13 matches found
CVE-2026-5338
A security vulnerability has been detected in Tenda G103 1.0.0.5. The affected element is the function action_set_system_settings of the file system.lua of the component Setting Handler. Manipulation of the argument lanIp leads to command injection. The attack may be performed remotely. The...
CVE-2026-5338
CVE-2026-5338 affects Tenda G103 1.0.0.5. The vulnerability is in the Setting Handler’s Setting System component, specifically the file system.lua and its function action_set_system_settings. Manipulating the argument lanIp leads to a remote command injection, with exploitation disclosed public...
EUVD-2026-2807
The AffiliateX – Amazon Affiliate Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savecustomizationsettings AJAX action in versions 1.0.0 to 1.3.9.3. This makes it possible for authenticated attackers, with Subscriber-level...
PT-2026-3004
Name of the Vulnerable Software and Affected Versions: AffiliateX – Amazon Affiliate Plugin versions 1.0.0 through 1.3.9.3. Description: The AffiliateX – Amazon Affiliate Plugin for WordPress is susceptible to unauthorized data modification because of a missing capability check on the save...
CVE-2025-12961
The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wpajaxsavesettings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the dlpnsavesettings...
CVE-2025-7040 Cloud SAML SSO <= 1.0.19 - Missing Authorization to Unauthenticated Settings Modification via set_organization_settings Action
The Cloud SAML SSO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'set_organization_settings' action of the cssohandleactions function in all versions up to, and including, 1.0.19. The handler reads client-supplied POST parameters fo...
CVE-2021-38841
Remote Code Execution can occur in Simple Water Refilling Station Management System 1.0 via the System Logo option on the systeminfo page in classes/SystemSettings.php with an updatesettings action...
CVE-2018-11346
An insecure direct object reference vulnerability in download.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 allows the ability to reference the "downloadsyssettings" action and then specify files arbitrarily throughout the system via the act parameter...
CVE-2014-1603
Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) param parameter to admin/load.php or (2) user, (3) email, or (4) name parameter in a Save Settings action to admin/settings.php...
CVE-2014-1603
Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) param parameter to admin/load.php or (2) user, (3) email, or (4) name parameter in a Save Settings action to admin/settings.php...
There is a reflected XSS flaw in the settings.action of dailysummary settings.action.
There is a reflected XSS flaw in the settings.action of dailysummary settings.action, as the username parameter is not HTML encoded before being rendered on the page. Here is an example of a reflected XSS; it adds a picture of a lolcat to the page...
CVE-2012-1227
Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in pluck 4.7 allow remote attackers to hijack the authentication of admins for requests that (1) modify the admin email address or (2) modify the blog title via a settings action; (3) add a page via an editpage action, or (4) add a...
CVE-2012-1227
Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in pluck 4.7 allow remote attackers to hijack the authentication of admins for requests that (1) modify the admin email address or (2) modify the blog title via a settings action; (3) add a page via an editpage action, or (4) add a...