562 matches found
Account Takeover
prestashop/pscheckout is vulnerable to Account takeover. The vulnerability is due to missing validation in the Express Checkout feature, which allows an attacker to silently authenticate using a victim’s email address and take over the account...
CVE-2025-13094 WP3D Model Import Viewer <= 1.0.7 - Authenticated (Contributor+) Arbitrary File Upload
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handleimportfile function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to...
CVE-2025-12968
The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42. This is due to the uploadfile function in the infilityimportfile class only validating the MIME type which can ...
PT-2025-51076
The Lucky Draw Contests plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2. This is due to missing or incorrect nonce validation in misc-settings.php. This makes it possible for unauthenticated attackers to update plugin settings via a forge...
PT-2025-51062
Name of the Vulnerable Software and Affected Versions WP3D Model Import Viewer plugin for WordPress versions through 1.0.7 Description The WP3D Model Import Viewer plugin for WordPress is susceptible to arbitrary file uploads. This is due to a lack of file type validation within the handle import...
WordPress plugin WooMulti 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...
WordPress plugin Simple Theme Changer 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site request...
Ibexa User Bundle 安全漏洞
Ibexa User Bundle is an open source content management system from Ibexa. A security vulnerability exists in Ibexa User Bundle versions 5.0.0-beta1 through 5.0.3, which stems from a lack of password validation that could cause a logged-in user to change their password without having to know the o...
Unverified Password Change
Overview Affected versions of this package are vulnerable to Unverified Password Change via the password change process in the back office. An attacker can gain unauthorized access to change account credentials by exploiting the lack of previous password validation during the password change...
CVE-2025-56704
LeptonCMS version 7.3.0 contains an arbitrary file upload vulnerability, which is caused by the lack of proper validation for uploaded files. An authenticated attacker can exploit this vulnerability by uploading a specially crafted ZIP/PHP file to execute arbitrary code...
EUVD-2025-201544
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolveimportdirectory function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload...
CVE-2025-12966 All-in-One Video Gallery 4.5.4 - 4.5.7 – Authenticated (Author+) Arbitrary File Upload via Import ZIP
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolveimportdirectory function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload...
EUVD-2025-201530
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the updateqrcode function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site...
CVE-2025-12154
The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload...
EUVD-2025-201365
The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload...
CVE-2025-12153
CVE-2025-12153 affects the WordPress plugin Featured Image via URL, vulnerable in all versions up to and including 0.1. An authenticated attacker with Contributor-level access or higher can upload arbitrary files to the target site, with remote code execution potential. Wordfence lists the patch ...
CVE-2025-12153 Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary FIle Upload
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on...
PT-2025-49203
Name of the Vulnerable Software and Affected Versions Auto Thumbnailer WordPress plugin versions prior to 1.0. Description The Auto Thumbnailer plugin for WordPress is susceptible to arbitrary file uploads because of a lack of file type validation within the uploadThumb function. This allows...
CVE-2025-13646
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajaxunzipfile' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files...
CVE-2025-13646
The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ajaxunzipfile' function in versions 2.13.1 to 2.13.2. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files...