CVE-2026-35054 XenForo Stored Cross-Site Scripting via BB Code Rendering

XenForo before 2.3.9 is vulnerable to stored cross-site scripting XSS related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content...

CVE-2026-25923

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file disguised as JPEG via the image...

CVE-2026-25923

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file disguised as JPEG via the image...

CVE-2026-25923 Phar Deserialization leading to Arbitrary File Deletion in my little forum

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file disguised as JPEG via the image...

CVE-2026-25923 Phar Deserialization leading to Arbitrary File Deletion in my little forum

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file disguised as JPEG via the image...

CVE-2026-25923

CVE-2026-25923 affects My Little Forum (PHP/MySQL). Before version 20260208.1, URL validation fails to filter the phar:// protocol, enabling an attacker to upload a malicious Phar Polyglot file (disguised as JPEG) via the image upload feature. The exploit triggers Phar deserialization during BBCo...

CVE-2026-25923 Phar Deserialization leading to Arbitrary File Deletion in my little forum

my little forum is a PHP and MySQL based internet forum that displays the messages in classical threaded view. Prior to 20260208.1, the application fails to filter the phar:// protocol in URL validation, allowing attackers to upload a malicious Phar Polyglot file disguised as JPEG via the image...

CVE-2009-4041

UseBB 1.0.9 before 1.0.10 allows remote attackers to cause a denial of service infinite loop via crafted BBCode tags...

CVE-2008-6885

Cross-site scripting XSS vulnerability in pmlite.php in XOOPS 2.3.1 and 2.3.2a allows remote attackers to inject arbitrary web script or HTML via a STYLE attribute in a URL BBcode tag in a private message...

CVE-2019-16108

phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets CSS token sequence to a page through BBCode...

CVE-2019-12830

In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to video BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue...

CVE-2025-11873

The WP BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

EUVD-2025-60973

The WP BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

CVE-2025-11873

The WP BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

CVE-2025-11873

CVE-2025-11873 : WordPress WP BBCode plugin

CVE-2025-11873 WP BBCode <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

CVE-2025-11873 WP BBCode <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The WP BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...

WordPress WP BBCode plugin <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin WP BBCode versions = 1.8.1...

WordPress plugin WP BBCode 跨站脚本漏洞

WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site...

PT-2025-46260

Name of the Vulnerable Software and Affected Versions WP BBCode plugin for WordPress versions up to and including 1.8.1 Description The WP BBCode plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 'url' shortcode. This is due to inadequate input sanitization and output...