2444 matches found
SUSE CVE-2015-2308
Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element...
WordPress 'Eval PHP' Plugin Abandoned
The WordPress plugin SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:flashpixx:evalphp"; ifdescription...
Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites
Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users...
xwiki-platform-web-templates vulnerable to Eval Injection
Impact Any user with edit rights on a page, e.g., its own user page, can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in imported.vm, importinline.vm, and...
GHSA-HG5X-3W3X-7G96 xwiki-platform-web-templates vulnerable to Eval Injection
Impact Any user with edit rights on a page, e.g., its own user page, can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in imported.vm, importinline.vm, and...
CVE-2023-29509 org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping o...
CVE-2023-29214 org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the...
CVE-2023-29211 org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on WikiManager.DeleteWiki can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the wiki...
CVE-2023-29209 org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki...
FreeBSD : py39-joblib -- arbitrary code execution (845f8430-d0ee-4134-ae35-480a3e139b8a)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 845f8430-d0ee-4134-ae35-480a3e139b8a advisory. - The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the...
GHSA-F4V8-58F6-MWJ4 org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
Impact Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the documentTree macro parameters in This macro is installed by default in...
GHSA-QX9H-C5V6-GHQH org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability
Impact Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. Precondition: As an admin, add the Panels.IncludedDocuments...
GHSA-C5F4-P5WV-2475 xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability
Impact Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. A proof of concept exploit is to edit a document and ad...
xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability
Impact Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. A proof of concept exploit is to edit a document and ad...
GHSA-W7V9-FC49-4QG4 org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability
Impact Any user with view rights on WikiManager.DeleteWiki can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the wikiId url parameter. A proof of concept exploit is to open...
org.xwiki.platform:xwiki-platform-notifications-ui Eval Injection vulnerability
Impact Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro...