72 matches found
CVE-2025-1113
A vulnerability was found in taisan tarzan-cms up to 1.0.0. It has been rated as critical. This issue affects the function upload of the file /adminthemes of the component Add Theme Handler. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been...
CVE-2025-1113 taisan tarzan-cms Add Theme admin#themes upload deserialization
A vulnerability was found in taisan tarzan-cms up to 1.0.0. It has been rated as critical. This issue affects the function upload of the file /adminthemes of the component Add Theme Handler. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been...
Tarzan-CMS 安全漏洞
Tarzan-CMS is a modern open source content management system CMS based on the Java technology stack by the Tarzan team. A security vulnerability exists in Tarzan-CMS 1.0.0 and earlier versions, which stems from a deserialization due to the file/adminthemes upload function of the Add Theme Handler...
BIT-WORDPRESS-2020-4049 Authenticated self-XSS via theme uploads in WordPress
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version...
BIT-WORDPRESS-MULTISITE-2020-4049 Authenticated self-XSS via theme uploads in WordPress
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version...
VulnCheck KEV: CVE-2014-4725
The MailPoet Newsletters wysija-newsletters plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/...
CVE-2020-4049
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version...
CVE-2022-26965
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution...
CVE-2022-26965
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution...
Remote code execution
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution...
CVE-2022-26965
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution...
CVE-2022-26965
In Pluck 4.7.16, an admin user can use the theme upload functionality at /admin.php?action=themeinstall to perform remote code execution...
Pluck CMS 4.7.16 Shell Upload
Exploit Title: Pluck CMS 4.7.16 - Remote Code Execution RCE Authenticated Date: 13.03.2022 Exploit Author: Ashish Koli Shikari Vendor Homepage: https://github.com/pluck-cms/pluck Version: 4.7.16 Tested on Ubuntu 20.04.3 LTS CVE: CVE-2022-26965 Usage : python3 exploit.py Example: python3 exploit.p...
Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)
Exploit Title: Pluck CMS 4.7.16 - Remote Code Execution RCE Authenticated Date: 13.03.2022 Exploit Author: Ashish Koli Shikari Vendor Homepage: https://github.com/pluck-cms/pluck Version: 4.7.16 Tested on Ubuntu 20.04.3 LTS CVE: CVE-2022-26965 Usage : python3 exploit.py Example: python3 exploit.p...
Pluck CMS 4.7.16 - Remote Code Execution (Authenticated) Exploit
Exploit Title: Pluck CMS 4.7.16 - Remote Code Execution RCE Authenticated Exploit Author: Ashish Koli Shikari Vendor Homepage: https://github.com/pluck-cms/pluck Version: 4.7.16 Tested on Ubuntu 20.04.3 LTS CVE: CVE-2022-26965 Usage : python3 exploit.py Example: python3 exploit.py 127.0.0.1 80...
CVE-2020-35657
Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS commands. NOTE: this is unrelated to the JAWS aka Job Access With Speech product...
Design/Logic Flaw
Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS commands. NOTE: this is unrelated to the JAWS aka Job Access With Speech product...
CVE-2020-35657
Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of UploadTheme to upload a theme ZIP archive containing a .php file that is able to execute OS commands. NOTE: this is unrelated to the JAWS aka Job Access With Speech product...
DEBIAN-CVE-2020-4049
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version...
CVE-2020-4049
In affected versions of WordPress, when uploading themes, the name of the theme folder can be crafted in a way that could lead to JavaScript execution in /wp-admin on the themes page. This does require an admin to upload the theme, and is low severity self-XSS. This has been patched in version...