14154 matches found
CVE-2026-13430
The WordPress plugin Post Export Import with Media (versions up to 1.13.1) is vulnerable to Arbitrary File Upload. The root cause is insufficient file extension validation during ZIP import: the extension allow-list check in ajax_import_media_start() uses pathinfo() on the raw ZIP entry name, so ...
CVE-2026-14894
The CVE concerns the WordPress plugin Super Forms – Drag & Drop Form Builder. All versions up to 6.3.313 are vulnerable to Arbitrary File Upload via the submit_form function due to missing file type validation and absence of any capability check on the submit_form nopriv AJAX handler; the only ba...
CVE-2026-14894 Super Forms <= 6.3.313 - Unauthenticated Arbitrary File Upload via 'data' Parameter (datauristring / value)
The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submitform function. This is due to missing file type validation and the absence of any capability check on the submitform nopriv AJAX...
WordPress Post Export Import with Media plugin <= 1.13.1 - Authenticated (Administrator+) Arbitrary File Upload vulnerability
Authenticated Administrator+ Arbitrary File Upload vulnerability discovered by ? in WordPress Plugin Post Export Import with Media versions = 1.13.1...
WordPress WoowBot Pro Max plugin <= 14.1.7 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Jamaal ahmed in WordPress Plugin WoowBot Pro Max versions = 14.1.7...
WordPress Aimogen Pro plugin <= 2.8.3 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Aimogen Pro versions = 2.8.3...
CVE-2026-56291
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE...
CVE-2026-15158
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...
CVE-2026-56291 Joomla Extension - balbooa.com - Unauthenticated file upload in Balbooa Forms extension < 2.4.1
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE...
EUVD-2026-42573
The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE...
CVE-2026-56291
The CVE-2026-56291 entry concerns the Joomla extension Balbooa Forms, where an unauthenticated arbitrary file upload vulnerability allows uploading executable files and leads to full RCE. Affected version is Balbooa Forms
EUVD-2026-42549
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...
CVE-2026-15158 Blocksy Companion <= 2.1.46 - Unauthenticated Arbitrary File Upload via 'blc-review-images[]' Parameter
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...
CVE-2026-15158
The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the saveattachments function. This is due to the Custom Fonts extension registering a wpcheckfiletypeandext filter that approves any filename containing .woff2 or .tt...
CVE-2026-15158
Blocksy Companion
PT-2026-56962
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in CodexThemes TheGem Theme Elements for Elementor thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements for Elementor: from n/a through...
PT-2026-56777
Name of the Vulnerable Software and Affected Versions Balbooa Forms versions prior to 2.4.1 Description The Joomla extension Balbooa Forms, installed as the com baforms component, contains a flaw in its frontend attachment upload functionality. This issue allows an unauthenticated anonymous visit...
PT-2026-56939
Missing Authorization vulnerability in vowelweb VW Wedding vw-wedding allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects VW Wedding: from n/a through = 1.3.7...
PT-2026-56936
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Milan Petrovic GD Rating System gd-rating-system allows Blind SQL Injection.This issue affects GD Rating System: from n/a through = 3.7...
PT-2026-56942
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Plugin Envision Envision Page Builder envision-page-builder allows DOM-Based XSS.This issue affects Envision Page Builder: from n/a through = 0.22...