CVE-2024-13767

The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete...

CVE-2024-12267

The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dndcodedropzuploaddelete function in all versions up to, and including, 1.3.8.5. This makes it possible for unauthenticated...

CVE-2024-13767

CVE-2024-13767 (Live2DWebCanvas

CVE-2024-13720 WP Image Uploader <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion

The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the gkyimageuploadermainfunction function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to delete arbitrary files on...

CVE-2025-0357

The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPBProfilecontroller::handleimageupload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on t...

Arbitrary Code Execution

github.com/t2bot/matrix-media-repo is vulnerable to Arbitrary Code Execution ACE. The vulnerability is due to improper validation of file types during the thumbnail generation process, where MMR relies on user-supplied file type values to select decoders e.g., ImageMagick or ffmpeg, which can...

CVE-2025-0638

The initial code parsing the manifest did not check the content of the file names yet later code assumed that it was checked and panicked when encountering illegal characters, resulting in a crash of Routinator...

CVE-2025-0394 Groundhogg <= 3.7.3.5 - Authenticated (Author+) Arbitrary File Upload via gh_big_file_upload Function

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ghbigfileupload function in all versions up to, and including, 3.7.3.5. This makes it possible for...

WordPress plugin Modula Image Gallery 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code issue vulnerability...

CVE-2025-22133 WeGIA Allows Arbitrary File Upload with Remote Code Execution (RCE)

WeGIA is a web manager for charitable institutions. Prior to 3.2.8, a critical vulnerability was identified in the /WeGIA/html/socio/sistema/controller/controlaxlsx.php endpoint. The endpoint accepts file uploads without proper validation, allowing the upload of malicious files, such as .phar,...

Remote Code Execution (RCE)

Unisharp/laravel-filemanager is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper validation of file extensions and mimetypes, which allows an attacker to bypass security mechanisms by inserting the . character after the php file extension...

CVE-2025-22389

An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm .html. When accessed by...

CVE-2025-22389

An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS, where the application does not properly validate uploaded files. This allows the upload of potentially malicious file types, including .docm .html. When accessed by...

Optimizely EPiServer.CMS.Core 安全漏洞

Optimizely EPiServer.CMS.Core is a content management system core from Optimizely, Inc. A security vulnerability exists in Optimizely EPiServer.CMS.Core versions prior to 12.32.0 that stems from not properly validating uploaded files...

CVE-2024-12042 MStore API – Create Native Android & iOS Apps On The Cloud <= 4.16.4 - Authenticated (Subscriber+) HTML File Upload (Stored Cross-Site Scripting)

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for...

WordPress plugin Super Backup & Clone 代码问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A code issue vulnerability...

Cross-site Scripting (XSS)

Mobile Security Framework MobSF is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper validation of filenames, allowing malicious users to upload script files that can execute when the "Diff or Compare" functionality is used...

Cross-site Scripting (XSS)

sylius/sylius is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper validation of uploaded SVG files, allowing attackers to inject malicious scripts that execute in the user's browser context...

Exploit for CVE-2024-52380

CVE-2024-52380 Picsmize = 1.0.0 - Unauthenticated Arbitrar...

CVE-2024-9660

The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mjsmgtloaddocumetsnew and mjsmgtloaddocumets functions in all versions up to, and including, 91.5.0. This makes it possible for authenticated attacker...