Act Now

News Event WordPress theme by blazethemes has an unrestricted file upload allowing web shell deployment and remote code execution.

WordPress PHP RCE
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-62050 CRITICAL Act Now

Blogmatic WordPress theme by blazethemes has an unrestricted file upload vulnerability allowing attackers to upload web shells for persistent server access.

WordPress PHP RCE
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-54003 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) that allows unauthenticated attackers to execute arbitrary remote PHP code on the server.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-50003 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing attackers to include malicious remote PHP files for unauthenticated code execution.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49994 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) enabling unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-47474 HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing unauthenticated attackers to include and execute arbitrary remote PHP files on the server.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67684 HIGH This Week

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. [CVSS 7.2 HIGH]

PHP RCE LFI Path Traversal Quick.Cart
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2026-23873 CRITICAL POC Act Now

HUSTOJ online judge system has a CSV injection vulnerability in all versions that allows code execution through crafted submissions exported to spreadsheets.

Linux PHP MySQL Hustoj
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2021-47872 HIGH POC This Week

SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2021-47871 HIGH POC This Week

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. [CVSS 8.8 HIGH]

PHP SSH
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2021-47778 HIGH POC This Week

GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. [CVSS 7.2 HIGH]

PHP RCE Code Injection Getsimplecms
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
1.1%
CVE-2025-15521 CRITICAL Act Now

Academy LMS WordPress plugin has a privilege escalation vulnerability allowing unauthenticated users to bypass access controls and gain elevated privileges on WordPress sites.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-21664 MEDIUM This Month

Revive Adserver's afr.php script contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through crafted URLs targeting logged-in administrators. An attacker can exploit this to execute arbitrary JavaScript in an admin's browser session, potentially leading to unauthorized actions or credential theft. No patch is currently available for this vulnerability.

PHP XSS Revive Adserver
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-21663 MEDIUM This Month

Revive Adserver's banner-acl.php script contains a reflected cross-site scripting vulnerability that allows attackers to execute arbitrary scripts in the browsers of authenticated administrators through a crafted URL. An attacker can inject malicious HTML payloads into vulnerable parameters, which execute when an admin visits the malicious link, potentially compromising administrative sessions and server configuration. No patch is currently available for this vulnerability.

PHP XSS Revive Adserver
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-21642 MEDIUM This Month

Revive Adserver's banner-acl.php and channel-acl.php scripts contain reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary JavaScript in an administrator's browser by crafting malicious URLs. An authenticated attacker can exploit this to perform actions with administrative privileges if a logged-in admin visits the crafted link. No patch is currently available for this vulnerability affecting PHP-based Revive Adserver installations.

PHP XSS Revive Adserver
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-21641 MEDIUM This Month

Revive Adserver contains an authorization flaw in the tracker deletion function that permits authenticated users to delete trackers belonging to other accounts. An attacker with valid credentials can exploit this access control bypass to remove tracking objects outside their administrative scope, potentially disrupting competitor or other user operations. No patch is currently available for this vulnerability.

PHP Revive Adserver
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21640 LOW Monitor

HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. [CVSS 2.7 LOW]

PHP
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-0726 HIGH This Week

PHP object injection in the Nexter Extension plugin for WordPress (versions up to 4.4.6) allows unauthenticated remote attackers to deserialize untrusted data, potentially enabling arbitrary code execution, file deletion, or data theft if a compatible POP chain exists in other installed plugins or themes. The vulnerability has a high CVSS score of 8.1 but currently lacks a public exploit chain in the vulnerable software itself. No patch is currently available.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-58095 MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-58094 MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-58093 MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-58092 MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-58091 MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-58090 MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-58089 MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-58088 MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-58087 MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-15380 HIGH This Week

The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-15347 HIGH This Week

The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15043 MEDIUM This Month

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. [CVSS 5.4 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-41081 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'.

PHP XSS
NVD
EPSS
0.1%
CVE-2025-41025 MEDIUM This Month

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

PHP XSS Poultry Farm Management System
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-41024 MEDIUM This Month

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

PHP XSS Poultry Farm Management System
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-40644 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attavker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'.

