24 matches found
EUVD-2026-26495
A weakness has been identified in MacCMS Pro up to 2022.1.3. This vulnerability affects the function install of the file /admi.php/admin/addon/add.html of the component Plugin Installation Handler. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote...
PT-2025-41677
Name of the Vulnerable Software and Affected Versions: GSheetConnector For Gravity Forms plugin for WordPress versions prior to 1.3.28 Description: The GSheetConnector For Gravity Forms plugin for WordPress is susceptible to an authorization bypass. This occurs because of a missing capability check...
EUVD-2021-0486
Malware in sbrugna...
CVE-2025-8481 Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid <= 1.1.7 - Cross-Site Request Forgery
The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfeinstallactivaterswpbsonly function. This makes it possible for unauthenticated...
CVE-2025-8102
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the eddsendwpdisconnect and eddsendwpremoteinstall functions. This makes it possible for unauthenticated attackers t...
CVE-2025-8592 Inspiro <= 2.1.2 - Cross-Site Request Forgery to Arbitrary Plugin Installation
The Inspiro theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing or incorrect nonce validation on the inspiroinstallplugin function. This makes it possible for unauthenticated attackers to install plugins from the...
PT-2025-5756 · Vxe-Table · Vxe-Table
Name of the Vulnerable Software and Affected Versions: vxe-table version 4.8.10 Description: A prototype pollution in the lib.install function allows attackers to cause a Denial of Service DoS via supplying a crafted payload. Recommendations: For vxe-table version 4.8.10, consider disabling the...
WordPress plugin Spexo Addons for Elementor Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
PT-2025-1950 · Aurum · Aurum
Name of the Vulnerable Software and Affected Versions: Aurum - WordPress & WooCommerce Shopping Theme versions prior to 4.0.3 Description: The issue concerns a missing capability check in the lab 1cl demo install package content function, allowing authenticated attackers with Subscriber-level...
CVE-2024-48336
The install function of ProviderInstaller.java in Magisk App before canary version 27007 does not verify the GMS app before loading it, which allows a local untrusted app with no additional privileges to silently execute arbitrary code in the Magisk app and escalate privileges to root via a craft...
PT-2024-10839 · Discuzx · Discuzx
Name of the Vulnerable Software and Affected Versions: DiscuzX versions up to 3.4-20200818 Description: A problematic issue was found in the function show next step of the file upload/install/include/install function.php. The manipulation of the argument uchidden leads to cross-site scripting. It...
WordPress Plugin Database Reset Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on servers running PHP and MySQL. WordPress plugin is an application...
PT-2024-18096 · WordPress · Wp Database Reset
Name of the Vulnerable Software and Affected Versions: Database Reset plugin for WordPress versions up to, and including, 3.22 Description: The issue is due to missing or incorrect nonce validation on the install wpr function, making it possible for unauthenticated attackers to install the WP Res...
Command injection in buns
There is a command injection vulnerability in all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function installrequestedModule...
Buns Command Injection Vulnerability
Buns is a JavaScript-based tool, maintained by an individual developer, for executing shell commands with cached output. All versions of Buns suffer from a command injection vulnerability in lib/index.js, in the exported function installrequestedModule at line 678...
Command Injection
Overview: Affected versions of this package are vulnerable to Command Injection. The injection point is located at line 678 of lib/index.js, in the exported function installrequestedModule. PoC: var root = require("buns"); var name = "& touch JHU"; root.install(name); Remediation: There is no...
openSIS Remote Code Execution Vulnerability (CNVD-2020-50534)
openSIS is a free, open source student information system/school management software. A remote code execution vulnerability exists in the install function in openSIS 7.4. An attacker can exploit this vulnerability by sending an HTTP request to inject PHP code into the Data.php file via the userna...
Command Injection
Overview: All versions of npm-programmatic are vulnerable to Command Injection. The package fails to sanitize input and passes it directly to an exec call in the install, uninstall and list functions. This may allow attackers to execute arbitrary code on the system if the package name passe...