Advisories archive Searching 26064 links categorized as php vuln/adviso since 2003-04-07 Search : Search in all sources Disable validation filter
26064 results found, please narrow your search...AppCMS 2.0.101 inc_head.php Cross Site Scriptingprojectworlds online-shopping-webvsite-in-php 1.0 cart_add.php id SQL InjectionHackers Planted Secret Backdoor in Dozens of WordPress Plugins and ThemesphpMyAdmin bis 5.0/5.1.1 Setup Cross Site ScriptingphpMyAdmin bis 4.9.7/5.1.1 Two-factor Authentication schwache AuthentisierungProject Worlds Online Examination System 1.0 account.php eid SQL InjectionSourceodester Courier Management System 1.0 /cms/ajax.php email SQL InjectionSourcecodester Simple Music Clour Community System 1.0 /music/ajax.php email SQL InjectionNavigate CMS 2.9.4 themes.php Cross Site ScriptingTaocms 3.0.2 Article.php path SQL InjectionCacti URL Parameter auth_changepassword.php ref Cross Site ScriptingCacti 1.1.38 allows authenticated users with User Management permissions to inject arbitrary web script or HTML in the "new_username" field during creation of a new user via "Copy" method at user_admin.php.The AnyComment WordPress plugin through 0.2.17 has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is aThe ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputing back in an attribute, leading to a Reflected Cross-Site Scripting issueThe SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowedThe EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-SIte Scripting issuesThe EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX actions, allowing users with a role as low as subscriber to create eventsThe All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints theyThe All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affectedThe Modern Events Calendar Lite WordPress plugin before 6.2.0 alloed any logged-in user, even a subscriber user, may add a category whose parameters are incorrectly escaped in the admin panel, leading to stored XSS.The WP Booking System WordPress plugin before 2.0.15 was affected by a reflected xss in wp-booking-system on the wpbs-calendars admin page.The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 was affected by a reflected XSS in custom-facebook-feed in cff-top admin page.The Landing Page Builder WordPress plugin before 1.4.9.6 was affected by a reflected XSS in page-builder-add on the ulpb_post admin page.WordPress Plugin WP Visitor Statistics 4.7 SQL InjectionProfileGrid Plugin auf WordPress class-profile-magic-admin.php pm_user_avatar/pm_cover_image Cross Site ScriptingUser Registration, Login & Landing Pages Plugin bis 1.2.7 auf WordPress landing-page.php loader_text Cross Site ScriptingRandom Banner Plugin bis 4.1.4 auf WordPress model.php category Cross Site ScriptingCrisp Live Chat Plugin bis 0.31 auf WordPress ~/crisp.php crisp_plugin_settings_page Cross Site Request ForgeryHigh-Severity Vulnerability in 3 WordPress Plugins Affected 84,000 WebsitesLanding Page Builder Plugin vor 1.4.9.6 auf WordPress Admin Page Cross Site ScriptingSmash Balloon Social Post Feed Plugin bis 4.1.0 auf WordPress Admin Page Cross Site ScriptingWP Booking System Plugin vor 2.0.15 auf WordPress Admin Page Cross Site ScriptingModern Events Calendar Lite Plugin bis 6.1.x auf WordPress Admin Panel Cross Site ScriptingEventCalendar Plugin vor 1.1.51 auf WordPress add_calendar_event erweiterte RechteEventCalendar Plugin vor 1.1.51 auf WordPress Attribute Cross Site ScriptingSEUR Oficial Plugin bis 1.6.x auf WordPress Setting Cross Site ScriptingPHP Everywhere Plugin bis 2.0.2 auf WordPress Cross Site Request ForgeryNUUO NVRMini2 bis 3.11 TAR Archive handle_import_user.php schwache AuthentisierungZabbix Configuration setup.php erweiterte RechteWordPress Frontend Uploader 1.3.2 Cross Site ScriptingWordPress Core 5.8.2 - 'WP_Query' SQL InjectionSmarty bis 3.1.41/4.0.1 Template erweiterte RechteSmarty bis 3.1.42/4.0.2 Template erweiterte RechteUseful Simple Open-Source CMS vor Pb2.4Bfx3 admin/pages/useredit.php SQL InjectionWordPress Contact Form Entries Cross Site ScriptingLaundry Booking Management System bis 1.0 Parameter profile.php image Privilege EscalationMediaWiki bis 1.35.4/1.36.2/1.37.0 Language Name Search Denial of ServiceMediaWiki bis 1.35.4/1.36.2/1.37.0 Testwiki SecurePoll Information Disclosure10Web Social Photo Feed Plugin vor 1.4.29 auf WordPress Admin Page wdi_apply_changes Cross Site ScriptingWOOCS Plugin vor 1.3.7.3 auf WordPress Parameter custom_prices Cross Site ScriptingWPcalc Plugin bis 2.1 auf WordPress SQL Injection [CVE-2021-25054]Plus Addons for Elementor Pro Plugin vor 5.0.7 auf WordPress WP Search Filters Widget option SQL InjectionSmarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 orWordPress bis 5.8.2 Object