12 matches found

Cvelist
added 2026/04/20 6:31 p.m. | 29 views

CVE-2026-6248 wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Profile Field File Path

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store ...

CVSS 8.1 | EPSS 0.00593
Exploits: 0 | References: 5
Positive Technologies
added 2026/04/20 12:0 a.m. | 7 views

PT-2026-33825

Name of the Vulnerable Software and Affected Versions wpForo Forum versions prior to 3.0.6 Description The plugin is subject to arbitrary file deletion. This occurs because the Members::update method fails to validate or restrict values for file-type custom profile fields, enabling authenticated...

CVSS 8.1 | AI score 6.4 | EPSS 0.00593
Exploits: 0 | References: 8
EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2025-8865

Malicious code in bioql PyPI...

CVSS 2.7 | AI score 6.6 | EPSS 0.00238
Exploits: 0 | References: 1
CVE
added 2025/03/31 4:32 p.m. | 114 views

CVE-2025-30369

CVE-2025-30369 affects Zulip where the Delete Organizational Custom Profile Fields API lacked a proper org-bound check, allowing an administrator to delete custom profile fields belonging to a different organization. The root cause is insufficient permission verification in the handler. Impact is...

CVSS 2.7 | AI score 3.7 | EPSS 0.00238
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/03/31 4:32 p.m. | 23 views

CVE-2025-30369 Zulip allows the deletion of Custom profile fields by administrators of a different organization

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any...

CVSS 2.7 | AI score 6.7 | EPSS 0.00238
Exploits: 0 | References: 1
CNNVD
added 2025/03/31 12:0 a.m. | 2 views

Zulip server security vulnerability

Zulip server is an open source team chat application from Zulip, Inc. in the United States. A security vulnerability exists in versions of Zulip server prior to 10.1, which stems from insufficient permission checking in the Delete Organizational Custom Profile Fields API, which could result in an...

CVSS 2.7 | AI score 6.6 | EPSS 0.00238
Exploits: 0 | References: 2
CNNVD
added 2023/01/30 12:0 a.m. | 2 views

WordPress plugin Custom User Profile Fields for User Registration cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A cross-site scripting vulnerability exists in the...

CVSS 5.4 | AI score 5.5 | EPSS 0.00548
Exploits: 2 | References: 2
Packet Storm
added 2019/02/12 12:0 a.m. | 78 views

LayerBB 1.1.2 Cross Site Scripting

Exploit Title: LayerBB 1.1.2 - Cross-Site Scripting Date: 11/19/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://forum.layerbb.com/downloads.php?view=file&id=28 Version: 1.1.2 Tested on: Ubuntu 18.04 CVE: CVE-2019-7688 1. Description: LayerBB is a free open-source...

AI score 6.8
Exploits: 0
exploitpack
added 2019/02/12 12:0 a.m. | 24 views

LayerBB 1.1.2 - Cross-Site Scripting

LayerBB 1.1.2 - Cross-Site Scripting Exploit Title: LayerBB 1.1.2 - Cross-Site Scripting Date: 11/19/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://forum.layerbb.com/downloads.php?view=file&id=28 Version: 1.1.2 Tested on: Ubuntu 18.04 CVE: CVE-2019-7688 1...

AI score 6.3
Exploits: 0
0day.today
added 2019/02/12 12:0 a.m. | 25 views

LayerBB 1.1.2 - Cross-Site Scripting Vulnerability

Exploit for php platform in category web applications Exploit Title: LayerBB 1.1.2 - Cross-Site Scripting Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://forum.layerbb.com/downloads.php?view=file&id=28 Version: 1.1.2 Tested on: Ubuntu 18.04 CVE: CVE-2019-7688 1...

AI score 0.1
Exploits: 0
Exploit DB
added 2019/02/12 12:0 a.m. | 43 views

LayerBB 1.1.2 - Cross-Site Scripting

Exploit Title: LayerBB 1.1.2 - Cross-Site Scripting Date: 11/19/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://forum.layerbb.com/downloads.php?view=file&id=28 Version: 1.1.2 Tested on: Ubuntu 18.04 CVE: CVE-2019-7688 1. Description: LayerBB is a free open-source...

AI score 6.8
Exploits: 0
Veracode
added 2017/07/12 2:46 p.m. | 28 views

Cross-site Request Forgery (CSRF)

Moodle is vulnerable to cross-site request forgery (CSRF) attacks. The library does not check a user's session key before letting them execute actions on custom profile fields and categories. This can allow a malicious user without the proper permissions to edit the custom fields and categories...

CVSS 6.8 | AI score 6.2 | EPSS 0.01095
Exploits: 0 | References: 8 | Affected Software: 1