3575 matches found
PT-2025-2645 · Unknown · Themeglow Jobboard
Name of the Vulnerable Software and Affected Versions: ThemeGlow JobBoard Job listing versions 1.2.6 and earlier Description: The issue allows for the unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server. This can be exploited by uploading a...
PT-2025-1860 · Gpt4 +5 · Gpt4 +5
Name of the Vulnerable Software and Affected Versions: The Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress versions up to, and including, 1.3.1 Description: The issue is related to a missing capability check and file type validatio...
PT-2025-4370
Name of the Vulnerable Software and Affected Versions: WeGIA versions prior to 3.2.8 Description: A critical issue was identified in the "/WeGIA/html/socio/sistema/controller/controla xlsx.php" endpoint, which accepts file uploads without proper validation. This allows the upload of malicious...
PT-2025-1369 · Suitecrm · Suitecrm
Name of the Vulnerable Software and Affected Versions: SuiteCRM version 7.12.7 Description: A problem was discovered in SuiteCRM where authenticated users can use CRM functions to upload malicious files. Then, deserialization can be used to achieve code execution. Recommendations: For SuiteCRM...
PT-2025-4294 · Unknown · Langchain4J-Aideepin
Name of the Vulnerable Software and Affected Versions: LangChain4j-AIDeepin versions prior to 3.5.0 Description: LangChain4j-AIDeepin is a Retrieval enhancement generation RAG project. Prior to version 3.5.0, it used MD5 to hash files, which may cause file upload conflicts. Recommendations: For...
My-Blog Code Issue Vulnerability
My-Blog is a Java blog system implemented by SpringBoot + Mybatis + Thymeleaf and other technologies, with beautiful pages, full functionality, easy deployment and perfect code. A code issue vulnerability exists in My-Blog version 1.0, which stems from improper handling of the file parameter,...
CVE-2025-22388
An issue was discovered in Optimizely EPiServer.CMS.Core before 12.22.0. A high-severity Stored Cross-Site Scripting XSS vulnerability exists in the CMS, allowing malicious actors to inject and execute arbitrary JavaScript code, potentially compromising user data, escalating privileges, or...
CVE-2025-22389
An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm .html. When accessed by...
CVE-2025-22388
Optimizely EPiServer.CMS.Core prior to version 12.22.0 contains a Stored Cross-Site Scripting (XSS) vulnerability in the CMS, affecting areas such as content editing, link management, and file uploads. The issue allows an attacker to inject and execute arbitrary JavaScript, which could compromise...
PT-2025-3229 · Unknown · Acf City Selector
Name of the Vulnerable Software and Affected Versions: ACF City Selector versions 1.14.0 and earlier Description: The issue allows for the unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server. This can be exploited by uploading malicious files...
Huang Yaoshi Pharmaceutical Management Software Security Vulnerability
NWT Huang Yaoshi Pharmaceutical Management Software is a pharmaceutical management software from NWT. A security vulnerability exists in Huang Yaoshi Pharmaceutical Management version 16.0 and prior versions that originates from a file upload via the /XSDService.asmx interface that allows arbitra...
PT-2025-3215 · Webdeclic · Webdeclic Wpmastertoolkit
Name of the Vulnerable Software and Affected Versions: Webdeclic WPMasterToolKit versions 1.13.1 and earlier Description: The issue allows for the unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server. This can lead to unauthorized upload of malicio...
WordPress GutenKit 2.1.0 Arbitrary File Upload Vulnerability
CVE-2024-9234 GutenKit = 2.1.0 - Unauthenticated Arbitrary File Upload Description The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the...
1000 Projects Portfolio Management System MCA Security Vulnerability
1000 Projects Portfolio Management System MCA is an open source portfolio management system from 1000 Projects. A security vulnerability exists in 1000 Projects Portfolio Management System MCA version 1.0, which stems from improper handling of the parameter achcerty in the file...
CVE-2024-10584
The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.6.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...
CVE-2024-10584 DirectoryPress <= 3.6.16 - Authenticated (Author+) Stored Cross-Site Scripting
The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.6.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...
CVE-2024-10584
CVE-2024-10584 affects the DirectoryPress – Business Directory And Classified Ad Listing WordPress plugin. It is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to 3.6.16 due to insufficient input sanitization/output escaping. Exploitation requires authenticated ...
CVE-2024-12881
The PlugVersions – Easily rollback to previous versions of your plugins plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the eospluginreviewsrestoreversion function in all versions up to, and including, 0.0.7. This makes it possible for authenticat...