CVE-2024-12859 BoomBox Theme Extensions <= 1.8.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode

The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boomboxlisting' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and...

CVE-2025-0493

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the...

CVE-2025-0493

The CVE-2025-0493 entry concerns the WordPress plugin MultiVendorX (The Ultimate WooCommerce Multivendor Marketplace Solution) with a Limited Local File Inclusion (LFI) vulnerability via the tabname parameter. Affected versions are all up to and including 4.2.14, and exploitation is possible with...

CVE-2025-0493 MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.14 - Unauthenticated Limited Local File Inclusion

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the...

PT-2025-3923 · Unknown · Multivendorx

Name of the Vulnerable Software and Affected Versions: MultiVendorX plugin versions up to 4.2.14 Description: The issue allows unauthenticated attackers to include PHP files on the server via the tabname parameter, enabling the execution of any PHP code in those files. This can be used to bypass...

CVE-2025-0682

The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trxscreviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute...

CVE-2025-0682

The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trxscreviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute...

CVE-2025-0682 ThemeREX Addons <= 2.33.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode

The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trxscreviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute...

WordPress plugin ThemeREX Addons 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

CVE-2024-13545 Bootstrap Ultimate <= 1.4.9 - Unauthenticated Limited Local File Inclusion

The Bootstrap Ultimate theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.9 via the path parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This...

PT-2025-2162 · WordPress · Post Grid

Name of the Vulnerable Software and Affected Versions: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress versions up to, and including, 1.6.10 Description: The issue allows authenticated attackers, with Contributor-level access and...

CVE-2024-13593

CVE-2024-13593 affects the WordPress plugin “BMLT Meeting Map” (versions ≤ 2.6.0). The vulnerability is a Local File Inclusion via the short code “bmlt_meeting_map.” It permits authenticated users with Contributor-level access or higher to include and execute arbitrary PHP files on the server, en...

Exploit for PHP Remote File Inclusion in Ays-Pro Chartify

CVE-2024-10571 Chartify – WordPress Chart Plugin = 2.9.5 - Un...

CVE-2024-13297 Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063

Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.This issue affects Eloqua: from 7.X- before 7.X-1.15...

CVE-2024-13297

CVE-2024-13297 describes a deserialization of untrusted data vulnerability in the Drupal Eloqua integration/module, allowing PHP object injection that could lead to arbitrary code execution. Affected: Eloqua versions 7.X-* before 7.X-1.15 (via the Eloqua Drupal module). The issue is surfaced in t...

CVE-2024-13297 Eloqua - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-063

Deserialization of Untrusted Data vulnerability in Drupal Eloqua allows Object Injection.This issue affects Eloqua: from 7.X- before 7.X-1.15...

CVE-2024-13296 Mailjet - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-062

Deserialization of Untrusted Data vulnerability in Drupal Mailjet allows Object Injection.This issue affects Mailjet: from 0.0.0 before 4.0.1...

CVE-2024-13296

CVE-2024-13296 describes a Deserialization of Untrusted Data vulnerability in the Drupal Mailjet module, enabling Object Injection. Affected versions are Mailjet 0.0.0 up to (but not including) 4.0.1. The root cause is insecure deserialization within the Mailjet Drupal module, potentially allowin...

CVE-2024-13295 Node export - Moderately critical - Arbitrary PHP code execution - SA-CONTRIB-2024-061

Deserialization of Untrusted Data vulnerability in Drupal Node export allows Object Injection.This issue affects Node export: from 7.X- before 7.X-3.3...

CVE-2024-13294 POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Drupal POST File allows Cross-Site Scripting XSS.This issue affects POST File: from 0.0.0 before 1.0.2...