PHP

8849 CVEs

Monthly

CVE-2026-33157 HIGH PATCH This Week

A Remote Code Execution vulnerability exists in Craft CMS versions 4.x and 5.x that bypasses previous security patches for behavior injection attacks. An authenticated user with control panel access can exploit an unsanitized fieldLayouts parameter in the ElementIndexesController to inject malicious Yii2 behaviors and achieve arbitrary code execution. While no active exploitation (KEV) is documented, a patch is available and the vulnerability requires only low-privilege authenticated access, making it a significant risk for deployments with multiple control panel users.

PHP RCE
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-30932 HIGH PATCH GHSA This Week

Froxlor, a web hosting control panel, contains an injection vulnerability in its DNS zone management API that allows authenticated customers with DNS privileges to inject BIND zone file directives (such as $INCLUDE) through unvalidated content fields in LOC, RP, SSHFP, and TLSA DNS record types. Attackers can leverage this to read arbitrary world-readable files on the server, disrupt DNS services, or inject unauthorized DNS records. A proof-of-concept exploit is publicly available demonstrating file inclusion attacks, and patches have been released by the vendor in version 2.3.5.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-4632 HIGH POC This Week

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate the Name parameter in /sms/user/index.php?view=add, potentially enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4626 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0 within the /lawyer_booking.php file, where the Description parameter fails to sanitize user input before rendering. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. A proof-of-concept exploit has been publicly disclosed on GitHub, and the vulnerability carries a CVSS score of 3.5 with evidence of public exploitation.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-4625 HIGH POC This Week

SourceCodester Online Admission System 1.0 contains a SQL injection vulnerability in the /programmes.php file's program parameter that allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to potentially read, modify, or delete sensitive admission system data.

SQLi PHP
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4624 HIGH POC This Week

SQL injection in SourceCodester Online Library Management System 1.0 allows unauthenticated remote attackers to manipulate the searchField parameter in /home.php, enabling data exfiltration, modification, and potential service disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4623 HIGH POC PATCH This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in DefaultFuction Jeson-Customer-Relationship-Management-System affecting versions up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The vulnerability resides in the /api/System.php file where the 'url' parameter can be manipulated to force the server to make arbitrary requests. A publicly disclosed proof-of-concept exploit is available on GitHub, and patches have been released by the vendor.

PHP SSRF
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4617 HIGH POC This Week

SourceCodester Patients Waiting Area Queue Management System 1.0 contains an improper authorization flaw in the ValidateToken function of the Patient Check-In Module that allows unauthenticated remote attackers to bypass access controls. Public exploit code is available for this vulnerability, and no patch has been released. The attack requires no user interaction and could enable unauthorized access to patient check-in functionality.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4615 HIGH This Week

SQL injection in SourceCodester Online Catering Reservation 1.0 via the rcode parameter in /search.php allows unauthenticated remote attackers to manipulate database queries with no user interaction required. The vulnerability enables attackers to read, modify, or delete sensitive data, and public exploit code is readily available. PHP-based deployments of this catering reservation system are actively targeted due to the ease of exploitation and lack of available patches.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4614 MEDIUM This Month

SQL injection in the Parameter Handler of itsourcecode sanitize or validate this input 1.0 allows authenticated remote attackers to manipulate the subject_code argument in /admin/subjects.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-30655 MEDIUM This Month

SQL injection in the password reset function of ESICLivre v0.2.2 and earlier allows unauthenticated attackers to extract sensitive data by manipulating the cpfcnpj parameter. The vulnerability requires no user interaction and can be exploited remotely over the network, though no patch is currently available.

SQLi PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-29839 HIGH This Week

DedeCMS v5.7.118 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /sys_task_add.php endpoint that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An attacker can craft a malicious webpage or email that, when visited by an authenticated DedeCMS administrator, will execute unwanted administrative tasks such as adding or modifying system tasks. While no CVSS score, EPSS data, or active KEV listing is currently available, a public proof-of-concept exists on GitHub demonstrating the vulnerability's exploitability.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-29840 MEDIUM This Month

JiZhiCMS v2.5.6 and earlier contains a stored cross-site scripting (XSS) vulnerability in the user release function that allows authenticated attackers to inject malicious scripts through improper HTML sanitization. The vulnerability exists because the application filters <script> tags but fails to recursively remove dangerous event handlers (such as onerror) from other HTML elements like <img> tags, enabling persistent XSS attacks. A proof-of-concept has been published on GitHub, and while no CVSS score or EPSS data is currently available, the low barrier to exploitation (authenticated access via POST parameter) and persistent nature of the attack present meaningful risk to affected installations.

PHP XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30662 MEDIUM This Month

ConcreteCMS version 9.4.7 contains a memory exhaustion vulnerability in the File Manager's download functionality that allows authenticated attackers to trigger a Denial of Service condition. The vulnerability exists in the 'download' method of 'concrete/controllers/backend/file.php', where improper memory management during zip archive creation using ZipArchive::addFromString combined with file_get_contents loads entire file contents into PHP memory without streaming or size validation. An attacker with valid authentication credentials can exploit this by requesting bulk downloads of large files, exhausting available PHP memory and causing the PHP-FPM process to crash with a SIGSEGV signal, rendering the web application unavailable with HTTP 500 errors.

PHP Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33290 MEDIUM This Month

WPGraphQL prior to version 2.10.0 allows authenticated low-privileged users to bypass comment moderation controls and self-approve their own comments without possessing the moderate_comments capability. The vulnerability exploits owner-based authorization logic in the updateComment mutation, enabling non-moderator users to transition comment status to APPROVE, HOLD, SPAM, or TRASH states directly. A proof-of-concept demonstrating this authorization bypass in WPGraphQL 2.9.1 has been published, and while the EPSS score of 0.03% indicates low statistical likelihood of exploitation, the attack vector is network-based with low complexity and requires only low-level user privileges (including custom roles with zero capabilities).

WordPress PHP Privilege Escalation Wp Graphql Docker
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4021 HIGH This Week

The Contest Gallery plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to take over administrator accounts and gain complete site control. All versions up to and including 28.1.5 are affected when the non-default RegMailOptional=1 setting is enabled. The vulnerability exploits MySQL type coercion by registering with specially crafted email addresses to overwrite admin activation keys, then using an unauthenticated login endpoint to authenticate as the target user. With a CVSS score of 8.1 and high attack complexity (AC:H), this represents a critical risk for sites using the vulnerable configuration.

WordPress PHP Authentication Bypass
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-3533 HIGH This Week

The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. Successful exploitation leads to Remote Code Execution on Apache servers with mod_php configured to execute .phar files, or Stored Cross-Site Scripting attacks via malicious SVG and other file types on any server configuration.

Apache WordPress PHP File Upload RCE
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-4001 CRITICAL Act Now

The Woocommerce Custom Product Addons Pro plugin for WordPress contains a critical remote code execution vulnerability caused by unsafe use of PHP's eval() function when processing custom pricing formulas. All versions up to and including 5.4.1 are affected, allowing unauthenticated attackers to execute arbitrary PHP code on the server by submitting malicious input to WCPA text fields configured with custom pricing formulas. With a CVSS score of 9.8, this represents a maximum severity issue requiring immediate attention, though EPSS and KEV status data are not provided in the available intelligence.

Code Injection WordPress PHP RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4613 HIGH POC This Week

SQL injection in SourceCodester E-Commerce Site 1.0 through the Search parameter in /products.php enables unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk.

SQLi PHP
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4612 HIGH POC This Week

SQL injection in the Free Hotel Reservation System 1.0 admin panel allows unauthenticated remote attackers to manipulate the account_id parameter and execute arbitrary SQL queries with potential for data theft, modification, and system disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-33486 MEDIUM PATCH This Month

This vulnerability in Roadiz's DownloadedFile::fromUrl() method allows authenticated users with ROLE_ACCESS_DOCUMENTS to read arbitrary files from the server via PHP stream wrapper abuse, specifically by injecting file:// URIs into media import workflows. An attacker can extract sensitive files including .env configuration files, database credentials, and system files, achieving complete confidentiality compromise of the application and potentially the underlying infrastructure. A proof-of-concept exists demonstrating exploitation through malicious Podcast RSS feeds, and a patch is available from the vendor.

