WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection

WordPress Visitor Statistics Real Time Traffic plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks. id: CVE-2021-247...

WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection

The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. id: CVE-2023-0600 info: name: WP Visitor Statistics Real Time Traffic 6.9 - SQL Injection author: r3Y3r53,j4vaovo severity: critical description: | The...

Company Visitor Management System 1.0 - SQL Injection

Company Visitor Management System 1.0 contains a SQL injection vulnerability via the login page in the username parameter. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id...

CVE-2026-49287

Statamic CMS (Laravel/Git) had an incomplete fix for CVE-2026-41175; in-memory collection sorting was not protected. CVE-2026-49287 notes that prior to 5.73.23 and 6.20.0, the patch covered the query builder but not in-memory sorting. This could allow a front-end template that passes request inpu...

CVE-2026-49287 Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could...

CVE-2026-6162

A vulnerability has been found in PHPGurukul Company Visitor Management System 2.0. This impacts an unknown function of the file /bwdates-reports-details.php. The manipulation of the argument fromdate leads to cross site scripting. The attack is possible to be carried out remotely. The exploit ha...

CVE-2026-37748

Visitor Management System 1.0 by sanjay1313 is vulnerable to Unrestricted File Upload in vms/php/adminuserinsert.php and vms/php/update1.php. The moveuploadedfile function is called without any MIME type, extension, or content validation, allowing an authenticated admin to upload a PHP webshell a...

CVE-2026-39112

Cross Site Scripting vulnerability in Apartment Visitors Management System Apartment Visitors Management System V1.1 in the visname parameter of visitors-form.php. An authenticated attacker can inject arbitrary JavaScript that is later executed when the malicious input is viewed in...

CVE-2026-8096

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

CVE-2024-58343

Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...

CVE-2026-10170

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be...

CVE-2026-10170

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be...

CVE-2026-10170 code-projects Visitor Management System phone_0.php sql injection

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be...

CVE-2026-10170

The CVE-2026-10170 entry affects code-projects Visitor Management System 1.0. A SQL injection vulnerability is present in /vms/php/phone_0.php via the phone parameter. The issue is remotely triggerable and an exploit has been published, indicating potential real-world use. The bundled metrics ind...

CVE-2026-10170 code-projects Visitor Management System phone_0.php sql injection

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be...

CVE-2026-10170

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be...

EUVD-2026-33490

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be...

Code-Projects Visitor Management System SQL注入漏洞

The Code-Projects Visitor Management System is an open-source visitor management system developed by Code-Projects. Version 1.0 of the code-projects Visitor Management System has a SQL injection vulnerability. This vulnerability arises from the parameter handling in the file/vms/php/phone0.php,...

PT-2026-45173

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone 0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may b...

CVE-2026-39964

TypeBot (viewer at packages/embeds/js) before version 3.16.0 renders rich-text bubble links without filtering javascript: URIs. A bot author can set a link to javascript:PAYLOAD, which executes in the visitor’s browser context when clicked, allowing the attacker’s code to run with the host page’s...