PHP XSS
NVD
EPSS
0.1%
CVE-2025-14533 CRITICAL Act Now

Advanced Custom Fields: Extended plugin for WordPress has a privilege escalation vulnerability allowing unauthenticated users to gain admin access in all versions up to the latest.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-12573 MEDIUM This Month

The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14977 HIGH This Week

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. [CVSS 8.1 HIGH]

WordPress PHP
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-14348 MEDIUM This Month

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14798 MEDIUM This Month

The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14351 MEDIUM This Month

The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14978 MEDIUM This Month

The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. [CVSS 5.3 MEDIUM]

WordPress .NET PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1203 LOW POC Monitor

Improper authentication in CRMEB up to version 5.6.3 allows remote attackers to manipulate the uid parameter in the LoginServices.php token handler to bypass authentication, despite requiring high complexity. Public exploit code exists for this vulnerability, though no patch is currently available from the vendor.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-1202 MEDIUM POC This Month

Authentication bypass in CRMEB up to version 5.6.3 allows unauthenticated remote attackers to manipulate the openId parameter in the Apple login function, gaining unauthorized access without valid credentials. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The flaw affects the LoginController.php authentication mechanism and carries a CVSS score of 7.3 with confirmed impact to confidentiality, integrity, and availability.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2025-15466 MEDIUM This Month

Image Photo Gallery Final Tiles Grid (WordPress plugin) versions up to 3.6.9. is affected by missing authorization (CVSS 5.4).

WordPress PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1192 MEDIUM POC This Month

Online Store Management System versions up to 1.01 contains a vulnerability that allows attackers to command injection (CVSS 7.3).

PHP Command Injection
NVD VulDB
CVSS 4.0
5.5
EPSS
2.5%
CVE-2026-1176 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /subject/index.php allows unauthenticated remote attackers to query, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against vulnerable instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-23843 HIGH This Week

Insecure Direct Object Reference (IDOR) in teklifolustur_app PHP application allows authenticated users to access and view quotes belonging to other users by manipulating the offer_id parameter, due to insufficient authorization validation. An attacker with valid credentials can enumerate and read sensitive quote data from other organization members without proper access controls. No patch is currently available for this vulnerability.

PHP
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion.This issue affects MoveMe: from n/a through <= 1.2.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion.This issue affects uReach: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion.This issue affects DiveIt: from n/a through <= 1.4.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion.This issue affects PartyMaker: from n/a through <= 1.1.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Eldon eldon allows PHP Local File Inclusion.This issue affects Eldon: from n/a through <= 1.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

FmeAddons Registration & Login with Mobile Phone Number for WooCommerce has a missing authorization vulnerability allowing unauthenticated access to protected functionality.

WordPress PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through <= 1.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion.This issue affects Töbel: from n/a through <= 1.6. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion.This issue affects MaxShop: from n/a through <= 3.6.20. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion.This issue affects iRecco Core: from n/a through <= 1.3.6. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FooEvents FooEvents for WooCommerce fooevents allows SQL Injection.This issue affects FooEvents for WooCommerce: from n/a through <= 1.20.4. [CVSS 8.5 HIGH]

WordPress SQLi PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion.This issue affects Vango: from n/a through <= 1.3.3. [CVSS 8.1 HIGH]

PHP Golang LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion.This issue affects Rashy: from n/a through <= 1.1.3. [CVSS 8.2 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion.This issue affects Lindo: from n/a through <= 1.2.5. [CVSS 8.2 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Dekoro dekoro allows PHP Local File Inclusion.This issue affects Dekoro: from n/a through <= 1.0.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bfres bfres allows PHP Local File Inclusion.This issue affects Bfres: from n/a through <= 1.2.1. [CVSS 8.2 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion.This issue affects Bailly: from n/a through <= 1.3.4. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion.This issue affects Hyori: from n/a through <= 1.3.6. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Pippo pippo allows PHP Local File Inclusion.This issue affects Pippo: from n/a through <= 1.2.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion.This issue affects Search & Go: from n/a through <= 2.8. [CVSS 8.1 HIGH]

PHP Golang LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

XpeedStudio Bajaar - Highly Customizable WooCommerce WordPress Theme bajaar is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Miion WordPress theme by zozothemes has an unrestricted file upload vulnerability allowing unauthenticated web shell deployment and server compromise.