PHP SSRF Microsoft Privilege Escalation
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-4596 MEDIUM POC This Month

A stored or reflected cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0, specifically in the /lawyers.php file where the first_Name parameter is inadequately sanitized. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially stealing session tokens or performing unauthorized actions. A public proof-of-concept exploit is available, and exploitation requires only low complexity with user interaction (UI:R), though the attack vector is network-accessible and does not require high privileges.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-33548 HIGH PATCH This Week

MantisBT version 2.28.0 contains a stored cross-site scripting (XSS) vulnerability in the Timeline view of my_view_page.php where tag names are improperly escaped when retrieved from the History table, allowing attackers to inject arbitrary HTML and potentially execute JavaScript if Content Security Policy permits. This affects users viewing issues with renamed or deleted tags, and version 2.28.1 contains the patch. No CVSS score or EPSS data is currently available, but the vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries moderate to high risk in environments without strict CSP enforcement.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-33517 HIGH PATCH This Week

MantisBT version 2.28.0 contains a Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the tag deletion confirmation dialog (tag_delete.php) due to improper HTML escaping of tag names in the confirmation message. An authenticated attacker can inject malicious HTML and JavaScript code that executes in the browser of any user viewing the confirmation page, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability was patched in version 2.28.1, and proof-of-concept information is available via the GitHub security advisory and associated commit references.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-33723 HIGH This Week

WWBN AVideo, an open source video platform, contains a SQL injection vulnerability in the Subscribe::save() method that allows authenticated attackers to execute arbitrary SQL queries. Versions up to and including 26.0 are affected, with the vulnerability stemming from unsanitized user input from the $_POST['user_id'] parameter being concatenated directly into INSERT queries. An attacker with low-level authentication can extract sensitive data including password hashes, API keys, and encryption salts from the database, representing a significant information disclosure risk.

PHP Information Disclosure SQLi
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-33719 HIGH This Week

WWBN AVideo video platform up to and including version 26.0 contains an authentication bypass vulnerability in the CDN plugin that allows unauthenticated remote attackers to completely modify CDN configuration settings including storage credentials and authentication keys. The vulnerability stems from the CDN plugin's default empty string authentication key, which causes validation checks to be bypassed entirely when the plugin is enabled but not properly configured. The CVSS score of 8.6 reflects high integrity impact with network-based exploitation requiring no privileges or user interaction.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-33717 HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability (CWE-434) that allows authenticated attackers to upload and execute arbitrary PHP code on the server. The vulnerability exists in the downloadVideoFromDownloadURL() function which saves remote content with its original filename and extension to a web-accessible directory; by providing an invalid resolution parameter, attackers can bypass cleanup mechanisms, leaving executable PHP files persistent under the web root. With a CVSS score of 8.8, this represents a high-severity remote code execution risk for authenticated users.

PHP File Upload
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33716 CRITICAL Act Now

WWBN AVideo versions up to and including 26.0 contain an authentication bypass vulnerability in the standalone live stream control endpoint. The endpoint accepts a user-supplied 'streamerURL' parameter that redirects token verification to an attacker-controlled server, allowing complete bypass of authentication without any user interaction. With a CVSS score of 9.4, an attacker gains unauthenticated control over any live stream including the ability to drop publishers, manipulate recordings, and probe stream existence.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-33690 MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an IP address spoofing vulnerability in the getRealIpAddr() function that trusts user-controlled HTTP headers to determine client IP addresses. This allows attackers to bypass IP-based access controls and audit logging mechanisms by forging headers such as X-Forwarded-For or X-Real-IP without authentication or user interaction. The vulnerability carries a CVSS score of 5.3 (medium severity) with low attack complexity, and a patch is available via commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c, though no public exploit code or KEV designation has been confirmed at this time.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33688 MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an information disclosure vulnerability in the password recovery endpoint (objects/userRecoverPass.php) that allows unauthenticated attackers to enumerate valid usernames and determine account status (active, inactive, or banned) without solving any captcha. The vulnerability exists because user existence and account status validation occurs before captcha verification, enabling attackers to distinguish three different JSON error responses at scale. No evidence of active exploitation in the wild has been reported, but a patch is available in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33685 MEDIUM This Month

WWBN AVideo versions up to 26.0 expose advertising analytics data through an unauthenticated JSON API endpoint that lacks access controls, allowing attackers to retrieve sensitive information including video titles, user identifiers, channel names, and ad campaign performance metrics. While the HTML and CSV export functions properly enforce admin authentication, the JSON variant was left unprotected, enabling unauthorized data disclosure with no authentication required. A patch is available in commit daca4ffb1ce19643eecaa044362c41ac2ce45dde.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-33681 HIGH This Week

WWBN AVideo, an open source video platform, contains a critical path traversal vulnerability in the pluginRunDatabaseScript.json.php endpoint that allows authenticated administrators to execute arbitrary SQL queries against the application database. Versions up to and including 26.0 are affected. The vulnerability can also be exploited via CSRF attacks against authenticated admin sessions, enabling unauthenticated attackers to achieve remote code execution or complete database compromise.

Path Traversal PHP CSRF
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33651 HIGH This Week

SQL injection in WWBN AVideo up to version 26.0 allows authenticated users to extract arbitrary database contents through time-based blind SQL injection via the remindMe.json.php endpoint. The vulnerability stems from insufficient input sanitization of the live_schedule_id parameter, which is concatenated directly into a SQL LIKE clause despite partial validation in intermediate functions. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-4595 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s6.php file, where the sname parameter fails to properly sanitize user input. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially compromising admin accounts or exfiltrating sensitive exam data. A public proof-of-concept is available on GitHub; the CVSS score is low at 2.4 because the vulnerability requires high privileges and user interaction to exploit, limiting real-world impact.

XSS PHP
NVD VulDB GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-33650 HIGH This Week

Privilege escalation in WWBN AVideo up to version 26.0 allows users with "Videos Moderator" permissions to gain full video management capabilities, including transferring ownership and deleting any video, by exploiting inconsistent authorization checks between the video editing and deletion endpoints. An authenticated attacker can chain an ownership transfer with deletion operations to compromise videos outside their legitimate scope. A patch is available in commit 838e16818c793779406ecbf34ebaeba9830e33f8.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-33649 HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo open source video platform versions up to and including 26.0 allows unauthenticated attackers to escalate privileges to near-admin access by tricking an administrator into visiting a malicious page. The vulnerability exists in the setPermission.json.php endpoint which accepts state-changing operations via GET requests without CSRF token validation, compounded by the application's explicit SameSite=None cookie setting. No patched version is currently available, and with a CVSS score of 8.1 (High), this represents a significant risk for installations with administrative users who browse external content.

PHP CSRF
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33647 HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability in the ImageGallery::saveFile() method that allows authenticated attackers to upload polyglot files (JPEG with embedded PHP code) and achieve Remote Code Execution. The vulnerability exploits a mismatch between MIME type validation (which checks file content) and filename extension handling (which trusts user input), allowing attackers to bypass security controls and execute arbitrary code on the server. A patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae, and the issue has been publicly disclosed via GitHub Security Advisory GHSA-wxjw-phj6-g75w.

PHP RCE File Upload
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-33513 HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated path traversal vulnerability in the locale API endpoint that allows arbitrary PHP file inclusion under the web root. Attackers can achieve confirmed file disclosure and code execution by including existing PHP files, with potential escalation to full remote code execution if they can upload or control PHP files elsewhere in the application tree. The vulnerability has a CVSS score of 8.6 and requires no authentication or user interaction to exploit, though no patch is currently available and there is no evidence of active exploitation in KEV data.

Path Traversal PHP RCE
NVD GitHub VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-33512 HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated API endpoint that allows arbitrary decryption of ciphertext. Attackers can exploit the decryptString action in the API plugin without authentication to decrypt publicly-issued ciphertext (such as from view/url2Embed.json.php), allowing recovery of protected tokens and metadata. The CVSS score of 7.5 reflects high confidentiality impact with network accessibility and no authentication required.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4592 MEDIUM POC This Month

Improper authentication in the two-factor authentication verification function of Kalcaddle Kodbox 1.64 allows remote attackers to bypass login controls, though exploitation is of high complexity. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected users should implement network-level access controls while awaiting a vendor update.

PHP Authentication Bypass
NVD VulDB
CVSS 3.1
5.6
EPSS
0.1%
CVE-2026-4591 MEDIUM POC This Month

The fileThumb endpoint in Kodbox 1.64 contains an OS command injection vulnerability in the checkBin function that allows authenticated remote attackers to execute arbitrary commands with the privileges of the web server process. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with high-level privileges can leverage this to achieve remote code execution on affected systems.

PHP Command Injection
NVD VulDB
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-4590 LOW POC Monitor

A cross-site request forgery (CSRF) vulnerability exists in Kalcaddle Kodbox 1.64 affecting the loginSubmit API endpoint within the OAuth bind controller. An unauthenticated remote attacker can manipulate the 'third' parameter to forge requests that modify application state, though the attack requires user interaction and high complexity. A public proof-of-concept exploit has been released, and the vendor has not responded to early disclosure notifications.

