NVD (added 2020/02/07 2:15 p.m., 16 views)
CVE-2013-2009
WordPress WP Super Cache Plugin 1.2 has Remote PHP Code Execution...
CVSS 8.8, AI score 9, EPSS 0.2601; Exploits 1, References 5

CVE (added 2020/02/07 1:9 p.m., 111 views)
CVE-2013-2009
The CVE-2013-2009 entry concerns WordPress WP Super Cache Plugin 1.2, which is vulnerable to remote PHP code execution via unsanitized input (e.g., malicious blog comments). Root cause cited as an incomplete fix for CVE-2013-2009. Impact is remote code execution on the web server as the web-serve...
CVSS 8.8, AI score 8.9, EPSS 0.2601; Exploits 1, References 5, Affected Software 1

NVD (added 2020/01/28 9:15 p.m., 15 views)
CVE-2013-3214
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'...
CVSS 9.8, AI score 9.7, EPSS 0.8812; Exploits 13, References 3

Cvelist (added 2020/01/28 8:27 p.m., 20 views)
CVE-2013-3214
vtiger CRM 5.4.0 and earlier contain a PHP Code Injection Vulnerability in 'vtigerolservice.php'...
AI score 9.7, EPSS 0.8812; Exploits 13, References 3

CVE (added 2020/01/27 9:39 p.m., 39 views)
CVE-2013-2267
FUDforum 3.0.4 and earlier are affected by a PHP code injection in /adm/admreplace.php due to insufficient validation of POST parameters regex_str, regex_str_opt and regex_with, allowing remote attackers to inject and execute arbitrary PHP code on the server with web server privileges (CWE-94). T...
CVSS 9, AI score 7.5, EPSS 0.12249; Exploits 2, References 2, Affected Software 1

NVD (added 2020/01/23 10:15 p.m., 14 views)
CVE-2012-6649
WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to execute arbitrary PHP code via improper file upload...
CVSS 9.8, AI score 9.8, EPSS 0.37685; Exploits 0, References 2

Prion (added 2020/01/23 10:15 p.m., 13 views)
Unrestricted file upload
WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to execute arbitrary PHP code via improper file upload...
CVSS 7.5, AI score 8.1, EPSS 0.37685; Exploits 0, References 2, Affected Software 1

Prion (added 2020/01/21 2:15 p.m., 27 views)
Path traversal
A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality, by leveraging a path traversal vulnerability in the users['photop_preview'] delete photo feature, allowing bypass of .htaccess protection...
CVSS 6.5, AI score 9.2, EPSS 0.90442; Exploits 18, References 5, Affected Software 1

Prion (added 2020/01/21 1:15 a.m., 13 views)
Design/Logic Flaw
The CSV upload feature in /supervisor/procesacarga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/ content type. The PHP code can then be executed by visiting a /supervisor/csv/ URI...
CVSS 6.5, AI score 8.8, EPSS 0.00387; Exploits 1, References 1, Affected Software 1

Cvelist (added 2020/01/21 12:37 a.m., 13 views)
CVE-2019-20385
The CSV upload feature in /supervisor/procesacarga.php on Logaritmo Aware CallManager 2012 devices allows upload of .php files with a text/ content type. The PHP code can then be executed by visiting a /supervisor/csv/ URI...
AI score 8.8, EPSS 0.00387; Exploits 1, References 1

WPVulnDB (added 2020/01/21 12:0 a.m., 9 views)
AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution
Prior to version 3.3.2, this plugin allowed arbitrary PHP code execution through the loginerror function. This exploit is out in the wild now and actively being exploited. PoC: curl -Ls http://www.example.com/login/?loginerror=%3C?%20$a%20=%20getcwd;%20echo%20$a;%20?%3E...
AI score 3.4; Exploits 0, References 1, Affected Software 1

wpexploit (added 2020/01/21 12:0 a.m., 15 views)
AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution
Prior to version 3.3.2, this plugin allowed arbitrary PHP code execution through the loginerror function. This exploit is out in the wild now and actively being exploited. curl -Ls http://www.example.com/login/?loginerror=%3C?%20$a%20=%20getcwd;%20echo%20$a;%20?%3E...
AI score 3.4; Exploits 0, References 1

Metasploit (added 2020/01/18 2:12 a.m., 93 views)
WordPress InfiniteWP Client Authentication Bypass
This module exploits an authentication bypass in the WordPress InfiniteWP Client plugin to log in as an administrator and execute arbitrary PHP code by overwriting the file specified by PLUGINFILE. The module will attempt to retrieve the original PLUGINFILE contents and restore them after payload...
AI score 8.4; Exploits 0

OSV (added 2020/01/14 7:15 p.m., 1 view)
CVE-2020-5505
Freelancy v1.0.0 allows remote command execution via the "file":"data:application/x-php;base64 substring in conjunction with "type":"application/x-php" to the /api/files/ URI...
CVSS 9.8, AI score 7.4; Exploits 0, References 1

NVD (added 2020/01/09 10:15 p.m., 28 views)
CVE-2012-2950
Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information...
CVSS 9.3, AI score 8.2, EPSS 0.05383; Exploits 0, References 2

Prion (added 2020/01/09 10:15 p.m., 19 views)
Design/Logic Flaw
uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is only on the client side. The attacker can modify global.js to allow the .php extension...
CVSS 6.5, AI score 7.1, EPSS 0.57734; Exploits 2, References 1, Affected Software 1

Prion (added 2020/01/09 10:15 p.m., 25 views)
Design/Logic Flaw
Gateway Geomatics MapServer for Windows before 3.0.6 contains a Local File Include Vulnerability which allows remote attackers to execute local PHP code and obtain sensitive information...
CVSS 9.3, AI score 7.5, EPSS 0.05383; Exploits 0, References 2, Affected Software 1

CVE (added 2020/01/09 9:21 p.m., 114 views)
CVE-2019-20183
CVE-2019-20183 affects the Simple Employee Records System 1.0. The vulnerability is an arbitrary file upload flaw in uploadimage.php caused by client-side validation of file extensions, allowing an attacker to upload executable PHP code by bypassing validation (e.g., via modifying global.js). Thi...
CVSS 7.2, AI score 7.1, EPSS 0.57734; Exploits 2, References 1, Affected Software 1

Cvelist (added 2020/01/09 9:21 p.m., 17 views)
CVE-2019-20183
uploadimage.php in Employee Records System 1.0 allows upload and execution of arbitrary PHP code because file-extension validation is only on the client side. The attacker can modify global.js to allow the .php extension...
AI score 7.2, EPSS 0.57734; Exploits 2, References 1

NVD (added 2020/01/09 9:15 p.m., 18 views)
CVE-2012-2931
PHP code injection in TinyWebGallery before 1.8.8 allows remote authenticated users with admin privileges to inject arbitrary code into the .htusers.php file...
CVSS 7.2, AI score 7.1, EPSS 0.00891; Exploits 1, References 1