CVE-2025-6459 Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for...

CVE-2025-6459

The CVE-2025-6459 entry maps to WordPress Ads Pro Plugin (Multi-Purpose WordPress Advertising Manager) with a Cross-Site Request Forgery flaw in the bsaCreateAdTemplate function across all versions up to 4.89. The root cause is missing or incorrect nonce validation, enabling unauthenticated attac...

PT-2025-27595 · WordPress · The Ads Pro Plugin

Name of the Vulnerable Software and Affected Versions: The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin versions up to, and including, 4.89 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the bsaCreateAdTemplat...

Exploit for Code Injection in Ispconfig

---- CVE-2023-46818...

Exploit for Code Injection in Ispconfig

CVE-2023-46818 ISPConfig - PHP Code Injection PoC Exploit Ba...

CVE-2024-44724

AutoCMS v5.4 was discovered to contain a PHP code injection vulnerability via the txtsiteurl parameter at /admin/siteadd.php. This vulnerability allows attackers to execute arbitrary PHP code via injecting a crafted value...

CVE-2024-55494

A PHP Code Injection vulnerability that can lead to Remote Code Execution RCE and XSS in Opencode Mobile Collect Call v5.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the opfunc parameter at /occontrolpanel/index.php...

CVE-2023-46815

An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. An attacker with...

CVE-2023-46818

An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if adminallowlangedit is enabled...

CVE-2022-35944

October is a self-hosted Content Management System CMS platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin pan...

CVE-2022-45291

PWS Personal Weather Station Dashboard PWSDashboard LTS December 2020 2012lts allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWSprintfile.php, PWSframetext.php, PWSlistfile.php, PWSwinter.php, and PWSeasyweathersetup.php endpoints. A contributing factor ...

CVE-2021-32924

Invision Community aka IPS Community Suite before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\builder::previewBlock method interacts unsafely with the IPS\Theme::runProcessFunction method...

CVE-2021-26753

NeDi 1.9C allows an authenticated user to inject PHP code in the System Files function on the endpoint /System-Files.php via the txt HTTP POST parameter. This allows an attacker to obtain access to the operating system where NeDi is installed and to all application data...

CVE-2020-8518

Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution...

CVE-2020-5593

Zenphoto versions prior to 1.5.7 allows an attacker to conduct PHP code injection attacks by leading a user to upload a specially crafted .zip file...

CVE-2020-26124

openmediavault before 4.1.36 and 5.x before 5.5.12 allows authenticated PHP code injection attacks, via the sortfield POST parameter of rpc.php, because jsonencodesafe is not used in config/databasebackend.inc. Successful exploitation allows arbitrary command execution on the underlying operating...

CVE-2013-3651

LOCKON EC-CUBE 2.11.2 through 2.12.4 allows remote attackers to conduct unspecified PHP code-injection attacks via a crafted string, related to data/class/SCCheckError.php and data/class/SCFormParam.php...

CVE-2019-19208

Codiad Web IDE through 2.8.4 allows PHP Code injection...

CVE-2019-17310

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user...

CVE-2019-17300

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user...