CVE-2019-14252

An issue was discovered in the secure portal in Publisure 2.1.2. Once successfully authenticated as an administrator, one is able to inject arbitrary PHP code by using the adminCons.php form. The code is then stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if remove...

CVE-2019-17307

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user...

CVE-2019-17308

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user...

CVE-2019-17304

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user...

CVE-2019-17299

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user...

CVE-2017-1000160

EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection...

CVE-2019-17306

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user...

CVE-2011-4451

libs/Wakka.class.php in WikkaWiki 1.3.1 and 1.3.2, when the spamlogging option is enabled, allows remote attackers to write arbitrary PHP code to the spamlogpath file via the User-Agent HTTP header in an addcomment request. NOTE: the vendor disputes this issue because the rendering of the...

CVE-2019-17303

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user...

CVE-2019-17309

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user...

CVE-2011-4825

Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted...

CVE-2019-17305

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user...

CVE-2009-5053

Unspecified vulnerability in Smarty before 3.0.0 beta 6 allows remote attackers to execute arbitrary PHP code by injecting this code into a cache file...

Arbitrary Command Injection

Craft CMS is vulnerable to Arbitrary Command Injection. The vulnerability is due to unauthenticated user-supplied data being stored in session files without validation, potentially allowing PHP code injection into a predictable server file path...

CVE-2025-35939

Craft CMS stores arbitrary content provided by unauthenticated users in session files. This content could be accessed and executed, possibly using an independent vulnerability. Craft CMS redirects requests that require authentication to the login page and generates a session file on the server at...

CVE-2025-3491

The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acptvalidatesetting' function. This is due to insufficient sanitization of the 'templatename' parameter. This makes it possib...

CVE-2025-3491

The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acptvalidatesetting' function. This is due to insufficient sanitization of the 'templatename' parameter. This makes it possib...

CVE-2025-3491

The WordPress Add custom page template plugin (vulnerable

CVE-2025-3491 Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution

The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acptvalidatesetting' function. This is due to insufficient sanitization of the 'templatename' parameter. This makes it possib...

PT-2025-17949 · WordPress · Add Custom Page Template Plugin

Name of the Vulnerable Software and Affected Versions: Add custom page template plugin for WordPress versions up to, and including, 2.0.1 Description: The issue is related to PHP Code Injection leading to Remote Code Execution due to insufficient sanitization of the template name parameter. This ...