CVE-2023-4290 WP Matterport Shortcode < 2.1.7 - Reflected XSS
The WP Matterport Shortcode WordPress plugin before 2.1.7 does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin...
K17313: PHP vulnerability CVE-2014-4721
Security Advisory Description: The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain...
SUSE CVE-2016-5702
phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI...
Cross-site Scripting (XSS)
mobiledetect/mobiledetectlib is vulnerable to Cross-site Scripting (XSS). The vulnerability exists because the initLayoutType function in session_example.php does not properly escape the special characters in $_SERVER['PHP_SELF'] before rendering it, allowing an attacker to inject and execute malicious...
GHSA-R77C-QV68-J3PP Cross-site Scripting in MobileDetect
A vulnerability, which was classified as problematic, has been found in MobileDetect 2.8.31. This issue affects the function initLayoutType of the file examples/session_example.php of the component Example. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack...
CVE-2018-25080
MobileDetect 2.8.31 contains a cross-site scripting (XSS) vulnerability in the examples/session_example.php file (initLayoutType function) caused by improper handling of $_SERVER['PHP_SELF']. The vulnerability can be triggered remotely, and exploitation has been disclosed publicly. Upgrading to M...
Cross site scripting
A vulnerability was found in 01-Scripts 01-Artikelsystem. It has been classified as problematic. Affected is an unknown function of the file 01article.php. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. It is possible to launch the attack remotely. The patch is...
CVE-2012-10003 ahmyi RivetTracker cross site scripting
A vulnerability, which was classified as problematic, has been found in ahmyi RivetTracker. This issue affects some unknown processing. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack may be initiated remotely. The patch is named...
CVE-2022-1216
The Advanced Image Sitemap WordPress plugin through 1.2 does not sanitise and escape the PHP_SELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting...
Cross site scripting
The Custom TinyMCE Shortcode Button WordPress plugin through 1.1 does not sanitise and escape the PHP_SELF variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting...
CVE-2022-1217 Custom TinyMCE Shortcode Button <= 1.1 - Reflected Cross-Site Scripting
The Custom TinyMCE Shortcode Button WordPress plugin through 1.1 does not sanitise and escape the PHP_SELF variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting...
CVE-2022-1216 Advanced Image Sitemap <= 1.2 - Reflected Cross-Site Scripting
The Advanced Image Sitemap WordPress plugin through 1.2 does not sanitise and escape the PHP_SELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting...
Advanced Image Sitemap <= 1.2 - Reflected Cross-Site Scripting
The plugin does not sanitise and escape the PHP_SELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting. PoC https://example.com/wp-admin/options-general.php/%22%3E%3Csvg/onload=alert/xss/%3E?page=ais...
CVE-2022-0380 Fotobook <= 3.2.3 Reflected Cross-Site Scripting
The Fotobook WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping and the use of $_SERVER['PHP_SELF'] found in the /options-fotobook.php file which allows attackers to inject arbitrary web scripts onto the page, in versions up to and including 3.2.3...
Fotobook <= 3.2.3 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to insufficient escaping and the use of $_SERVER['PHP_SELF'] found in the /options-fotobook.php file which allows attackers to inject arbitrary web scripts onto the page...
Cross site scripting
The Real WYSIWYG WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of PHP_SELF in the /real-wysiwyg.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2...
CVE-2021-39310
The Real WYSIWYG WordPress plugin (
Real WYSIWYG <= 0.0.2 - Reflected Cross-Site Scripting
The plugin is vulnerable to Reflected Cross-Site Scripting due to the use of PHP_SELF in the /real-wysiwyg.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.0.2...
CVE-2021-39412
Multiple Cross Site Scripting (XSS) vulnerabilities exist in PHPGurukul Shopping v3.1 via the (1) callback parameter in (a) server_side/scripts/id_jsonp.php, (b) server_side/scripts/jsonp.php, and (c) scripts/objects_jsonp.php, the (2) value parameter in examples_support/editable_ajax.php, and the (3) PHP_SELF...