71 matches found
EUVD-2025-203008
The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-13988
The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the $SERVER'PHPSELF' variable in the plugin's settings page. This mak...
CVE-2025-14138
CVE-2025-14138 : WPLG Default Mail From (WordPress) is vulnerable to Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] in all versions up to 1.0.0. Affected: WordPress plugin WPLG Default Mail From; exploitation possible by tricking an authenticated? no—un/authenticated user? The descriptio...
CVE-2025-13988
CVE-2025-13988 refers to the WordPress plugin 评论小秘书 (Comments Secretary). It is a Reflected Cross‑Site Scripting vulnerability via the $_SERVER['PHP_SELF'] variable in all versions up to and including 1.3.2, caused by insufficient input sanitization and output escaping on the plugin’s settings pa...
CVE-2025-13988 评论小秘书 <= 1.3.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the $SERVER'PHPSELF' variable in the plugin's settings page. This mak...
CVE-2025-14129 Like DisLike Voting <= 1.0.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-14129 Like DisLike Voting <= 1.0.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
PT-2025-50842
The 评论小秘书 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $ SERVER'PHP SELF' variable in all versions up to, and including, 1.3.2. This is due to insufficient input sanitization and output escaping on the $ SERVER'PHP SELF' variable in the plugin's settings page. This...
PT-2025-50852
The Complag plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $ SERVER'PHP SELF' variable in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
PT-2025-50856
The WPLG Default Mail From plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $ SERVER'PHP SELF' variable in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injec...
PT-2025-50855
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $ SERVER'PHP SELF' variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-13894
The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-11332
A vulnerability was determined in CmsEasy up to 7.7.7. This affects an unknown function in the library lib/inc/view.php of the component URL Handler. Executing a manipulation of the argument PHPSELF can lead to cross site scripting. The attack may be launched remotely. The exploit has been public...
CVE-2025-1949
A vulnerability, which was classified as problematic, has been found in ZZCMS 2025. This issue affects some unknown processing of the file /3/ucenterapi/code/registernodb.php of the component URL Handler. The manipulation of the argument $SERVER'PHPSELF' leads to cross site scripting. The attack...
ZoneMinder 安全漏洞
ZoneMinder is an open source video surveillance software system. The system supports IP, USB and analog cameras, among others. A security vulnerability exists in ZoneMinder versions prior to 1.34.21. A remote attacker can exploit this vulnerability to execute arbitrary code, elevate privileges, a...
PT-2023-10821 · Unknown · Mobiledetect
Name of the Vulnerable Software and Affected Versions: MobileDetect version 2.8.31 Description: A problematic issue has been found in MobileDetect, affecting the initLayoutType function of the examples/session example.php file in the Example component. The manipulation of the argument $ SERVER'PH...
PHP-Calendar 跨站脚本漏洞
PHP-Calendar is a calendar application by Sean Proctor Individual Developer. PHP-Calendar suffers from a code injection vulnerability that originates in an unknown section of the component index.php, where manipulation of the parameter $SERVER PHPSELF can lead to cross-site scripting...
PT-2022-27234
Name of the Vulnerable Software and Affected Versions sproctor php-calendar affected versions not specified Description A problematic vulnerability was found in sproctor php-calendar, affecting an unknown part of the file index.php. The manipulation of the argument $ SERVER'PHP SELF' leads to cro...
Cross-site Scripting (XSS)
Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting XSS via crafted PATHINFO in a URL. An attacker can inject arbitrary code by manipulating the unsanitized $SERVER'PHPSELF' used to generate URLs. Details Cross-site scriptin...
CVE-2022-1216
The Advanced Image Sitemap WordPress plugin through 1.2 does not sanitise and escape the PHPSELF PHP variable before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting...