Lucene search

49 matches found

CVE
added 2026/05/29 12:34 p.m. | 13 views

CVE-2026-45551

Affected product: Group-Office (enterprise CRM/groupware). Vulnerability details: Before versions 26.0.25, 25.0.100, and 6.8.165, an authenticated user can persist arbitrary legacy settings for any user_id via index.php?r=core/saveSetting, and a client-side sink in the email module injects email_...

CVSS 5.1 | AI score 5.9 | EPSS 0.00048
Exploits: 0 | References: 1

Positive Technologies
added 2026/02/21 12:0 a.m. | 2 views

PT-2026-21355

Name of the Vulnerable Software and Affected Versions: Moodle (affected versions not specified). Description: A flaw exists in the TeX filter administrative settings due to inadequate input sanitization, potentially leading to command injection. This issue affects systems with the TeX filter enabled a...

CVSS 7.2 | AI score 5.9 | EPSS 0.00195
Exploits: 0 | References: 9

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2017-1630

Malware in sbrugna...

CVSS 9.8 | AI score 9.5 | EPSS 0.0601
Exploits: 1 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2021-15702

Malware in sbrugna...

CVSS 4.8 | AI score 5.2 | EPSS 0.00197
Exploits: 1 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 5 views

EUVD-2022-24881

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 5.1 | EPSS 0.00149
Exploits: 2 | References: 1

OSV
added 2025/10/03 2:15 p.m. | 7 views

CVE-2025-60447

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to...

CVSS 5.9 | AI score 6.1
Exploits: 0 | References: 1

Vulnrichment
added 2025/10/03 12:0 a.m. | 2 views

CVE-2025-60447

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in Emlog Pro 2.5.19. The vulnerability exists in the email template configuration component located at /admin/setting.php?action=mail, which allows administrators to input HTML code that is not properly sanitized, leading to...

AI score 5.7 | EPSS 0.00072
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/23 8:1 a.m. | 8 views

CVE-2024-6856

The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

CVSS 6.5 | AI score 6.7 | EPSS 0.00191
Exploits: 1 | References: 1

RedhatCVE
added 2025/05/22 11:31 p.m. | 11 views

CVE-2022-1627

The My Private Site WordPress plugin before 3.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

CVSS 4.3 | AI score 6.7 | EPSS 0.00103
Exploits: 2 | References: 1

RedhatCVE
added 2025/05/22 10:13 p.m. | 6 views

CVE-2022-1780

The LaTeX for WordPress plugin through 3.4.10 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack which could also lead to Stored Cross-Site Scripting due to the lack of sanitisation and escaping...

CVSS 5.4 | AI score 6.1 | EPSS 0.00084
Exploits: 2 | References: 1

RedhatCVE
added 2025/05/22 6:9 a.m. | 2 views

CVE-2017-1002013

Vulnerability in WordPress plugin image-gallery-with-slideshow v1.5.2: Blind SQL Injection via the imgid parameter in image-gallery-with-slideshow/adminsetting.php...

CVSS 9.8 | AI score 8 | EPSS 0.0601
Exploits: 1 | References: 1

CNNVD
added 2024/05/17 12:0 a.m. | 3 views

Emlog Pro Code Issue Vulnerability

Emlog is a PHP and MySQL based CMS website builder for emlog individual developers. A code issue vulnerability exists in Emlog Pro version 2.3.4, which stems from an unknown function in the file admin/setting.php that causes unrestricted uploads...

CVSS 8.8 | AI score 5.2 | EPSS 0.00115
Exploits: 1 | References: 5

OSV
added 2024/05/14 3:44 p.m. | 3 views

CVE-2024-4681

A vulnerability, which was classified as critical, was found in Campcodes Legal Case Management System 1.0. Affected is an unknown function of the file /admin/general-setting of the component Setting Handler. The manipulation of the argument favicon/logo leads to unrestricted upload. It is possib...

CVSS 7.2 | AI score 5.4 | EPSS 0.0013
Exploits: 1 | References: 4

Vulnrichment
added 2023/07/24 10:20 a.m. | 8 views

CVE-2023-3248 All-in-one Floating Contact Form < 2.1.2 - Admin+ Stored Cross-Site Scripting

The All-in-one Floating Contact Form WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for example in multisite...

AI score 4.7 | EPSS 0.00113
Exploits: 1 | References: 1

ATTACKERKB
added 2022/09/23 2:15 p.m. | 1 views

CVE-2022-3144

The Wordfence Security – Firewall & Malware Scan plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 7.6.0 via a setting on the options page due to insufficient escaping on the stored value. This makes it possible for authenticated users, with...

CVSS 4.8 | AI score 5.7 | EPSS 0.00384
Exploits: 0 | References: 5

Code423n4
added 2022/06/29 12:0 a.m. | 13 views

baseRatePerBlock not updated when a new base rate is set

Lines of code / Vulnerability details / Impact: When an admin sets a new baseRatePerYear in setBaseRatePerYear, the baseRatePerBlock is not updated. If the deltaBlocks has not passed yet, it will also not be updated when getSupplyRate is called, i.e. a stale value will be returned there. Recommended...

AI score 6.8
Exploits: 0

OSV
added 2022/06/13 2:15 p.m. | 2 views

CVE-2022-1749

The WPMK Ajax Finder WordPress plugin is vulnerable to Cross-Site Request Forgery via the createpluginatfadminsettingpage function found in the /inc/config/create-plugin-config.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and...

CVSS 8.8 | AI score 5.8 | EPSS 0.00193
Exploits: 1 | References: 3

Positive Technologies
added 2022/06/13 12:0 a.m. | 2 views

PT-2022-14083

Name of the Vulnerable Software and Affected Versions: WPMK Ajax Finder WordPress plugin versions up to and including 1.0.1. Description: The issue is related to Cross-Site Request Forgery, which occurs due to a missing nonce check in the createplugin atf admin setting page function found in the...

CVSS 8.8 | AI score 7.2 | EPSS 0.00193
Exploits: 1 | References: 8

GithubExploit
added 2022/05/08 3:20 p.m. | 4 views

Exploit for Code Injection in Mybb

CVE-2022-24734 PoC: An RCE can be obtained on MyBB's Admin CP...

CVSS 7.2 | AI score 7.2 | EPSS 0.82413
Exploits: 9

CNNVD
added 2022/03/31 12:0 a.m. | 2 views

Pixelimity Cross-Site Scripting Vulnerability

Pixelimity is an open source PHP-based CMS (Content Management System). A security vulnerability exists in Pixelimity 1.0 that originates from cross-site scripting via the site description field in pixelimity/admin/setting.php...

CVSS 4.8 | AI score 4.8 | EPSS 0.00235
Exploits: 1 | References: 2