24 matches found
WordPress Core 5.0.0 - Crop-image Shell Upload
WordPress through 5.0.3 allows Path Traversal in wp_crop_image. An attacker who has privileges to crop an image can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring. i...
SUSE CVE-2026-33019
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds...
CVE-2026-4979
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the processimagecrop...
CVE-2026-4979 UsersWP <= 1.2.58 - Authenticated (Subscriber+) Server-Side Request Forgery via 'uwp_crop' Parameter
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the processimagecrop...
EUVD-2026-21649
The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the processimagecrop...
EUVD-2015-9266
Malware in sbrugna...
Malicious code in cp-image-crop (npm)
The package cp-image-crop was found to contain malicious code...
MAL-2025-17645 Malicious code in cp-image-crop (npm)
The package cp-image-crop was found to contain malicious code...
CVE-2015-9426
The manual-image-crop plugin before 1.11 for WordPress has CSRF with resultant XSS via the wp-admin/admin-ajax.php?action=mic_editor_window postId parameter...
CVE-2023-22676 WordPress Advanced Custom Fields: Image Crop Add-on Plugin <= 1.4.12 is vulnerable to Broken Access Control
Missing Authorization vulnerability in Anders Thorborg. This issue affects Anders Thorborg: from n/a through 1.4.12...
augbuilder (>=0.0.2 <=0.0.3), hlm-texts (=0.1.2) +15 more potentially affected by CVE-2023-27494 via streamlit (>=0.63.1 <=0.80.0)
streamlit PYPI version =0.63.1, =0.0.2, =0.0.2, =0.0.1, =0.1.6, =0.32.0, =0.10.8, =2.4.30, =0.1.0, =0.0.0, =0.1.0, =0.2.0 - streamlit-prophet =1.0.0 and more Source cves: CVE-2023-27494 Source advisory: OSV:PYSEC-2023-50...
SUSE CVE-2013-7226
Integer overflow in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an imagecrop function call with a large x dimension value, leading to a heap-based buffer...
SUSE CVE-2013-7328
Multiple integer signedness errors in the gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 allow remote attackers to cause a denial of service (application crash) or obtain sensitive information via an imagecrop function call with a negative value for the (1) x or (2) y dimension, a...
SUSE CVE-2013-7327
The gdImageCrop function in ext/gd/gd.c in PHP 5.5.x before 5.5.9 does not check return values, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via invalid imagecrop arguments that lead to use of a NULL pointer as a return...
WordPress Advanced Custom Fields: Image Crop Add-on Plugin <= 1.4.12 is vulnerable to Broken Access Control
Software: Advanced Custom Fields: Image Crop Add-on; Type: Plugin; Vulnerable versions: = 1.4.12; Fixed in: N/A; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2023-22676; Patch priority: Low; CVSS severity: Low 3.1; Developer: Claim ownership; PSID: ae467650d1f0; Credits: Istv...
CVE-2019-8943
WordPress through 5.0.3 allows Path Traversal in wp_crop_image. An attacker who has privileges to crop an image can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring...