1978 matches found

Prion
added 2018/12/20 12:29 a.m. · 19 views

Code injection

Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code via the ftemp parameter in an enews=EditMemberForm action because this code is injected into a memberform.$fid.php file...

7.5 CVSS · 9.7 AI score · 0.00994 EPSS
Exploits: 1 · References: 1 · Affected Software: 1
NVD
added 2018/12/14 10:29 p.m. · 13 views

CVE-2018-20156

The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated "site administrator" users to execute arbitrary PHP code throughout a multisite network...

7.2 CVSS · 7.2 AI score · 0.01631 EPSS
Exploits: 0 · References: 1
Cvelist
added 2018/12/14 10:0 p.m. · 16 views

CVE-2018-20156

The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated "site administrator" users to execute arbitrary PHP code throughout a multisite network...

7.2 AI score · 0.01631 EPSS
Exploits: 0 · References: 1
NVD
added 2018/12/13 8:29 a.m. · 17 views

CVE-2018-20129

An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/selectimagespost.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the...

8.8 CVSS · 9 AI score · 0.69561 EPSS
Exploits: 1 · References: 1
Cvelist
added 2018/12/13 8:0 a.m. · 21 views

CVE-2018-20129

An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/selectimagespost.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the...

9 AI score · 0.69561 EPSS
Exploits: 1 · References: 1
Prion
added 2018/11/29 6:29 p.m. · 16 views

Design/Logic Flaw

An issue was discovered in tp5cms through 2017-05-25. admin.php/upload/picture.html allows remote attackers to execute arbitrary PHP code by uploading a .php file with the image/jpeg content type...

7.5 CVSS · 9.7 AI score · 0.00842 EPSS
Exploits: 1 · References: 1 · Affected Software: 1
OSV
added 2018/11/26 7:29 a.m. · 1 views

CVE-2018-19550

Interspire Email Marketer through 6.1.6 allows arbitrary file upload via a surveyssubmit.php "create survey and submit survey" operation, which can cause a .php file to be accessible under an admin/temp/surveys/ URI...

8.8 CVSS · 5.8 AI score
Exploits: 0 · References: 2
Positive Technologies
added 2018/11/22 12:0 a.m. · 2 views

PT-2018-14968 · Z Blogphp · Z-Blogphp

Name of the Vulnerable Software and Affected Versions: Z-BlogPHP versions prior to 1.5.1
Description: The issue allows remote attackers to execute arbitrary PHP code by uploading an image with the image/jpeg content type to the "zb system/admin/index.php?act=UploadMng" API endpoint. This requires...

8.8 CVSS · 9.1 AI score · 0.01115 EPSS
Exploits: 0 · References: 3
NVD
added 2018/11/21 9:29 p.m. · 16 views

CVE-2018-19422

/panel/uploads in Subrion CMS 4.2.1 allows remote attackers to execute arbitrary PHP code via a .pht or .phar file, because the .htaccess file omits these...

7.2 CVSS · 7.3 AI score · 0.83882 EPSS
Exploits: 10 · References: 3
ripstech
added 2018/11/20 8:0 a.m. · 104 views

phpBB 3.2.3: Phar Deserialization to RCE

Impact phpBB is one of the oldest and most popular board software. If an attacker aims to take over a board running phpBB3, he will usually attempt to gain access to the admin control panel by means of bruteforcing, phishing or XSS vulnerabilities in plugins that the target site has installed. Bu...

7.3 AI score
Exploits: 0
Prion
added 2018/11/11 5:29 p.m. · 18 views

Code injection

statics/app/index/controller/Install.php in YUNUCMS 1.1.5 if install.lock is not present allows remote attackers to execute arbitrary PHP code by placing this code in the index.php?s=index/install/setup2 DBPREFIX field, which is written to database.php...

7.5 CVSS · 9.7 AI score · 0.0074 EPSS
Exploits: 1 · References: 1 · Affected Software: 1
Prion
added 2018/11/07 5:29 a.m. · 12 views

Code injection

PbootCMS 1.2.2 allows remote attackers to execute arbitrary PHP code by specifying a .php filename in a "SET GLOBAL generallogfile" statement, followed by a SELECT statement containing this PHP code...

6.5 CVSS · 7.4 AI score · 0.00883 EPSS
Exploits: 1 · References: 1 · Affected Software: 1
CNVD
added 2018/11/07 12:0 a.m. · 2 views

PbootCMS Arbitrary PHP Code Execution Vulnerability

PbootCMS is a new core open source enterprise building system developed by Avantech. An arbitrary PHP code execution vulnerability exists in PbootCMS 1.2.2. A remote attacker can exploit this vulnerability by specifying a .php file name in the "SET GLOBAL generallogfile" statement and a subsequen...

7.2 CVSS · 7.7 AI score · 0.00883 EPSS
Exploits: 1 · References: 1
OSV
added 2018/11/05 9:29 a.m. · 14 views

CVE-2018-18934

An issue was discovered in PopojiCMS v2.0.1. admincomponent.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code that is extracted and can be executed. This can also be exploited via CSRF...

9.8 CVSS · 7.2 AI score
Exploits: 0 · References: 2
Prion
added 2018/11/05 9:29 a.m. · 14 views

Cross site request forgery (csrf)

An issue was discovered in PopojiCMS v2.0.1. admincomponent.php is exploitable via the po-admin/route.php?mod=component&act=addnew URI by using the fupload parameter to upload a ZIP file containing arbitrary PHP code that is extracted and can be executed. This can also be exploited via CSRF...

7.5 CVSS · 9.5 AI score · 0.00122 EPSS
Exploits: 1 · References: 2 · Affected Software: 1
OSV
added 2018/11/01 1:29 a.m. · 25 views

CVE-2018-18892

MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the sitename field in mcconf.php...

9.8 CVSS · 7.4 AI score
Exploits: 0 · References: 2
Prion
added 2018/10/30 6:29 a.m. · 12 views

Code injection

uploadtemplate in system/changeskin.php in DocCms 2016.5.12 allows remote attackers to execute arbitrary PHP code via a template file...

7.5 CVSS · 9.6 AI score · 0.00944 EPSS
Exploits: 1 · References: 1 · Affected Software: 1
Prion
added 2018/10/30 6:29 a.m. · 9 views

Cross site request forgery (csrf)

CSRF exists in zbusers/plugin/AppCentre/theme.js.php in Z-BlogPHP 1.5.2.1935 Zero, which allows remote attackers to execute arbitrary PHP code...

6.8 CVSS · 9 AI score · 0.00209 EPSS
Exploits: 1 · References: 2 · Affected Software: 1
Cvelist
added 2018/10/30 6:0 a.m. · 23 views

CVE-2018-18835

uploadtemplate in system/changeskin.php in DocCms 2016.5.12 allows remote attackers to execute arbitrary PHP code via a template file...

9.7 AI score · 0.00944 EPSS
Exploits: 1 · References: 1
CNVD
added 2018/10/29 12:0 a.m. · 1 views

Code Execution Vulnerability in X6CMS_V2.2

X6CMS (full name: Xiaoliu Website Content Management System) is a marketing website management platform with a PHP+MYSQL architecture. A code execution vulnerability exists in X6CMSV2.2. An attacker can write arbitrary PHP code to gain server privileges...

7.8 AI score
Exploits: 0