Sql injection
A vulnerability was found in Most Popular Posts Widget Plugin up to 0.8 on WordPress. It has been classified as critical. Affected is the function addviews/showviews of the file functions.php. The manipulation leads to SQL injection. It is possible to launch the attack remotely. Upgrading to...
GHSA-CFH4-7WQ9-6PGG WPGraphQL Plugin vulnerable to Server Side Request Forgery (SSRF)
Impact: Users with capabilities to upload media (editors and above) are susceptible to SSRF (Server-Side Request Forgery) when executing the createMediaItem mutation. Authenticated users making GraphQL requests that execute createMediaItem could pass executable paths in the mutation's filePath...
CVE-2020-36723
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Sensitive Data Exposure in versions before 2.6.1 via the /listingpro-plugin/functions.php file. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, full names, email...
CVE-2009-10004
CVE-2009-10004: A cross-site scripting vulnerability affects Turante Sandbox Theme up to version 1.5.2, specifically the sandbox_body_class function in functions.php. The vulnerability arises from manipulation of the page argument, enabling a remote attacker to initiate an attack. Upgrade to ver...
CVE-2009-10004 Turante Sandbox Theme functions.php sandbox_body_class cross site scripting
A vulnerability was found in Turante Sandbox Theme up to 1.5.2. It has been classified as problematic. This affects the function sandbox_body_class of the file functions.php. The manipulation of the argument page leads to cross site scripting. It is possible to initiate the attack remotely. Upgradi...
Sql injection
A vulnerability was found in HD FLV Player Plugin up to 1.7 on WordPress. It has been rated as critical. Affected by this issue is the function hdaddmedia/hdupdatemedia of the file functions.php. The manipulation of the argument name leads to SQL injection. The attack may be launched remotely...
CVE-2022-25498
CuppaCMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the saveConfigData function in /classes/ajax/Functions.php...
CVE-2022-24221
eliteCMS v1.0 was discovered to contain a SQL injection vulnerability via /admin/functions/functions.php...
Cross-site Scripting (XSS)
buddyboss-bundler is vulnerable to cross-site scripting. The vulnerability exists due to a lack of input validation in the bpregisteractivegrouptypes function in the bp-groups-functions.php file, allowing an attacker to inject a maliciously crafted script into the system...
CVE-2021-39314 WooCommerce EnvioPack <= 1.2 Reflected Cross-Site Scripting
The WooCommerce EnvioPack WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the dataid parameter found in the /includes/functions.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.2...
Cross-site Scripting (XSS)
zoneminder is vulnerable to Cross Site Scripting. The vulnerability exists due to a lack of validation in the function sortHeader in functions.php, which insecurely returns the value of the limit query string parameter without applying any filtering...
CVE-2020-18890
Remote Code Execution (RCE) vulnerability in puppyCMS v5.1 due to insecure permissions, which could let a remote malicious user get a shell via /admin/functions.php...
Sql injection
An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to exploit the usernameavailable function of the includes/functions.php file which is called by login.php...
CVE-2019-17230
The CVE-2019-17230 vulnerability affects WordPress users of the OneTone theme up to version 3.0.6, where the file includes/theme-functions.php allows unauthenticated changes to theme options. This can enable unauthenticated attackers to modify site options (e.g., content or behavior) and is class...
Code injection
A vulnerability exists in Status2K 2.5 Server Monitoring Software via the multies parameter to includes/functions.php, which could let a malicious user execute arbitrary PHP code...
Backup and Staging by WP Time Capsule < 1.21.16 - Authentication Bypass
It is possible to log in as an administrator on the site due to logical mistakes in the code. The issue resides in wptc-cron-functions.php at line 12, where it parses the request. This parserequest function calls the function decodeserverrequestwptc, which checks if the raw POST payload contains a certa...