Skip to main content

PHP

24723 CVEs product

Monthly

CVE-2026-12256 HIGH This Week

PHP Object Injection in the ThemeFusion Avada WordPress theme versions 3.15.3 and earlier allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or service disruption on the underlying WordPress installation. No public exploit identified at time of analysis, but the low attack complexity and widespread deployment of Avada as a commercial WordPress theme make this a meaningful risk for multi-author sites.

PHP Deserialization Avada
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-69178 HIGH This Week

Unauthenticated Local File Inclusion in the Truemag WordPress theme by Cactus Themes (versions up to and including 4.3.14.2) allows remote attackers to coerce the server into including arbitrary local PHP files without credentials. With CVSS 8.1 and full CIA impact (CWE-98), successful exploitation can lead to disclosure of sensitive files, configuration data, and potential code execution by including attacker-controlled or log-poisoned content, though no public exploit identified at time of analysis.

PHP Information Disclosure LFI Truemag
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69177 HIGH This Week

Unauthenticated local file inclusion in the Roneous WordPress theme (versions up to and including 2.1.5) allows remote attackers to coerce the application into including arbitrary files on the server, potentially exposing sensitive data such as wp-config.php credentials or, when combined with file upload primitives, achieving remote code execution. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. The vulnerability is tracked by Patchstack and ENISA EUVD (EUVD-2025-210183).

PHP Information Disclosure LFI Roneous
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69176 HIGH This Week

Local File Inclusion in the ThemeREX ITactics WordPress theme versions 1.0 and earlier allows remote unauthenticated attackers to include arbitrary files from the underlying server, leading to disclosure of sensitive configuration data and potentially PHP code execution if attacker-controlled content can be staged on the host. Tracked by Patchstack and indexed in ENISA EUVD as EUVD-2025-210182, the issue carries a CVSS 8.1 (High) score with no public exploit identified at time of analysis.

PHP Information Disclosure LFI Itactics
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69168 HIGH This Week

Local File Inclusion in the Spike WordPress theme (versions ≤1.2) by ThemeREX allows remote unauthenticated attackers to coerce the PHP backend into including arbitrary local files via crafted filename parameters. Successful exploitation can disclose sensitive server-side files, configuration data, and credentials, and on misconfigured PHP installations may lead to code execution. No public exploit identified at time of analysis, but the issue is reported and tracked by Patchstack (WordPress vulnerability intelligence).

PHP Information Disclosure LFI Spike
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69167 HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Eros WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary files and potentially achieve PHP code execution via include/require paths reachable without authentication. No public exploit identified at time of analysis, but the flaw is reported by Patchstack and tracked as EUVD-2025-210180. WordPress themes with LFI sinks are a recurring target because they expose include() statements through AJAX or template loader endpoints.

PHP Information Disclosure LFI Eros
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69165 HIGH This Week

Local File Inclusion in the Choreo WordPress theme (versions through 1.6) allows unauthenticated remote attackers to include and read arbitrary local files from the server, with potential for further escalation to code execution depending on writable file content. The flaw was disclosed by Patchstack and is tracked as EUVD-2025-210179; no public exploit identified at time of analysis, and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.

PHP Information Disclosure LFI Choreo
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69163 HIGH This Week

Unauthenticated Local File Inclusion in the WineShop WordPress theme versions 3.17 and earlier allows remote attackers to include and execute arbitrary local files on the server via crafted requests. The flaw stems from improper control of filename for include/require (CWE-98) and carries a CVSS 8.1 (High) with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis.

PHP Information Disclosure LFI Wineshop
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69162 HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Grecko WordPress theme versions 5.17 and earlier allows remote attackers to coerce the application into including arbitrary files from the server filesystem, potentially leading to sensitive file disclosure and PHP code execution where attacker-controlled content can be reached. The flaw is reachable without authentication over HTTP and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 with high attack complexity, indicating exploitation is feasible but not trivially automatable.

PHP Information Disclosure LFI Grecko
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69160 HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Gita WordPress theme versions 1.11 and earlier allows remote attackers to include arbitrary local files via a PHP file-inclusion weakness (CWE-98), potentially exposing wp-config.php credentials and enabling further compromise. No public exploit identified at time of analysis, but the vulnerability is network-reachable without authentication and has been disclosed by Patchstack with a CVSS 3.1 base score of 8.1.

PHP Information Disclosure LFI Gita
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69159 HIGH This Week

Unauthenticated local file inclusion in the Printo WordPress theme (versions ≤ 1.11 by ThemeRex) allows remote attackers to include arbitrary local files via a PHP file-inclusion sink (CWE-98), enabling disclosure of sensitive server-side files and potential remote code execution if attacker-controlled content can be reached on disk. No public exploit identified at time of analysis, though Patchstack has cataloged the issue and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.

PHP Information Disclosure LFI Printo
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69150 HIGH This Week

Unauthenticated local file inclusion in the Medeus WordPress theme versions 1.14 and earlier allows remote attackers to coerce the PHP backend into including arbitrary files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be referenced. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require), affects a ThemeREX product tracked by Patchstack as a WordPress theme issue, and no public exploit identified at time of analysis. Despite the CVSS 8.1 high rating, AC:H signals non-trivial exploitation requirements beyond a simple parameter swap.

PHP Information Disclosure LFI Medeus
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69149 HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Top Dog WordPress theme (versions <=1.0.5) allows remote attackers to coerce the application into including arbitrary local PHP files, potentially leading to sensitive data disclosure or code execution if a writable/loggable file can be referenced. The flaw is reachable without authentication or user interaction over the network, though CVSS marks attack complexity as high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

PHP Information Disclosure LFI Top Dog
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69147 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Putter WordPress theme versions 1.17 and earlier allows remote attackers to read arbitrary files from the underlying web server and, in PHP environments where include wrappers are abused, potentially achieve code execution. The flaw is reachable without authentication or user interaction, though CVSS reports high attack complexity. No public exploit identified at time of analysis, but Patchstack has published the advisory.

PHP Information Disclosure LFI Putter
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69146 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX 'Dom' WordPress theme through version 1.24 allows remote attackers to coerce the PHP application into including arbitrary local files, leading to sensitive information disclosure and potential code execution. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability if a vulnerable include path is reached. The flaw is tracked by Patchstack and ENISA (EUVD-2025-210210) and affects all Dom theme versions up to and including 1.24.

PHP Information Disclosure LFI Dom
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69143 HIGH This Week

Unauthenticated Local File Inclusion affects the ThemeREX Mission WordPress theme in all versions up to and including 1.22, enabling remote attackers to coerce the PHP application into including arbitrary local files. Exploitation can lead to sensitive file disclosure, source-code exposure, and - depending on what files are accessible on the server - remote code execution via log poisoning or PHP wrapper abuse. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI Mission
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69142 HIGH This Week

Unauthenticated local file inclusion in the Abelle WordPress theme versions 1.22 and earlier allows remote attackers to coerce the PHP runtime into including attacker-controlled file paths, leading to disclosure of sensitive server files and potential remote code execution if log poisoning or uploaded files can be reached. The flaw is reachable without credentials, but CVSS notes high attack complexity, and no public exploit identified at time of analysis. No EPSS or KEV signal is provided in the source data.

PHP Information Disclosure LFI Abelle
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69141 HIGH This Week

Unauthenticated Local File Inclusion in the Kelly Young WordPress theme (versions ≤1.1.0) allows remote attackers to read arbitrary local files and potentially achieve code execution by including attacker-controlled file paths via a vulnerable PHP include sink. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. Risk is elevated by the high CVSS impact triad (C:H/I:H/A:H), though AC:H indicates non-trivial exploitation prerequisites.

PHP Information Disclosure LFI Kelly Young
NVD VulDB
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69136 HIGH This Week

Local File Inclusion in the Wanium WordPress theme (versions up to and including 1.9.8) allows remote unauthenticated attackers to coerce the application into including arbitrary local PHP files, leading to source disclosure and potential remote code execution on the server. The flaw was disclosed via Patchstack and tracked as EUVD-2025-210204; no public exploit identified at time of analysis, and the CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation that nevertheless requires some non-trivial conditions to succeed.

PHP Information Disclosure LFI Wanium
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69125 HIGH This Week

Unauthenticated local file inclusion in the Food Drop WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary server files or potentially achieve PHP code execution by abusing an improperly controlled include/require path (CWE-98). The flaw was disclosed by Patchstack and tracked as EUVD-2025-210202; no public exploit code or active exploitation has been identified at time of analysis, but the network-reachable, no-auth attack surface makes it a meaningful risk for any site running this theme.

PHP Information Disclosure LFI Food Drop
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69124 HIGH This Week

Unauthenticated Local File Inclusion in the ThemeRex Especio WordPress theme (versions ≤ 1.0) allows remote attackers to coerce the PHP application into including arbitrary files from the underlying server. Because the include path is attacker-controlled and no authentication is required, the flaw can lead to disclosure of sensitive files (wp-config.php, system files) and, depending on local file primitives available on the server, escalation to code execution. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI Especio
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69122 CRITICAL Act Now

Unauthenticated PHP Object Injection in the ThemeREX SeaFood Company WordPress theme (versions ≤1.4) enables remote attackers to deliver crafted serialized payloads that trigger insecure deserialization within PHP, potentially leading to remote code execution, file manipulation, or full site compromise depending on available gadget chains in the host WordPress stack. Reported by Patchstack and tracked as EUVD-2025-210200, with no public exploit identified at time of analysis.

PHP Deserialization Seafood Company
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-69121 HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Deliciosa WordPress theme (versions up to and including 1.10.0) allows remote attackers to coerce the PHP application into including arbitrary local files, potentially leading to sensitive file disclosure and code execution. The flaw is reachable without authentication but carries high attack complexity per the CVSS vector, and no public exploit identified at time of analysis. Patchstack disclosed the issue and tracks it as EUVD-2025-210199.

PHP Information Disclosure LFI Deliciosa
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69119 HIGH This Week

Unauthenticated local file inclusion in the Corbesier WordPress theme (versions ≤ 1.15.0) allows remote attackers to read arbitrary server files or potentially execute code by abusing improper validation of file paths passed to PHP include/require functions. The flaw is reachable without credentials and carries a CVSS 3.1 score of 8.1; no public exploit identified at time of analysis, and it is not listed in CISA KEV. The combination of network reachability and unauthenticated access makes any vulnerable WordPress site running this theme an immediate concern despite the high attack complexity rating.

PHP Information Disclosure LFI Corbesier
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69118 HIGH This Week

Unauthenticated local file inclusion in the CopyPress WordPress theme (ThemeREX) through version 1.4.5 lets remote attackers coerce the PHP include/require chain into loading arbitrary server-side files without credentials. Patchstack catalogued the flaw as CWE-98 with CVSS 8.1, and no public exploit identified at time of analysis. Successful exploitation can expose sensitive files such as wp-config.php and, depending on the include sink, escalate to PHP code execution.

PHP Information Disclosure LFI Copypress
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69116 HIGH This Week

Unauthenticated Local File Inclusion in the Iona WordPress theme versions 1.0.8 and earlier allows remote attackers to coerce the PHP application into including arbitrary local files, enabling source code disclosure and potentially full remote code execution. Reported by Patchstack and tracked as EUVD-2025-210196, the flaw is rated CVSS 8.1 (High) despite high attack complexity, with no public exploit identified at time of analysis.

PHP Information Disclosure LFI Iona
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69114 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX MaxiNet WordPress theme through version 1.2.10 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be reached. The flaw was disclosed via Patchstack and tracked as EUVD-2025-210195; no public exploit identified at time of analysis, and no CISA KEV listing exists.

PHP Information Disclosure LFI Maxinet
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69113 HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Nexio WordPress theme (versions ≤ 1.10.0) allows remote attackers to coerce the PHP application into including arbitrary local files, enabling disclosure of sensitive server content and potentially remote code execution if attacker-controlled content can be staged on the host. The CWE-98 classification and PHP tag indicate a classic dynamic include/require sink reachable without authentication. At time of analysis there is no public exploit identified and no CISA KEV listing, but the unauthenticated network vector and high CVSS (8.1) warrant prompt action on any WordPress site running this theme.

PHP Information Disclosure LFI Nexio
NVD
CVSS 3.1
8.1
EPSS
0.5%
CVE-2025-69112 HIGH This Week

Unauthenticated local file inclusion in the Planty WordPress theme versions 1.14.0 and earlier allows remote attackers to coerce the PHP application into including arbitrary files from the server filesystem, leading to disclosure of sensitive configuration data and potential code execution. The flaw is reachable without credentials over the network but rated AC:H, indicating exploitation requires meeting specific conditions; no public exploit identified at time of analysis and the issue is tracked by Patchstack and ENISA EUVD-2025-210193.

PHP Information Disclosure LFI Planty
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69109 HIGH This Week

Local File Inclusion in the ThemeREX Raider Spirit WordPress theme versions 1.1.2 and earlier allows unauthenticated remote attackers to include and disclose arbitrary local files via attacker-controlled file paths reaching a PHP include/require sink. The flaw maps to CWE-98 (Improper Control of Filename for Include/Require) and was disclosed through Patchstack with no public exploit identified at time of analysis, though the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact if the inclusion can be steered to executable PHP content.

PHP Information Disclosure LFI Raider Spirit
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69108 CRITICAL Act Now

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers to inject arbitrary serialized PHP objects, potentially triggering property-oriented programming (POP) chains that lead to remote code execution, arbitrary file operations, or full site compromise. The flaw was disclosed by Patchstack and carries a CVSS 9.8 due to network reachability with no authentication or user interaction, though no public exploit has been identified at time of analysis.

PHP Deserialization Hot Coffee
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-69107 HIGH This Week

Unauthenticated remote local file inclusion in the Rosaleen WordPress theme versions 2.8 and earlier allows attackers to coerce the PHP application into including arbitrary files via a CWE-98 remote file inclusion/path traversal flaw. The issue was reported by Patchstack and affects the ThemeREX-developed Rosaleen theme; no public exploit identified at time of analysis, though the unauthenticated network vector makes opportunistic targeting plausible.

PHP Information Disclosure LFI Rosaleen
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-69105 HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Modernee WordPress theme (versions through 1.6.0) allows remote attackers to coerce the server into including arbitrary local PHP files, enabling information disclosure and potential code execution via log poisoning or session file abuse. Reported by Patchstack and tracked as EUVD-2025-210189, no public exploit identified at time of analysis and the vulnerability is not in CISA KEV. The CVSS 8.1 score reflects high impact across confidentiality, integrity, and availability but with high attack complexity.

PHP Information Disclosure LFI Modernee
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-60085 HIGH This Week

Unauthenticated Local File Inclusion in the Learnify WordPress theme (versions up to and including 1.15.0) allows remote attackers to read arbitrary files from the underlying server without credentials. Patchstack catalogued the issue as a PHP file inclusion flaw (CWE-98) and no public exploit was identified at time of analysis, though the WordPress theme ecosystem makes targeted scanning likely. The CVSS 3.1 score of 8.1 reflects high impact across confidentiality, integrity, and availability, tempered by high attack complexity.

PHP Information Disclosure LFI Learnify
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-58924 HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Geya WordPress theme (versions up to and including 1.15) allows remote attackers to read or include arbitrary files on the server, leading to information disclosure and potential code execution via PHP file inclusion. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, though the high CVSS (8.1) reflects severe confidentiality, integrity and availability impact if the vulnerable path is reached.

PHP Information Disclosure LFI Geya
NVD VulDB
CVSS 3.1
8.1
EPSS
0.4%
CVE-2026-54194 CRITICAL Act Now

PHP Object Injection in the ThemeFusion Fusion Builder WordPress plugin (versions ≤ 3.15.4) allows authenticated users with Contributor-level access to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can lead to property-oriented programming (POP) chain execution depending on classes loaded in the WordPress runtime, with potential outcomes ranging from arbitrary file operations to remote code execution. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the Contributor prerequisite is low in many multi-author WordPress deployments.