CSRF PHP
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-4589 MEDIUM POC This Month

Server-side request forgery in Kodbox 1.64's fileGet endpoint allows authenticated attackers to manipulate the path parameter in the PathDriverUrl function, enabling arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to users with valid credentials, though successful exploitation could facilitate further network reconnaissance or attacks against internal systems.

PHP SSRF
NVD VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-41008 CRITICAL Act Now

A SQL injection vulnerability exists in Sinturno that allows unauthenticated or low-privileged attackers to execute arbitrary SQL commands through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, updating, and deletion of database objects. The vulnerability was reported by INCIBE and affects all versions of Sinturno; no CVSS score, EPSS data, or KEV status has been published, but the ability to perform CRUD operations on databases represents critical severity regardless of formal scoring.

PHP SQLi Sinturno
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-4588 LOW POC Monitor

Kalcaddle Kodbox 1.64 contains a cryptographic key hardcoding vulnerability in the Site-level API key Handler component (shareSafeGroup function in shareOut.class.php), where manipulation of the 'sk' parameter exploits the use of a hard-coded cryptographic key. This allows unauthenticated remote attackers to disclose sensitive information with low complexity, though the attack itself requires high complexity execution. A public proof-of-concept is available, and the vendor has not responded to early disclosure.

PHP Information Disclosure
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-4587 LOW Monitor

HybridAuth versions up to 3.12.2 contain an improper certificate validation vulnerability in the SSL Handler component (src/HttpClient/Curl.php) where manipulation of curlOptions arguments bypasses SSL/TLS certificate verification. This affects any application using HybridAuth for authentication, allowing attackers to conduct man-in-the-middle attacks against remote authentication flows. While the CVSS score is relatively low (3.7) due to high attack complexity and lack of confidentiality impact, the integrity compromise from certificate validation bypass presents a real threat to authentication security in vulnerable deployments.

PHP Information Disclosure
NVD VulDB GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-41007 CRITICAL PATCH Act Now

A SQL injection vulnerability exists in Cuantis that allows unauthenticated attackers to execute arbitrary SQL commands through the 'search' parameter in the '/search.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, modification, and deletion of database contents. A patch is available from the vendor, and exploitation requires only network access to the affected application with no special privileges or user interaction.

PHP SQLi Cuantis
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-4581 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checklogin.php parameter handler allows unauthenticated remote attackers to manipulate the Username field and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected PHP installations vulnerable to data theft and unauthorized access.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-4580 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checkupdatestatus.php parameter handler allows unauthenticated remote attackers to manipulate the serviceId argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available, creating immediate risk for affected deployments.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-4579 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 through the serviceId parameter in /viewdetail.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can exploit this to read or modify sensitive database information.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-4578 LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s3.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts through this parameter to perform actions in the context of other users' browsers. A public proof-of-concept is available, making this vulnerability actively exploitable despite its low CVSS score of 2.4.

XSS PHP
NVD VulDB GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2025-13997 MEDIUM This Month

King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.

WordPress Information Disclosure Google PHP
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-6229 MEDIUM This Month

The Sina Extension for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Fancy Text Widget and Countdown Widget that allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into pages through insufficiently sanitized DOM attributes. When users visit pages containing the malicious widgets, the injected scripts execute in their browsers, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 3.7.0, with a CVSS score of 6.4 indicating medium severity, though the impact is amplified by the stored nature of the XSS and the broad audience of WordPress sites using this popular page builder extension.

WordPress XSS PHP
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4577 LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s4.php endpoint, where the 'sname' parameter is not properly sanitized before output. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or administrative action abuse. A public proof-of-concept exploit is available, increasing real-world risk despite the low CVSS score of 2.4.

XSS PHP
NVD VulDB GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-4576 LOW POC Monitor

A Stored or Reflected Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s5.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript code through this parameter, which will execute in the context of other users' browsers when they interact with the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has a low CVSS score of 2.4 due to high privilege requirements and user interaction dependency, but the public disclosure increases practical exploitation likelihood.

PHP XSS
NVD VulDB GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-4575 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s2.php endpoint where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the browser of other users who view the affected page, potentially leading to session hijacking, credential theft, or administrative action manipulation. A public proof-of-concept exploit is available on GitHub, and the vulnerability carries a low CVSS score of 2.4 due to requiring high privileges and user interaction, but the published exploit status indicates active reconnaissance and potential targeted exploitation.

XSS PHP
NVD VulDB GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2025-10734 MEDIUM This Month

The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.

WordPress Information Disclosure Google PHP
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-10679 HIGH This Week

The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.

WordPress PHP RCE Information Disclosure Code Injection
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-10731 MEDIUM This Month

The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.

WordPress Information Disclosure Authentication Bypass Google PHP
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-4573 MEDIUM POC This Month

SQL injection in SourceCodester Simple E-learning System 1.0 allows authenticated attackers to manipulate the post_id parameter in the delete_post.php endpoint, enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-10736 MEDIUM This Month

The ReviewX plugin for WordPress contains an improper authorization vulnerability in the userAccessibility() function that allows unauthenticated attackers to bypass authentication checks and access protected REST API endpoints. Affected versions through 2.2.10 permit unauthorized extraction and modification of user data and plugin configuration, posing a direct threat to WooCommerce installations relying on this review management solution. With a CVSS score of 6.5 and network-based attack vector requiring no user interaction or privileges, this vulnerability presents a moderate-to-significant risk for any WordPress site using the affected plugin.

WordPress Authentication Bypass Google PHP
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-4572 MEDIUM POC This Month

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4571 MEDIUM POC This Month

SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4570 MEDIUM POC This Month

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4569 MEDIUM POC This Month

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4568 MEDIUM POC This Month

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4563 MEDIUM This Month

An authorization bypass vulnerability exists in MacCMS up to version 2025.1000.4052 within the Member Order Detail Interface component, specifically in the order_info function of application/index/controller/User.php. An authenticated attacker can manipulate the order_id parameter to access order information belonging to other users, disclosing sensitive data. A public proof-of-concept exploit is available, elevating the risk of active exploitation despite the moderate CVSS 4.3 score.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2024-46878 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-46879 MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the zipPath POST request parameter of tiki-admin_system.php in Tiki version 21.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-51226 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2024-51224 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allow attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 4.8), these vulnerabilities are remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-51223 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-51225 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2024-51222 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-4562 HIGH POC This Week

MacCMS version 2025.1000.4052 contains a missing authentication vulnerability in the Timming API endpoint (application/api/controller/Timming.php). An unauthenticated remote attacker can access protected functionality, potentially leading to unauthorized data access, modification, or service disruption. A public proof-of-concept exploit is available on GitHub, significantly increasing the risk of active exploitation in the wild.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-4557 MEDIUM POC This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s1.php file where the 'sname' parameter is not properly sanitized. An unauthenticated attacker can remotely inject malicious JavaScript by manipulating this parameter, which will execute in the browsers of administrators or other users who view the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has an EPSS score indicating probable exploitation likelihood.

PHP XSS
NVD VulDB GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4550 MEDIUM POC This Month

SQL injection in Simple Gym Management System up to version 1.0 allows remote attackers with high privileges to manipulate the Trainer_id and fname parameters in /gym/func.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-4540 HIGH POC This Week

SQL injection in projectworlds Online Notes Sharing System 1.0 allows unauthenticated remote attackers to manipulate the Benutzer parameter in /login.php, enabling unauthorized data access, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4533 MEDIUM POC This Month

SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to manipulate the Status parameter in all-tickets.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete database contents. The affected PHP application currently lacks a security patch.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4514 MEDIUM POC This Month

PbootCMS versions up to 3.2.12 contain an improper access control vulnerability in the Backend UserController component that allows authenticated attackers to manipulate the Field argument and bypass access restrictions. An attacker with login credentials can exploit this to gain unauthorized access to sensitive user data or system functions. A proof-of-concept exploit has been publicly disclosed on GitHub and the vulnerability carries a moderate CVSS score of 6.3 with documented exploitation capability.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-4510 MEDIUM POC This Month

A reflected cross-site scripting (XSS) vulnerability exists in PbootCMS versions up to 3.2.12 in the alert_location function of the MemberController.php file, where the backurl parameter is not properly sanitized before output. An attacker can craft a malicious URL containing JavaScript code that will execute in a victim's browser when they click the link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available on GitHub, increasing the risk of active exploitation.