erweiterte RechteNavigateCMS 2.9 Parameter navigate_download.php id Directory Traversalemlog bis 1.0.7 Parameter index.php Cross Site ScriptingThe WP Travel Engine WordPress plugin before 5.3.1 does not escape the Description field in the Trip Destination/Activities/Trip Type and Pricing Category pages, allowing users with a role as low as editor to perform Stored Cross-Site Scripting attacks,The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issueThe Mortgage Calculator / Loan Calculator WordPress plugin before 1.5.17 does not escape the some of the attributes of its mlcalc shortcode before outputting them, which could allow users with a role as low as contributor to perform Cross-Site ScriptingAll AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs.The Stars Rating WordPress plugin before 3.5.1 does not validate the submitted rating, allowing submission of long integer, causing a Denial of Service in the comments section, or pending comment dashboard depending if the user sent it as unauthenticatedThe LiteSpeed Cache WordPress plugin before 4.4.4 does not escape the qc_res parameter before outputting it back in the JS code of an admin page, leading to a Reflected Cross-Site ScriptingThe LiteSpeed Cache WordPress plugin before 4.4.4 does not properly verify that requests are coming from QUIC.cloud servers, allowing attackers to make requests to certain endpoints by using a specific X-Forwarded-For header value. In addition, one of theActive PHP BookMarks 1.3 - Sql Injection VulnerabilityWordPress AAWP 3.16 Cross Site ScriptingWordPress CRM Form Entries Cross Site ScriptingBooking Calendar Plugin bis 8.9.1 auf WordPress Admin Page booking_type Cross Site ScriptingPowerPack Addons for Elementor Plugin bis 2.6.1 auf WordPress Admin Dashboard tab Cross Site ScriptingUpdraftPlus Backup Plugin vor 1.16.66 auf WordPress Admin Page backup_timestamp/job_id Cross Site ScriptingChaty Plugin Plugin/Chaty Pro Plugin auf WordPress Admin Dashboard search Cross Site ScriptingSite Reviews Plugin bis 5.17.2 auf WordPress AJAX Action glsr_action site-reviews Cross Site ScriptingLiteSpeed Cache Plugin bis 4.4.3 auf WordPress HTTP Header X-Forwarded-For Cross Site ScriptingLiteSpeed Cache Plugin bis 4.4.3 auf WordPress Admin Page qc_res Cross Site ScriptingLoan Calculator Plugin bis 1.5.16 auf WordPress Shortcode Cross Site ScriptingDolibarr 7.0.2 Parameter admin/limits.php MAIN_MAX_DECIMALS_TOT Cross Site ScriptingA Cross-Site Request Forgery (CSRF) in /member/post.php?job=postnew&step=post of Qibosoft v7 allows attackers to force victim users into arbitrarily publishing new articles via a crafted URL.An issue in /admin/index.php?lfj=mysql&action=del of Qibosoft v7 allows attackers to arbitrarily delete files.A Cross-Site Request Forgery (CSRF) in /admin/index.php?lfj=member&action=editmember of Qibosoft v7 allows attackers to arbitrarily add administrator accounts.Qibosoft v7 contains a stored cross-site scripting (XSS) vulnerability in the component /admin/index.php?lfj=friendlink&action=add.An arbitrary file download vulnerability in jeecg v3.8 allows attackers to access sensitive files via modification of the "localPath" variable.A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user's session cookie.An issue in the user login box of LJCMS v1.11 allows attackers to hijack user accounts via brute force attacks.S-CMS Government Station Building System v5.0 contains a cross-site scripting (XSS) vulnerability in /function/booksave.php.MediaWiki bis 1.37 EntitySchema Item erweiterte RechteMediaWiki bis 1.37 Parameter Special:ImportFile clientUrl Cross Site ScriptingMediaWiki bis 1.37 Description Cross Site ScriptingMediaWiki bis 1.37 Wikibase Cross Site ScriptingphpKF CMS 3.00 Beta y6 Remote Code ExecutionOpmantek Open-AudIT 3.5.x util.php schwache AuthentisierungCookies legislation & GDPR Plugin bis 1.6 auf WordPress tarteaucitron.js Cross Site ScriptingBlog2Social Plugin bis 6.8.6 auf WordPress Admin Page b2sShowByDate Cross Site ScriptingLogo Carousel Plugin bis 3.4.1 auf WordPress Logo Margin Cross Site ScriptingSportsPress Plugin bis 2.7.8 auf WordPress Events Backend Page match_day Cross Site ScriptingWCFM Marketplace Plugin bis 3.4.11 auf WordPress AJAX Action wcfm_ajax_controller SQL InjectionWP Visitor Statistics Plugin bis 4.7 auf WordPress AJAX Action refDetails refUrl SQL InjectionLogo Carousel Plugin bis 3.4.1 auf WordPress Carousel Duplication erweiterte RechteNi WooCommerce Custom Order Status Plugin bis 1.9.6 auf WordPress get_query sort SQL InjectionVideo Sharing Website 1.0 Parameter ajax.php load_file email SQL InjectionSimple Cold Storage Management System 1.0 view_storage.php load_file id SQL InjectionSimple Forum-Discussion System 1.0 manage_topic.php SQL Injection
