65 matches found

NVD
added 6 days ago | 8 views

CVE-2026-10038

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar...

CVSS 4.3 | EPSS 0.00045
Exploits: 0 | References: 12

RedhatCVE
added 2025/12/18 11:36 p.m. | 4 views

CVE-2023-53924

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution...

CVSS 8.8 | AI score 8.3 | EPSS 0.00367
Exploits: 1 | References: 1

RedhatCVE
added 2025/12/16 8:44 p.m. | 3 views

CVE-2023-53876

Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable...

CVSS 5.4 | AI score 6.1 | EPSS 0.00019
Exploits: 1 | References: 1

OSV
added 2025/12/15 9:15 p.m. | 2 views

CVE-2023-53876

Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable...

CVSS 5.4 | AI score 5.7 | EPSS 0.00019
Exploits: 1 | References: 3

CVE
added 2025/12/15 8:28 p.m. | 5 views

CVE-2023-53876

CVE-2023-53876 affects Academy LMS 6.1 and is a file-upload vulnerability that lets authenticated users upload malicious SVGs containing stored XSS via the profile avatar upload feature by altering extensions and embedding JavaScript. Root cause: lax file-type handling permitting SVG execution. I...

CVSS 5.4 | AI score 5.8 | EPSS 0.00019
Exploits: 1 | References: 3 | Affected Software: 1

Cvelist
added 2025/12/15 8:28 p.m. | 18 views

CVE-2023-53876 Academy LMS 6.1 Arbitrary File Upload Vulnerability via Profile Settings

Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable...

CVSS 5.1 | EPSS 0.00019
Exploits: 1 | References: 3

Vulnrichment
added 2025/12/15 8:28 p.m. | 2 views

CVE-2023-53876 Academy LMS 6.1 Arbitrary File Upload Vulnerability via Profile Settings

Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable...

CVSS 5.1 | AI score 5.8 | EPSS 0.00019
Exploits: 1 | References: 3

Positive Technologies
added 2025/12/15 12:00 a.m. | 4 views

PT-2025-51294

Name of the Vulnerable Software and Affected Versions Academy LMS version 6.1 Description Academy LMS version 6.1 has a file upload issue. Authenticated users can upload malicious SVG files containing stored cross-site scripting payloads. An attacker can inject malicious scripts through the profi...

CVSS 5.4 | AI score 6 | EPSS 0.00019
Exploits: 1 | References: 7

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2018-6479

Malware in sbrugna...

CVSS 8.8 | AI score 8.8 | EPSS 0.0084
Exploits: 1 | References: 2

EUVD
added 2025/10/03 8:07 p.m. | 3 views

EUVD-2023-56792

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.6 | EPSS 0.00077
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:07 p.m. | 6 views

EUVD-2022-15528

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 4.8 | EPSS 0.03035
Exploits: 5 | References: 4

Snyk
added 2025/08/28 3:30 p.m. | 4 views

Stored XSS

Overview: FormCMS is an open-source Content Management System designed to simplify and accelerate web development workflows for CMS projects and general web applications. It streamlines data modeling, backend development, and frontend design, making them as intuitive as filling out a...

CVSS 6.1 | AI score 6.4 | EPSS 0.00068
Exploits: 1 | References: 3

RedhatCVE
added 2025/06/23 8:40 a.m. | 5 views

CVE-2025-49980

Missing Authorization vulnerability in WP Event Manager WP User Profile Avatar wp-user-profile-avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Profile Avatar: from n/a through <= 1.0.6...

CVSS 4.3 | AI score 5.9 | EPSS 0.0016
Exploits: 0 | References: 1

NVD
added 2025/06/20 3:15 p.m. | 4 views

CVE-2025-49980

Missing Authorization vulnerability in WP Event Manager WP User Profile Avatar wp-user-profile-avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Profile Avatar: from n/a through <= 1.0.6...

CVSS 4.3 | EPSS 0.0016
Exploits: 0 | References: 1

Vulnrichment
added 2025/06/20 3:04 p.m. | 3 views

CVE-2025-49980 WordPress WP User Profile Avatar plugin <= 1.0.6 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WP Event Manager WP User Profile Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Profile Avatar: from n/a through 1.0.6...

CVSS 4.3 | AI score 4.6 | EPSS 0.0016
Exploits: 0 | References: 1

Cvelist
added 2025/06/20 3:04 p.m. | 13 views

CVE-2025-49980 WordPress WP User Profile Avatar plugin <= 1.0.6 - Broken Access Control Vulnerability

Missing Authorization vulnerability in WP Event Manager WP User Profile Avatar wp-user-profile-avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Profile Avatar: from n/a through <= 1.0.6...

CVSS 4.3 | EPSS 0.0016
Exploits: 0 | References: 1

CVE
added 2025/06/20 3:04 p.m. | 16 views

CVE-2025-49980

CVE-2025-49980 concerns the WordPress plugin WP User Profile Avatar (affected: versions up to 1.0.6) and is a Missing Authorization / broken access control vulnerability. The CVE describes an exposure where access control is misconfigured, enabling exploitation via unauthorized actions. Public so...

CVSS 4.3 | AI score 5.9 | EPSS 0.0016
Exploits: 0 | References: 1

CNNVD
added 2025/06/20 12:00 a.m. | 1 view

WordPress plugin WP User Profile Avatar security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 4.3 | AI score 6.5 | EPSS 0.0016
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 5:23 a.m. | 5 views

CVE-2023-52118

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WP Event Manager WP User Profile Avatar allows Stored XSS. This issue affects WP User Profile Avatar: from n/a through 1.0...

CVSS 6.5 | AI score 6.7 | EPSS 0.00077
Exploits: 0 | References: 1

NVD
added 2025/01/16 4:15 a.m. | 6 views

CVE-2024-10789

The WP User Profile Avatar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.5. This is due to missing or incorrect nonce validation on the wpupauseradmin function. This makes it possible for unauthenticated attackers to update the plugins...

CVSS 4.3 | EPSS 0.00179
Exploits: 0 | References: 2