CVE-2025-49275

Summary: CVE-2025-49275 affects the Blogbyte WordPress theme (versions <= 1.1.1). The root cause is improper filename control in PHP, enabling Local File Inclusion (LFI) via an include/require statement. The vulnerability is unauthenticated and can be triggered by an attacker to read or includ...

VulnCheck KEV: CVE-2025-48828

Certain vBulletin versions might allow attackers to execute arbitrary PHP code by abusing Template Conditionals in the template engine. By crafting template code in an alternative PHP function invocation syntax, such as the "vardump""test" syntax, attackers can bypass security checks and...

CVE-2024-6460

The Grow by Tradedoubler WordPress plugin through 2.0.21 is vulnerable to Local File Inclusion via the component parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files...

CVE-2023-23879

Cross-Site Request Forgery CSRF vulnerability in Nicolas Zeh PHP Execution plugin = 1.0.0 versions...

CVE-2023-44381

October is a Content Management System CMS and web platform to assist with development workflow. An authenticated backend user with the editor.cmspages, editor.cmslayouts, or editor.cmspartials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to...

CVE-2022-24136

Hospital Management System v1.0 is affected by an unrestricted upload of dangerous file type vulerability in treatmentrecord.php. To exploit, an attacker can upload any PHP file, and then execute it...

CVE-2022-1609

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site...

CVE-2021-43176

The GOautodial API prior to commit 3c3a979 made on October 13th, 2021 takes a user-supplied “action” parameter and appends a .php file extension to locate and load the correct PHP file to implement the API call. Vulnerable versions of GOautodial do not sanitize the user input that specifies the...

CVE-2021-37770

Nucleus CMS v3.71 is affected by a file upload vulnerability. In this vulnerability, we can use upload to change the upload path to the path without the Htaccess file. Upload an Htaccess file and write it to AddType application / x-httpd-php.jpg. In this way, an attacker can upload a picture with...

CVE-2021-20187

It was found in Moodle before version 3.10.1, 3.9.4, 3.8.7 and 3.5.16 that it was possible for site administrators to execute arbitrary PHP scripts via a PHP include used during Shibboleth authentication...

CVE-2020-17452

flatCore before 1.5.7 allows upload and execution of a .php file by an admin...

CVE-2020-28692

In Gila CMS 1.16.0, an attacker can upload a shell to tmp directy and abuse .htaccess through the logs function for executing PHP files...

CVE-2019-19502

Code injection in pluginconfig.php in Image Uploader and Browser for CKEditor before 4.1.9 allows remote authenticated users to execute arbitrary PHP code...

CVE-2019-6127

An issue was discovered in XiaoCms 20141229. It allows admin/index.php?c=database table SQL injection. This can be used for PHP code execution via "INTO OUTFILE" with a .php filename...

CVE-2019-9642

An issue was discovered in proxy.php in pydio-core in Pydio through 8.2.2. Through an unauthenticated request, it possible to evaluate malicious PHP code by placing it on the fourth line of a .php file, as demonstrated by a PoC.php created by the guest account, with execution via a...

CVE-2005-2612

Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cachelastpostdateserver cookie...

CVE-2025-30159 Kirby vulnerable to path traversal of snippet names in the `snippet()` helper

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby sites that use the snippet helper or $kirby-snippet method with a dynamic snippet name such as a snippet name that depends on request or user data. Sites that onl...

CVE-2025-30159

CVE-2025-30159 affects Kirby CMS versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 when using the dynamic snippet name via the snippet() helper or $kirby->snippet() . The root cause is a missing path traversal check that could allow an attacker to access files outside the snippets root (or Kirby ...

Kirby 安全漏洞

Kirby is a file-based content management system CMS from Kirby Open Source. A security vulnerability exists in Kirby versions prior to 3.9.8.3, prior to 3.10.1.2, and prior to 4.7.1, which stems from a lack of path traversal checking and could lead to arbitrary file access and execution of PHP co...

CVE-2025-0520

An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution.This issue affects ShowDoc: before 2.8.7...