Forum Security Vulnerabilities


CVE-2005-1404

MyPHP Forum 1.0 allows remote attackers to spoof the username by modifying the (1) nbuser parameter to post.php or (2) sender parameter to...

7.1 AI Score

0.006 EPSS

2022-10-03 04:22 PM

CVE-2005-1008

Cross-site scripting (XSS) vulnerability in posts.asp for ASP-DEv XM Forum RC3 allows remote attackers to inject arbitrary web script or HTML via a "javascript:" URL in an IMG...

5.7 AI Score

0.001 EPSS

2022-10-03 04:22 PM

CVE-2005-1648

Gurgens (GASoft) Ultimate Forum 1.0 stores the db/Genid.dat database file under the web document root with insufficient access control, which allows remote attackers to obtain and decrypt usernames and...

7.1 AI Score

0.004 EPSS

2022-10-03 04:22 PM

CVE-2005-3282

Splatt Forum 3.0 to 3.2 allows remote attackers to bypass authentication via unknown...

7.3 AI Score

0.004 EPSS

2022-10-03 04:22 PM

CVE-2018-14474

views/auth.go in Orange Forum 1.4.0 allows Open Redirection via the next parameter to /login or...

6.1 CVSS

6.2 AI Score

0.001 EPSS

2022-10-03 04:22 PM

CVE-2018-11709

wpforo_get_request_uri in wpf-includes/functions.php in the wpForo Forum plugin before 1.4.12 for WordPress allows Unauthenticated Reflected Cross-Site Scripting (XSS) via the...

6.1 CVSS

6 AI Score

0.002 EPSS

2022-10-03 04:21 PM

CVE-2015-2198

Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage_url, (2) pic_url, or (3) avatar_url parameter, which are not properly handled in an error...

5.9 AI Score

0.001 EPSS

2022-10-03 04:16 PM

CVE-2012-5328

Multiple SQL injection vulnerabilities in the Mingle Forum plugin 1.0.32.1 and other versions before 1.0.33 for WordPress might allow remote authenticated users to execute arbitrary SQL commands via the (1) memberid or (2) groupid parameters in a removemember action or (3) id parameter to...

8.4 AI Score

0.001 EPSS

2022-10-03 04:15 PM

CVE-2011-4172

Multiple cross-site scripting (XSS) vulnerabilities in KENT-WEB WEB FORUM before 5.1 allow remote attackers to inject arbitrary web script or HTML via (1) an e-mail address field or (2) a cookie, a related issue to CVE-2011-3383, CVE-2011-3983, and...

5.8 AI Score

0.002 EPSS

2022-10-03 04:15 PM

CVE-2011-3383

Cross-site scripting (XSS) vulnerability in KENT-WEB WEB FORUM 5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to "the web page to be...

5.7 AI Score

0.001 EPSS

2022-10-03 04:15 PM

CVE-2011-3700

Advanced Electron Forum (AEF) 1.0.8 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by...

6.3 AI Score

0.003 EPSS

2022-10-03 04:15 PM

CVE-2013-0736

Multiple cross-site request forgery (CSRF) vulnerabilities in the Mingle Forum plugin 1.0.34 and possibly earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) modify user privileges or (2) conduct cross-site scripting (XSS) attacks via...

6.9 AI Score

0.001 EPSS

2022-10-03 04:15 PM

CVE-2013-4465

Unrestricted file upload vulnerability in the avatar upload functionality in Simple Machines Forum before 2.0.6 and 2.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified....

7.6 AI Score

0.009 EPSS

2022-10-03 04:14 PM

CVE-2007-6727

SQL injection vulnerability in topic.php in KerviNet Forum 1.1 allows remote attackers to execute arbitrary SQL commands via the forum...

8.7 AI Score

0.001 EPSS

2022-10-03 04:14 PM

CVE-2007-6241

Multiple unspecified vulnerabilities in Beehive Forum 0.7.1 have unknown "critical" impact and attack vectors, different issues than...

6.7 AI Score

0.005 EPSS

2022-10-03 04:14 PM

CVE-2004-2180

Multiple cross-site scripting (XSS) vulnerabilities in WowBB Forum 1.61 allow remote attackers to inject arbitrary web script or HTML via the (1) country parameter to view_user.php, (2) show parameter to view_forum.php, (3) letter parameter to view_user.php, (4) highlight parameter to...

