9 matches found

Vulnrichment
added 2026/04/20 6:31 p.m., 1 view

CVE-2026-6248 wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Profile Field File Path

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store ...

CVSS 8.1, AI score 6.6, EPSS 0.00593
Exploits: 0, References: 5
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2020-7198

Malware in sbrugna...

CVSS 8.8, AI score 8.6, EPSS 0.01208
Exploits: 0, References: 2
NVD
added 2025/03/31 5:15 p.m., 19 views

CVE-2025-30369

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any...

CVSS 2.7, EPSS 0.00238
Exploits: 0, References: 1
Cvelist
added 2025/03/31 4:32 p.m., 16 views

CVE-2025-30369 Zulip allows the deletion of Custom profile fields by administrators of a different organization

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any...

CVSS 2.7, EPSS 0.00238
Exploits: 0, References: 1
OSV
added 2025/03/31 4:32 p.m., 6 views

CVE-2025-30369 Zulip allows the deletion of Custom profile fields by administrators of a different organization

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any...

CVSS 2.7, AI score 6.7, EPSS 0.00238
Exploits: 0, References: 3
Prion
added 2020/08/21 5:15 a.m., 9 views

Code injection

Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field value...

CVSS 6.5, AI score 8.5, EPSS 0.01208
Exploits: 0, References: 1, Affected Software: 1
CVE
added 2020/08/21 4:28 a.m., 61 views

CVE-2020-15070

Zulip Server 2.x before 2.1.7 is affected by an eval-injection vulnerability that an attacker with privilege and access to write to the PostgreSQL database can exploit by crafting a custom profile field value. The root cause is the ability to inject and evaluate code via a crafted value stored in...

CVSS 8.8, AI score 8.6, EPSS 0.01208
Exploits: 0, References: 1, Affected Software: 1
Prion
added 2013/08/16 5:55 p.m., 21 views

Cross site scripting

Cross-site scripting (XSS) vulnerability in install/forumdata/src/customfields.inc.t in FUDforum 3.0.4.1 and earlier, when registering a new user, allows remote attackers to inject arbitrary web script or HTML via a custom profile field to index.php. NOTE: some of these details are obtained from...

CVSS 2.6, AI score 6.2, EPSS 0.012
Exploits: 1, References: 3, Affected Software: 1
Cvelist
added 2013/08/16 5:0 p.m., 20 views

CVE-2013-5309

Cross-site scripting (XSS) vulnerability in install/forumdata/src/customfields.inc.t in FUDforum 3.0.4.1 and earlier, when registering a new user, allows remote attackers to inject arbitrary web script or HTML via a custom profile field to index.php. NOTE: some of these details are obtained from...

AI score 5.7, EPSS 0.012
Exploits: 1, References: 3