PHP Deserialization Fusion Builder
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-6933 HIGH This Week

Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.

File Upload PHP WordPress RCE Premmerce Dev Tools
NVD VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2026-48157 PHP MEDIUM PATCH GHSA This Month

Reflected XSS in Slim PHP framework (versions 4.4.0 through 4.15.1) allows attackers to inject arbitrary HTML and JavaScript into HTML error pages when application code passes request-derived data into HttpException::setTitle() or setDescription(). The payload executes in a victim's browser upon rendering the crafted error page, and critically this occurs even when displayErrorDetails is set to false, since the unescaped values are rendered on a separate code path. No public exploit code or CISA KEV listing has been identified; exploitation is scoped to applications that explicitly feed untrusted input into these specific exception setter methods.

PHP XSS Slim
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-53537 PyPI MEDIUM PATCH GHSA This Month

Parameter smuggling in python-multipart below 0.0.30 allows unauthenticated network attackers to present a different field name or filename to an upstream WAF, proxy, or gateway than the value actually delivered to the backend application. The root cause is that parse_options_header delegates to Python's email.message.Message, which silently applies RFC 2231/5987 extended parameter decoding - a behavior explicitly forbidden for multipart/form-data by RFC 7578 §4.2 - causing the extended value to override the plain parameter and bypass inspection logic. Concrete downstream consequences include circumventing filename-based upload controls and, where applications construct filesystem paths from the parsed filename without sanitization, achieving path traversal via decoded percent sequences such as ..%2F or injecting null bytes (%00) to confuse validators. No public exploit has been identified and the vulnerability is not in CISA KEV; CVSS 3.7 with AC:H reflects that exploitation requires a specific upstream inspector in the deployment topology.

Python Path Traversal PHP Suse
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49781 CRITICAL Act Now

Unauthenticated PHP Object Injection in the OttoKit WordPress plugin (formerly SureTriggers) versions 1.1.27 and earlier allows remote attackers to deserialize attacker-controlled PHP objects against any site running the plugin. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and a CWE-502 deserialization root cause, successful exploitation can lead to full code execution, data theft, or site takeover when a suitable POP gadget chain is present in WordPress core or another installed plugin. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Ottokit
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49770 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WP Travel Engine WordPress plugin versions 6.7.12 and earlier enables remote attackers to deserialize attacker-controlled data without authentication, leading to full compromise (CVSS 9.8). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any WordPress site running a vulnerable installation. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin ecosystem make this a high-priority patching target for travel-booking sites.

PHP Deserialization Wp Travel Engine
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49769 CRITICAL Act Now

Unauthenticated PHP Object Injection in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote attackers to deliver untrusted serialized payloads that are deserialized by the plugin, leading to potential remote code execution, data tampering, and full site compromise depending on available POP gadget chains. The flaw is reachable without authentication over the network and carries a vendor CVSS of 9.8; no public exploit identified at time of analysis and the issue is not currently on the CISA KEV list.

PHP Deserialization Wpforo Forum
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49768 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to deliver attacker-controlled serialized objects that get deserialized by the plugin, potentially leading to remote code execution, file manipulation, or data compromise on the underlying WordPress site. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any site running the plugin. Reported by Patchstack with a corresponding advisory in their WordPress vulnerability database.

PHP Deserialization Happyforms
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-49765 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions <= 1.1.8) allows remote attackers to deserialize attacker-controlled data, potentially leading to remote code execution when a suitable POP (property-oriented programming) gadget chain exists in the WordPress environment. The flaw is reachable without authentication and carries a CVSS 9.8 rating, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. The plugin is distributed by CRM Perks and was disclosed via Patchstack.

PHP Deserialization Integration For Mailchimp And Contact Form 7 Wpforms Elementor Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49763 CRITICAL Act Now

Unauthenticated PHP Object Injection in the Integration for Contact Form 7 HubSpot WordPress plugin (versions <= 1.3.7) allows remote attackers to inject malicious serialized PHP objects, which can lead to full site compromise when a suitable POP gadget chain exists in WordPress core or co-installed plugins. The flaw is reachable without authentication or user interaction (CVSS 9.8) and was reported by Patchstack. No public exploit identified at time of analysis.

PHP Deserialization Integration For Contact Form 7 Hubspot
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49109 CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions <= 1.4.3) allows remote attackers to pass attacker-controlled serialized data into PHP's unserialize() function. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover when a suitable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Integration For Salesforce And Contact Form 7 Wpforms Elementor Formidable Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49106 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin Integration for Contact Form 7 and Constant Contact (versions <= 1.1.6) allows remote attackers to inject crafted serialized PHP objects that get deserialized server-side. When a suitable POP (property-oriented programming) gadget chain is present in WordPress core, another active plugin, or a theme, this can escalate to arbitrary file read/write, deletion, or remote code execution on the host. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects the unauthenticated network-reachable attack surface.

PHP Deserialization Integration For Contact Form 7 And Constant Contact
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49105 CRITICAL Act Now

Unauthenticated PHP Object Injection in the CRM Perks 'WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' WordPress plugin (versions 1.1.4 and earlier) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, data theft, or site takeover when a suitable POP gadget chain is present. The flaw is reported by Patchstack and carries a 9.8 CVSS score with network-reachable, no-privilege, no-interaction characteristics. No public exploit identified at time of analysis.

PHP Deserialization Wp Zendesk For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49104 CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions 1.2.1 and earlier) allows remote attackers to inject crafted serialized objects that can be deserialized by the plugin, potentially leading to full site compromise. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high priority for any WordPress site running the affected plugin. EPSS and CISA KEV data were not provided in the input, so real-world exploitation prevalence is undetermined.

PHP Deserialization Integration For Keap Infusionsoft And Contact Form 7 Wpforms Elementor Formidable Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49085 CRITICAL Act Now

Unauthenticated PHP object injection in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms WordPress plugin (versions <= 1.1.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes without validation. Successful exploitation can lead to remote code execution, data tampering, or full site compromise when a suitable POP (property-oriented programming) gadget chain is available in WordPress core, the active theme, or any installed plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Wp Insightly For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-42687 HIGH This Week

Unauthenticated PHP Object Injection in the EventPrime event calendar plugin for WordPress (versions <= 4.3.2.1) allows remote attackers to inject crafted serialized PHP objects that may trigger arbitrary deserialization-driven gadget chains, leading to potential remote code execution, file manipulation, or data tampering. The flaw is reachable without authentication but carries CVSS:3.1 AC:H, indicating non-trivial preconditions for successful exploitation. No public exploit identified at time of analysis, but Patchstack disclosure typically precedes broader exploit development against the WordPress plugin ecosystem.

PHP Deserialization Eventprime
NVD VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-39532 HIGH This Week

PHP Object Injection in the Events Calendar for GeoDirectory WordPress plugin (versions <= 2.3.25) allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or denial of service on the host WordPress site. The flaw is tracked as CWE-502 and was disclosed via Patchstack with a CVSS 3.1 score of 8.8, but no public exploit identified at time of analysis. Patchstack reports the issue and no vendor-released patch identified at time of analysis based on the supplied data.

PHP Deserialization Events Calendar For Geodirectory
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-39499 HIGH This Week

PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin versions 1.6.19 and below allows authenticated users with Shop Manager privileges to deserialize attacker-controlled data, potentially leading to remote code execution or full site compromise depending on available PHP gadget chains. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36946; no public exploit identified at time of analysis and the issue is not in CISA KEV.

PHP Deserialization WordPress Advanced Product Fields Product Addons For Woocommerce
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39498 HIGH This Week

PHP Object Injection in the YayMail WordPress plugin (versions ≤ 4.3.3) allows authenticated users with Shop Manager privileges to inject crafted serialized PHP objects and trigger deserialization on the server. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability of the WordPress site, though no public exploit identified at time of analysis. The flaw is reported by Patchstack and tracked as EUVD-2026-36945.

