* phpSecure.info - Welcome .. script, faille, hack, news, developpement, securité, open source php security related articles and vulnerabilities, vulnérabilités, by tobozo , frogman and calimero

Home

Home

Grey Skin Blue Skin Green Skin Red Skin

Home Articles Random Stuff PHP Advisories PHP Advisories

Backends RSS Team

PHPSecure II

When release the trilogy ?
Perfect remake
Boring ..
It isn't a good job

Last holes

The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with

2022-11-30

(38hits)

vBulletin 5.5.2 PHP Object Injection

2022-11-29

(30hits)

The Salat Times WordPress plugin before 3.2.2 does not sanitize and escapes its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

2022-11-29

(53hits)

The Download Plugin WordPress plugin before 2.0.0 does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of

2022-11-28

(43hits)

The Find and Replace All WordPress plugin before 1.3 does not sanitize and escape some parameters from its setting page before outputting them back to the user, leading to a Reflected Cross-Site Scripting issue.

2022-11-28

(48hits)

CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email.

2022-11-24

(83hits)

An issue was discovered in JIZHI CMS 1.9.4. There is a CSRF vulnerability that can add an admin account via index, /admin.php/Admin/adminadd.html

2022-11-23

(71hits)

SQL Injection vulnerability in function get_user in login_manager.php in rizalafani cms-php v1.

2022-11-23

(82hits)

WordPress BeTheme 26.5.1.4 PHP Object Injection

2022-11-22

(76hits)

ChurchInfo 1.2.13-1.3.0 Remote Code Execution

2022-11-22

(83hits)

The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having

2022-11-21

(84hits)

The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a payment was successful or failed, allowing unauthenticated users to change the payment status of arbitrary bookings. Furthermore, due

2022-11-21

(74hits)

The My wpdb WordPress plugin before 2.5 is missing CSRF check when running SQL queries, which could allow attacker to make a logged in admin run arbitrary SQL query via a CSRF attack

2022-11-21

(78hits)

The WP-Polls WordPress plugin before 2.76.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.

2022-11-21

(76hits)

Multiple Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Quiz And Survey Master plugin <= 7.3.4 on WordPress.

2022-11-18

(104hits)

A vulnerability, which was classified as problematic, was found in phpservermon. This affects the function generatePasswordResetToken of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator.

2022-11-16

(80hits)

A vulnerability, which was classified as problematic, was found in phpservermon. Affected is the function setUserLoggedIn of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit

2022-11-16

(93hits)

WordPress BeTheme BeCustom 1.0.5.2 Cross Site Request Forgery

2022-11-15

(81hits)

Remote Code Execution in MODX Revolution V2.8.3-pl

2022-11-15

(91hits)

The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing an attackers to trick logged in users to perform various actions on their behalf on t

2022-11-15

(78hits)

The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in users, such as subscribers to call them.

2022-11-15

(89hits)

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign

2022-11-14

(87hits)

WordPress Blog2Social 6.9.11 Missing Authorization

2022-11-10

(103hits)

Multiple Insecure Direct Object References (IDOR) vulnerabilities in ExpressTech Quiz And Survey Master plugin <= 7.3.6 on WordPress.

2022-11-03

(117hits)

MKCMS V6.2 has SQL injection via /ucenter/reg.php name parameter.

2022-11-03

(107hits)

MKCMS V6.2 has SQL injection via the /ucenter/active.php verify parameter.

2022-11-03

(113hits)

MKCMS V6.2 has SQL injection via the /ucenter/repass.php name parameter.

2022-11-03

(107hits)

The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting

2022-11-03

(98hits)

The Gallery Plugin for WordPress plugin before 1.8.4.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

2022-11-03

(111hits)

PHP Advisories/Bugs/Vulns frequency for this month


1	2	3	4	5	6	7	8	9	10	11	12	13	14	15	16	17	18	19	20	21	22	23	24	25	26	27	28	29	30	31

These PHP advisories are also available as a rss feed and on the dedicated twitter account @phpavdisories

Follow @phpAdvisories

PHP Classes Framework (New)	2022-12-02
PHP Trello Clone using Laravel and Vue.js	2022-12-01
pohodove-erp.sk	2022-11-30
anduintransact.com	2022-11-30
tokyotools.cz	2022-11-30
stormware.sk	2022-11-30
uctovny-program.com	2022-11-30
ucetni-program.com	2022-11-30
fakturacia-zadarmo.sk	2022-11-30
stormware.cz	2022-11-30
fakturace-zdarma.cz	2022-11-30
e-trzby-pohoda.cz	2022-11-30
The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with	2022-11-30
WP Post	2022-11-30
sts-st.sa	2022-11-29
News browser

PHP Tutorial PHPBasics Installation Guide, Data Types, Variables, and Operators, Control structures, Functions, Strings, Regular expression, Error Handling, Cookies+Sessions, and many more..

SQLi The SQL Injection Knowledge Base is the ultimate resource regarding SQL Injections. Here you will find everything there is to know about SQL Injections.

phpseclib phpSec is a open-source, PSR-0 compatible, PHP security library that takes care of the common security tasks a web developer faces.

Class:sql_inject - This class is meant to search in your SQL data values for special characters that may change the meaning of your SQL data and execute actions that may compromise the security of servers.

Top 10 Links
÷ phpforge
÷ KillerProtection
÷ PY-Membres
÷ PhenHP Album
÷ ALP - Banner Ad
÷ CuteNews
÷ phpMyNewsletter
÷ LokwaBB
÷ Avotravis
÷ Kietu

French

English