CVE-2026-42878
FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PH...
CVE-2026-42878 FacturaScripts: Unauthenticated phpinfo() Disclosure via Installer Endpoint in FacturaScripts
FacturaScripts is an open source accounting and invoicing software. Prior to v2026, an unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PH...
FacturaScripts Vulnerable to Unauthenticated phpinfo() Disclosure via Installer Endpoint
Summary: An unauthenticated information disclosure vulnerability in the Installer controller allows any remote attacker to trigger phpinfo on a fresh FacturaScripts deployment by requesting /?phpinfo=TRUE, exposing full PHP configuration, server environment variables including any database...
PT-2026-38616
Name of the Vulnerable Software and Affected Versions: FacturaScripts versions prior to v2026 Description: An unauthenticated information disclosure issue in the Installer controller allows a remote attacker to trigger the phpinfo function on a fresh deployment. By requesting the endpoint "/" with...
CVE-2025-63738
An issue was discovered in the file index.php in Xinhu Rainrock RockOA 2.7.0, allowing attackers to gain sensitive information from phpinfo via the "a" parameter to the index.php...
PT-2025-50097
Name of the Vulnerable Software and Affected Versions: Xinhu Rainrock RockOA version 2.7.0 Description: An issue exists in the index.php file of Xinhu Rainrock RockOA version 2.7.0 that allows attackers to obtain sensitive information. This is achieved by exploiting the phpinfo function through the...
WordPress BigBuy Dropshipping Connector for WooCommerce plugin <= 2.0.5 - Unauthenticated IP Spoofing to phpinfo() Exposure vulnerability
Unauthenticated IP Spoofing to phpinfo Exposure vulnerability discovered by Jarno Vos (jarnovos) in WordPress Plugin BigBuy Dropshipping Connector for WooCommerce versions <= 2.0.5...
CVE-2025-12039
The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for...
CVE-2025-12039
The CVE-2025-12039 entry concerns the WordPress plugin “BigBuy Dropshipping Connector for WooCommerce.” The connected sources describe an IP address forgery/spoofing vulnerability caused by insufficient IP validation and reliance on user-supplied HTTP headers to determine the client IP, exposing ...
CVE-2025-12039 BigBuy Dropshipping Connector for WooCommerce <= 2.0.5 - Unauthenticated IP Spoofing to phpinfo() Exposure
The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 2.0.5 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for...
EUVD-2025-33817
The Trinity Audio – Text to Speech AI audio player to convert content into audio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.21.0 via the /admin/inc/phpinfo.php file that gets created on install. This makes it possible for...
EUVD-2009-2156
Malware in sbrugna...
EUVD-2024-33186
Malicious code in bioql PyPI...
CVE-2024-10588
The Debug Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the info function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to obtain information from...
CVE-2021-37704
PhpFastCache is a high-performance backend cache system packagist package phpfastcache/phpfastcache. In versions before 6.1.5, 7.1.2, and 8.0.7 the phpinfo can be exposed if the /vendor is not protected from public access. This is a rare situation today since the vendor directory is often located...
CVE-2024-44820
A sensitive information disclosure vulnerability exists in ZZCMS v.2023 and before within the eginfo.php file located at /3/Ebak5.1/upload/. When accessed with the query parameter phome=ShowPHPInfo, the application executes the phpinfo function, which exposes detailed information about the PHP...
Mars: phpinfo() exposed on ██████████
A phpinfo page was exposed at the URL ███████. This configuration issue allowed sensitive system information to be publicly accessed...
YouDianCMS Information Disclosure Vulnerability
YouDianCMS YouDian CMS is a website builder from China YouDian Company. An information disclosure vulnerability exists in YouDianCMS version 7, which originates from unknown handling of the file /t.php?action=phpinfo and can lead to information disclosure...
PT-2024-40406 · Unknown · Simplesamlphp
Name of the Vulnerable Software and Affected Versions: SimpleSAMLphp versions 1.17 up to 1.17.7 Description: The issue concerns an endpoint in the admin module of SimpleSAMLphp that exposes the output of the phpinfo PHP function, allowing any individual to access it without authenticating and...