phpAdvisories Backend for PhpSecure
https://www.phpsecure.info/
Latest security advisories about PHP applications
Last updated: 2022-11-30T11:10:04Z
The Ultimate Member plugin for WordPress is vulnerable to directory traversal in versions up to, and including, 2.5.0 due to insufficient input validation on the 'template' attribute used in shortcodes. This makes it possible for attackers with
Published: 2022-11-30T07:40:11Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3361
Link: https://www.phpsecure.info/go/206259.html

vBulletin 5.5.2 PHP Object Injection
Published: 2022-11-29T23:40:10Z
Source: cxsecurity.com, https://cxsecurity.com/issue/WLB-2022110051
Link: https://www.phpsecure.info/go/206249.html

The Salat Times WordPress plugin before 3.2.2 does not sanitise and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Published: 2022-11-29T07:40:12Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2983
Link: https://www.phpsecure.info/go/206242.html

The Download Plugin WordPress plugin before 2.0.0 does not properly validate that a user has the required privileges to access a backup's nonce identifier, which may allow any user with an account on the site (such as a subscriber) to download a full copy of
Published: 2022-11-28T16:40:03Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25059
Link: https://www.phpsecure.info/go/206232.html

The Find and Replace All WordPress plugin before 1.3 does not sanitise and escape some parameters from its settings page before outputting them back to the user, leading to a Reflected Cross-Site Scripting issue.
Published: 2022-11-28T16:40:03Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2311
Link: https://www.phpsecure.info/go/206233.html

CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access to the ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email.
Published: 2022-11-24T07:40:11Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43258
Link: https://www.phpsecure.info/go/206186.html

An issue was discovered in JIZHI CMS 1.9.4. There is a CSRF vulnerability that can add an admin account via index, /admin.php/Admin/adminadd.html
Published: 2022-11-23T22:40:03Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29334
Link: https://www.phpsecure.info/go/206175.html

SQL Injection vulnerability in function get_user in login_manager.php in rizalafani cms-php v1.
Published: 2022-11-23T20:40:03Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-35284
Link: https://www.phpsecure.info/go/206174.html

WordPress BeTheme 26.5.1.4 PHP Object Injection
Published: 2022-11-22T23:40:10Z
Source: cxsecurity.com, https://cxsecurity.com/issue/WLB-2022110040
Link: https://www.phpsecure.info/go/206145.html

ChurchInfo 1.2.13-1.3.0 Remote Code Execution
Published: 2022-11-22T23:40:10Z
Source: cxsecurity.com, https://cxsecurity.com/issue/WLB-2022110039
Link: https://www.phpsecure.info/go/206146.html

The WP User Frontend WordPress plugin before 3.5.29 uses a user-supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having
Published: 2022-11-21T14:40:02Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24649
Link: https://www.phpsecure.info/go/206123.html

The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a payment was successful or failed, allowing unauthenticated users to change the payment status of arbitrary bookings. Furthermore, due
Published: 2022-11-21T14:40:02Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0421
Link: https://www.phpsecure.info/go/206124.html

The My wpdb WordPress plugin before 2.5 is missing a CSRF check when running SQL queries, which could allow an attacker to make a logged-in admin run an arbitrary SQL query via a CSRF attack.
Published: 2022-11-21T14:40:02Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1578
Link: https://www.phpsecure.info/go/206125.html

The WP-Polls WordPress plugin before 2.76.0 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.
Published: 2022-11-21T14:40:02Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1581
Link: https://www.phpsecure.info/go/206127.html

Multiple Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Quiz And Survey Master plugin <= 7.3.4 on WordPress.
Published: 2022-11-18T02:40:03Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36905
Link: https://www.phpsecure.info/go/206064.html

A vulnerability, which was classified as problematic, was found in phpservermon. This affects the function generatePasswordResetToken of the file src/psm/Service/User.php. The manipulation leads to use of a predictable algorithm in the random number generator.
Published: 2022-11-16T02:40:04Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4240
Link: https://www.phpsecure.info/go/206038.html

A vulnerability, which was classified as problematic, was found in phpservermon. Affected is the function setUserLoggedIn of the file src/psm/Service/User.php. The manipulation leads to use of a predictable algorithm in the random number generator. The exploit
Published: 2022-11-16T02:40:04Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4241
Link: https://www.phpsecure.info/go/206039.html

WordPress BeTheme BeCustom 1.0.5.2 Cross Site Request Forgery
Published: 2022-11-15T23:40:09Z
Source: cxsecurity.com, https://cxsecurity.com/issue/WLB-2022110025
Link: https://www.phpsecure.info/go/206025.html

Remote Code Execution in MODX Revolution V2.8.3-pl
Published: 2022-11-15T23:40:09Z
Source: cxsecurity.com, https://cxsecurity.com/issue/WLB-2022110023
Link: https://www.phpsecure.info/go/206027.html

The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 does not perform CSRF checks for any of its AJAX actions, allowing attackers to trick logged-in users into performing various actions on their behalf on t
Published: 2022-11-15T07:40:12Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2449
Link: https://www.phpsecure.info/go/206010.html

The reSmush.it : the only free Image Optimizer & compress plugin WordPress plugin before 0.4.4 lacks authorization in various AJAX actions, allowing any logged-in user, such as a subscriber, to call them.
Published: 2022-11-15T07:40:12Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2450
Link: https://www.phpsecure.info/go/206011.html

Over 15,000 WordPress Sites Compromised in Malicious SEO Campaign
Published: 2022-11-14T12:40:02Z
Source: TheHackerNews, https://thehackernews.com/2022/11/over-15000-wordpress-sites-compromised.html
Link: https://www.phpsecure.info/go/205993.html

WordPress Blog2Social 6.9.11 Missing Authorization
Published: 2022-11-10T16:40:06Z
Source: cxsecurity.com, https://cxsecurity.com/issue/WLB-2022110010
Link: https://www.phpsecure.info/go/205944.html

Multiple Insecure Direct Object References (IDOR) vulnerabilities in ExpressTech Quiz And Survey Master plugin <= 7.3.6 on WordPress.
Published: 2022-11-03T23:40:11Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36906
Link: https://www.phpsecure.info/go/205831.html

MKCMS V6.2 has SQL injection via the /ucenter/reg.php name parameter.
Published: 2022-11-03T19:40:11Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22818
Link: https://www.phpsecure.info/go/205826.html

MKCMS V6.2 has SQL injection via the /ucenter/active.php verify parameter.
Published: 2022-11-03T19:40:11Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22819
Link: https://www.phpsecure.info/go/205827.html

MKCMS V6.2 has SQL injection via the /ucenter/repass.php name parameter.
Published: 2022-11-03T19:40:11Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-22820
Link: https://www.phpsecure.info/go/205828.html

The Newspaper WordPress theme before 12 does not sanitise a parameter before outputting it back in an HTML attribute via an AJAX action, leading to a Reflected Cross-Site Scripting issue.
Published: 2022-11-03T06:40:04Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2167
Link: https://www.phpsecure.info/go/205812.html

The Gallery Plugin for WordPress plugin before 1.8.4.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
Published: 2022-11-03T06:40:04Z
Source: National Vulnerability Database, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2190
Link: https://www.phpsecure.info/go/205813.html