Lucene search
K

107 matches found

nvd
nvd
added 2022/08/15 11:21 a.m.24 views

CVE-2022-2381

The E Unlocked - Student Result WordPress plugin through 1.0.4 is lacking CSRF and validation when uploading the School logo, which could allow attackers to make a logged in admin upload arbitrary files, such as PHP via a CSRF attack...

8.8CVSS0.00443EPSS
Exploits2References1
osv
osv
added 2022/07/04 1:15 p.m.6 views

CVE-2022-2268

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE...

7.2CVSS5.9AI score0.01374EPSS
Exploits2References1
attackerkb
attackerkb
added 2022/07/04 1:15 p.m.3 views

CVE-2022-2268

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE...

7.2CVSS7.1AI score0.01374EPSS
Exploits2References2
osv
osv
added 2022/05/30 9:15 a.m.11 views

CVE-2022-1009

The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin ...

6.1CVSS5.8AI score0.00757EPSS
Exploits2References1
attackerkb
attackerkb
added 2022/05/30 9:15 a.m.6 views

CVE-2022-1009

The Smush WordPress plugin before 3.9.9 does not sanitise and escape a configuration parameter before outputting it back in an admin page when uploading a malicious preset configuration, leading to a Reflected Cross-Site Scripting. For the attack to be successful, an attacker would need an admin ...

6.1CVSS6.2AI score0.00757EPSS
Exploits2References2
osv
osv
added 2022/05/16 3:15 p.m.5 views

CVE-2021-25119

The AGIL WordPress plugin through 1.0 accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE...

7.2CVSS5.9AI score0.01467EPSS
Exploits1References1
wpvulndb
wpvulndb
added 2022/04/21 12:0 a.m.16 views

Rara One Click Demo Import < 1.3.0 - Arbitrary File Upload via CSRF

The plugin does not have CSRF check when uploading files, which could allow attackers to make a logged in admin upload arbitrary files via a CSRF attack...

8.8CVSS5AI score0.00569EPSS
Exploits0Affected Software1
cnnvd
cnnvd
added 2022/04/10 12:0 a.m.4 views

newbee-mall 代码问题漏洞

newbee-mall is an e-commerce system. newbee-mall v1.0.0 has a security vulnerability that can be exploited by attackers to upload arbitrary files via the upload function of /admin/goods/edit...

9.8CVSS5.8AI score0.01088EPSS
Exploits1References2
nvd
nvd
added 2022/03/28 6:15 p.m.27 views

CVE-2022-0499

The Sermon Browser WordPress plugin through 0.45.22 does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones...

8.8CVSS0.00618EPSS
Exploits2References1
cnvd
cnvd
added 2022/03/15 12:0 a.m.22 views

Microweber remote code execution vulnerability

Microweber is an online store management system from the Microweber community in the United States that provides drag-and-drop functionality. The system includes modules for adding products, images, etc. A remote code execution vulnerability exists in versions of microweber prior to 1.2.12, which...

7.2CVSS5.7AI score0.0207EPSS
Exploits1References1
osv
osv
added 2022/03/10 5:46 p.m.5 views

CVE-2022-24652

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload...

9.8CVSS7.8AI score0.02486EPSS
Exploits1References1
prion
prion
added 2022/03/10 5:46 p.m.19 views

Privilege escalation

sentcms 4.0.x allows remote attackers to cause arbitrary file uploads through an unauthorized file upload interface, resulting in php code execution in /admin/upload/upload...

7.5CVSS9.6AI score0.02486EPSS
Exploits1References1Affected Software1
cnnvd
cnnvd
added 2022/03/10 12:0 a.m.6 views

Tensent SentCMS 代码问题漏洞

Tensent SentCMS is a simple and easy-to-use website management system from Tensent, China. A security vulnerability exists in Tensent SentCMS version 4.0.x. The vulnerability stems from a lack of validation of uploaded files in the file upload interface of the /admin/upload/upload php code in the...

9.8CVSS8.4AI score0.02486EPSS
Exploits1References2
osv
osv
added 2021/11/08 9:15 p.m.4 views

CVE-2020-23572

BEESCMS v4.0 was discovered to contain an arbitrary file upload vulnerability via the component /admin/upload.php. This vulnerability allows attackers to execute arbitrary code via a crafted image file...

8.8CVSS6AI score0.01302EPSS
Exploits1References1
cnnvd
cnnvd
added 2021/11/08 12:0 a.m.6 views

BEESCMS 代码问题漏洞

BEESCMS is a template program completely separated, using PHP MYSQL technology development, with powerful SEO features, simple operation of the self-service building system. BEESCMS version 4.0 /admin/upload.php in the arbitrary file upload vulnerability. The vulnerability can be exploited by...

8.8CVSS6.2AI score0.01302EPSS
Exploits1References2
cnnvd
cnnvd
added 2021/09/13 12:0 a.m.6 views

KiteCMS 代码问题漏洞

KiteCMS is a content management system based on think php. An arbitrary file upload vulnerability exists in /admin/upload/uploadfile in KiteCMS version 1.1. An attacker can exploit the vulnerability getshell via a specially crafted PHP file...

7.8CVSS5.8AI score0.00879EPSS
Exploits1References2
osv
osv
added 2021/08/20 2:15 p.m.3 views

CVE-2020-18886

Unrestricted File Upload in PHPMyWind v5.6 allows remote attackers to execute arbitrary code via the component 'admin/uploadfiledo.php'...

7.2CVSS7.3AI score0.01803EPSS
Exploits1References1
prion
prion
added 2021/06/23 1:15 p.m.15 views

Remote code execution

Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar filess...

6.5CVSS7.2AI score0.07548EPSS
Exploits3References1Affected Software1
cnnvd
cnnvd
added 2021/06/23 12:0 a.m.5 views

GetSimpleCMS 跨站脚本漏洞

GetSimple CMS is an XML-based, completely self-contained, streamlined content management system. A cross-site scripting vulnerability exists in admin/upload.php in GetSimple CMS version 3.3.16. The vulnerability can be exploited to conduct cross-site scripting attacks by adding comments to the...

4.8CVSS5.1AI score0.00506EPSS
Exploits0References1
cnnvd
cnnvd
added 2021/05/06 12:0 a.m.4 views

WordPress 代码问题漏洞

WordPress is a set of blogging platforms developed using the PHP language by the WordPress Wordpress Foundation. The platform supports setting up personal blog sites on servers with PHP and MySQL. A security vulnerability exists in the WordPress plugin Event Banner version 1.3 and prior versions...

7.2CVSS7.2AI score0.01678EPSS
Exploits2References2
Rows per page
Query Builder