CVE-2025-8357

The CVE-2025-8357 entry concerns the WordPress plugin Media Library Assistant. It describes a vulnerability in versions up to 3.27 where insufficient file path validation and inadequate user-capability checks in the _process_mla_download_file function allow authenticated users with Author-level a...

WordPress plugin Media Library Assistant 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

CVE-2025-7641

The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated...

CVE-2025-7778

The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the deletefiles function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to to delete arbitrary...

CVE-2025-7641

The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated...

CVE-2025-7778 Icons Factory <= 1.6.12 - Missing Authorization to Unauthenticated Arbitrary File Deletion via delete_files() Function

The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the deletefiles function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to to delete arbitrary...

CVE-2025-7641 Assistant for NextGEN Gallery <= 1.0.9 - Unauthenticated Arbitrary Directory Deletion

The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated...

PT-2025-33463 · WordPress · Icons Factory

Name of the Vulnerable Software and Affected Versions: Icons Factory plugin for WordPress versions up to and including 1.6.12 Description: The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the dele...

WordPress plugin Icons Factory 授权问题漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. An authorization issue...

WordPress plugin Assistant for NextGEN Gallery 路径遍历漏洞

The WordPress Assistant for NextGEN Gallery plugin is a WordPress plugin that focuses on migrating the image uploading, processing and album management features of NextGEN Gallery from a website/browser to a desktop application running on a more powerful desktop system. The WordPress Assistant fo...

PT-2025-33459 · Unknown +1 · Nextgen Gallery +1

Name of the Vulnerable Software and Affected Versions: Assistant for NextGEN Gallery plugin for WordPress versions up to and including 1.0.9 Description: The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation i...

Delta Electronics DIAView Directory Traversal Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DIAView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 80 by default. The issue results fr...

Delta Electronics DIAView Directory Traversal Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Delta Electronics DIAView. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 80 by default. The issue...

CVE-2025-5391

The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deletefile function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVE-2025-5391

CVE-2025-5391 affects the WooCommerce Purchase Orders plugin for WordPress (versions ≤ 1.0.2). The vulnerability arises from insufficient file path validation in the delete_file() function, allowing authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the se...

CVE-2025-5391 WooCommerce Purchase Orders <= 1.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion

The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deletefile function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVE-2025-5391 WooCommerce Purchase Orders <= 1.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion

The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deletefile function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above...

Delta Electronics DIAView Catalog Traversal Vulnerability

Delta Electronics DIAView is an industrial configuration software from Delta Electronics China. A directory traversal vulnerability exists in Delta Electronics DIAView, which stems from a lack of validity checking of paths used by the program to process directory requests, and can be exploited by...

WordPress NinjaScanner plugin file path validation deficiency vulnerability

WordPress NinjaScanner plugin is a lightweight, fast and powerful virus scanning plugin designed for WordPress to detect malware and viruses in websites. WordPress NinjaScanner plugin suffers from an insufficient file path validation vulnerability that can be exploited by an attacker to cause...

CVE-2025-54794

Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of or ability t...