PHP XSS
NVD VulDB GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-4509 MEDIUM POC This Month

PbootCMS versions up to 3.2.12 contain an incomplete blacklist bypass vulnerability in the file upload functionality (core/function/file.php) that allows authenticated attackers to upload dangerous files by manipulating the blacklist parameter. An attacker with login credentials can bypass file type restrictions to upload arbitrary files, potentially achieving remote code execution or other malicious outcomes. A public proof-of-concept exploit is available on GitHub, increasing the practical risk of exploitation.

PHP File Upload
NVD VulDB GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-3554 MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sherk Custom Post Type Displays WordPress plugin (versions up to 1.2.1) where the 'title' shortcode attribute is insufficiently sanitized and directly concatenated into HTML output without escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability has a CVSS score of 6.4 (Medium) with a low-privilege requirement, making it exploitable by lower-privileged authenticated users rather than unauthenticated remote attackers.

WordPress PHP XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3645 MEDIUM This Month

The Punnel - Landing Page Builder WordPress plugin contains a critical missing authorization vulnerability in the save_config() AJAX function that allows authenticated attackers with Subscriber-level privileges to overwrite the plugin's configuration and API key without proper capability checks or nonce verification. Combined with an insecure public API endpoint (sniff_requests()) that only validates requests via token comparison, attackers can subsequently create, update, or delete arbitrary posts, pages, and products on affected WordPress installations. The vulnerability affects all versions up to and including 1.3.1 and has been documented by Wordfence with publicly available code references.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14037 HIGH This Week

The Invelity Product Feeds plugin for WordPress contains an arbitrary file deletion vulnerability through path traversal in versions up to and including 1.2.6. Authenticated administrators can be socially engineered into clicking malicious links that delete arbitrary server files due to missing validation in the createManageFeedPage function. No evidence of active exploitation (not in KEV) exists, though the vulnerability is publicly documented with technical details available via WordPress plugin repository references.

CSRF WordPress Path Traversal PHP
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-13910 MEDIUM This Month

The WP-WebAuthn WordPress plugin contains an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the wwa_auth AJAX endpoint that allows attackers to inject arbitrary JavaScript into the plugin's log page. Affected are all versions up to and including 1.3.4 of the plugin (identified via CPE cpe:2.3:a:axton:wp-webauthn:*:*:*:*:*:*:*:*), which is exploitable only when logging is enabled in plugin settings. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, enabling persistent XSS execution whenever administrators or authorized users access the logging interface.

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-2375 MEDIUM This Month

The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.

Apple Google WordPress PHP Privilege Escalation
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-3335 MEDIUM This Month

The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.

WordPress PHP Authentication Bypass
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3570 MEDIUM This Month

The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-3474 MEDIUM This Month

The EmailKit - Email Customizer for WooCommerce & WP WordPress plugin contains a path traversal vulnerability in the TemplateData class that allows authenticated administrators to read arbitrary files from the server via the 'emailkit-editor-template' REST API parameter. An attacker with Administrator privileges can exploit this flaw to access sensitive files such as wp-config.php or /etc/passwd by supplying directory traversal sequences, with the retrieved file contents stored as post metadata and retrievable through the fetch-data REST API endpoint. The vulnerability affects all versions up to and including 1.6.3, and while it requires high-level administrative access and has a moderate CVSS score of 4.9, it represents a critical information disclosure risk in multi-user WordPress environments.

WordPress PHP Path Traversal
NVD VulDB
CVSS 3.1
4.9
EPSS
0.1%
CVE-2026-4625
EPSS 0% CVSS 7.3
HIGH POC This Week

SourceCodester Online Admission System 1.0 contains a SQL injection vulnerability in the /programmes.php file's program parameter that allows unauthenticated remote attackers to execute arbitrary database queries. Public exploit code is available for this vulnerability, and no patch is currently available. The flaw enables attackers to potentially read, modify, or delete sensitive admission system data.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4624
EPSS 0% CVSS 7.3
HIGH POC This Week

SQL injection in SourceCodester Online Library Management System 1.0 allows unauthenticated remote attackers to manipulate the searchField parameter in /home.php, enabling data exfiltration, modification, and potential service disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4623
EPSS 0% CVSS 7.3
HIGH POC PATCH This Week

A Server-Side Request Forgery (SSRF) vulnerability exists in DefaultFuction Jeson-Customer-Relationship-Management-System affecting versions up to commit 1b4679c4d06b90d31dd521c2b000bfdec5a36e00. The vulnerability resides in the /api/System.php file where the 'url' parameter can be manipulated to force the server to make arbitrary requests. A publicly disclosed proof-of-concept exploit is available on GitHub, and patches have been released by the vendor.

PHP SSRF
NVD VulDB GitHub
CVE-2026-4617
EPSS 0% CVSS 7.3
HIGH POC This Week

SourceCodester Patients Waiting Area Queue Management System 1.0 contains an improper authorization flaw in the ValidateToken function of the Patient Check-In Module that allows unauthenticated remote attackers to bypass access controls. Public exploit code is available for this vulnerability, and no patch has been released. The attack requires no user interaction and could enable unauthorized access to patient check-in functionality.

PHP Authentication Bypass
NVD VulDB GitHub
CVE-2026-4615
EPSS 0% CVSS 7.3
HIGH This Week

SQL injection in SourceCodester Online Catering Reservation 1.0 via the rcode parameter in /search.php allows unauthenticated remote attackers to manipulate database queries with no user interaction required. The vulnerability enables attackers to read, modify, or delete sensitive data, and public exploit code is readily available. PHP-based deployments of this catering reservation system are actively targeted due to the ease of exploitation and lack of available patches.

PHP SQLi
NVD GitHub VulDB
CVE-2026-4614
EPSS 0% CVSS 6.3
MEDIUM This Month

SQL injection in the Parameter Handler of itsourcecode sanitize or validate this input 1.0 allows authenticated remote attackers to manipulate the subject_code argument in /admin/subjects.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVE-2026-30655
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the password reset function of ESICLivre v0.2.2 and earlier allows unauthenticated attackers to extract sensitive data by manipulating the cpfcnpj parameter. The vulnerability requires no user interaction and can be exploited remotely over the network, though no patch is currently available.

SQLi PHP Authentication Bypass
NVD GitHub VulDB
CVE-2026-29839
EPSS 0% CVSS 8.8
HIGH This Week

DedeCMS v5.7.118 contains a Cross-Site Request Forgery (CSRF) vulnerability in the /sys_task_add.php endpoint that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An attacker can craft a malicious webpage or email that, when visited by an authenticated DedeCMS administrator, will execute unwanted administrative tasks such as adding or modifying system tasks. While no CVSS score, EPSS data, or active KEV listing is currently available, a public proof-of-concept exists on GitHub demonstrating the vulnerability's exploitability.

PHP CSRF
NVD GitHub VulDB
CVE-2026-29840
EPSS 0% CVSS 5.4
MEDIUM This Month

JiZhiCMS v2.5.6 and earlier contains a stored cross-site scripting (XSS) vulnerability in the user release function that allows authenticated attackers to inject malicious scripts through improper HTML sanitization. The vulnerability exists because the application filters <script> tags but fails to recursively remove dangerous event handlers (such as onerror) from other HTML elements like <img> tags, enabling persistent XSS attacks. A proof-of-concept has been published on GitHub, and while no CVSS score or EPSS data is currently available, the low barrier to exploitation (authenticated access via POST parameter) and persistent nature of the attack present meaningful risk to affected installations.

PHP XSS
NVD GitHub VulDB
CVE-2026-30662
EPSS 0% CVSS 6.5
MEDIUM This Month

ConcreteCMS version 9.4.7 contains a memory exhaustion vulnerability in the File Manager's download functionality that allows authenticated attackers to trigger a Denial of Service condition. The vulnerability exists in the 'download' method of 'concrete/controllers/backend/file.php', where improper memory management during zip archive creation using ZipArchive::addFromString combined with file_get_contents loads entire file contents into PHP memory without streaming or size validation. An attacker with valid authentication credentials can exploit this by requesting bulk downloads of large files, exhausting available PHP memory and causing the PHP-FPM process to crash with a SIGSEGV signal, rendering the web application unavailable with HTTP 500 errors.

PHP Denial Of Service
NVD VulDB
CVE-2026-33290
EPSS 0% CVSS 4.3
MEDIUM This Month

WPGraphQL prior to version 2.10.0 allows authenticated low-privileged users to bypass comment moderation controls and self-approve their own comments without possessing the moderate_comments capability. The vulnerability exploits owner-based authorization logic in the updateComment mutation, enabling non-moderator users to transition comment status to APPROVE, HOLD, SPAM, or TRASH states directly. A proof-of-concept demonstrating this authorization bypass in WPGraphQL 2.9.1 has been published, and while the EPSS score of 0.03% indicates low statistical likelihood of exploitation, the attack vector is network-based with low complexity and requires only low-level user privileges (including custom roles with zero capabilities).

