WordPress plugin BuddyPress Xprofile Custom Fields Type Path Traversal Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
CVE-2025-67081
An SQL injection vulnerability in Itflow through 25.06 has been identified in the "roleid" parameter when editing a profile. An attacker with admin account can exploit this issue via blind SQL injection, allowing for the extraction of arbitrary data from the database. The vulnerability arises fro...
CVE-2025-67875 ChurchCRM has stored XSS via Person Property Assignment Leading to Admin Session Hijacking
ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions "Edit Records" and "Manage Properties and Classifications" can inject a persistent Cross-Site Scripting...
CVE-2025-66474 XWiki vulnerable to remote code execution through insufficient protection against {{/html}} injection
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which...
CVE-2025-13180
A vulnerability was found in Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System up to 20250320. Impacted is an unknown function of the file /editprofile. Performing manipulation of the argument firstname/lastname results in basic cross site scripting. It is possible to...
ELOG multiple vulnerabilities
RISK EVALUATION ELOG the Electronic Logbook package contains multiple vulnerabilities. Regardless of configuration, low-privileged attackers can modify user profiles, escalate privileges, and deny access to ELOG. If the execute facility is specifically enabled with the "-x" command line flag,...
CVE-2025-34253
D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain a stored cross-site scripting (XSS) vulnerability due to improper sanitization of the 'Network' field when editing the configuration, creating a profile, and adding a network. An authenticated attacker can inject arbitrary JavaScript to be...
CVE-2025-34253 D-Link Nuclias Connect <= v1.3.1.4 Stored Cross-Site Scripting (XSS)
D-Link Nuclias Connect firmware versions <= 1.3.1.4 contain a stored cross-site scripting (XSS) vulnerability due to improper sanitization of the 'Network' field when editing the configuration, creating a profile, and adding a network. An authenticated attacker can inject arbitrary JavaScript to be...
PT-2025-13393 · Unknown · Hay-Kot Mealie
Name of the Vulnerable Software and Affected Versions: hay-kot mealie version 2.2.0 Description: A Broken Object Level Authorization vulnerability in the component "/api/users/user-id" of hay-kot mealie allows users to edit their own profile in order to give themselves more permissions or to chan...
XWiki Platform Injection Vulnerability
XWiki Platform is a suite of Wiki platforms for creating web collaboration applications from the XWiki Foundation in France. An injection vulnerability exists in XWiki Platform versions 9.6-rc-1 through 14.10.6 and 15.0-rc-1 through 15.2-rc-1, which stems from the fact that any user who can edit...
XWiki Platform Injection Vulnerability
XWiki Platform is a suite of wiki platforms for creating web collaboration applications from XWiki France. An injection vulnerability exists in XWiki Platform, which arises from the ability of a user without scripting or programming privileges to edit a user profile or any other document and add...
CVE-2022-23057
In ERPNext, versions v12.0.9--v13.0.3 are vulnerable to Stored Cross-Site Scripting (XSS), due to user input not being validated properly. A low privileged attacker could inject arbitrary code into input fields when editing his profile...
PT-2021-23328 · Archibus · Archibus Web Central
Name of the Vulnerable Software and Affected Versions: ARCHIBUS Web Central version 21.3.3.815 Description: The issue arises from the software's failure to properly validate requests for access to data and functionality in several affected endpoints: "/archibus/schema/ab-edit-users.axvw",...
PT-2021-20589
Name of the Vulnerable Software and Affected Versions: ProfilePress WordPress plugin versions 3.0.0 through 3.1.3 Description: A vulnerability in the user profile update component found in the /src/Classes/EditUserProfile.php file made it possible for users to escalate their privileges to that of...