1986 matches found
CVE-2013-3629
ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution...
CVE-2013-3591
vTiger CRM 5.3 and 5.4: 'files' Upload Folder Arbitrary PHP Code Execution Vulnerability...
CVE-2013-3591
Summary of CVE-2013-3591 : The vulnerability affects vTiger CRM versions 5.3 and 5.4, where the attacker can abuse the vulnerable vTiger “files” upload folder to upload a PHP script and achieve arbitrary PHP code execution. Multiple connected sources document an authenticated remote-code-executio...
CVE-2013-2009
The CVE-2013-2009 entry concerns WordPress WP Super Cache Plugin 1.2, which is vulnerable to remote PHP code execution via unsanitized input (e.g., malicious blog comments). The root cause is cited as an incomplete fix for CVE-2013-2009. Impact is remote code execution on the web server as the web-serve...
CVE-2019-20385
The CSV upload feature in /supervisor/procesacarga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/ content type. The PHP code can then be executed by visiting a /supervisor/csv/ URI...
AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution
Prior to version 3.3.2, this plugin allowed arbitrary PHP code execution through the loginerror function. This exploit is out in the wild now and actively being exploited. PoC curl -Ls http://www.example.com/login/?loginerror=%3C?%20$a%20=%20getcwd;%20echo%20$a;%20?%3E...
AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution
Prior to version 3.3.2, this plugin allowed arbitrary PHP code execution through the loginerror function. This exploit is out in the wild now and actively being exploited. curl -Ls http://www.example.com/login/?loginerror=%3C?%20$a%20=%20getcwd;%20echo%20$a;%20?%3E...
CVE-2019-20183
CVE-2019-20183 affects the Simple Employee Records System 1.0. The vulnerability is an arbitrary file upload flaw in uploadimage.php caused by client-side validation of file extensions, allowing an attacker to upload executable PHP code by bypassing validation (e.g., via modifying global.js). Thi...
CVE-2019-20183
uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is only on the client side. The attacker can modify global.js to allow the .php extension...
CVE-2013-2011
WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for CVE-2013-2009...
CVE-2011-1028
The $smarty.template variable in Smarty3 allows attackers to possibly execute arbitrary PHP code via the sysplugins/smarty_internal_compile_private_special_variable.php file...
File upload vulnerability in the backend of shopxo e-commerce system
ShopXO is an open source, enterprise-level e-commerce system. The ShopXO backend has a file upload vulnerability; an attacker can exploit it to execute arbitrary PHP code...
CVE-2015-9499
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive...
Code injection
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive...
CVE-2015-9499
CVE-2015-9499 affects the WordPress ShowBiz Pro plugin (≤ 1.7.1). The connected template details an authenticated arbitrary file upload to the WordPress admin endpoint (admin-ajax.php) that can upload a PHP file (e.g., inside a ZIP) and lead to remote code execution. Impact described: full server...
WBCE CMS File Rename Filter Bypass Vulnerability
WBCE CMS is an open source content management system (CMS) based on PHP and MySQL. A security vulnerability exists in the admin/media/rename.php file in WBCE CMS 1.4.0 and earlier versions. An attacker can exploit the vulnerability to rename media file names and extensions to execute arbitrary PHP...
CVE-2019-17370
OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheckFile_deal.php blocks "into outfile" in a SELECT statement, but does not block the "into/**/outfile" manipulation. Therefore, the attacker can create a .php file...
SugarCRM Contacts Module SQL Injection Vulnerability
SugarCRM is a set of open source customer relationship management software. A SQL injection vulnerability exists in the Contacts module of SugarCRM. The vulnerability stems from a lack of input validation. An attacker can exploit this vulnerability to inject custom PHP code...
CVE-2019-16722
ZZZCMS zzzphp v1.7.2 has an insufficient protection mechanism against PHP Code Execution, because passthru bypasses a str_ireplace operation...