WordPress PHP Privilege Escalation
NVD GitHub VulDB
CVE-2026-4021
EPSS 0% CVSS 8.1
HIGH This Week

The Contest Gallery plugin for WordPress contains an authentication bypass vulnerability that allows unauthenticated attackers to take over administrator accounts and gain complete site control. All versions up to and including 28.1.5 are affected when the non-default RegMailOptional=1 setting is enabled. The vulnerability exploits MySQL type coercion by registering with specially crafted email addresses to overwrite admin activation keys, then using an unauthenticated login endpoint to authenticate as the target user. With a CVSS score of 8.1 and high attack complexity (AC:H), this represents a critical risk for sites using the vulnerable configuration.

WordPress PHP Authentication Bypass
NVD VulDB
CVE-2026-3533
EPSS 0% CVSS 8.8
HIGH This Week

The Jupiter X Core plugin for WordPress contains an unrestricted file upload vulnerability allowing authenticated users with Subscriber-level privileges or higher to upload dangerous file types including .phar, .svg, .dfxp, and .xhtml files. This stems from missing authorization checks in the import_popup_templates() function and insufficient file type validation in the upload_files() function. Successful exploitation leads to Remote Code Execution on Apache servers with mod_php configured to execute .phar files, or Stored Cross-Site Scripting attacks via malicious SVG and other file types on any server configuration.

Apache WordPress PHP +3
NVD VulDB
CVE-2026-4001
EPSS 0% CVSS 9.8
CRITICAL Act Now

The Woocommerce Custom Product Addons Pro plugin for WordPress contains a critical remote code execution vulnerability caused by unsafe use of PHP's eval() function when processing custom pricing formulas. All versions up to and including 5.4.1 are affected, allowing unauthenticated attackers to execute arbitrary PHP code on the server by submitting malicious input to WCPA text fields configured with custom pricing formulas. With a CVSS score of 9.8, this represents a maximum severity issue requiring immediate attention, though EPSS and KEV status data are not provided in the available intelligence.

Code Injection WordPress PHP +1
NVD VulDB
CVE-2026-4613
EPSS 0% CVSS 7.3
HIGH POC This Week

SQL injection in SourceCodester E-Commerce Site 1.0 through the Search parameter in /products.php enables unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available, putting all installations at immediate risk.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4612
EPSS 0% CVSS 7.3
HIGH POC This Week

SQL injection in the Free Hotel Reservation System 1.0 admin panel allows unauthenticated remote attackers to manipulate the account_id parameter and execute arbitrary SQL queries with potential for data theft, modification, and system disruption. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVE-2026-33486
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

This vulnerability in Roadiz's DownloadedFile::fromUrl() method allows authenticated users with ROLE_ACCESS_DOCUMENTS to read arbitrary files from the server via PHP stream wrapper abuse, specifically by injecting file:// URIs into media import workflows. An attacker can extract sensitive files including .env configuration files, database credentials, and system files, achieving complete confidentiality compromise of the application and potentially the underlying infrastructure. A proof-of-concept exists demonstrating exploitation through malicious Podcast RSS feeds, and a patch is available from the vendor.

PHP SSRF Microsoft +1
NVD GitHub
CVE-2026-4596
EPSS 0% CVSS 5.1
MEDIUM POC This Month

A stored or reflected cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0, specifically in the /lawyers.php file where the first_Name parameter is inadequately sanitized. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially stealing session tokens or performing unauthorized actions. A public proof-of-concept exploit is available, and exploitation requires only low complexity with user interaction (UI:R), though the attack vector is network-accessible and does not require high privileges.

PHP XSS
NVD VulDB GitHub
CVE-2026-33548
EPSS 0% CVSS 8.6
HIGH PATCH This Week

MantisBT version 2.28.0 contains a stored cross-site scripting (XSS) vulnerability in the Timeline view of my_view_page.php where tag names are improperly escaped when retrieved from the History table, allowing attackers to inject arbitrary HTML and potentially execute JavaScript if Content Security Policy permits. This affects users viewing issues with renamed or deleted tags, and version 2.28.1 contains the patch. No CVSS score or EPSS data is currently available, but the vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and carries moderate to high risk in environments without strict CSP enforcement.

PHP XSS
NVD GitHub VulDB
CVE-2026-33517
EPSS 0% CVSS 8.6
HIGH PATCH This Week

MantisBT version 2.28.0 contains a Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the tag deletion confirmation dialog (tag_delete.php) due to improper HTML escaping of tag names in the confirmation message. An authenticated attacker can inject malicious HTML and JavaScript code that executes in the browser of any user viewing the confirmation page, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability was patched in version 2.28.1, and proof-of-concept information is available via the GitHub security advisory and associated commit references.

PHP XSS
NVD GitHub VulDB
CVE-2026-33723
EPSS 0% CVSS 7.1
HIGH This Week

WWBN AVideo, an open source video platform, contains a SQL injection vulnerability in the Subscribe::save() method that allows authenticated attackers to execute arbitrary SQL queries. Versions up to and including 26.0 are affected, with the vulnerability stemming from unsanitized user input from the $_POST['user_id'] parameter being concatenated directly into INSERT queries. An attacker with low-level authentication can extract sensitive data including password hashes, API keys, and encryption salts from the database, representing a significant information disclosure risk.

PHP Information Disclosure SQLi
NVD GitHub VulDB
CVE-2026-33719
EPSS 0% CVSS 8.6
HIGH This Week

WWBN AVideo video platform up to and including version 26.0 contains an authentication bypass vulnerability in the CDN plugin that allows unauthenticated remote attackers to completely modify CDN configuration settings including storage credentials and authentication keys. The vulnerability stems from the CDN plugin's default empty string authentication key, which causes validation checks to be bypassed entirely when the plugin is enabled but not properly configured. The CVSS score of 8.6 reflects high integrity impact with network-based exploitation requiring no privileges or user interaction.

PHP Authentication Bypass
NVD GitHub VulDB
CVE-2026-33717
EPSS 0% CVSS 8.8
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability (CWE-434) that allows authenticated attackers to upload and execute arbitrary PHP code on the server. The vulnerability exists in the downloadVideoFromDownloadURL() function which saves remote content with its original filename and extension to a web-accessible directory; by providing an invalid resolution parameter, attackers can bypass cleanup mechanisms, leaving executable PHP files persistent under the web root. With a CVSS score of 8.8, this represents a high-severity remote code execution risk for authenticated users.

PHP File Upload
NVD GitHub VulDB
CVE-2026-33716
EPSS 0% CVSS 9.4
CRITICAL Act Now

WWBN AVideo versions up to and including 26.0 contain an authentication bypass vulnerability in the standalone live stream control endpoint. The endpoint accepts a user-supplied 'streamerURL' parameter that redirects token verification to an attacker-controlled server, allowing complete bypass of authentication without any user interaction. With a CVSS score of 9.4, an attacker gains unauthenticated control over any live stream including the ability to drop publishers, manipulate recordings, and probe stream existence.

PHP Authentication Bypass
NVD GitHub VulDB
CVE-2026-33690
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an IP address spoofing vulnerability in the getRealIpAddr() function that trusts user-controlled HTTP headers to determine client IP addresses. This allows attackers to bypass IP-based access controls and audit logging mechanisms by forging headers such as X-Forwarded-For or X-Real-IP without authentication or user interaction. The vulnerability carries a CVSS score of 5.3 (medium severity) with low attack complexity, and a patch is available via commit 1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c, though no public exploit code or KEV designation has been confirmed at this time.

PHP Authentication Bypass
NVD GitHub VulDB
CVE-2026-33688
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo versions up to and including 26.0 contain an information disclosure vulnerability in the password recovery endpoint (objects/userRecoverPass.php) that allows unauthenticated attackers to enumerate valid usernames and determine account status (active, inactive, or banned) without solving any captcha. The vulnerability exists because user existence and account status validation occurs before captcha verification, enabling attackers to distinguish three different JSON error responses at scale. No evidence of active exploitation in the wild has been reported, but a patch is available in commit e42f54123b460fd1b2ee01f2ce3d4a386e88d157.

