11 matches found
EUVD-2026-42009
The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values...
CVE-2026-48230
Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdbimport.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the multiple POST parameters mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix,...
CVE-2026-44418 Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm
EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL queries via strreplace without any sanitization, enabling SQL injection through query parameters th...
📄 Pachno 1.0.6 Cross Site Scripting
Pachno version 1.0.6 suffers from persistent cross site scripting vulnerabilities. Pachno 1.0.6 Stored Cross-Site Scripting Vendor: Daniel André Eikeland Product web page: https://github.com/pachno/pachno Affected version: 1.0.6 Summary: Pachno is an open-source collaboration platform formerly...
CVE-2013-20006 Qool CMS Multiple Persistent Cross-Site Scripting Vulnerabilities
Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email',...
CVE-2020-37137
PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'addpanelform' function that allows attackers to execute arbitrary code through an eval function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panelcontent POST parameters to the...
CVE-2020-37137
PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the 'addpanelform' function that allows attackers to execute arbitrary code through an eval function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panelcontent POST parameters to the...
📄 Blesta 5.13.1 Admin Interface PHP Object Injection
Blesta versions 3.0.0 through 5.13.1 suffer from an administrative interface PHP object injection vulnerability. The vulnerabilities exist because user input passed through the vars and orderinfo POST parameters when dispatching the /app/controllers/adminclients.php script, and through the...
CVE-2021-25101
The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin...
CVE-2021-24294
The dsgvoaiowritelog AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some POST parameter submitted before outputting them in the Log page in the administrator dashboard wp-admin/admin.php?page=dsgvoaiofree-show-log. This could allow unauthenticate...
Jason Maloney's Guestbook 3.0 - Remote Command Execution
// source: https://www.securityfocus.com/bid/9139/info A vulnerability has been reported in Jason Maloney's Guestbook that could result in remote command execution with the privileges of the web server. The problem occurs due to the application failing to sanitize sensitive script variables after...