CVE-2018-25397 PHP-SHOP 1.0 Cross-Site Request Forgery via users.php

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST...

WordPress plugin Wishlist Member 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVE-2026-35063

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

CVE-2026-35063 Missing Authorization in OpenPLC_V3

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

CVE-2026-2446

CVE-2026-2446 affects the PowerPack for LearnDash WordPress plugin prior to 1.3.0. The issue is an missing authorization and CSRF protection in an AJAX action, enabling unauthenticated users to update arbitrary WordPress options (e.g., default_role) and to create arbitrary admin users. Impact is ...

CVE-2022-0952

The Sitemap by click5 WordPress plugin before 1.0.36 does not have authorisation and CSRF checks when updating options via a REST endpoint, and does not ensure that the option to be updated belongs to the plugin. As a result, unauthenticated attackers could change arbitrary blog options, such as...

CVE-2018-25127 SOCA Access Control System 180612 Cross-Site Request Forgery via Admin Interface

SOCA Access Control System 180612 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without proper request validation. Attackers can craft malicious web pages that submit forged requests to create admin accounts by tricking logged-in users...

CVE-2018-25127

CVE-2018-25127 affects SOCA Access Control System 180612. The issue is a cross-site request forgery in the admin interface caused by lack of proper request validation, allowing forged requests to create admin accounts when a user visits a malicious page. Affected component: admin interface/API en...

PT-2025-51961

Name of the Vulnerable Software and Affected Versions UliCMS version 2023.1 Description An unauthenticated attacker can create administrative accounts through the UserController endpoint. By sending a crafted POST request to the /dist/admin/index.php endpoint with specific parameters, an attacker...

CVE-2025-8059

The CVE refers to the WordPress B Blocks plugin (versions up to 2.0.6) with a privilege-escalation flaw caused by missing authorization and input validation in the rgfr_registration() function. This allows unauthenticated attackers to create a new account and grant it the administrator role. Publ...

CVE-2018-15459

A vulnerability in the administrative web interface of Cisco Identity Services Engine ISE could allow an authenticated, remote attacker to gain additional privileges on an affected device. The vulnerability is due to improper controls on certain pages in the web interface. An attacker could explo...

CVE-2015-4307

The web framework in Cisco Prime Collaboration Provisioning before 11.0 allows remote authenticated users to bypass intended access restrictions and create administrative accounts via a crafted URL, aka Bug ID CSCut64111...

CVE-2007-6487

Unspecified vulnerability in Plain Black WebGUI 7.4.0 through 7.4.17 allows remote authenticated users with Secondary Admin privileges to create Admin accounts, a different vulnerability than CVE-2006-0680...

Design/Logic Flaw

Unspecified vulnerability in Plain Black WebGUI 7.4.0 through 7.4.17 allows remote authenticated users with Secondary Admin privileges to create Admin accounts, a different vulnerability than CVE-2006-0680...