PHP Information Disclosure
NVD GitHub VulDB
CVE-2026-33685
EPSS 0% CVSS 5.3
MEDIUM This Month

WWBN AVideo versions up to 26.0 expose advertising analytics data through an unauthenticated JSON API endpoint that lacks access controls, allowing attackers to retrieve sensitive information including video titles, user identifiers, channel names, and ad campaign performance metrics. While the HTML and CSV export functions properly enforce admin authentication, the JSON variant was left unprotected, enabling unauthorized data disclosure with no authentication required. A patch is available in commit daca4ffb1ce19643eecaa044362c41ac2ce45dde.

Authentication Bypass PHP
NVD GitHub VulDB
CVE-2026-33681
EPSS 0% CVSS 7.2
HIGH This Week

WWBN AVideo, an open source video platform, contains a critical path traversal vulnerability in the pluginRunDatabaseScript.json.php endpoint that allows authenticated administrators to execute arbitrary SQL queries against the application database. Versions up to and including 26.0 are affected. The vulnerability can also be exploited via CSRF attacks against authenticated admin sessions, enabling unauthenticated attackers to achieve remote code execution or complete database compromise.

Path Traversal PHP CSRF
NVD GitHub VulDB
CVE-2026-33651
EPSS 0% CVSS 8.1
HIGH This Week

SQL injection in WWBN AVideo up to version 26.0 allows authenticated users to extract arbitrary database contents through time-based blind SQL injection via the remindMe.json.php endpoint. The vulnerability stems from insufficient input sanitization of the live_schedule_id parameter, which is concatenated directly into a SQL LIKE clause despite partial validation in intermediate functions. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVE-2026-4595
EPSS 0% CVSS 2.4
LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s6.php file, where the sname parameter fails to properly sanitize user input. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially compromising admin accounts or exfiltrating sensitive exam data. A public proof-of-concept is available on GitHub, and while the CVSS score is low at 2.4, the vulnerability requires high privileges and user interaction to exploit, limiting real-world impact.

XSS PHP
NVD VulDB GitHub
CVE-2026-33650
EPSS 0% CVSS 7.6
HIGH This Week

Privilege escalation in WWBN AVideo up to version 26.0 allows users with "Videos Moderator" permissions to gain full video management capabilities, including transferring ownership and deleting any video, by exploiting inconsistent authorization checks between the video editing and deletion endpoints. An authenticated attacker can chain an ownership transfer with deletion operations to compromise videos outside their legitimate scope. A patch is available in commit 838e16818c793779406ecbf34ebaeba9830e33f8.

PHP Authentication Bypass
NVD GitHub VulDB
CVE-2026-33649
EPSS 0% CVSS 8.1
HIGH This Week

A Cross-Site Request Forgery (CSRF) vulnerability in WWBN AVideo open source video platform versions up to and including 26.0 allows unauthenticated attackers to escalate privileges to near-admin access by tricking an administrator into visiting a malicious page. The vulnerability exists in the setPermission.json.php endpoint which accepts state-changing operations via GET requests without CSRF token validation, compounded by the application's explicit SameSite=None cookie setting. No patched version is currently available, and with a CVSS score of 8.1 (High), this represents a significant risk for installations with administrative users who browse external content.

PHP CSRF
NVD GitHub VulDB
CVE-2026-33647
EPSS 0% CVSS 8.8
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain a critical file upload vulnerability in the ImageGallery::saveFile() method that allows authenticated attackers to upload polyglot files (JPEG with embedded PHP code) and achieve Remote Code Execution. The vulnerability exploits a mismatch between MIME type validation (which checks file content) and filename extension handling (which trusts user input), allowing attackers to bypass security controls and execute arbitrary code on the server. A patch is available in commit 345a8d3ece0ad1e1b71a704c1579cbf885d8f3ae, and the issue has been publicly disclosed via GitHub Security Advisory GHSA-wxjw-phj6-g75w.

PHP RCE File Upload
NVD GitHub VulDB
CVE-2026-33513
EPSS 0% CVSS 8.6
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated path traversal vulnerability in the locale API endpoint that allows arbitrary PHP file inclusion under the web root. Attackers can achieve confirmed file disclosure and code execution by including existing PHP files, with potential escalation to full remote code execution if they can upload or control PHP files elsewhere in the application tree. The vulnerability has a CVSS score of 8.6 and requires no authentication or user interaction to exploit, though no patch is currently available and there is no evidence of active exploitation in KEV data.

Path Traversal PHP RCE
NVD GitHub VulDB
CVE-2026-33512
EPSS 0% CVSS 7.5
HIGH This Week

WWBN AVideo versions up to and including 26.0 contain an unauthenticated API endpoint that allows arbitrary decryption of ciphertext. Attackers can exploit the decryptString action in the API plugin without authentication to decrypt publicly-issued ciphertext (such as from view/url2Embed.json.php), allowing recovery of protected tokens and metadata. The CVSS score of 7.5 reflects high confidentiality impact with network accessibility and no authentication required.

PHP Authentication Bypass
NVD GitHub VulDB
CVE-2026-4592
EPSS 0% CVSS 5.6
MEDIUM POC This Month

Improper authentication in the two-factor authentication verification function of Kalcaddle Kodbox 1.64 allows remote attackers to bypass login controls, though exploitation is of high complexity. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. Affected users should implement network-level access controls while awaiting a vendor update.

PHP Authentication Bypass
NVD VulDB
CVE-2026-4591
EPSS 0% CVSS 4.7
MEDIUM POC This Month

The fileThumb endpoint in Kodbox 1.64 contains an OS command injection vulnerability in the checkBin function that allows authenticated remote attackers to execute arbitrary commands with the privileges of the web server process. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with high-level privileges can leverage this to achieve remote code execution on affected systems.

PHP Command Injection
NVD VulDB
CVE-2026-4590
EPSS 0% CVSS 3.1
LOW POC Monitor

A cross-site request forgery (CSRF) vulnerability exists in Kalcaddle Kodbox 1.64 affecting the loginSubmit API endpoint within the OAuth bind controller. An unauthenticated remote attacker can manipulate the 'third' parameter to forge requests that modify application state, though the attack requires user interaction and high complexity. A public proof-of-concept exploit has been released, and the vendor has not responded to early disclosure notifications.

CSRF PHP
NVD VulDB
CVE-2026-4589
EPSS 0% CVSS 6.3
MEDIUM POC This Month

Server-side request forgery in Kodbox 1.64's fileGet endpoint allows authenticated attackers to manipulate the path parameter in the PathDriverUrl function, enabling arbitrary outbound requests from the affected server. Public exploit code exists for this vulnerability, and no patch is currently available. The impact is limited to users with valid credentials, though successful exploitation could facilitate further network reconnaissance or attacks against internal systems.

PHP SSRF
NVD VulDB
CVE-2025-41008
EPSS 0% CVSS 9.3
CRITICAL Act Now

A SQL injection vulnerability exists in Sinturno that allows unauthenticated or low-privileged attackers to execute arbitrary SQL commands through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, updating, and deletion of database objects. The vulnerability was reported by INCIBE and affects all versions of Sinturno; no CVSS score, EPSS data, or KEV status has been published, but the ability to perform CRUD operations on databases represents critical severity regardless of formal scoring.

PHP SQLi Sinturno
NVD
CVE-2026-4588
EPSS 0% CVSS 3.7
LOW POC Monitor

Kalcaddle Kodbox 1.64 contains a cryptographic key hardcoding vulnerability in the Site-level API key Handler component (shareSafeGroup function in shareOut.class.php), where manipulation of the 'sk' parameter exploits the use of a hard-coded cryptographic key. This allows unauthenticated remote attackers to disclose sensitive information with low complexity, though the attack itself requires high complexity execution. A public proof-of-concept is available, and the vendor has not responded to early disclosure.

PHP Information Disclosure
NVD VulDB
CVE-2026-4587
EPSS 0% CVSS 3.7
LOW Monitor

HybridAuth versions up to 3.12.2 contain an improper certificate validation vulnerability in the SSL Handler component (src/HttpClient/Curl.php) where manipulation of curlOptions arguments bypasses SSL/TLS certificate verification. This affects any application using HybridAuth for authentication, allowing attackers to conduct man-in-the-middle attacks against remote authentication flows. While the CVSS score is relatively low (3.7) due to high attack complexity and lack of confidentiality impact, the integrity compromise from certificate validation bypass presents a real threat to authentication security in vulnerable deployments.

PHP Information Disclosure
NVD VulDB GitHub
CVE-2025-41007
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

A SQL injection vulnerability exists in Cuantis that allows unauthenticated attackers to execute arbitrary SQL commands through the 'search' parameter in the '/search.php' endpoint. This vulnerability enables complete database compromise including retrieval, creation, modification, and deletion of database contents. A patch is available from the vendor, and exploitation requires only network access to the affected application with no special privileges or user interaction.

