Craft CMS stores user-provided content session files

RISK EVALUATION Craft CMS stores user-provided content in session files. A remote, unauthenticated attacker can introduce arbitrary content, including PHP code, into session files with known names and locations. If an attacker can access these files, possibly through another vulnerability such...

Exploit for Code Injection in Ispconfig

CVE-2023-46818 ISPConfig - PHP Code Injection PoC Exploit Ba...

PT-2025-23087 · Sourcecodester · Sourcecodester Web-Based Pharmacy Product Management System

Name of the Vulnerable Software and Affected Versions: Sourcecodester Web-based Pharmacy Product Management System version 1.0 Sourcecodester Web-based Pharmacy Product Management System version 0.0.1 Description: The issue allows an attacker to upload a PHP file disguised as an image by modifyin...

CVE-2025-48828

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "vardump""test" syntax, attackers can bypass security checks and execute...

CVE-2025-48828

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "vardump""test" syntax, attackers can bypass security checks and execute...

CVE-2025-48828

vBulletin versions 5.0.0 through 6.0.3 contain a Remote Code Execution (RCE) flaw in the ajax/api/ad/replaceAdTemplate endpoint caused by improper use of PHP’s Reflection API. An unauthenticated attacker can inject a crafted template (eg, using vb:if with code via passthru($POST[...])) and trigge...

CVE-2024-6459

The News Element Elementor Blog Magazine WordPress plugin before 1.0.6 is vulnerable to Local File Inclusion via the template parameter. This makes it possible for unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files...

CVE-2024-2203

The The Plus Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.1 via the Clients widget. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on t...

CVE-2024-25415

A remote code execution RCE vulnerability in /admin/definelanguage.php of CE Phoenix v1.0.8.20 allows attackers to execute arbitrary PHP code via injecting a crafted payload into the file english.php...

CVE-2024-24399

An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area...

CVE-2024-27622

A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with...

CVE-2024-48180

ClassCMS =4.8 is vulnerable to file inclusion in the nowView method in/class/cms/cms.php, which can include a file uploaded to the/class/template directory to execute PHP code...

CVE-2024-44724

AutoCMS v5.4 was discovered to contain a PHP code injection vulnerability via the txtsiteurl parameter at /admin/siteadd.php. This vulnerability allows attackers to execute arbitrary PHP code via injecting a crafted value...

CVE-2024-6164

The Filter & Grids WordPress plugin before 2.8.33 is vulnerable to Local File Inclusion via the postlayout parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files...

CVE-2024-55494

A PHP Code Injection vulnerability that can lead to Remote Code Execution RCE and XSS in Opencode Mobile Collect Call v5.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the opfunc parameter at /occontrolpanel/index.php...

CVE-2024-4551

The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated attackers, with contributor access and higher, to include and...

CVE-2024-0658

The Insert PHP Code Snippet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's name when accessing the insert-php-code-snippet-manage page in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible f...

CVE-2024-43275

Cross-Site Request Forgery CSRF vulnerability in xyzscripts.Com Insert PHP Code Snippet.This issue affects Insert PHP Code Snippet: from n/a through 1.3.6...

CVE-2023-46815

An issue was discovered in SugarCRM 12 before 12.0.4 and 13 before 13.0.2. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using a crafted request, custom PHP code can be injected via the Notes module because of missing input validation. An attacker with...

CVE-2023-46818

An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if adminallowlangedit is enabled...