Lucene search
K

439 matches found

NVD
NVD
added 3 days ago7 views

CVE-2026-15338

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the gettypetemplate function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute...

7.5CVSS0.00565EPSS
Exploits0References7
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43126

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the gettypetemplate function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute...

7.5CVSS6.5AI score0.00565EPSS
Exploits0References7
EUVD
EUVD
added 4 days ago6 views

EUVD-2025-210450

The Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.26.12 via the happyformsgetformpartial function. This makes it possible for authenticat...

6.6CVSS6.5AI score0.00516EPSS
Exploits0References4
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42736

Cotonti Siena 0.9.26 and earlier contains a cross-site request forgery vulnerability that allows unauthenticated attackers to modify administrator configuration by tricking a logged-in administrator into submitting a forged POST request to the admin.php config update handler, which never invokes...

8.8CVSS6.1AI score0.00175EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 4 days ago9 views

PT-2026-57111

Name of the Vulnerable Software and Affected Versions Happyforms – Form Builder for WordPress versions prior to 1.26.13 Description The plugin is subject to Local File Inclusion, a condition where an application includes files from the local file system without proper validation. This occurs...

6.6CVSS6.4AI score0.00516EPSS
Exploits0References8
NVD
NVD
added 2026/07/06 8:16 a.m.9 views

CVE-2024-6228

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on t...

7.5CVSS0.00318EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 6:0 a.m.35 views

CVE-2026-11962 FileOrganizer < 1.2.0 - Authenticated Arbitrary File Upload via elFinder File Operations

The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and...

0.00435EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/06 6:0 a.m.9 views

CVE-2026-11962

The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and...

8.8CVSS6.3AI score0.00435EPSS
Exploits0References1
NVD
NVD
added 2026/07/02 8:17 p.m.8 views

CVE-2026-58467

Cockpit CMS through 2.14.0 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATHINFO derived from REQUESTURI in filesystem path construction without containment checks...

8.2CVSS0.00406EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 4:20 p.m.9 views

EUVD-2026-41070

Guardian language-system passes the id GET parameter directly into a PHP exec call in speechmac.php line 18 without sanitization: exec"php jobs/speechaudiomac.php ".$loginsession." ".$GET'id'." ...". No authentication is required. An unauthenticated remote attacker can append shell...

9.8CVSS6.1AI score0.00537EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 4:20 p.m.8 views

EUVD-2026-41069

Guardian language-system passes the id GET parameter directly into a PHP exec call in speechmactext.php line 18 without sanitization: exec"php jobs/speechaudiomactext.php ".$loginsession." ".$GET'id'." ...". No authentication is required. An unauthenticated remote attacker can append shell...

9.8CVSS6.1AI score0.00549EPSS
Exploits0References2
Packet Storm
Packet Storm
added 2026/06/29 12:0 a.m.187 views

📄 ICagenda 3.9.14 / 4.0.7 Shell Upload

iCagenda, a popular events and calendar component for Joomla, contains an unauthenticated file upload vulnerability that allows remote attackers to upload and execute arbitrary PHP code on Joomla 6 sites. Versions 3.2.1 through 3.9.14 and 4.0.0 through 4.0.7 are affected.:1 CVE-2026-48939 -...

10CVSS6.2AI score0.01505EPSS
Exploits4
NVD
NVD
added 2026/06/19 6:17 a.m.15 views

CVE-2026-7515

The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the docstyle parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code ...

9.8CVSS0.00886EPSS
Exploits2References3
Cvelist
Cvelist
added 2026/06/19 5:33 a.m.38 views

CVE-2026-7515 BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style

The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the docstyle parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code ...

9.8CVSS0.00886EPSS
Exploits2References3
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.27 views

PT-2026-51135

Name of the Vulnerable Software and Affected Versions SP Page Builder for Joomla versions 1.0.0 through 6.6.1 Description An issue in SP Page Builder for Joomla allows unauthenticated users to upload arbitrary files, leading to remote code execution via PHP. The flaw exists in the...

10CVSS7.6AI score0.01569EPSS
Exploits6References49
VulnCheck KEV
VulnCheck KEV
added 2026/06/12 12:0 a.m.20 views

VulnCheck KEV: CVE-2026-48907

A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution...

10CVSS5.3AI score0.80425EPSS
In wildExploits19References7
Vulnrichment
Vulnrichment
added 2026/06/09 11:48 a.m.18 views

CVE-2017-20251 WordPress Insert PHP Plugin 4.7.0 PHP Code Injection via REST API

WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint...

9.8CVSS6.1AI score0.00559EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/06/09 12:0 a.m.12 views

WordPress plugin Insert PHP 代码注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

9.8CVSS6AI score0.00559EPSS
Exploits1References1
NVD
NVD
added 2026/06/08 7:16 p.m.11 views

CVE-2026-52778

YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator CalcField.php of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passin...

9.8CVSS0.00561EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/06 12:31 a.m.14 views

EUVD-2026-34928

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the profile template scope function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files...

7.5CVSS6.3AI score0.02403EPSS
Exploits1References14
Rows per page
Query Builder