WordPress PHP RCE
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Miion miion allows PHP Local File Inclusion.This issue affects Miion: from n/a through <= 1.2.7. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Blogzee WordPress theme by blazethemes has an unrestricted file upload vulnerability — the fourth blazethemes product affected by the same shared vulnerable upload component.

WordPress PHP RCE
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Blogistic WordPress theme by blazethemes has an unrestricted file upload vulnerability enabling attackers to deploy web shells for persistent server access.

WordPress PHP RCE
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in temash Barberry barberry allows PHP Local File Inclusion.This issue affects Barberry: from n/a through <= 2.9.9.87. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion.This issue affects JNews - Pay Writer: from n/a through <= 11.0.0. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS.This issue affects WP Simple Redirect: from n/a through <= 1.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion.This issue affects Photography: from n/a through < 7.7.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

codisto Omnichannel for WooCommerce codistoconnect is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS.This issue affects WP Mail: from n/a through <= 1.3. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Real Homes CRM WordPress plugin has an unrestricted file upload allowing web shell deployment for persistent remote code execution.

WordPress PHP RCE
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion.This issue affects Listivo Core: from n/a through <= 2.3.77. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion.This issue affects AdForest: from n/a through <= 6.0.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion.This issue affects The Aisle: from n/a through < 2.9.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion.This issue affects Powerlift: from n/a through < 3.2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.This issue affects Biagiotti: from n/a through < 3.5.2. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery.This issue affects WP SEO Search: from n/a through <= 1.1. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion.This issue affects Mella: from n/a through <= 1.2.29. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion.This issue affects Myour: from n/a through <= 1.5.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion.This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

News Event WordPress theme by blazethemes has an unrestricted file upload allowing web shell deployment and remote code execution.

WordPress PHP RCE
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Blogmatic WordPress theme by blazethemes has an unrestricted file upload vulnerability allowing attackers to upload web shells for persistent server access.

WordPress PHP RCE
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) that allows unauthenticated attackers to execute arbitrary remote PHP code on the server.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing attackers to include malicious remote PHP files for unauthenticated code execution.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) enabling unauthenticated remote code execution through crafted include paths.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

A WordPress plugin has a PHP Remote File Inclusion vulnerability allowing unauthenticated attackers to include and execute arbitrary remote PHP files on the server.

PHP LFI Information Disclosure
NVD
EPSS 1% CVSS 7.2
HIGH This Week

Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. [CVSS 7.2 HIGH]

PHP RCE LFI +2
NVD
EPSS 0% CVSS 9.0
CRITICAL POC Act Now

HUSTOJ online judge system has a CSV injection vulnerability in all versions that allows code execution through crafted submissions exported to spreadsheets.

Linux PHP MySQL +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the 'order_col' parameter. [CVSS 7.1 HIGH]

PHP SQLi
NVD GitHub Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC This Week

Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. [CVSS 8.8 HIGH]

PHP SSH
NVD GitHub Exploit-DB
EPSS 1% CVSS 7.2
HIGH POC This Week

GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. [CVSS 7.2 HIGH]

PHP RCE Code Injection +1
NVD GitHub Exploit-DB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Academy LMS WordPress plugin has a privilege escalation vulnerability allowing unauthenticated users to bypass access controls and gain elevated privileges on WordPress sites.

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Revive Adserver's afr.php script contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through crafted URLs targeting logged-in administrators. An attacker can exploit this to execute arbitrary JavaScript in an admin's browser session, potentially leading to unauthorized actions or credential theft. No patch is currently available for this vulnerability.

