
825 matches found

NVD
added 2026/02/18 11:16 a.m. | 5 views

CVE-2026-2426

The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal sequences. This make...

CVSS 6.5 | EPSS 0.01252
Exploits 0 | References 4

Vulnrichment
added 2026/02/18 10:20 a.m. | 3 views

CVE-2026-2426 WP-DownloadManager <= 1.69 - Authenticated (Administrator+) Path Traversal to Arbitrary File Deletion via 'file' Parameter

The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal sequences. This make...

CVSS 6.5 | AI score 6.6 | EPSS 0.01252
Exploits 0 | References 4

CNNVD
added 2026/02/18 12:0 a.m. | 6 views

Base Admin code issue vulnerability

Base Admin is a backend management system developed by huanzi-qch as an individual developer. Base Admin has code-related vulnerabilities; these vulnerabilities stem from incorrect handling of the File parameter in the Upload function within the SysFileController.java file, which could lead to th...

CVSS 6.5 | AI score 6.7 | EPSS 0.00272
Exploits 0 | References 6

Positive Technologies
added 2026/02/18 12:0 a.m. | 4 views

PT-2026-20380

The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal sequences. This make...

CVSS 6.5 | AI score 6.6 | EPSS 0.01252
Exploits 0 | References 5

RedhatCVE
added 2026/02/15 7:10 a.m. | 8 views

CVE-2025-13681

The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied first_file parameter in the zip function. This makes it possible for authenticated attackers, with...

CVSS 4.9 | AI score 5.7 | EPSS 0.0035
Exploits 0 | References 1

Vulnrichment
added 2026/02/14 3:25 a.m. | 4 views

CVE-2025-13681 BFG Tools – Extension Zipper <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter

The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied first_file parameter in the zip function. This makes it possible for authenticated attackers, with...

CVSS 4.9 | AI score 5.7 | EPSS 0.0035
Exploits 0 | References 4

CVE
added 2026/02/14 3:25 a.m. | 18 views

CVE-2025-13681

CVE-2025-13681 affects the WordPress plugin BFG Tools – Extension Zipper (versions

CVSS 4.9 | AI score 5.7 | EPSS 0.0035
Exploits 0 | References 4

CNNVD
added 2026/02/14 12:0 a.m. | 6 views

WordPress plugin BFG Tools – Extension Zipper path traversal vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 4.9 | AI score 5.8 | EPSS 0.0035
Exploits 0 | References 4

Patchstack
added 2026/02/13 9:34 p.m. | 7 views

WordPress BFG Tools - Extension Zipper plugin <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter vulnerability

WordPress BFG Tools - Extension Zipper plugin <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin BFG Tools – Extension Zipper versions <= 1.0.7...

CVSS 4.9 | AI score 5.5 | EPSS 0.0035
Exploits 0 | References 1 | Affected Software 1

VulnCheck KEV
added 2026/02/12 12:0 a.m. | 16 views

VulnCheck KEV: CVE-2015-5471

Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter...

CVSS 5.3 | AI score 7.4 | EPSS 0.32714
In wild | Exploits 2 | References 2

CNNVD
added 2026/02/09 12:0 a.m. | 4 views

Code-Projects Online Music Site SQL injection vulnerability

Code-Projects Online Music Site is an online music website developed by Code-Projects as open source. Version 1.0 of Code-Projects Online Music Site has a SQL injection vulnerability. This vulnerability stems from incorrect handling of parameters related to files, administrators, and the...

CVSS 9.8 | AI score 7.2 | EPSS 0.00323
Exploits 1 | References 6

RedhatCVE
added 2026/02/08 1:22 a.m. | 8 views

CVE-2026-2064

A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the atta...

CVSS 5.4 | AI score 3.4 | EPSS 0.00217
Exploits 1 | References 1

NVD
added 2026/02/06 8:16 p.m. | 7 views

CVE-2026-2064

A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the atta...

CVSS 5.4 | EPSS 0.00217
Exploits 1 | References 4

EUVD
added 2026/02/06 7:32 p.m. | 6 views

EUVD-2026-5595

A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the atta...

CVSS 5.1 | AI score 3.4 | EPSS 0.00217
Exploits 1 | References 4

CVE
added 2026/02/06 7:32 p.m. | 13 views

CVE-2026-2064

CVE-2026-2064 affects Portabilis i-Educar up to version 2.10. The vulnerability is in the file /intranet/meusdadod.php of the User Data Page, where manipulation of the File argument leads to cross-site scripting. It can be exploited remotely and a public exploit exists. Multiple sources confirm t...

CVSS 5.4 | AI score 3.6 | EPSS 0.00217
Exploits 1 | References 4 | Affected Software 1

RedhatCVE
added 2026/02/06 1:25 a.m. | 4 views

CVE-2026-25512

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled...

CVSS 9.4 | AI score 6.7 | EPSS 0.18536
Exploits 2 | References 1

CNNVD
added 2026/02/06 12:0 a.m. | 5 views

i-Educar code injection vulnerability

i-Educar is a free educational software developed by Portábilis. Versions of i-Educar 2.10 and earlier had a code injection vulnerability. This vulnerability stemmed from incorrect handling of the File parameter in the user data page file /intranet/meusdadod.php, which could lead to cross-site...

CVSS 5.4 | AI score 5.7 | EPSS 0.00217
Exploits 1 | References 5

RedhatCVE
added 2026/02/05 1:22 p.m. | 7 views

CVE-2025-15487

The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which...

CVSS 4.9 | AI score 5.6 | EPSS 0.00421
Exploits 0 | References 1

Cvelist
added 2026/02/05 6:47 a.m. | 27 views

CVE-2026-1246 ShortPixel Image Optimizer <= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the 'loadFile' parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the 'loadLogFile' AJAX action. This makes it possible for...

CVSS 4.9 | EPSS 0.00519
Exploits 0 | References 5

NVD
added 2026/02/04 9:15 a.m. | 10 views

CVE-2025-15487

The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which...

CVSS 4.9 | EPSS 0.00421
Exploits 0 | References 2