7195 matches found

RedhatCVE
added 2025/04/28 6:15 a.m. · 10 views

CVE-2025-3491

The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acptvalidatesetting' function. This is due to insufficient sanitization of the 'templatename' parameter. This makes it possib...

CVSS 7.2 · AI score 8.1 · EPSS 0.0049
Exploits: 0 · References: 1

CVE
added 2025/04/26 8:23 a.m. · 69 views

CVE-2025-2101

CVE-2025-2101 (Edumall theme for WordPress) Unauthenticated Local File Inclusion via the template parameter of the edumall_lazy_load_template AJAX action affects Edumall

CVSS 8.1 · AI score 8.5 · EPSS 0.0017
Exploits: 0 · References: 2

NVD
added 2025/04/26 6:15 a.m. · 11 views

CVE-2025-3491

The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acptvalidatesetting' function. This is due to insufficient sanitization of the 'templatename' parameter. This makes it possib...

CVSS 7.2 · EPSS 0.0049
Exploits: 0 · References: 2

CVE
added 2025/04/26 5:34 a.m. · 61 views

CVE-2025-3491

The WordPress Add custom page template plugin (vulnerable

CVSS 7.2 · AI score 7.4 · EPSS 0.0049
Exploits: 0 · References: 2

Vulnrichment
added 2025/04/26 5:34 a.m. · 5 views

CVE-2025-3491 Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution

The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acptvalidatesetting' function. This is due to insufficient sanitization of the 'templatename' parameter. This makes it possib...

CVSS 7.2 · AI score 7.4 · EPSS 0.0049
Exploits: 0 · References: 2

Positive Technologies
added 2025/04/26 12:00 a.m. · 2 views

PT-2025-17949 · WordPress · Add Custom Page Template Plugin

Name of the Vulnerable Software and Affected Versions: Add custom page template plugin for WordPress versions up to, and including, 2.0.1 Description: The issue is related to PHP Code Injection leading to Remote Code Execution due to insufficient sanitization of the template name parameter. This ...

CVSS 7.2 · AI score 8.1 · EPSS 0.0049
Exploits: 0 · References: 12

CVE
added 2025/04/14 6:41 p.m. · 677 views

CVE-2025-1782

CVE-2025-1782 affects HylaFAX Enterprise Web Interface and AvantFAX. The vulnerability arises from an unsanitized language form element that can be abused to include an arbitrary file in PHP code, enabling an authenticated attacker to perform actions as the web server user. The available document...

CVSS 9.9 · AI score 9.4 · EPSS 0.00194
Exploits: 0 · References: 1

GithubExploit
added 2025/04/13 2:55 p.m. · 502 views

Exploit for Code Injection in Ispconfig

CVE-2023-46818-Exploit This is my own exploit for CVE-2023-468...

CVSS 7.2 · AI score 7.8 · EPSS 0.90534
Exploits: 14

RedhatCVE
added 2025/04/13 4:44 a.m. · 15 views

CVE-2025-2636

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files ...

CVSS 9.8 · AI score 8 · EPSS 0.068
Exploits: 0 · References: 1

Vulnrichment
added 2025/04/11 4:21 a.m. · 20 views

CVE-2025-2636 InstaWP Connect <= 0.1.0.85 - Unauthenticated Local PHP File Inclusion

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files ...

CVSS 8.1 · AI score 8.2 · EPSS 0.068
Exploits: 0 · References: 3

CVE
added 2025/04/11 4:21 a.m. · 133 views

CVE-2025-2636

The CVE-2025-2636 entry fixes a Local File Inclusion flaw in the InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress. Affected versions are up to 0.1.0.85; the vulnerability is exploitable via the instawp-database-manager parameter, enabling unauthenticated attackers to include ...

CVSS 8.1 · AI score 8.1 · EPSS 0.068
Exploits: 0 · References: 3

OSV
added 2025/04/03 2:06 p.m. · 6 views

BIT-DOLIBARR-2023-4197 Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code...

CVSS 8.8 · AI score 8.1 · EPSS 0.53316
Exploits: 0 · References: 3

OSV
added 2025/04/03 2:05 p.m. · 4 views

BIT-DOLIBARR-2021-33816

The website builder module in Dolibarr 13.0.2 allows remote PHP code execution because of an incomplete protection mechanism in which system, exec, and shellexec are blocked but backticks are not blocked...

CVSS 9.8 · AI score 7.9 · EPSS 0.02572
Exploits: 3 · References: 4

RedhatCVE
added 2025/03/30 4:31 a.m. · 15 views

CVE-2025-2294

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubiohybridthemeloadtemplate function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...

CVSS 9.8 · AI score 8.3 · EPSS 0.69659
Exploits: 12 · References: 1

Metasploit
added 2025/03/28 6:50 p.m. · 392 views

CmsMadeSimple Authenticated File Manager RCE

CMS Made Simple use exploit/multi/http/cmsmsfilemanagerauthrce msf exploitcmsmsfilemanagerauthrce show targets ...targets... msf exploitcmsmsfilemanagerauthrce set TARGET msf exploitcmsmsfilemanagerauthrce show options ...show and set options... msf exploitcmsmsfilemanagerauthrce exploit This...

CVSS 8.8 · AI score 8.3 · EPSS 0.65059
Exploits: 3

NVD
added 2025/03/28 5:15 a.m. · 22 views

CVE-2025-2294

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubiohybridthemeloadtemplate function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...

CVSS 9.8 · EPSS 0.69659
Exploits: 12 · References: 2

Cvelist
added 2025/03/28 4:22 a.m. · 19 views

CVE-2025-2294 Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubiohybridthemeloadtemplate function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the...

CVSS 9.8 · EPSS 0.69659
Exploits: 12 · References: 2

Packet Storm News
added 2025/03/28 12:00 a.m. · 7 views

WordPress Kubio AI Page Builder 2.5.1 Local File Inclusion

The Kubio AI Page Builder plugin for WordPress is vulnerable to a local file inclusion vulnerability in all versions up to, and including, 2.5.1 via the kubiohybridthemeloadtemplate function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server...

CVSS 9.8 · AI score 6.9 · EPSS 0.69659
Exploits: 12

Packet Storm
added 2025/03/28 12:00 a.m. · 250 views

CMS Made Simple 2.2.21 Remote Code Execution

CMS Made Simple versions 2.2.21 and below allow an authenticated administrator to upload files with the .phar or .phtml extensions, enabling execution of PHP code leading to remote code execution. This module requires Metasploit: https://metasploit.com/download Current source:...

CVSS 8.8 · AI score 9.4 · EPSS 0.65059
Exploits: 3

RedhatCVE
added 2025/03/20 9:13 p.m. · 8 views

CVE-2024-12563

The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the...

CVSS 8.8 · AI score 7.8 · EPSS 0.00071
Exploits: 0 · References: 1