
18 matches found

CVE
added 2026/05/27 5:31 a.m. · 9 views

CVE-2026-8939

The CVE-2026-8939 entry concerns the WordPress plugin Search Simple Fields (

4.3 CVSS · 5.7 AI score · 0.00013 EPSS
Exploits 0 · References 3
Positive Technologies
added 2026/05/27 12:0 a.m. · 5 views

PT-2026-43535

The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search simple fields options function in functions admin.php. This makes it possible for unauthenticated...

4.3 CVSS · 5.7 AI score · 0.00013 EPSS
Exploits 0 · References 4
NVD
added 2025/12/15 9:15 p.m. · 3 views

CVE-2023-53869

WEBIGniter 28.7.23 contains a file upload vulnerability that allows authenticated attackers to upload and execute dangerous PHP files through the media function. Attackers can leverage any created account to upload malicious PHP scripts that enable remote code execution on the application server...

8.7 CVSS · 0.00218 EPSS
Exploits 0 · References 3
Cvelist
added 2025/12/15 8:28 p.m. · 14 views

CVE-2023-53869 WEBIGniter 28.7.23 Unrestricted File Upload Remote Code Execution

WEBIGniter 28.7.23 contains a file upload vulnerability that allows authenticated attackers to upload and execute dangerous PHP files through the media function. Attackers can leverage any created account to upload malicious PHP scripts that enable remote code execution on the application server...

8.7 CVSS · 0.00218 EPSS
Exploits 0 · References 3
CVE
added 2025/12/15 8:28 p.m. · 6 views

CVE-2023-53869

WEBIGniter 28.7.23 contains an authenticated file upload vulnerability in the media function that enables remote code execution by uploading PHP scripts. Multiple sources (NVD entry, Red Hat CVE page, ENISA EUVD, CVE-list, CNA metadata and PT-2025-51287) confirm that any valid account can leverag...

8.7 CVSS · 8 AI score · 0.00218 EPSS
Exploits 0 · References 3
Vulnrichment
added 2025/12/15 8:28 p.m. · 1 views

CVE-2023-53869 WEBIGniter 28.7.23 Unrestricted File Upload Remote Code Execution

WEBIGniter 28.7.23 contains a file upload vulnerability that allows authenticated attackers to upload and execute dangerous PHP files through the media function. Attackers can leverage any created account to upload malicious PHP scripts that enable remote code execution on the application server...

8.7 CVSS · 8 AI score · 0.00218 EPSS
Exploits 0 · References 3
Positive Technologies
added 2025/12/15 12:0 a.m. · 2 views

PT-2025-51287

Name of the Vulnerable Software and Affected Versions: WEBIGniter version 28.7.23 Description: The software contains a file upload issue that permits authenticated attackers to upload and execute malicious PHP files via the media function. An attacker with any valid account can upload PHP scripts,...

8.7 CVSS · 8.1 AI score · 0.00218 EPSS
Exploits 0 · References 6
RedhatCVE
added 2025/11/06 7:54 a.m. · 6 views

CVE-2025-12674

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the createmedia function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...

9.8 CVSS · 7.6 AI score · 0.00715 EPSS
Exploits 2 · References 1
Vulnrichment
added 2025/11/05 7:27 a.m. · 2 views

CVE-2025-12674 KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the createmedia function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...

9.8 CVSS · 7.2 AI score · 0.00715 EPSS
Exploits 2 · References 2
RedhatCVE
added 2025/05/23 9:46 a.m. · 13 views

CVE-2024-25802

SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content...

9.8 CVSS · 6.5 AI score · 0.00107 EPSS
Exploits 0 · References 1
OSV
added 2025/02/18 11:15 a.m. · 0 views

CVE-2024-13691

The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncoderecordMedia' function in all versions up to, and including, 2.9.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary...

6.5 CVSS · 7.4 AI score
Exploits 0 · References 2
Positive Technologies
added 2024/12/11 12:0 a.m. · 2 views

PT-2024-35705 · Habitica · Habitica

Name of the Vulnerable Software and Affected Versions: Habitica versions prior to 5.28.5 Description: Habitica is an open-source habit-building program. The issue concerns reflected cross-site scripting vulnerabilities in the login and social media functions within RegisterLoginReset.vue, caused ...

6.2 CVSS · 6.7 AI score · 0.00127 EPSS
Exploits 1 · References 5
Positive Technologies
added 2024/08/20 12:0 a.m. · 4 views

PT-2024-11506 · WordPress · Adrotate Banner Manager

Name of the Vulnerable Software and Affected Versions: The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress versions up to, and including, 5.13.2 Description: The issue is related to arbitrary file uploads due to missing file extension sanitization in the adrotate...

7.2 CVSS · 7.7 AI score · 0.07782 EPSS
Exploits 0 · References 6
NVD
added 2024/02/22 6:15 p.m. · 6 views

CVE-2024-25802

SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content...

9.8 CVSS · 6.4 AI score · 0.00107 EPSS
Exploits 0 · References 1
Prion
added 2024/02/22 6:15 p.m. · 7 views

Unrestricted file upload

SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content...

7.4 AI score · 0.00107 EPSS
Exploits 0 · References 1
Cvelist
added 2024/02/22 12:0 a.m. · 9 views

CVE-2024-25802

SKINsoft S-Museum 7.02.3 allows Unrestricted File Upload via the Add Media function. Unlike in CVE-2024-25801, the attack payload is the file content...

6.8 AI score · 0.00107 EPSS
Exploits 0 · References 1
CVE
added 2024/02/22 12:0 a.m. · 8064 views

CVE-2024-25801

SKINsoft S-Museum 7.02.3 is affected by CVE-2024-25801: an XSS vulnerability where the attack payload is delivered in the filename of an uploaded file (not its content). Product: SKINsoft S-Museum; Vulnerable component: filename handling during upload via Add Media. Impact: stored/reflected XSS ...

6.1 CVSS · 5.6 AI score · 0.00092 EPSS
Exploits 0 · References 1 · Affected Software 1
CNNVD
added 2023/07/25 12:0 a.m. · 1 views

Pandoc security vulnerability

Pandoc is a Haskell library for converting from one markup format to another, as well as command line tools that use the library. A security vulnerability exists in Pandoc versions prior to 3.1.6, which stems from an arbitrary file write vulnerability in the extract-media function...

6.3 CVSS · 6 AI score · 0.00049 EPSS
Exploits 0 · References 5