PHP Deserialization Yaymail
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39481 HIGH This Week

PHP Object Injection in the Modula Image Gallery WordPress plugin (versions ≤ 2.14.18) allows authenticated authors to trigger unsafe deserialization of attacker-controlled input, potentially leading to remote code execution, data tampering, or denial of service depending on available POP gadget chains in the WordPress environment. The flaw was disclosed by Patchstack and tracked as ENISA EUVD-2026-36940; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Modula Image Gallery
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39478 HIGH This Week

Authenticated PHP object injection in the WordPress 'Anti-Malware Security and Brute-Force Firewall' (GOTMLS) plugin through version 4.23.87 allows contributor-level users to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can pivot through existing PHP gadget chains in WordPress or other installed plugins to achieve high-impact compromise of the site. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

PHP Deserialization Anti Malware Security And Brute Force Firewall
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-39474 HIGH This Week

PHP Object Injection in the Post Duplicator WordPress plugin versions <= 3.0.10 allows authenticated users with Contributor-level privileges to trigger insecure deserialization, potentially leading to remote code execution, data tampering, or full site compromise. The flaw is rated CVSS 8.8 (High) and was disclosed by Patchstack. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Post Duplicator
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-39472 HIGH PATCH This Week

PHP Object Injection in the WooCommerce PDF Invoices & Packing Slips WordPress plugin before version 5.9.0 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 7.2 score reflects high privilege requirements offset by network reach and severe impact.

PHP Deserialization WordPress Woocommerce Pdf Invoices Packing Slips
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39471 HIGH This Week

Authenticated PHP Object Injection in the ShortPixel Image Optimizer WordPress plugin (versions 6.4.3 and earlier) allows attackers with Author-level privileges to trigger unsafe deserialization of attacker-controlled data, enabling code execution or other impacts when a suitable PHP gadget chain is present. Reported by Patchstack with no public exploit identified at time of analysis, the flaw is tracked as CWE-502 and carries a CVSS 3.1 score of 7.2 due to the high-privilege prerequisite but full CIA impact.

PHP Deserialization Shortpixel Image Optimizer
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39434 HIGH This Week

PHP Object Injection in the CTX Feed (WebAppick Product Feed for WooCommerce) WordPress plugin versions up to and including 6.6.26 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, leading to full compromise of confidentiality, integrity, and availability on the host site. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36924; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Deserialization Ctx Feed
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-27053 CRITICAL PATCH Act Now

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, data theft, or full site takeover when suitable gadget chains are present in the WordPress stack. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Broadcast Live Video
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-9691 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions 1.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, enabling abuse of POP gadget chains for code execution, file operations, or data tampering. The flaw scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and impacts any WordPress site running the affected CRM Perks integration plugin. There is no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress as a target make this a high-priority patching item.

PHP Deserialization Integration For Activecampaign And Contact Form 7 Wpforms Elementor Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49954 HIGH POC This Week

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The high PR:H requirement limits attackers to those already holding administrator credentials or able to obtain them.

File Upload RCE LFI Path Traversal PHP +1
NVD
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-49952 CRITICAL POC PATCH Act Now

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to access database backup and restore functionality exposed by dbbak.php. The flaw stems from a shared cryptographic key (CWE-323) between UCenter integration and the backup API, which lets an attacker abuse an encryption oracle in logging_ctl::logging_more() to mint legitimately signed authorization tokens, and chain a race condition to impersonate arbitrary users. Publicly available exploit code exists and an upstream fix has been published on Gitee.

PHP Authentication Bypass Oracle Discuz X5 0
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-48747 PHP MEDIUM PATCH GHSA This Month

Algorithm-confusion in Symfony's Mailomat webhook parser allows an attacker to downgrade the HMAC primitive used for signature verification, bypassing webhook authentication. Symfony packages symfony/mailomat-mailer and symfony/symfony versions 7.2.0 through 7.4.12 and 8.0.0 through 8.0.12 accept an attacker-controlled algorithm field from the inbound X-MOM-Webhook-Signature request header and pass it directly to PHP's hash_hmac(), enabling an adversary who can exploit cryptographic weaknesses in weaker HMAC primitives (e.g., HMAC-MD4 existential forgery) to inject fraudulent webhook payloads. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Canonical Jwt Attack PHP Information Disclosure
NVD GitHub
CVSS 4.0
6.3
EPSS
0.2%
CVE-2016-20068 HIGH POC This Week

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2019-25746 HIGH POC This Week

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post'. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Sliced Invoices
NVD Exploit-DB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2018-25437 HIGH POC Monitor

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Information Disclosure WordPress PHP Cherry Framework Themes
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2018-25436 CRITICAL POC Act Now

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress PHP Baggage Freight Shipping Australia
NVD Exploit-DB
CVSS 4.0
9.3
EPSS
0.7%
CVE-2016-20084 MEDIUM POC This Month

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS Privilege Escalation Booking Calendar Contact
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2016-20083 MEDIUM POC This Month

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF WordPress More Fields
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2016-20082 MEDIUM POC This Month

WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress LFI Abtest
NVD Exploit-DB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2016-20081 HIGH POC Monitor

WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal Hb Audio Gallery Lite
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2016-20080 MEDIUM POC Monitor

WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal LFI Brandfolder
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2016-20079 MEDIUM POC This Month

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal LFI Dharma Booking
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.8%
CVE-2016-20078 MEDIUM POC Monitor

WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal LFI Imdb Profile Widget
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.7%
CVE-2016-20077 MEDIUM POC This Month

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress LFI Photocart Link
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2016-20076 HIGH POC This Week

WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal Simple Backup
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
0.6%
CVE-2016-20075 HIGH POC This Week

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Authentication Bypass RCE WordPress +1
NVD Exploit-DB VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2016-20074 MEDIUM POC This Month

WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF WordPress Lazy Content Slider Plugin
NVD Exploit-DB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2016-20073 HIGH POC Monitor

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi Answer My Question
NVD Exploit-DB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2016-20070 MEDIUM POC This Month

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS Privilege Escalation Booking Calendar Contact Form
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-5482 CRITICAL Act Now

Unrestricted file upload in Responsive FileManager 9.14.0 (and likely earlier) allows remote unauthenticated attackers to upload arbitrary files - including PHP scripts - via the dialog.php endpoint, leading directly to remote code execution on the hosting web server. The project is unmaintained at the time of CVE assignment, so no vendor patch is forthcoming, and while no public exploit is identified at time of analysis the trivial nature of unrestricted file upload makes weaponization straightforward.

File Upload PHP RCE Responsive Filemanager
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-12207 LOW POC Monitor

Patient record exposure in medkey EHR (up to commit fc09b7ba9441ff590b72d428d5380834216b09ed) allows authenticated remote users to retrieve arbitrary patient records by manipulating the `id` parameter of the `actionGetPatientById` REST API endpoint - a textbook Insecure Direct Object Reference (BOLA/IDOR) flaw classified under CWE-99. A publicly available proof-of-concept exploit is hosted on GitHub (onyxglitch/Medkey-EHR-IDOR-PoC), materially lowering the exploitation barrier. The vendor did not respond to coordinated disclosure, leaving no confirmed patch and no official advisory for this rolling-release EHR system.

PHP Information Disclosure Medkey
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12204 MEDIUM POC This Month

Unauthenticated remote access to ShopXO's Scheduled Task (Crontab) API endpoint in versions up to 6.7.1 allows any network attacker to invoke order-state mutation functions - including OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral - without any credentials or authorization. This authorization bypass (CWE-639) directly threatens e-commerce integrity: attackers can fraudulently mark unpaid orders as successful, prematurely close active orders, or artificially award loyalty points. A public proof-of-concept exploit is available on GitHub, no vendor patch has been released, and the vendor did not respond to responsible disclosure - making this an immediately actionable risk for any internet-exposed ShopXO deployment.

Authentication Bypass PHP Shopxo
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-36670 HIGH This Week

Authenticated SQL injection in OpenSIPS Control Panel (opensips-cp) versions prior to 9.3.3 allows attackers with valid panel credentials to execute arbitrary SQL via the 'table' GET parameter in alias_management.php using time-based blind techniques. The flaw resides in the alias_management module and yields full database confidentiality, integrity, and availability impact per CVSS 8.8. No public exploit identified at time of analysis, and EPSS is low (0.28%, 19th percentile), but a third-party advisory documents the issue on GitHub.

PHP SQLi N A
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-50869 CRITICAL Act Now

Path traversal in Bludit 3.19.0's api/plugin.php endpoint allows remote attackers to escape the intended directory and access arbitrary files on the server via crafted requests. The CVSS 9.8 rating reflects unauthenticated network-based exploitation with high impact across confidentiality, integrity, and availability, and publicly available exploit code exists in a public gist, though EPSS remains low at 0.25%.

Path Traversal PHP N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-38329 CRITICAL Act Now

{key} endpoint in bl-plugins/api/plugin.php. Publicly available exploit code exists as a gist, though EPSS rates exploitation probability at only 0.21% (11th percentile).

Authentication Bypass PHP RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-12176 LOW Monitor

Cross-site scripting in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `action` parameter in `/index.php`. Publicly available exploit code exists (CVSS 4.0 E:P), and the attack requires no authentication, only that a victim interact with a crafted URL or request. No vendor-released patch has been identified at time of analysis.

PHP XSS Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-12175 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 enables authenticated administrators to manipulate the `admissionNumber` parameter in `/attendance-php/Admin/createStudents.php`, allowing arbitrary SQL commands to be passed to the underlying database. Exploitation is constrained to actors who already hold high-privilege admin credentials (PR:H per the CVSS 4.0 vector), but impact spans database confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub; the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Student Attendance Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the ThemeFusion Avada WordPress theme versions 3.15.3 and earlier allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or service disruption on the underlying WordPress installation. No public exploit identified at time of analysis, but the low attack complexity and widespread deployment of Avada as a commercial WordPress theme make this a meaningful risk for multi-author sites.

PHP Deserialization Avada
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Truemag WordPress theme by Cactus Themes (versions up to and including 4.3.14.2) allows remote attackers to coerce the server into including arbitrary local PHP files without credentials. With CVSS 8.1 and full CIA impact (CWE-98), successful exploitation can lead to disclosure of sensitive files, configuration data, and potential code execution by including attacker-controlled or log-poisoned content, though no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Roneous WordPress theme (versions up to and including 2.1.5) allows remote attackers to coerce the application into including arbitrary files on the server, potentially exposing sensitive data such as wp-config.php credentials or, when combined with file upload primitives, achieving remote code execution. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. The vulnerability is tracked by Patchstack and ENISA EUVD (EUVD-2025-210183).

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the ThemeREX ITactics WordPress theme versions 1.0 and earlier allows remote unauthenticated attackers to include arbitrary files from the underlying server, leading to disclosure of sensitive configuration data and potentially PHP code execution if attacker-controlled content can be staged on the host. Tracked by Patchstack and indexed in ENISA EUVD as EUVD-2025-210182, the issue carries a CVSS 8.1 (High) score with no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Spike WordPress theme (versions ≤1.2) by ThemeREX allows remote unauthenticated attackers to coerce the PHP backend into including arbitrary local files via crafted filename parameters. Successful exploitation can disclose sensitive server-side files, configuration data, and credentials, and on misconfigured PHP installations may lead to code execution. No public exploit identified at time of analysis, but the issue is reported and tracked by Patchstack (WordPress vulnerability intelligence).

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Eros WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary files and potentially achieve PHP code execution via include/require paths reachable without authentication. No public exploit identified at time of analysis, but the flaw is reported by Patchstack and tracked as EUVD-2025-210180. WordPress themes with LFI sinks are a recurring target because they expose include() statements through AJAX or template loader endpoints.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Choreo WordPress theme (versions through 1.6) allows unauthenticated remote attackers to include and read arbitrary local files from the server, with potential for further escalation to code execution depending on writable file content. The flaw was disclosed by Patchstack and is tracked as EUVD-2025-210179; no public exploit identified at time of analysis, and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the WineShop WordPress theme versions 3.17 and earlier allows remote attackers to include and execute arbitrary local files on the server via crafted requests. The flaw stems from improper control of filename for include/require (CWE-98) and carries a CVSS 8.1 (High) with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Grecko WordPress theme versions 5.17 and earlier allows remote attackers to coerce the application into including arbitrary files from the server filesystem, potentially leading to sensitive file disclosure and PHP code execution where attacker-controlled content can be reached. The flaw is reachable without authentication over HTTP and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 with high attack complexity, indicating exploitation is feasible but not trivially automatable.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Gita WordPress theme versions 1.11 and earlier allows remote attackers to include arbitrary local files via a PHP file-inclusion weakness (CWE-98), potentially exposing wp-config.php credentials and enabling further compromise. No public exploit identified at time of analysis, but the vulnerability is network-reachable without authentication and has been disclosed by Patchstack with a CVSS 3.1 base score of 8.1.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Printo WordPress theme (versions ≤ 1.11 by ThemeRex) allows remote attackers to include arbitrary local files via a PHP file-inclusion sink (CWE-98), enabling disclosure of sensitive server-side files and potential remote code execution if attacker-controlled content can be reached on disk. No public exploit identified at time of analysis, though Patchstack has cataloged the issue and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Medeus WordPress theme versions 1.14 and earlier allows remote attackers to coerce the PHP backend into including arbitrary files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be referenced. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require), affects a ThemeREX product tracked by Patchstack as a WordPress theme issue, and no public exploit identified at time of analysis. Despite the CVSS 8.1 high rating, AC:H signals non-trivial exploitation requirements beyond a simple parameter swap.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Top Dog WordPress theme (versions <=1.0.5) allows remote attackers to coerce the application into including arbitrary local PHP files, potentially leading to sensitive data disclosure or code execution if a writable/loggable file can be referenced. The flaw is reachable without authentication or user interaction over the network, though CVSS marks attack complexity as high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Putter WordPress theme versions 1.17 and earlier allows remote attackers to read arbitrary files from the underlying web server and, in PHP environments where include wrappers are abused, potentially achieve code execution. The flaw is reachable without authentication or user interaction, though CVSS reports high attack complexity. No public exploit identified at time of analysis, but Patchstack has published the advisory.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX 'Dom' WordPress theme through version 1.24 allows remote attackers to coerce the PHP application into including arbitrary local files, leading to sensitive information disclosure and potential code execution. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability if a vulnerable include path is reached. The flaw is tracked by Patchstack and ENISA (EUVD-2025-210210) and affects all Dom theme versions up to and including 1.24.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion affects the ThemeREX Mission WordPress theme in all versions up to and including 1.22, enabling remote attackers to coerce the PHP application into including arbitrary local files. Exploitation can lead to sensitive file disclosure, source-code exposure, and - depending on what files are accessible on the server - remote code execution via log poisoning or PHP wrapper abuse. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Abelle WordPress theme versions 1.22 and earlier allows remote attackers to coerce the PHP runtime into including attacker-controlled file paths, leading to disclosure of sensitive server files and potential remote code execution if log poisoning or uploaded files can be reached. The flaw is reachable without credentials, but CVSS notes high attack complexity, and no public exploit identified at time of analysis. No EPSS or KEV signal is provided in the source data.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Kelly Young WordPress theme (versions ≤1.1.0) allows remote attackers to read arbitrary local files and potentially achieve code execution by including attacker-controlled file paths via a vulnerable PHP include sink. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. Risk is elevated by the high CVSS impact triad (C:H/I:H/A:H), though AC:H indicates non-trivial exploitation prerequisites.

