CVE-2009-20006 osCommerce <= 2.2 Admin File Manager Arbitrary PHP Code Execution

osCommerce versions up to and including 2.2 RC2a contain a vulnerability in its administrative file manager utility admin/filemanager.php. The interface allows file uploads and edits without sufficient input validation or access control. An unauthenticated attacker can craft a POST request to...

CVE-2025-10269

CVE-2025-10269 concerns the Spirit Framework WordPress plugin (

CVE-2025-8417

The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token e.g. ?key= 900001705 without proper authentication, combined with the unsafe use of eval on...

CVE-2025-9874 Ultimate Classified Listings <= 1.6 - Authenticated (Contributor+) Local File Inclusion

The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwpdashboard' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary...

CVE-2025-8417 Catalog Importer, Scraper & Crawler <= 5.1.4 - Unauthenticated PHP Code Injection

The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token e.g. ?key= 900001705 without proper authentication, combined with the unsafe use of eval on...

CVE-2025-10246

A weakness has been identified in lokibhardwaj PHP-Code-For-Unlimited-File-Upload up to 124fe96324915490c81eaf7db3234b0b4e4bab3c. This affects an unknown part of the file /f.php. This manipulation of the argument h causes cross site scripting. Remote exploitation of the attack is possible. The...

PT-2025-37113

Name of the Vulnerable Software and Affected Versions: lokibhardwaj PHP-Code-For-Unlimited-File-Upload versions up to 124fe96324915490c81eaf7db3234b0b4e4bab3c Description: A weakness exists in the file /f.php within the software. Manipulation of the argument h can lead to cross-site scripting...

PT-2025-37159

Name of the Vulnerable Software and Affected Versions: The Ultimate Classified Listings plugin for WordPress versions up to and including 1.6 Description: The Ultimate Classified Listings plugin for WordPress is susceptible to Local File Inclusion via the uclwp dashboard shortcode. Authenticated...

Linux Distros Unpatched Vulnerability : CVE-2015-8832

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Multiple incomplete blacklist vulnerabilities in inc/core/class.dc.core.php in Dotclear before 2.8.2 allow remote authenticated users with manage their own medi...

Linux Distros Unpatched Vulnerability : CVE-2020-18185

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrary PHP code by modify the configuration file in a linux environment. CVE-2020-18185 Note th...

Linux Distros Unpatched Vulnerability : CVE-2023-4197

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper input validation in Dolibarr ERP CRM = v18.0.1 fails to strip certain PHP code from user- supplied input when creating a Website, allowing an attacker ...

CVE-2025-9990 WordPress Helpdesk Integration <= 5.8.10 - Unauthenticated Local File Inclusion

The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portaltype parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the...

CVE-2025-52353

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload,...

CVE-2012-10062

A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits...

Linux Distros Unpatched Vulnerability : CVE-2016-7980

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Cross-site request forgery CSRF vulnerability in ecrire/exec/validerxml.php in SPIP 3.1.2 and earlier allows remote attackers to hijack the authentication of...

VulnCheck KEV: CVE-2024-9193

The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpressdomainsearchajaxextendedresults function. This makes it possible for unauthenticated attackers to include and execute...

CVE-2025-50567

Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare function, which uses pregreplace with the deprecated /e eval modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code...

CVE-2024-8393 Woocommerce Blocks – Woolook <= 1.7.0 - Authenticated (Admin+) Local File Inclusion

The Woocommerce Blocks – Woolook plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.0 via the via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary...

CVE-2025-7650

The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.53 via the 'bizcalv' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the...

PT-2025-33460 · WordPress · Bizcalendar Web

Name of the Vulnerable Software and Affected Versions: BizCalendar Web plugin for WordPress versions prior to 1.1.0.51 Description: The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion via the bizcalv shortcode. Authenticated attackers with Contributor-level access and...