
11 matches found

RedhatCVE
added 2026/06/07 12:43 a.m. | 10 views

CVE-2026-10038

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar...

4.3 CVSS | 5.6 AI score | 0.00285 EPSS
Exploits 0 | References 1
CNNVD
added 2026/06/06 12:00 a.m. | 9 views

WordPress plugin Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

4.3 CVSS | 5.4 AI score | 0.00285 EPSS
Exploits 0 | References 13
ATTACKERKB
added 2026/06/05 11:28 p.m. | 7 views

CVE-2026-10038

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar...

4.3 CVSS | 5.6 AI score | 0.00285 EPSS
Exploits 0 | References 13
Positive Technologies
added 2026/06/05 12:00 a.m. | 13 views

PT-2026-47067

Name of the Vulnerable Software and Affected Versions: The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More versions prior to 1.8.11.2. Description: An Insecure Direct Object Reference and Authorization Bypass allows authenticated attackers with Subscriber-lev...

4.3 CVSS | 5.5 AI score | 0.00285 EPSS
Exploits 0 | References 15
Positive Technologies
added 2025/09/16 12:00 a.m. | 3 views

PT-2025-38005

Name of the Vulnerable Software and Affected Versions: code-projects Computer Laboratory System version 1.0 Description: The Computer Laboratory System contains a file upload issue. Staff members can upload malicious files, specifically PHP backdoor files, when modifying their avatar information...

7.3 CVSS | 6.7 AI score | 0.00312 EPSS
Exploits 1 | References 4
NVD
added 2025/08/21 12:15 p.m. | 3 views

CVE-2025-9296

A security vulnerability has been detected in Emlog Pro up to 2.5.18. This affects an unknown function of the file /admin/blogger.php?action=updateavatar. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been...

9.8 CVSS | 0.00373 EPSS
Exploits 1 | References 4
OSV
added 2024/01/22 8:15 p.m. | 3 views

CVE-2023-6384

The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatar...

4.3 CVSS | 7.4 AI score | 0.00405 EPSS
Exploits 2 | References 1
OSV
added 2021/10/18 2:15 p.m. | 3 views

CVE-2021-24675

The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the avatar on the page where the avatarupload shortcode is embedded. As a result, attackers could make a logged-in user change their avatar via a CSRF attack...

6.5 CVSS | 5.8 AI score | 0.00553 EPSS
Exploits 2 | References 1
WPVulnDB
added 2021/09/20 12:00 a.m. | 20 views

One User Avatar < 2.3.7 - Avatar Update via CSRF

The plugin does not check for CSRF when updating the avatar on the page where the avatarupload shortcode is embedded. As a result, attackers could make a logged-in user change their avatar via a CSRF attack. PoC: POST /one-user-avatar-avatar-upload/ HTTP/1.1 Accept:...

6.5 CVSS | 3 AI score | 0.00553 EPSS
Exploits 2 | Affected Software 1
Prion
added 2020/05/19 4:15 p.m. | 15 views

Unrestricted file upload

Because of Unrestricted Upload of a File with a Dangerous Type, Sourcefabric Newscoop 4.4.7 allows an authenticated user to execute arbitrary PHP code and sometimes terminal commands on a server by making an avatar update and then visiting the avatar file under the /images/ path...

4.6 CVSS | 7.8 AI score | 0.00652 EPSS
Exploits 1 | References 2 | Affected Software 1
seebug.org
added 2014/12/01 12:00 a.m. | 23 views

phpok SQL injection

Brief description: phpok 4.2.083, freshly downloaded. Details: 1. The safekey is fixed, which makes the encryption function reversible. 2. After encrypting with the fixed safekey, an attack request is sent; the encrypted content is decrypted in the code, bypassing the filter. In /install/index.php: $content = file_get_contents(ROOT."config.php"); // find and replace $content = preg_replace'/$config"db"\"file"\s=\s'|"a-zA-Z0-9-\'|";/isU','$config"db""file" = "'.$dbconfig'file'.'";',$content;...

7.1 AI score
Exploits 0