20394 matches found
CVE-2024-6228
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on t...
CVE-2024-6228
This CVE concerns the WordPress plugin Notifications for Forms & WordPress Actions (WANotifier) prior to version 2.6. The root cause is inadequate validation of a user-supplied value that is used to build a server-side file inclusion path. This allows authenticated users with subscriber-level acc...
WordPress Popup Builder < 4.0.7 - Remote Code Execution
Popup Builder WordPress plugin before 4.0.7 contains a local file inclusion caused by unsanitized 'sgpbtype' parameter in require statement, letting attackers include arbitrary local files or execute code via wrappers like PHAR, exploit requires attacker to control 'sgpbtype' parameter. id:...
Lokomedia CMS - Local File Inclusion
A Local File Inclusion LFI vulnerability exists in Lokomedia CMS. The application allows an attacker to include files on the server that should not be accessible, potentially exposing sensitive information. id: CVE-2010-2018 info: name: Lokomedia CMS - Local File Inclusion author: r3Y3r53 severit...
Oliver 5 Library Server <8.00.008.053 - Local File Inclusion
Oliver 5 Library Server versions prior to 8.00.008.053 are vulnerable to local file inclusion via the FileServlet function. id: CVE-2021-45027 info: name: Oliver 5 Library Server 8.00.008.053 - Local File Inclusion author: gy741 severity: high description: Oliver 5 Library Server versions prior t...
Moodle Jmol Filter 6.1 - Local File Inclusion
Moodle Jmol Filter 6.1 is vulnerable to local file inclusion through the jsmol.php file, allowing attackers to read arbitrary files on the server. id: CVE-2025-34031 info: name: Moodle Jmol Filter 6.1 - Local File Inclusion author: madrobot severity: high description: | Moodle Jmol Filter 6.1 is...
NAKIVO Backup and Replication Solution - Unauthenticated Arbitrary File Read
NAKIVO Backup & Replication is a data protection solution used for backing up and restoring virtualized and physical environments. A vulnerability has been identified in certain versions of NAKIVO Backup & Replication that allows an unauthenticated attacker to read arbitrary files on the underlyi...
WHMpress <= 6.3-revision-0 - Unauthenticated Local File Inclusion to Arbitrary Options Update
The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpressdomainsearchajaxextendedresults function. This makes it possible for unauthenticated attackers to include and execute...
WordPress Grow by Tradedoubler Plugin < 2.0.22 - Unauthenticated Local File Inclusion
The Grow by Tradedoubler WordPress plugin through version 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files. id: CVE-2024-6460 info:...
HUSKY – Products Filter Professional for WooCommerce <= 1.3.6.5 - Unauthenticated Local File Inclusion
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the wooftextsearch AJAX action. This makes it possible for unauthenticated attackers to include and...
Solara <1.35.1 - Local File Inclusion
A Local File Inclusion LFI vulnerability was identified in widgetti/solara, in version 1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. ...
Cross RSS 1.7 - Local File Inclusion
Absolute path traversal vulnerability in Cross-RSS wp-cross-rss plugin 1.7 for WordPress allows remote attackers to read arbitrary files via a full pathname in the rss parameter to proxy.php. id: CVE-2014-4941 info: name: Cross RSS 1.7 - Local File Inclusion author: DhiyaneshDK severity: medium...
Devika - Local File Inclusion
A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshotpath' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with...
Mlflow < 2.17.0 - Local File Inclusion
Mlflow before 2.17.0 is susceptible to local file inclusion due to path traversal in GitHub repository mlflow/mlflow. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. id: CVE-2024-8859...
MasterSAM Star Gate v11 - Local File Inclusion
MasterSAM Star Gate v11 is vulnerable to a directory traversal attack via the endpoint /adama/adama/downloadService. An attacker can exploit this vulnerability by manipulating the file parameter to access arbitrary files on the server, potentially leading to the exposure of sensitive information...
System Dashboard < 2.8.15 - Admin+ Path Traversal
The System Dashboard WordPress plugin before 2.8.15 does not validate user input used in a path, which could allow high privilege users such as admin to perform path traversal attacks an read arbitrary files on the server id: CVE-2024-10708 info: name: System Dashboard 2.8.15 - Admin+ Path...
Mockoon < 9.2.0 - Path Traversal
Mockoon before 9.2.0 contains a path traversal and local file inclusion caused by unsafe templating of server filenames from user input, letting attackers read arbitrary files on the mock server filesystem, exploit requires crafted request. id: CVE-2025-59049 info: name: Mockoon 9.2.0 - Path...
Karel IP Phone IP1211 Web Management Panel - Local File Inclusion
Karel IP Phone IP1211 Web Management Panel is vulnerable to local file inclusion and can allow remote attackers to access arbitrary files stored on the remote device via the 'cgiServer.exx' endpoint and the 'page' parameter. id: CVE-2025-34023 info: name: Karel IP Phone IP1211 Web Management Pane...
Images to WebP < 1.9 - Authenticated Local File Inclusion
The Images to WebP WordPress plugin before version 1.9 did not validate or sanitize the tab parameter before using it in the include function. id: CVE-2021-24644 info: name: Images to WebP 1.9 - Authenticated Local File Inclusion author: Sourabh-Sahu severity: high description: | The Images to We...
Vite server.fs.deny Bypass - Local File Inclusion
Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with sec-fetch-dest- script header, the server.fs.deny restriction was able to bypass. This bypass is only possible if the file is smaller than...