PHP Information Disclosure LFI +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the Wanium WordPress theme (versions up to and including 1.9.8) allows remote unauthenticated attackers to coerce the application into including arbitrary local PHP files, leading to source disclosure and potential remote code execution on the server. The flaw was disclosed via Patchstack and tracked as EUVD-2025-210204; no public exploit identified at time of analysis, and the CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable exploitation that nevertheless requires some non-trivial conditions to succeed.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Food Drop WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary server files or potentially achieve PHP code execution by abusing an improperly controlled include/require path (CWE-98). The flaw was disclosed by Patchstack and tracked as EUVD-2025-210202; no public exploit code or active exploitation has been identified at time of analysis, but the network-reachable, no-auth attack surface makes it a meaningful risk for any site running this theme.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the ThemeRex Especio WordPress theme (versions ≤ 1.0) allows remote attackers to coerce the PHP application into including arbitrary files from the underlying server. Because the include path is attacker-controlled and no authentication is required, the flaw can lead to disclosure of sensitive files (wp-config.php, system files) and, depending on local file primitives available on the server, escalation to code execution. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

PHP Information Disclosure LFI +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the ThemeREX SeaFood Company WordPress theme (versions ≤1.4) enables remote attackers to deliver crafted serialized payloads that trigger insecure deserialization within PHP, potentially leading to remote code execution, file manipulation, or full site compromise depending on available gadget chains in the host WordPress stack. Reported by Patchstack and tracked as EUVD-2025-210200, with no public exploit identified at time of analysis.

PHP Deserialization Seafood Company
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Deliciosa WordPress theme (versions up to and including 1.10.0) allows remote attackers to coerce the PHP application into including arbitrary local files, potentially leading to sensitive file disclosure and code execution. The flaw is reachable without authentication but carries high attack complexity per the CVSS vector, and no public exploit identified at time of analysis. Patchstack disclosed the issue and tracks it as EUVD-2025-210199.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Corbesier WordPress theme (versions ≤ 1.15.0) allows remote attackers to read arbitrary server files or potentially execute code by abusing improper validation of file paths passed to PHP include/require functions. The flaw is reachable without credentials and carries a CVSS 3.1 score of 8.1; no public exploit identified at time of analysis, and it is not listed in CISA KEV. The combination of network reachability and unauthenticated access makes any vulnerable WordPress site running this theme an immediate concern despite the high attack complexity rating.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the CopyPress WordPress theme (ThemeREX) through version 1.4.5 lets remote attackers coerce the PHP include/require chain into loading arbitrary server-side files without credentials. Patchstack catalogued the flaw as CWE-98 with CVSS 8.1, and no public exploit identified at time of analysis. Successful exploitation can expose sensitive files such as wp-config.php and, depending on the include sink, escalate to PHP code execution.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Iona WordPress theme versions 1.0.8 and earlier allows remote attackers to coerce the PHP application into including arbitrary local files, enabling source code disclosure and potentially full remote code execution. Reported by Patchstack and tracked as EUVD-2025-210196, the flaw is rated CVSS 8.1 (High) despite high attack complexity, with no public exploit identified at time of analysis.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX MaxiNet WordPress theme through version 1.2.10 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be reached. The flaw was disclosed via Patchstack and tracked as EUVD-2025-210195; no public exploit identified at time of analysis, and no CISA KEV listing exists.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeREX Nexio WordPress theme (versions ≤ 1.10.0) allows remote attackers to coerce the PHP application into including arbitrary local files, enabling disclosure of sensitive server content and potentially remote code execution if attacker-controlled content can be staged on the host. The CWE-98 classification and PHP tag indicate a classic dynamic include/require sink reachable without authentication. At time of analysis there is no public exploit identified and no CISA KEV listing, but the unauthenticated network vector and high CVSS (8.1) warrant prompt action on any WordPress site running this theme.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the Planty WordPress theme versions 1.14.0 and earlier allows remote attackers to coerce the PHP application into including arbitrary files from the server filesystem, leading to disclosure of sensitive configuration data and potential code execution. The flaw is reachable without credentials over the network but rated AC:H, indicating exploitation requires meeting specific conditions; no public exploit identified at time of analysis and the issue is tracked by Patchstack and ENISA EUVD-2025-210193.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in the ThemeREX Raider Spirit WordPress theme versions 1.1.2 and earlier allows unauthenticated remote attackers to include and disclose arbitrary local files via attacker-controlled file paths reaching a PHP include/require sink. The flaw maps to CWE-98 (Improper Control of Filename for Include/Require) and was disclosed through Patchstack with no public exploit identified at time of analysis, though the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact if the inclusion can be steered to executable PHP content.

PHP Information Disclosure LFI +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers to inject arbitrary serialized PHP objects, potentially triggering property-oriented programming (POP) chains that lead to remote code execution, arbitrary file operations, or full site compromise. The flaw was disclosed by Patchstack and carries a CVSS 9.8 due to network reachability with no authentication or user interaction, though no public exploit has been identified at time of analysis.

PHP Deserialization Hot Coffee
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated remote local file inclusion in the Rosaleen WordPress theme versions 2.8 and earlier allows attackers to coerce the PHP application into including arbitrary files via a CWE-98 remote file inclusion/path traversal flaw. The issue was reported by Patchstack and affects the ThemeREX-developed Rosaleen theme; no public exploit identified at time of analysis, though the unauthenticated network vector makes opportunistic targeting plausible.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the ThemeREX Modernee WordPress theme (versions through 1.6.0) allows remote attackers to coerce the server into including arbitrary local PHP files, enabling information disclosure and potential code execution via log poisoning or session file abuse. Reported by Patchstack and tracked as EUVD-2025-210189, no public exploit identified at time of analysis and the vulnerability is not in CISA KEV. The CVSS 8.1 score reflects high impact across confidentiality, integrity, and availability but with high attack complexity.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated Local File Inclusion in the Learnify WordPress theme (versions up to and including 1.15.0) allows remote attackers to read arbitrary files from the underlying server without credentials. Patchstack catalogued the issue as a PHP file inclusion flaw (CWE-98) and no public exploit was identified at time of analysis, though the WordPress theme ecosystem makes targeted scanning likely. The CVSS 3.1 score of 8.1 reflects high impact across confidentiality, integrity, and availability, tempered by high attack complexity.

PHP Information Disclosure LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated local file inclusion in the ThemeRex Geya WordPress theme (versions up to and including 1.15) allows remote attackers to read or include arbitrary files on the server, leading to information disclosure and potential code execution via PHP file inclusion. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, though the high CVSS (8.1) reflects severe confidentiality, integrity and availability impact if the vulnerable path is reached.

PHP Information Disclosure LFI +1
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

PHP Object Injection in the ThemeFusion Fusion Builder WordPress plugin (versions ≤ 3.15.4) allows authenticated users with Contributor-level access to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can lead to property-oriented programming (POP) chain execution depending on classes loaded in the WordPress runtime, with potential outcomes ranging from arbitrary file operations to remote code execution. No public exploit identified at time of analysis and the issue is not on CISA KEV, but the Contributor prerequisite is low in many multi-author WordPress deployments.

PHP Deserialization Fusion Builder
NVD VulDB
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.

File Upload PHP WordPress +2
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Reflected XSS in Slim PHP framework (versions 4.4.0 through 4.15.1) allows attackers to inject arbitrary HTML and JavaScript into HTML error pages when application code passes request-derived data into HttpException::setTitle() or setDescription(). The payload executes in a victim's browser upon rendering the crafted error page, and critically this occurs even when displayErrorDetails is set to false, since the unescaped values are rendered on a separate code path. No public exploit code or CISA KEV listing has been identified; exploitation is scoped to applications that explicitly feed untrusted input into these specific exception setter methods.

PHP XSS Slim
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Parameter smuggling in python-multipart below 0.0.30 allows unauthenticated network attackers to present a different field name or filename to an upstream WAF, proxy, or gateway than the value actually delivered to the backend application. The root cause is that parse_options_header delegates to Python's email.message.Message, which silently applies RFC 2231/5987 extended parameter decoding - a behavior explicitly forbidden for multipart/form-data by RFC 7578 §4.2 - causing the extended value to override the plain parameter and bypass inspection logic. Concrete downstream consequences include circumventing filename-based upload controls and, where applications construct filesystem paths from the parsed filename without sanitization, achieving path traversal via decoded percent sequences such as ..%2F or injecting null bytes (%00) to confuse validators. No public exploit has been identified and the vulnerability is not in CISA KEV; CVSS 3.7 with AC:H reflects that exploitation requires a specific upstream inspector in the deployment topology.

Python Path Traversal PHP +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the OttoKit WordPress plugin (formerly SureTriggers) versions 1.1.27 and earlier allows remote attackers to deserialize attacker-controlled PHP objects against any site running the plugin. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and a CWE-502 deserialization root cause, successful exploitation can lead to full code execution, data theft, or site takeover when a suitable POP gadget chain is present in WordPress core or another installed plugin. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Ottokit
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the WP Travel Engine WordPress plugin versions 6.7.12 and earlier enables remote attackers to deserialize attacker-controlled data without authentication, leading to full compromise (CVSS 9.8). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any WordPress site running a vulnerable installation. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin ecosystem make this a high-priority patching target for travel-booking sites.

PHP Deserialization Wp Travel Engine
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the wpForo Forum WordPress plugin versions 3.1.0 and earlier allows remote attackers to deliver untrusted serialized payloads that are deserialized by the plugin, leading to potential remote code execution, data tampering, and full site compromise depending on available POP gadget chains. The flaw is reachable without authentication over the network and carries a vendor CVSS of 9.8; no public exploit identified at time of analysis and the issue is not currently on the CISA KEV list.

PHP Deserialization Wpforo Forum
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to deliver attacker-controlled serialized objects that get deserialized by the plugin, potentially leading to remote code execution, file manipulation, or data compromise on the underlying WordPress site. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any site running the plugin. Reported by Patchstack with a corresponding advisory in their WordPress vulnerability database.

PHP Deserialization Happyforms
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions <= 1.1.8) allows remote attackers to deserialize attacker-controlled data, potentially leading to remote code execution when a suitable POP (property-oriented programming) gadget chain exists in the WordPress environment. The flaw is reachable without authentication and carries a CVSS 9.8 rating, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. The plugin is distributed by CRM Perks and was disclosed via Patchstack.

PHP Deserialization Integration For Mailchimp And Contact Form 7 Wpforms Elementor Ninja Forms +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the Integration for Contact Form 7 HubSpot WordPress plugin (versions <= 1.3.7) allows remote attackers to inject malicious serialized PHP objects, which can lead to full site compromise when a suitable POP gadget chain exists in WordPress core or co-installed plugins. The flaw is reachable without authentication or user interaction (CVSS 9.8) and was reported by Patchstack. No public exploit identified at time of analysis.

PHP Deserialization Integration For Contact Form 7 Hubspot
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions <= 1.4.3) allows remote attackers to pass attacker-controlled serialized data into PHP's unserialize() function. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover when a suitable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Integration For Salesforce And Contact Form 7 Wpforms Elementor Formidable Ninja Forms +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin Integration for Contact Form 7 and Constant Contact (versions <= 1.1.6) allows remote attackers to inject crafted serialized PHP objects that get deserialized server-side. When a suitable POP (property-oriented programming) gadget chain is present in WordPress core, another active plugin, or a theme, this can escalate to arbitrary file read/write, deletion, or remote code execution on the host. No public exploit identified at time of analysis, but the CVSS 9.8 rating reflects the unauthenticated network-reachable attack surface.

PHP Deserialization Integration For Contact Form 7 And Constant Contact
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the CRM Perks 'WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' WordPress plugin (versions 1.1.4 and earlier) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, data theft, or site takeover when a suitable POP gadget chain is present. The flaw is reported by Patchstack and carries a 9.8 CVSS score with network-reachable, no-privilege, no-interaction characteristics. No public exploit identified at time of analysis.

PHP Deserialization Wp Zendesk For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms' (versions 1.2.1 and earlier) allows remote attackers to inject crafted serialized objects that can be deserialized by the plugin, potentially leading to full site compromise. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high priority for any WordPress site running the affected plugin. EPSS and CISA KEV data were not provided in the input, so real-world exploitation prevalence is undetermined.

PHP Deserialization Integration For Keap Infusionsoft And Contact Form 7 Wpforms Elementor Formidable Ninja Forms +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP object injection in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms WordPress plugin (versions <= 1.1.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes without validation. Successful exploitation can lead to remote code execution, data tampering, or full site compromise when a suitable POP (property-oriented programming) gadget chain is available in WordPress core, the active theme, or any installed plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Wp Insightly For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Unauthenticated PHP Object Injection in the EventPrime event calendar plugin for WordPress (versions <= 4.3.2.1) allows remote attackers to inject crafted serialized PHP objects that may trigger arbitrary deserialization-driven gadget chains, leading to potential remote code execution, file manipulation, or data tampering. The flaw is reachable without authentication but carries CVSS:3.1 AC:H, indicating non-trivial preconditions for successful exploitation. No public exploit identified at time of analysis, but Patchstack disclosure typically precedes broader exploit development against the WordPress plugin ecosystem.

PHP Deserialization Eventprime
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the Events Calendar for GeoDirectory WordPress plugin (versions <= 2.3.25) allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or denial of service on the host WordPress site. The flaw is tracked as CWE-502 and was disclosed via Patchstack with a CVSS 3.1 score of 8.8, but no public exploit identified at time of analysis. Patchstack reports the issue and no vendor-released patch identified at time of analysis based on the supplied data.

PHP Deserialization Events Calendar For Geodirectory
NVD
EPSS 0% CVSS 7.2
HIGH This Week

PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin versions 1.6.19 and below allows authenticated users with Shop Manager privileges to deserialize attacker-controlled data, potentially leading to remote code execution or full site compromise depending on available PHP gadget chains. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36946; no public exploit identified at time of analysis and the issue is not in CISA KEV.

PHP Deserialization WordPress +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

PHP Object Injection in the YayMail WordPress plugin (versions ≤ 4.3.3) allows authenticated users with Shop Manager privileges to inject crafted serialized PHP objects and trigger deserialization on the server. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability of the WordPress site, though no public exploit identified at time of analysis. The flaw is reported by Patchstack and tracked as EUVD-2026-36945.

PHP Deserialization Yaymail
NVD
EPSS 0% CVSS 7.2
HIGH This Week

PHP Object Injection in the Modula Image Gallery WordPress plugin (versions ≤ 2.14.18) allows authenticated authors to trigger unsafe deserialization of attacker-controlled input, potentially leading to remote code execution, data tampering, or denial of service depending on available POP gadget chains in the WordPress environment. The flaw was disclosed by Patchstack and tracked as ENISA EUVD-2026-36940; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Modula Image Gallery
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated PHP object injection in the WordPress 'Anti-Malware Security and Brute-Force Firewall' (GOTMLS) plugin through version 4.23.87 allows contributor-level users to inject crafted serialized PHP objects that are deserialized by the plugin. Successful exploitation can pivot through existing PHP gadget chains in WordPress or other installed plugins to achieve high-impact compromise of the site. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

PHP Deserialization Anti Malware Security And Brute Force Firewall
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP Object Injection in the Post Duplicator WordPress plugin versions <= 3.0.10 allows authenticated users with Contributor-level privileges to trigger insecure deserialization, potentially leading to remote code execution, data tampering, or full site compromise. The flaw is rated CVSS 8.8 (High) and was disclosed by Patchstack. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Post Duplicator
NVD
EPSS 0% CVSS 7.2
HIGH PATCH This Week

PHP Object Injection in the WooCommerce PDF Invoices & Packing Slips WordPress plugin before version 5.9.0 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 7.2 score reflects high privilege requirements offset by network reach and severe impact.