PHP XSS Revive Adserver
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Revive Adserver's banner-acl.php script contains a reflected cross-site scripting vulnerability that allows attackers to execute arbitrary scripts in the browsers of authenticated administrators through a crafted URL. An attacker can inject malicious HTML payloads into vulnerable parameters, which execute when an admin visits the malicious link, potentially compromising administrative sessions and server configuration. No patch is currently available for this vulnerability.

PHP XSS Revive Adserver
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Revive Adserver's banner-acl.php and channel-acl.php scripts contain reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary JavaScript in an administrator's browser by crafting malicious URLs. An authenticated attacker can exploit this to perform actions with administrative privileges if a logged-in admin visits the crafted link. No patch is currently available for this vulnerability affecting PHP-based Revive Adserver installations.

PHP XSS Revive Adserver
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Revive Adserver contains an authorization flaw in the tracker deletion function that permits authenticated users to delete trackers belonging to other accounts. An attacker with valid credentials can exploit this access control bypass to remove tracking objects outside their administrative scope, potentially disrupting competitor or other user operations. No patch is currently available for this vulnerability.

PHP Revive Adserver
NVD
EPSS 0% CVSS 2.7
LOW Monitor

HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. [CVSS 2.7 LOW]

PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP object injection in the Nexter Extension plugin for WordPress (versions up to 4.4.6) allows unauthenticated remote attackers to deserialize untrusted data, potentially enabling arbitrary code execution, file deletion, or data theft if a compatible POP chain exists in other installed plugins or themes. The vulnerability has a high CVSS score of 8.1 but currently lacks a public exploit chain in the vulnerable software itself. No patch is currently available.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. [CVSS 6.1 MEDIUM]

PHP XSS Pacs Server
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. [CVSS 5.4 MEDIUM]

WordPress PHP
NVD
EPSS 0%
This Week

Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'.

PHP XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

PHP XSS Poultry Farm Management System
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Poultry Farm Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 5.4).

PHP XSS Poultry Farm Management System
NVD
EPSS 0%
This Week

Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla's QRGen. This vulnerability allows an attavker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'id' parameter in '/article.php'.

PHP XSS
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Advanced Custom Fields: Extended plugin for WordPress has a privilege escalation vulnerability allowing unauthenticated users to gain admin access in all versions up to the latest.

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD WPScan
EPSS 0% CVSS 8.1
HIGH This Week

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. [CVSS 8.1 HIGH]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. [CVSS 5.3 MEDIUM]

WordPress .NET PHP
NVD
EPSS 0% CVSS 2.9
LOW POC Monitor

Improper authentication in CRMEB up to version 5.6.3 allows remote attackers to manipulate the uid parameter in the LoginServices.php token handler to bypass authentication, despite requiring high complexity. Public exploit code exists for this vulnerability, though no patch is currently available from the vendor.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Authentication bypass in CRMEB up to version 5.6.3 allows unauthenticated remote attackers to manipulate the openId parameter in the Apple login function, gaining unauthorized access without valid credentials. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The flaw affects the LoginController.php authentication mechanism and carries a CVSS score of 7.3 with confirmed impact to confidentiality, integrity, and availability.

PHP Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Image Photo Gallery Final Tiles Grid (WordPress plugin) versions up to 3.6.9. is affected by missing authorization (CVSS 5.4).

WordPress PHP
NVD
EPSS 3% CVSS 5.5
MEDIUM POC This Month

Online Store Management System versions up to 1.01 contains a vulnerability that allows attackers to command injection (CVSS 7.3).

PHP Command Injection
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /subject/index.php allows unauthenticated remote attackers to query, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network against vulnerable instances.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Insecure Direct Object Reference (IDOR) in teklifolustur_app PHP application allows authenticated users to access and view quotes belonging to other users by manipulating the offer_id parameter, due to insufficient authorization validation. An attacker with valid credentials can enumerate and read sensitive quote data from other organization members without proper access controls. No patch is currently available for this vulnerability.

PHP
NVD GitHub
Prev Page 41 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy