23 matches found
WBCE CMS Privilege Escalation / Insecure Direct Object Reference
WBCE CMS versions prior to 1.6.4 suffer from insecure direct object reference and privilege escalation vulnerabilities. CVE-2025-65094: WBCE CMS is Vulnerable to Privilege Escalation via Group ID Manipulation IDOR Overview | Field | Details | |---|---| | CVE ID | CVE-2025-65094 | | Severity | HI...
CVE-2024-25181
A critical vulnerability has been identified in givanz VvvebJs 1.7.2, which allows both Server-Side Request Forgery (SSRF) and arbitrary file reading. The vulnerability stems from improper handling of user-supplied URLs in the "file_get_contents" function within the "save.php" file...
PT-2025-53789
Name of the Vulnerable Software and Affected Versions: givanz VvvebJs version 1.7.2 Description: givanz VvvebJs version 1.7.2 is subject to a File Upload issue through the save.php file. Recommendations: At the moment, there is no information about a newer version that contains a fix for this...
CVE-2023-53910
WBCE CMS 1.6.1 has a stored XSS vulnerability in the WYSIWYG editor: authenticated attackers can inject JavaScript by sending malicious content to /wbce/modules/wysiwyg/save.php (content parameter), which executes when pages are viewed. Root cause: improper input handling in page content. Impact:...
CVE-2023-53910 WBCE CMS 1.6.1 Stored Cross-Site Scripting via Page Content
WBCE CMS 1.6.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by inserting script tags into page content through the WYSIWYG editor. Attackers can submit POST requests to /wbce/modules/wysiwyg/save.php with malicious script...
CVE-2025-65094
WBCE CMS is a content management system. Prior to version 1.6.4, a low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups parameter in the /admin/users/save.php request. The UI restricts users to assigning only their existing group, bu...
PT-2025-47517
Name of the Vulnerable Software and Affected Versions: WBCE CMS versions prior to 1.6.4 Description: A low-privileged user in WBCE CMS can escalate their privileges to the Administrators group by manipulating the groups parameter in the '/admin/users/save.php' request. The user interface restricts...
CVE-2025-8522
A vulnerability, which was classified as critical, was found in givanz Vvvebjs up to 2.0.4. Affected is an unknown function of the file /save.php of the component node.js. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The complexity o...
CVE-2025-29425
Code-projects Online Class and Exam Scheduling System 1.0 is vulnerable to SQL Injection in examsave.php via the parameters member and first...
emlog Security Vulnerability
emlog is a PHP and MySQL based CMS website builder for emlog personal developers. A security vulnerability exists in emlog Pro version v2.5.4, which originates from the postStrVar function in articlesave.php and is vulnerable to cross-site scripting attacks...
PT-2024-34543 · Sourcecodester · Sourcecodester Online Examination System
Name of the Vulnerable Software and Affected Versions: SourceCodester Online Examination System version 1.0 Description: A critical issue has been found in the SourceCodester Online Examination System, affecting some unknown functionality of the file save.php. The manipulation of the vote argumen...
CVE-2023-5263
A vulnerability was found in ZZZCMS 2.1.7 and classified as critical. Affected by this issue is the function restore of the file /admin/save.php of the component Database Backup File Handler. The manipulation leads to permission issues. The attack may be launched remotely. The exploit has been...
CVE-2023-24058
Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservationsave.php. NOTE: 2.5.5 is a version from 2014; the latest version of Booked Scheduler is not affected. However, LabArchives Scheduler Sep 6, 2022 Feature...
CVE-2022-2542
The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including 3.9.1. This is due to missing nonce validation in the /app/sites/ajax/actions/keywordsave.php file that is called via the doAjax function. This make...
CVE-2022-30073
WBCE CMS 1.5.2 is vulnerable to Cross-Site Scripting (XSS) via /admin/users/save.php...
ZZCMS Cross-Site Request Forgery Vulnerability
ZZCMS is a content management system (CMS) by the China Zzcms team. ZZZCMS V1.7.1 suffers from a cross-site request forgery vulnerability, which stems from the lack of token validation for cross-site request forgery in the saveuser function in save.php...
ZZCMS Cross-Site Scripting Vulnerability
ZZZCMS is a content management system (CMS) from the ZZZCMS team in China. ZZZCMS suffers from a cross-site scripting vulnerability that stems from a lack of data validation filtering of user-supplied and output data in the editfile action of /adminxxx/save.php. An attacker could exploit the...
PT-2021-16825 · Unknown · Avideo/Youphptube
Name of the Vulnerable Software and Affected Versions: AVideo/YouPHPTube versions 10.0 and prior Description: The issue allows an administrator-privileged user to write files on the filesystem using flag and code variables in the file save.php. This is due to insecure file write. Recommendations:...
LeptonCMS Cross-Site Scripting Vulnerability (CNVD-2020-35505)
LeptonCMS is a content management system (CMS) for the Lepton Project. A cross-site scripting vulnerability exists in the modules/wysiwyg/save.php file in LeptonCMS version 4.5.0. The vulnerability stems from a lack of proper validation of client-side data by the web application. An attacker can...