646 matches found
EUVD-2025-16372
Malicious code in bioql PyPI...
PT-2025-38116
Name of the Vulnerable Software and Affected Versions: WP Import – Ultimate CSV XML Importer for WordPress plugin versions prior to 7.28 Description: The WP Import – Ultimate CSV XML Importer for WordPress plugin is susceptible to arbitrary file deletion due to inadequate file path validation...
CVE-2025-10176
The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level...
CVE-2025-8895
The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations...
CVE-2025-9048
The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delimgajaxcall function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...
CVE-2025-7778
The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the deletefiles function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to delete arbitrary...
PT-2025-33348 · Unknown · Empirebak 2010
Name of the Vulnerable Software and Affected Versions: phome Empirebak 2010 Description: An issue was discovered in the config.php file located in the ebak2008/upload/class/ directory, allowing attackers to execute arbitrary code when the config file is loaded. Recommendations: At the moment, the...
CVE-2025-7384 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.3 - Unauthenticated PHP Object Injection to Arbitrary File Deletion
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the getleaddetail function. This makes it possible for unauthenticated attackers to inject a P...
CVE-2025-55169 WeGIA Path Traversal at endpoint 'html/socio/sistema/download_remessa.php' via parameter 'file'
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a path traversal vulnerability was discovered in the WeGIA application, html/socio/sistema/download_remessa.php endpoint. This vulnerability could allow an attacker to...
CVE-2014-125116 HybridAuth 2.0.9 - 2.2.2 Unauthenticated RCE via install.php Configuration Injection
A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated...
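The HybridAuth entry above (and the Hoosk config.php entry further down) describe the same defect: an installer splices request parameters into PHP source and writes the result to config.php, so a value that closes the string literal becomes executable code. The following is an added example, not HybridAuth's or Hoosk's own code; every hyp_ name is hypothetical. It shows the vulnerable writer, the same writer made safe with var_export(), the non-code alternative (JSON), and the install lock that keeps the installer from staying reachable after deployment.

```php
<?php
// Added example, not code from HybridAuth or Hoosk. hyp_ names are hypothetical.

// Vulnerable: the value is interpolated straight into PHP source. A db_user of
//   x'; system('id'); //
// terminates the string literal and the remainder runs when config.php is loaded.
// The key is interpolated too, so an attacker can also add settings of their own.
function hyp_render_config_vulnerable(array $settings): string
{
    $php = "<?php\n";
    foreach ($settings as $key => $value) {
        $php .= "\$config['$key'] = '$value';\n";
    }
    return $php;
}

// Safer if the file must stay PHP: var_export() emits a proper literal, so quotes
// and backslashes in the value are escaped and it remains a string. Keys come from
// an allowlist, values are forced to string (var_export on objects emits code).
function hyp_render_config_safe(array $settings, array $allowedKeys): string
{
    $clean = [];
    foreach ($allowedKeys as $key) {
        $clean[$key] = isset($settings[$key]) ? (string) $settings[$key] : '';
    }
    return "<?php\nreturn " . var_export($clean, true) . ";\n";
}

// Safest: do not generate code at all. Persist settings as JSON and read them
// back with json_decode(); data written this way can never become code.
function hyp_render_config_json(array $settings, array $allowedKeys): string
{
    $clean = array_intersect_key($settings, array_flip($allowedKeys));
    return json_encode($clean, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n";
}

// Installer guard: the installer writes $lockFile as its last step and refuses to
// run while it exists (the HybridAuth script stayed reachable after deployment).
function hyp_installer_allowed(string $lockFile): bool
{
    return !file_exists($lockFile);
}

if (PHP_SAPI === 'cli') {
    // Constructed attacker input: a string-literal breakout and a value with quotes/backslashes.
    $payload = ['db_user' => "x'; system('id'); //", 'db_pass' => 'p@ss"w\\ord', 'evil' => '1'];
    $keys    = ['db_user', 'db_pass'];

    echo "--- vulnerable writer ---\n", hyp_render_config_vulnerable($payload);
    echo "--- var_export writer ---\n", hyp_render_config_safe($payload, $keys);
    echo "--- json writer ---\n",       hyp_render_config_json($payload, $keys);

    // Load the safe file back: the payload round-trips as inert data, and the
    // unlisted 'evil' key never reached the file.
    $tmp = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($tmp, hyp_render_config_safe($payload, $keys));
    $cfg = include $tmp;
    unlink($tmp);
    var_dump($cfg['db_user'] === $payload['db_user'], isset($cfg['evil']));

    $lock = sys_get_temp_dir() . '/hyp_install.lock';
    var_dump(hyp_installer_allowed($lock));   // true before install completes
    touch($lock);
    var_dump(hyp_installer_allowed($lock));   // false afterwards
    unlink($lock);
}
```

Run it with `php` on the command line and compare the three outputs: the vulnerable writer produces `$config['db_user'] = 'x'; system('id'); //';`, which is a live system() call, while the var_export and JSON forms keep the same bytes inside a string.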
WordPress plugin Support Board path traversal vulnerability
Support Board is an online customer service communication plugin for the WordPress platform, mainly used to improve a site's user experience and customer service efficiency. The WordPress Support Board plugin has a path traversal vulnerability; the vulnerability stems from the...
CVE-2025-6381
The BeeTeam368 Extensions plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.3.4 via the handleremovetempfile function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of...
PT-2025-27286 · WordPress · Beeteam368 Extensions
Name of the Vulnerable Software and Affected Versions: BeeTeam368 Extensions plugin for WordPress versions up to, and including, 2.3.4 Description: The issue allows authenticated attackers with Subscriber-level access and above to perform actions on files outside of the originally intended...
VulnCheck KEV: CVE-2021-39312
The True Ranker plugin <= 2.2.2 for WordPress allows arbitrary files, including sensitive configuration files such as wp-config.php, to be accessed via the src parameter found in the /admin/vendor/datatables/examples/resources/examples.php file...
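Almost every WordPress entry above (arbitrary file deletion, arbitrary file copy, directory traversal, and the True Ranker wp-config.php read) comes down to one missing check: after resolving the user-supplied path, confirm it still lies inside the directory the feature is meant to touch. The following is an added example, not code from any plugin listed here; hyp_ names are hypothetical. It shows the vulnerable handler shape beside a hardened one, with the containment check done on the canonical path so that `..`, double slashes and symlinks out of uploads/ are all rejected, and with the authorization and nonce checks the unauthenticated and Subscriber-level entries lacked.

```php
<?php
// Added example, not code from any plugin listed above. hyp_ names are hypothetical.

/**
 * Resolve $userPath relative to $baseDir and return the canonical absolute path
 * only if it lies strictly inside $baseDir; otherwise return null.
 * realpath() collapses "..", repeated slashes and resolves symlinks, so a symlink
 * placed inside uploads/ that points at wp-config.php is rejected as well.
 */
function hyp_resolve_inside(string $baseDir, string $userPath): ?string
{
    // NUL bytes would make realpath() throw in PHP 8 and truncate paths elsewhere.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false) {
        return null; // does not exist or cannot be resolved: nothing to delete/copy/read
    }
    // Compare with a trailing separator so /uploads-private is not accepted for
    // base /uploads, and the base directory itself is not a valid target.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strpos($target, $prefix) === 0 ? $target : null;
}

// Vulnerable shape shared by the entries above: concatenation is the only
// "validation", and there is no nonce or capability check at all.
function hyp_delete_upload_vulnerable(): void
{
    $file = wp_upload_dir()['basedir'] . '/' . $_POST['file']; // "../../wp-config.php" walks out
    unlink($file);
    wp_send_json_success();
}

// Hardened handler (real WordPress API calls: check_ajax_referer, current_user_can,
// wp_unslash, sanitize_text_field, wp_upload_dir, wp_delete_file, wp_send_json_*).
function hyp_delete_upload_safe(): void
{
    check_ajax_referer('hyp_delete_upload', 'nonce');        // CSRF
    if (!current_user_can('manage_options')) {               // authorization, not just "logged in"
        wp_send_json_error('forbidden', 403);
    }
    $name   = sanitize_text_field(wp_unslash($_POST['file'] ?? ''));
    $target = hyp_resolve_inside(wp_upload_dir()['basedir'], $name);
    if ($target === null || !is_file($target)) {
        wp_send_json_error('invalid file', 400);
    }
    // Even inside uploads/, only media types this feature manages may be removed.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'csv', 'xml'], true)) {
        wp_send_json_error('type not allowed', 400);
    }
    wp_delete_file($target);
    wp_send_json_success();
}

// Stand-alone demo of the containment check (runs outside WordPress).
if (PHP_SAPI === 'cli' && !function_exists('wp_upload_dir')) {
    $base = sys_get_temp_dir() . '/hyp_uploads_' . getmypid();
    mkdir($base . '/2025', 0700, true);
    file_put_contents($base . '/2025/photo.jpg', 'x');
    $outside = sys_get_temp_dir() . '/hyp_secret_' . getmypid() . '.txt'; // stands in for wp-config.php
    file_put_contents($outside, 'secret');
    symlink($outside, $base . '/2025/link.jpg');

    $cases = [                              // constructed inputs
        '2025/photo.jpg',                   // allowed
        '2025/../2025//photo.jpg',          // allowed after normalisation
        '../' . basename($outside),         // traversal: rejected
        '2025/link.jpg',                    // symlink escaping uploads/: rejected
        "2025/photo.jpg\0.txt",             // NUL byte: rejected
    ];
    foreach ($cases as $c) {
        $r = hyp_resolve_inside($base, $c);
        printf("%-28s => %s\n", addcslashes($c, "\0"), $r === null ? 'REJECTED' : $r);
    }
    foreach ([$base . '/2025/link.jpg', $base . '/2025/photo.jpg', $outside] as $f) {
        unlink($f);
    }
    rmdir($base . '/2025');
    rmdir($base);
}
```

The same hyp_resolve_inside() check belongs in copy and read handlers too (the WP Webhooks copy and the True Ranker read above): validate the source and destination separately, and for reads also refuse anything outside the intended directory even when it exists, since realpath() happily returns the canonical path of wp-config.php.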
CVE-2025-48046
An authenticated user can disclose the cleartext password of a configured SMTP server via an HTTP GET request to the /config.php endpoint...
CVE-2025-48046
CVE-2025-48046 involves an authenticated user disclosing the cleartext password of a configured SMTP server via an HTTP GET to /config.php. The connected Red Hat entries describe the vulnerability as an authenticated-access issue that exposes SMTP credentials through the /config.php endpoint. The...
CVE-2024-51055
An issue in Hoosk v1.7.1 allows a remote attacker to execute arbitrary code via a crafted script to the config.php component...
CVE-2022-1585
The Project Source Code Download WordPress plugin through 1.0.0 does not protect its backup generation and download functionalities, which may allow any visitors on the site to download the entire site, including sensitive files like wp-config.php...
CVE-2021-24227
The Jetpack Scan team identified a Local File Disclosure vulnerability in the Patreon WordPress plugin before 1.7.0 that could be abused by anyone visiting the site. Using this attack vector, an attacker could leak important internal files like wp-config.php, which contains database credentials a...