5.8 AI Score

0.001 EPSS

2022-10-03 04:14 PM

CVE-2004-2178

SQL injection vulnerability in DevoyBB Web Forum 1.0.0 allows remote attackers to execute arbitrary SQL commands via unknown...

8.3 AI Score

0.002 EPSS

2022-10-03 04:14 PM

CVE-2004-2177

Cross-site scripting (XSS) vulnerability in DevoyBB Web Forum 1.0.0 allows remote attackers to inject arbitrary web script or HTML via unknown...

5.7 AI Score

0.002 EPSS

2022-10-03 04:14 PM

CVE-2022-38144

Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team wpForo Forum plugin <= 2.0.5 at...

8.8 CVSS

8.8 AI Score

0.001 EPSS

2022-09-09 03:15 PM

CVE-2017-20106

A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached...

5.3 CVSS

4.8 AI Score

0.0004 EPSS

2022-06-28 07:15 AM

CVE-2022-31296

Online Discussion Forum Site 1 was discovered to contain a blind SQL injection vulnerability via the component...

9.8 CVSS

9.8 AI Score

0.002 EPSS

2022-06-17 01:15 PM

CVE-2022-31295

An issue in the delete_post() function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily delete...

7.5 CVSS

7.5 AI Score

0.001 EPSS

2022-06-16 08:15 PM

CVE-2022-31294

An issue in the save_users() function of Online Discussion Forum Site 1 allows unauthenticated attackers to arbitrarily create or update user...

6.5 CVSS

6.5 AI Score

0.001 EPSS

2022-06-16 06:15 PM

CVE-2022-31911

Online Discussion Forum Site v1.0 is vulnerable to SQL Injection via...

7.2 CVSS

7.3 AI Score

0.001 EPSS

2022-06-16 03:15 PM

CVE-2022-31913

Online Discussion Forum Site v1.0 is vulnerable to Cross Site Scripting (XSS) via /odfs/classes/Master.php?f=save_category,...

4.8 CVSS

4.9 AI Score

0.001 EPSS

2022-06-16 03:15 PM

CVE-2022-26982

SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. NOTE: the vendor's position is that administrators are intended to have the ability to modify...

7.2 CVSS

7.2 AI Score

0.022 EPSS

2022-04-05 03:15 PM

CVE-2022-0411

The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL...

8.8 CVSS

8.8 AI Score

0.001 EPSS

2022-02-28 09:15 AM

CVE-2022-23390

An issue in the getType function of BBS Forum v5.3 and below allows attackers to upload arbitrary...

9.8 CVSS

9.4 AI Score

0.003 EPSS

2022-02-14 09:15 PM

CVE-2021-25045

The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection...

7.2 CVSS

7.2 AI Score

0.001 EPSS

2022-01-24 08:15 AM

CVE-2021-45252

Multiple SQL injection vulnerabilities are found in Simple Forum-Discussion System 1.0, for example in three applications: manage_topic.php, manage_user.php, and ajax.php. The attacker can retrieve all information from the database of this system by using this...

9.8 CVSS

9.8 AI Score

0.002 EPSS

2021-12-21 12:15 PM

CVE-2021-42365

The Asgaros Forums WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the name parameter found in the ~/admin/tables/admin-structure-table.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to....

4.8 CVSS

4.8 AI Score

0.001 EPSS

2021-11-29 07:15 PM

CVE-2021-24827

The Asgaros Forum WordPress plugin before 1.15.13 does not validate and escape user input when subscribing to a topic before using it in a SQL statement, leading to an unauthenticated SQL injection...

9.8 CVSS

9.8 AI Score

0.195 EPSS

2021-11-08 06:15 PM

CVE-2021-24406

The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such issue could allow an attacker to induce a user to use a login URL redirecting to a website under their control.....

6.1 CVSS

6.1 AI Score

0.001 EPSS

2021-07-06 11:15 AM

CVE-2020-28141

The messaging subsystem in the Online Discussion Forum 1.0 is vulnerable to XSS in the message body. An authenticated user can send messages to arbitrary users on the system that include javascript that will execute when viewing the messages...

5.4 CVSS

5.3 AI Score

0.001 EPSS

2021-04-19 04:15 PM

CVE-2020-15513

The typo3_forum extension before 1.2.1 for TYPO3 has Incorrect Access...

5.3 CVSS

5.2 AI Score

0.001 EPSS

2020-07-07 02:15 PM

CVE-2020-15516

The mm_forum extension through 1.9.5 for TYPO3 allows XSS that can be exploited via...

5.4 CVSS

5.2 AI Score

0.001 EPSS

2020-07-07 02:15 PM

CVE-2019-11574

An issue was discovered in Simple Machines Forum (SMF) before release 2.0.17. There is SSRF related to Subs-Package.php and Subs.php because user-supplied data is used directly in curl...

9.8 CVSS

9.3 AI Score

0.002 EPSS

2020-03-20 11:15 PM

CVE-2013-4395

Simple Machines Forum (SMF) through 2.0.5 has...

6.1 CVSS

6 AI Score

0.001 EPSS

2020-02-12 04:15 PM

CVE-2013-0192

File Disclosure in SMF (SimpleMachines Forum) <= 2.0.3: Forum admin can read files such as the database...

4.9 CVSS

5.1 AI Score

0.001 EPSS

2020-02-07 02:15 PM

CVE-2019-12490

An issue was discovered in Simple Machines Forum (SMF) before 2.0.16. Reverse tabnabbing can occur because of use of _blank for external...

6.5 CVSS

6.4 AI Score

0.002 EPSS

2020-01-22 06:15 AM

CVE-2009-5068

There is a file disclosure vulnerability in SMF (Simple Machines Forum) affecting versions through v2.0.3. On some configurations a SMF deployment is shared by several "co-admins" that are not trusted beyond the SMF deployment. This vulnerability allows them to read arbitrary files on the...

7.2 CVSS

6.8 AI Score

0.001 EPSS

2020-01-15 09:15 PM

CVE-2005-4891

Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject arbitrary SQL...

9.8 CVSS

8 AI Score

0.005 EPSS

2020-01-15 05:15 PM

CVE-2011-3584

The TYPO3 Core wec_discussion extension before 2.1.1 is vulnerable to SQL Injection due to improper sanitation of user-supplied...

9.8 CVSS

9.8 AI Score

0.002 EPSS

2019-11-26 12:15 AM

CVE-2019-18636

A cross-site scripting (XSS) vulnerability in Jitbit .NET Forum (aka ASP.NET forum) 8.3.8 allows remote attackers to inject arbitrary web script or HTML via the gravatar URL...

5.4 CVSS

5.2 AI Score

0.001 EPSS

2019-11-01 12:15 PM

CVE-2018-16613

An issue was discovered in the update function in the wpForo Forum plugin before 1.5.2 for WordPress. A registered forum is able to escalate privilege to the forum administrator without any form of user...

9.8 CVSS

9.5 AI Score

0.003 EPSS

2019-06-19 06:15 PM

CVE-2019-12253

my little forum before 2.4.20 allows CSRF to delete posts, as demonstrated by...

6.5 CVSS

6.4 AI Score

0.001 EPSS

2019-05-21 05:29 PM

CVE-2013-7468

Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the index.php?action=admin;area=languages;sa=editlang dictionary...

8.1 CVSS

8.4 AI Score

0.004 EPSS

2019-03-07 11:29 PM

CVE-2013-7466

Simple Machines Forum (SMF) 2.0.4 allows local file inclusion, with resultant remote code execution, in install.php via ../ directory traversal in the db_type parameter if install.php remains present after...

8.8 CVSS

8.7 AI Score

0.003 EPSS

2019-03-07 11:29 PM

CVE-2013-7467

Simple Machines Forum (SMF) 2.0.4 allows XSS via the index.php?action=pm;sa=settings;save sa...

6.1 CVSS

6.5 AI Score

0.001 EPSS

2019-03-07 11:29 PM

CVE-2018-15569

my little forum 2.4.12 allows CSRF for deletion of...

6.5 CVSS

6.5 AI Score

0.001 EPSS

2018-08-20 01:29 AM

Total number of security vulnerabilities: 365