CVE-2021-40678
In Piwigo 11.5.0, there exists a persistent cross-site scripting in the single mode function through /admin.php?page=batchmanager=unit...
CVE-2020-14485
OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to bypass client-side access controls or use a crafted request to initiate a session with limited functionality, which may allow execution of admin functions such as SQL queries...
CVE-2020-18660
GetSimpleCMS =3.3.15 has an open redirect in admin/changedata.php via the redirect function to the url parameter...
CVE-2025-3553 phpshe admin.php pe_delete sql injection
A vulnerability was found in phpshe 1.8. It has been declared as critical. This vulnerability affects the function pedelete of the file /admin.php?mod=brand&act=del. The manipulation of the argument brandid leads to SQL injection. The attack can be initiated remotely. The exploit has been disclos...
CVE-2025-23058
A vulnerability in the ClearPass Policy Manager web-based management interface allows a low-privileged read-only authenticated remote attacker to gain unauthorized access to data and the ability to execute functions that should be restricted to administrators only with read/write privileges...
PT-2025-1606 · WordPress · Wp User Profile Avatar
Name of the Vulnerable Software and Affected Versions: WP User Profile Avatar plugin for WordPress versions up to, and including, 1.0.5 Description: The issue is due to missing or incorrect nonce validation on the wpupa user admin function, making it possible for unauthenticated attackers to upda...
CVE-2024-34191
htmly v2.9.6 was discovered to contain an arbitrary file deletion vulnerability via the deletepost function at admin.php. This vulnerability allows attackers to delete arbitrary files via a crafted request...
Meinberg LANTIME Information Disclosure (CVE-2018-10836)
Other logged-in users were visible to info users and admin users through the 'logged in users' function...
CVE-2024-2962
CVE-2024-2962 affects the Networker - Tech News WordPress Theme with Dark Mode. The vulnerability arises from a missing capability check in the admin_reload_nav_menu() function, affecting all versions up to and including 1.1.9. This allows unauthenticated attackers to modify the location of displ...
CVE-2023-49543
Incorrect access control in Book Store Management System v1 allows attackers to access unauthorized pages and execute administrative functions without authenticating...
CVE-2024-25316
Code-projects Hotel Managment System 1.0 allows SQL Injection via the 'eid' parameter in Hotel/admin/usersettingdel.php?eid=2...
Cross site request forgery (csrf)
The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.1. This is due to missing or incorrect nonce validation on the adminaddorderitem function. This makes it possible for unauthenticated attackers to add an order item via a...
PT-2023-10016 · WordPress · Exit Box Lite Plugin
Name of the Vulnerable Software and Affected Versions: Exit Box Lite Plugin versions up to 1.06 Description: A problematic vulnerability was found in the Exit Box Lite Plugin, affecting the exitboxadmin function of the wordpress-exit-box-lite.php file. This vulnerability leads to cross-site reque...
Image Optimizer by 10web < 1.0.27 - Admin+ Path Traversal
The plugin does not sanitize the dir parameter when handling the getsubdirs ajax action, allowing high-privileged users such as admins to inspect the names of files and directories outside of the site's root. PoC - Payload: ../../../../../../../../../../../../../../../../../../../ - At the "Other...
CVE-2023-1854
A vulnerability, which was classified as problematic, was found in SourceCodester Online Graduate Tracer System 1.0. Affected is an unknown function of the file admin/. The manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit has been disclosed to th...
CVE-2022-39308 GoCD API authentication of user access tokens subject to timing attack during comparison
GoCD is a continuous delivery server. GoCD helps you automate and streamline the build-test-release cycle for continuous delivery of your product. GoCD versions from 19.2.0 to 19.10.0 inclusive are subject to a timing attack in validation of access tokens due to use of regular string comparison f...
Improper Privilege Management in com.xuxueli:xxl-job
XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions, resulting in the ability to execute admin functions with a low-privilege account...
GHSA-7QQ9-9G2W-56F9 Improper Privilege Management in com.xuxueli:xxl-job
XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions, resulting in the ability to execute admin functions with a low-privilege account...
CVE-2022-36157
XXL-JOB all versions as of 11 July 2022 are vulnerable to Insecure Permissions, resulting in the ability to execute admin functions with a low-privilege account...