PHP SQLi Cuantis
NVD
CVE-2026-4581
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checklogin.php parameter handler allows unauthenticated remote attackers to manipulate the Username field and execute arbitrary database queries. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected PHP installations vulnerable to data theft and unauthorized access.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4580
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0's /checkupdatestatus.php parameter handler allows unauthenticated remote attackers to manipulate the serviceId argument and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available, creating immediate risk for affected deployments.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4579
EPSS 0% CVSS 6.9
MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 through the serviceId parameter in /viewdetail.php allows unauthenticated remote attackers to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can exploit this to read or modify sensitive database information.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4578
EPSS 0% CVSS 2.4
LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s3.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious scripts through this parameter to perform actions in the context of other users' browsers. A public proof-of-concept is available, making this vulnerability actively exploitable despite its low CVSS score of 2.4.

XSS PHP
NVD VulDB GitHub
CVE-2025-13997
EPSS 0% CVSS 5.3
MEDIUM This Month

King Addons for Elementor contains an information disclosure vulnerability that exposes sensitive API keys and secrets in HTML source code through the render_full_form function. Unauthenticated attackers can extract Mailchimp, Facebook, and Google API credentials from affected WordPress sites running the plugin up to version 51.1.49 that have the Premium license installed. This vulnerability has a CVSS score of 5.3 with a network attack vector requiring no authentication, making it easily discoverable and exploitable at scale.

WordPress Information Disclosure Google +1
NVD VulDB
CVE-2025-6229
EPSS 0% CVSS 6.4
MEDIUM This Month

The Sina Extension for Elementor plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the Fancy Text Widget and Countdown Widget that allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into pages through insufficiently sanitized DOM attributes. When users visit pages containing the malicious widgets, the injected scripts execute in their browsers, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions on behalf of the victim. The vulnerability affects all versions up to and including 3.7.0, with a CVSS score of 6.4 indicating medium severity, though the impact is amplified by the stored nature of the XSS and the broad audience of WordPress sites using this popular page builder extension.

WordPress XSS PHP
NVD VulDB
CVE-2026-4577
EPSS 0% CVSS 2.4
LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0 affecting the /admin/update_s4.php endpoint, where the 'sname' parameter is not properly sanitized before output. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or administrative action abuse. A public proof-of-concept exploit is available, increasing real-world risk despite the low CVSS score of 2.4.

XSS PHP
NVD VulDB GitHub
CVE-2026-4576
EPSS 0% CVSS 2.4
LOW POC Monitor

A Stored or Reflected Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, specifically in the /admin/update_s5.php file where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript code through this parameter, which will execute in the context of other users' browsers when they interact with the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has a low CVSS score of 2.4 due to high privilege requirements and user interaction dependency, but the public disclosure increases practical exploitation likelihood.

PHP XSS
NVD VulDB GitHub
CVE-2026-4575
EPSS 0% CVSS 2.4
LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s2.php endpoint where the 'sname' parameter is not properly sanitized. An authenticated attacker with high privileges can inject malicious JavaScript that executes in the browser of other users who view the affected page, potentially leading to session hijacking, credential theft, or administrative action manipulation. A public proof-of-concept exploit is available on GitHub, and the vulnerability carries a low CVSS score of 2.4 due to requiring high privileges and user interaction, but the published exploit status indicates active reconnaissance and potential targeted exploitation.

XSS PHP
NVD VulDB GitHub
CVE-2025-10734
EPSS 0% CVSS 5.3
MEDIUM This Month

The ReviewX - WooCommerce Product Reviews plugin for WordPress contains a Sensitive Information Exposure vulnerability in the syncedData function that allows unauthenticated attackers to extract sensitive user data including names, emails, phone numbers, and addresses from affected sites. All versions up to and including 2.2.12 are vulnerable, affecting any WordPress installation running this popular review plugin. The vulnerability has a CVSS score of 5.3 (Medium) with low attack complexity and no authentication required, making it relatively straightforward to exploit.

WordPress Information Disclosure Google +1
NVD VulDB
CVE-2025-10679
EPSS 0% CVSS 7.3
HIGH This Week

The ReviewX plugin for WordPress contains a critical arbitrary method call vulnerability in all versions up to and including 2.2.12. Unauthenticated attackers can exploit insufficient input validation in the bulkTenReviews function to call arbitrary PHP class methods, potentially achieving remote code execution or information disclosure. With a CVSS score of 7.3 and network-based exploitation requiring no privileges or user interaction, this presents a significant risk to WordPress sites using this WooCommerce product review plugin.

WordPress PHP RCE +3
NVD VulDB
CVE-2025-10731
EPSS 0% CVSS 5.3
MEDIUM This Month

The ReviewX WordPress plugin for WooCommerce contains an unauthenticated sensitive information exposure vulnerability in the allReminderSettings function that allows attackers to obtain authentication tokens and bypass admin restrictions. Affected versions up to 2.2.12 expose critical customer data including order details, names, emails, addresses, phone numbers, and user information. With a CVSS score of 5.3 and network-based attack vector requiring no authentication or user interaction, this vulnerability poses a moderate but immediate risk to any WordPress installation using the plugin.

WordPress Information Disclosure Authentication Bypass +2
NVD VulDB
CVE-2026-4573
EPSS 0% CVSS 6.3
MEDIUM POC This Month

SQL injection in SourceCodester Simple E-learning System 1.0 allows authenticated attackers to manipulate the post_id parameter in the delete_post.php endpoint, enabling unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVE-2025-10736
EPSS 0% CVSS 6.5
MEDIUM This Month

The ReviewX plugin for WordPress contains an improper authorization vulnerability in the userAccessibility() function that allows unauthenticated attackers to bypass authentication checks and access protected REST API endpoints. Affected versions through 2.2.10 permit unauthorized extraction and modification of user data and plugin configuration, posing a direct threat to WooCommerce installations relying on this review management solution. With a CVSS score of 6.5 and network-based attack vector requiring no user interaction or privileges, this vulnerability presents a moderate-to-significant risk for any WordPress site using the affected plugin.

WordPress Authentication Bypass Google +1
NVD VulDB
CVE-2026-4572
EPSS 0% CVSS 5.3
MEDIUM POC This Month

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the searchtxt parameter in /view_product.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4571
EPSS 0% CVSS 5.3
MEDIUM POC This Month

SQL injection in SourceCodester Sales and Inventory System 1.0 allows remote authenticated attackers to manipulate the searchtxt parameter in /view_payments.php, enabling unauthorized data access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed with low complexity over the network.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4570
EPSS 0% CVSS 5.3
MEDIUM POC This Month

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_customers.php endpoint where the searchtxt parameter is insufficiently sanitized, allowing authenticated attackers to execute arbitrary SQL queries and manipulate database contents. The vulnerability requires valid credentials but can be exploited remotely over the network, and public exploit code is available. No patch is currently available for this vulnerability.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4569
EPSS 0% CVSS 5.3
MEDIUM POC This Month

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the /view_category.php endpoint's searchtxt parameter that allows authenticated attackers to execute arbitrary SQL queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and there is currently no available patch. The attack requires valid credentials but can be executed remotely over the network.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4568
EPSS 0% CVSS 5.3
MEDIUM POC This Month

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in /update_supplier.php allows authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVE-2026-4563
EPSS 0% CVSS 4.3
MEDIUM This Month

An authorization bypass vulnerability exists in MacCMS up to version 2025.1000.4052 within the Member Order Detail Interface component, specifically in the order_info function of application/index/controller/User.php. An authenticated attacker can manipulate the order_id parameter to access order information belonging to other users, disclosing sensitive data. A public proof-of-concept exploit is available, elevating the risk of active exploitation despite the moderate CVSS 4.3 score.

PHP Authentication Bypass
NVD GitHub VulDB
CVE-2024-46878
EPSS 0% CVSS 5.4
MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVE-2024-46879
EPSS 0% CVSS 5.4
MEDIUM This Month

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVE-2024-51226
EPSS 0% CVSS 6.1
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/search-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable without authentication and with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVE-2024-51224
EPSS 0% CVSS 4.8
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in the component /admin/edit-vehicle.php of Phpgurukul Vehicle Record Management System v1.0 allow attackers to execute arbitrary web scripts or. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVE-2024-51223
EPSS 0% CVSS 4.8
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVE-2024-51225
EPSS 0% CVSS 4.8
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/add-brand.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVE-2024-51222
EPSS 0% CVSS 4.8
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Phpgurukul Vehicle Record Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.

XSS PHP
NVD GitHub VulDB
CVE-2026-4562
EPSS 0% CVSS 7.3
HIGH POC This Week

MacCMS version 2025.1000.4052 contains a missing authentication vulnerability in the Timming API endpoint (application/api/controller/Timming.php). An unauthenticated remote attacker can access protected functionality, potentially leading to unauthorized data access, modification, or service disruption. A public proof-of-concept exploit is available on GitHub, significantly increasing the risk of active exploitation in the wild.

PHP Authentication Bypass
NVD VulDB GitHub
CVE-2026-4557
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s1.php file where the 'sname' parameter is not properly sanitized. An unauthenticated attacker can remotely inject malicious JavaScript by manipulating this parameter, which will execute in the browsers of administrators or other users who view the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has an EPSS score indicating probable exploitation likelihood.

PHP XSS
NVD VulDB GitHub
CVE-2026-4550
EPSS 0% CVSS 4.7
MEDIUM POC This Month

SQL injection in Simple Gym Management System up to version 1.0 allows remote attackers with high privileges to manipulate the Trainer_id and fname parameters in /gym/func.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVE-2026-4540
EPSS 0% CVSS 7.3
HIGH POC This Week

SQL injection in projectworlds Online Notes Sharing System 1.0 allows unauthenticated remote attackers to manipulate the Benutzer parameter in /login.php, enabling unauthorized data access, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVE-2026-4533
EPSS 0% CVSS 5.3
MEDIUM POC This Month

SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to manipulate the Status parameter in all-tickets.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete database contents. The affected PHP application currently lacks a security patch.

SQLi PHP
NVD VulDB GitHub
CVE-2026-4514
EPSS 0% CVSS 6.3
MEDIUM POC This Month

PbootCMS versions up to 3.2.12 contain an improper access control vulnerability in the Backend UserController component that allows authenticated attackers to manipulate the Field argument and bypass access restrictions. An attacker with login credentials can exploit this to gain unauthorized access to sensitive user data or system functions. A proof-of-concept exploit has been publicly disclosed on GitHub and the vulnerability carries a moderate CVSS score of 6.3 with documented exploitation capability.

PHP Authentication Bypass
NVD VulDB GitHub
CVE-2026-4510
EPSS 0% CVSS 4.3
MEDIUM POC This Month

A reflected cross-site scripting (XSS) vulnerability exists in PbootCMS versions up to 3.2.12 in the alert_location function of the MemberController.php file, where the backurl parameter is not properly sanitized before output. An attacker can craft a malicious URL containing JavaScript code that will execute in a victim's browser when they click the link, potentially leading to session hijacking, credential theft, or malware distribution. A public proof-of-concept exploit is available on GitHub, increasing the risk of active exploitation.

PHP XSS
NVD VulDB GitHub
CVE-2026-4509
EPSS 0% CVSS 6.3
MEDIUM POC This Month

PbootCMS versions up to 3.2.12 contain an incomplete blacklist bypass vulnerability in the file upload functionality (core/function/file.php) that allows authenticated attackers to upload dangerous files by manipulating the blacklist parameter. An attacker with login credentials can bypass file type restrictions to upload arbitrary files, potentially achieving remote code execution or other malicious outcomes. A public proof-of-concept exploit is available on GitHub, increasing the practical risk of exploitation.

PHP File Upload
NVD VulDB GitHub
CVE-2026-3554
EPSS 0% CVSS 6.4
MEDIUM This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Sherk Custom Post Type Displays WordPress plugin (versions up to 1.2.1) where the 'title' shortcode attribute is insufficiently sanitized and directly concatenated into HTML output without escaping. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript that executes for all users viewing affected pages. The vulnerability has a CVSS score of 6.4 (Medium) with a local privilege requirement, making it exploitable by lower-privileged authenticated users rather than unauthenticated remote attackers.

WordPress PHP XSS
NVD
CVE-2026-3645
EPSS 0% CVSS 5.3
MEDIUM This Month

The Punnel - Landing Page Builder WordPress plugin contains a critical missing authorization vulnerability in the save_config() AJAX function that allows authenticated attackers with Subscriber-level privileges to overwrite the plugin's configuration and API key without proper capability checks or nonce verification. Combined with an insecure public API endpoint (sniff_requests()) that only validates requests via token comparison, attackers can subsequently create, update, or delete arbitrary posts, pages, and products on affected WordPress installations. The vulnerability affects all versions up to and including 1.3.1 and has been documented by Wordfence with publicly available code references.

Authentication Bypass WordPress PHP
NVD
CVE-2025-14037
EPSS 0% CVSS 8.1
HIGH This Week

The Invelity Product Feeds plugin for WordPress contains an arbitrary file deletion vulnerability through path traversal in versions up to and including 1.2.6. Authenticated administrators can be socially engineered into clicking malicious links that delete arbitrary server files due to missing validation in the createManageFeedPage function. No evidence of active exploitation (not in KEV) exists, though the vulnerability is publicly documented with technical details available via WordPress plugin repository references.

CSRF WordPress Path Traversal +1
NVD
CVE-2025-13910
EPSS 0% CVSS 6.1
MEDIUM This Month

The WP-WebAuthn WordPress plugin contains an unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in the wwa_auth AJAX endpoint that allows attackers to inject arbitrary JavaScript into the plugin's log page. Affected are all versions up to and including 1.3.4 of the plugin (identified via CPE cpe:2.3:a:axton:wp-webauthn:*:*:*:*:*:*:*:*), which is exploitable only when logging is enabled in plugin settings. The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes, enabling persistent XSS execution whenever administrators or authorized users access the logging interface.

WordPress XSS PHP
NVD
CVE-2026-2375
EPSS 0% CVSS 6.5
MEDIUM This Month

The App Builder - Create Native Android & iOS Apps On The Flight WordPress plugin up to version 5.5.10 contains a privilege escalation vulnerability in its REST API registration endpoint that allows unauthenticated attackers to register accounts with the wcfm_vendor role, bypassing WCFM Marketplace's vendor approval workflow. The verify_role() function in AuthTrails.php explicitly whitelists the wcfm_vendor role without proper authorization checks, enabling attackers to immediately gain vendor-level privileges including product management, order access, and store management on affected WordPress installations. This vulnerability has a CVSS score of 6.5 with low attack complexity and no authentication requirements, making it a moderate-to-significant risk for WordPress sites using both this plugin and WCFM Marketplace.

Apple Google WordPress +4
NVD
CVE-2026-3335
EPSS 0% CVSS 5.3
MEDIUM This Month

The Canto plugin for WordPress (versions up to 3.1.1) contains a critical missing authorization vulnerability in the copy-media.php file and related endpoints that allows unauthenticated attackers to upload arbitrary files to the WordPress uploads directory. The vulnerability stems from multiple PHP files being directly accessible without authentication, nonce validation, or authorization checks, while also accepting attacker-controlled parameters for API endpoints and domain configuration. An attacker can exploit this to upload malicious files (within WordPress MIME type constraints) or redirect legitimate file operations to attacker-controlled infrastructure, potentially leading to remote code execution or site compromise.

WordPress PHP Authentication Bypass
NVD GitHub
CVE-2026-3570
EPSS 0% CVSS 5.3
MEDIUM This Month

The Smarter Analytics WordPress plugin (all versions up to 2.0) contains an authentication bypass vulnerability that allows unauthenticated attackers to reset plugin configuration and delete all analytics settings via the 'reset' parameter in the global scope of smarter-analytics.php. This is a missing authentication and capability check vulnerability (CWE-862) with a CVSS score of 5.3, classified as moderate severity with low attack complexity and no authentication required. The vulnerability is publicly documented via Wordfence threat intelligence with direct references to the vulnerable code in the WordPress plugin repository, though no active exploitation in the wild or public proof-of-concept has been widely reported.

WordPress PHP Authentication Bypass
NVD
CVE-2026-3474
EPSS 0% CVSS 4.9
MEDIUM This Month

The EmailKit - Email Customizer for WooCommerce & WP WordPress plugin contains a path traversal vulnerability in the TemplateData class that allows authenticated administrators to read arbitrary files from the server via the 'emailkit-editor-template' REST API parameter. An attacker with Administrator privileges can exploit this flaw to access sensitive files such as wp-config.php or /etc/passwd by supplying directory traversal sequences, with the retrieved file contents stored as post metadata and retrievable through the fetch-data REST API endpoint. The vulnerability affects all versions up to and including 1.6.3, and while it requires high-level administrative access and has a moderate CVSS score of 4.9, it represents a critical information disclosure risk in multi-user WordPress environments.

WordPress PHP Path Traversal
NVD VulDB