PHP Deserialization WordPress +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Authenticated PHP Object Injection in the ShortPixel Image Optimizer WordPress plugin (versions 6.4.3 and earlier) allows attackers with Author-level privileges to trigger unsafe deserialization of attacker-controlled data, enabling code execution or other impacts when a suitable PHP gadget chain is present. Reported by Patchstack with no public exploit identified at time of analysis, the flaw is tracked as CWE-502 and carries a CVSS 3.1 score of 7.2 due to the high-privilege prerequisite but full CIA impact.

PHP Deserialization Shortpixel Image Optimizer
NVD
EPSS 0% CVSS 7.2
HIGH This Week

PHP Object Injection in the CTX Feed (WebAppick Product Feed for WooCommerce) WordPress plugin versions up to and including 6.6.26 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, leading to full compromise of confidentiality, integrity, and availability on the host site. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36924; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Deserialization Ctx Feed
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, data theft, or full site takeover when suitable gadget chains are present in the WordPress stack. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

PHP Deserialization Broadcast Live Video
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions 1.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, enabling abuse of POP gadget chains for code execution, file operations, or data tampering. The flaw scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and impacts any WordPress site running the affected CRM Perks integration plugin. There is no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress as a target make this a high-priority patching item.

PHP Deserialization Integration For Activecampaign And Contact Form 7 Wpforms Elementor Ninja Forms +1
NVD
EPSS 1% CVSS 8.6
HIGH POC This Week

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a path traversal flaw in the plugin import routine with file upload functionality to run arbitrary PHP as the web server user. Publicly available exploit code exists (published by Karma Insecurity / VulnCheck) demonstrating a race-condition-assisted bypass of sanitization, but the issue is not listed in CISA KEV and no public EPSS signal was provided. The high PR:H requirement limits attackers to those already holding administrator credentials or able to obtain them.

File Upload RCE LFI +3
NVD
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to access database backup and restore functionality exposed by dbbak.php. The flaw stems from a shared cryptographic key (CWE-323) between UCenter integration and the backup API, which lets an attacker abuse an encryption oracle in logging_ctl::logging_more() to mint legitimately signed authorization tokens, and chain a race condition to impersonate arbitrary users. Publicly available exploit code exists and an upstream fix has been published on Gitee.

PHP Authentication Bypass Oracle +1
NVD Exploit-DB VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Algorithm-confusion in Symfony's Mailomat webhook parser allows an attacker to downgrade the HMAC primitive used for signature verification, bypassing webhook authentication. Symfony packages symfony/mailomat-mailer and symfony/symfony versions 7.2.0 through 7.4.12 and 8.0.0 through 8.0.12 accept an attacker-controlled algorithm field from the inbound X-MOM-Webhook-Signature request header and pass it directly to PHP's hash_hmac(), enabling an adversary who can exploit cryptographic weaknesses in weaker HMAC primitives (e.g., HMAC-MD4 existential forgery) to inject fraudulent webhook payloads. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Canonical Jwt Attack PHP +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi +1
NVD Exploit-DB
EPSS 0% CVSS 7.1
HIGH POC This Week

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post'. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi +1
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC Monitor

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Information Disclosure WordPress +2
NVD Exploit-DB
EPSS 1% CVSS 9.3
CRITICAL POC Act Now

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload RCE WordPress +2
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS +2
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress +2
NVD Exploit-DB GitHub
EPSS 1% CVSS 8.7
HIGH POC Monitor

WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal +1
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC Monitor

WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal +2
NVD Exploit-DB
EPSS 1% CVSS 6.9
MEDIUM POC This Month

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal +2
NVD Exploit-DB
EPSS 1% CVSS 6.9
MEDIUM POC Monitor

WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal +2
NVD Exploit-DB
EPSS 0% CVSS 6.9
MEDIUM POC This Month

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP RCE WordPress +2
NVD Exploit-DB
EPSS 1% CVSS 8.7
HIGH POC This Week

WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress Path Traversal +1
NVD Exploit-DB
EPSS 0% CVSS 8.7
HIGH POC This Week

WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Authentication Bypass +3
NVD Exploit-DB VulDB
EPSS 0% CVSS 5.3
MEDIUM POC This Month

WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF WordPress +1
NVD Exploit-DB
EPSS 0% CVSS 8.8
HIGH POC Monitor

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress SQLi +1
NVD Exploit-DB
EPSS 0% CVSS 5.1
MEDIUM POC This Month

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP WordPress XSS +2
NVD Exploit-DB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unrestricted file upload in Responsive FileManager 9.14.0 (and likely earlier) allows remote unauthenticated attackers to upload arbitrary files - including PHP scripts - via the dialog.php endpoint, leading directly to remote code execution on the hosting web server. The project is unmaintained at the time of CVE assignment, so no vendor patch is forthcoming, and while no public exploit is identified at time of analysis the trivial nature of unrestricted file upload makes weaponization straightforward.

File Upload PHP RCE +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW POC Monitor

Patient record exposure in medkey EHR (up to commit fc09b7ba9441ff590b72d428d5380834216b09ed) allows authenticated remote users to retrieve arbitrary patient records by manipulating the `id` parameter of the `actionGetPatientById` REST API endpoint - a textbook Insecure Direct Object Reference (BOLA/IDOR) flaw classified under CWE-99. A publicly available proof-of-concept exploit is hosted on GitHub (onyxglitch/Medkey-EHR-IDOR-PoC), materially lowering the exploitation barrier. The vendor did not respond to coordinated disclosure, leaving no confirmed patch and no official advisory for this rolling-release EHR system.

PHP Information Disclosure Medkey
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Unauthenticated remote access to ShopXO's Scheduled Task (Crontab) API endpoint in versions up to 6.7.1 allows any network attacker to invoke order-state mutation functions - including OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral - without any credentials or authorization. This authorization bypass (CWE-639) directly threatens e-commerce integrity: attackers can fraudulently mark unpaid orders as successful, prematurely close active orders, or artificially award loyalty points. A public proof-of-concept exploit is available on GitHub, no vendor patch has been released, and the vendor did not respond to responsible disclosure - making this an immediately actionable risk for any internet-exposed ShopXO deployment.

Authentication Bypass PHP Shopxo
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated SQL injection in OpenSIPS Control Panel (opensips-cp) versions prior to 9.3.3 allows attackers with valid panel credentials to execute arbitrary SQL via the 'table' GET parameter in alias_management.php using time-based blind techniques. The flaw resides in the alias_management module and yields full database confidentiality, integrity, and availability impact per CVSS 8.8. No public exploit identified at time of analysis, and EPSS is low (0.28%, 19th percentile), but a third-party advisory documents the issue on GitHub.

PHP SQLi N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Path traversal in Bludit 3.19.0's api/plugin.php endpoint allows remote attackers to escape the intended directory and access arbitrary files on the server via crafted requests. The CVSS 9.8 rating reflects unauthenticated network-based exploitation with high impact across confidentiality, integrity, and availability, and publicly available exploit code exists in a public gist, though EPSS remains low at 0.25%.

Path Traversal PHP N A
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

{key} endpoint in bl-plugins/api/plugin.php. Publicly available exploit code exists as a gist, though EPSS rates exploitation probability at only 0.21% (11th percentile).

Authentication Bypass PHP RCE +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW Monitor

Cross-site scripting in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `action` parameter in `/index.php`. Publicly available exploit code exists (CVSS 4.0 E:P), and the attack requires no authentication, only that a victim interact with a crafted URL or request. No vendor-released patch has been identified at time of analysis.

PHP XSS Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
EPSS 0% CVSS 2.0
LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 enables authenticated administrators to manipulate the `admissionNumber` parameter in `/attendance-php/Admin/createStudents.php`, allowing arbitrary SQL commands to be passed to the underlying database. Exploitation is constrained to actors who already hold high-privilege admin credentials (PR:H per the CVSS 4.0 vector), but impact spans database confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub; the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Student Attendance Management System
NVD VulDB GitHub
Prev Page 8 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy