Phpwcms Security Vulnerabilities and Issues — Phpwcms CVE List

Lucene search

PhpwcmsPhpwcms

18 matches found

CVE•added 2006/05/22 10:2 p.m.•165 views

CVE-2006-2519

Directory traversal vulnerability in include/inc_ext/spaw/spaw_control.class.php in phpwcms 1.2.5-DEV allows remote attackers to include arbitrary local files via .. (dot dot) sequences in the spaw_root parameter. NOTE: CVE analysis suggests that this issue is actually in SPAW Editor PHP Edition.

2.6CVSS6.7AI score0.01858EPSS

CVE•added 2023/01/07 10:15 p.m.•64 views

CVE-2021-4301

A vulnerability was found in slackero phpwcms up to 1.9.26 and classified as critical. Affected by this issue is some unknown functionality. The manipulation of the argument $phpwcms['db_prepend'] leads to sql injection. The attack may be launched remotely. Upgrading to version 1.9.27 is able to ad...

9.8CVSS8.3AI score0.00052EPSS

CVE•added 2023/02/03 6:15 p.m.•47 views

CVE-2021-36425

Directory traversal vulnerability in phpcms 1.9.25 allows remote attackers to delete arbitrary files via unfiltered $file parameter to unlink method in include/inc_act/act_ftptakeover.php file.

5.4CVSS5.5AI score0.00407EPSS

CVE•added 2011/09/24 12:55 a.m.•46 views

CVE-2011-3789

phpwcms 1.4.7 r412 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by template/inc_script/frontend_render/disabled/majonavi.php and certain other files.

5CVSS6.3AI score0.00283EPSS

CVE•added 2023/01/04 10:15 p.m.•46 views

CVE-2021-4302

A vulnerability was found in slackero phpwcms up to 1.9.26. It has been classified as problematic. This affects an unknown part of the component SVG File Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.9.27 is able to a...

6.1CVSS4.8AI score0.00069EPSS

CVE•added 2025/06/03 2:15 p.m.•44 views

CVE-2025-5498

A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom le...

6.5CVSS5.6AI score0.0006EPSS

CVE•added 2025/06/03 2:15 p.m.•44 views

CVE-2025-5499

A vulnerability classified as critical has been found in slackero phpwcms up to 1.9.45/1.10.8. Affected is the function is_file/getimagesize of the file image_resized.php. The manipulation of the argument imgfile leads to deserialization. It is possible to launch the attack remotely. The exploit ha...

7.5CVSS7.3AI score0.00056EPSS

CVE•added 2025/06/03 1:15 p.m.•43 views

CVE-2025-5497

A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been declared as critical. This vulnerability affects unknown code of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. The manipulation of the argument cnt_text leads to de...

9.8CVSS6.5AI score0.00042EPSS

CVE•added 2005/11/24 11:3 a.m.•40 views

CVE-2005-3789

Multiple directory traversal vulnerabilities in phpwcms 1.2.5 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) form_lang parameter in login.php and (2) the imgdir parameter in random_image.php.

5CVSS6.9AI score0.04783EPSS

CVE•added 2007/02/15 2:28 a.m.•38 views

CVE-2006-7019

phpwcms 1.2.5-DEV and earlier, and 1.1 before RC4, allows remote attackers to execute arbitrary code via crafted arguments to the (1) text_evento and (2) email_eventonome_evento parameters to phpwcms_code_snippets/mail_file_form.php and sample_ext_php/mail_file_form.php, which is processed by the r...

7.5CVSS7.5AI score0.01788EPSS

CVE•added 2021/06/24 4:15 p.m.•38 views

CVE-2020-21784

phpwcms 1.9.13 is vulnerable to Code Injection via /phpwcms/setup/setup.php.

9.8CVSS9.6AI score0.00483EPSS

CVE•added 2023/02/03 6:15 p.m.•37 views

CVE-2021-36424

An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via DB user field during installation.

9.8CVSS9.5AI score0.00333EPSS

CVE•added 2017/10/24 8:29 p.m.•36 views

CVE-2017-15872

phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field.

4.8CVSS4.9AI score0.00219EPSS

CVE•added 2007/01/05 11:0 a.m.•34 views

CVE-2006-6886

phpwcms 1.2.5-DEV allows remote attackers to obtain sensitive information via a direct request for (1) files.public-userroot.inc.php or (2) files.private.additions.inc.php in include/inc_lib/, which reveals the path in various error messages.

5CVSS6.6AI score0.00597EPSS

CVE•added 2018/06/30 2:29 p.m.•34 views

CVE-2018-12990

phpwcms 1.8.9 allows remote attackers to discover the installation path via an invalid csrf_token_value field.

5.3CVSS5.3AI score0.00244EPSS

CVE•added 2021/09/08 12:15 a.m.•30 views

CVE-2020-19855

phpwcms v1.9 contains a cross-site scripting (XSS) vulnerability in /image_zoom.php.

6.1CVSS5.9AI score0.0024EPSS

CVE•added 2023/02/03 6:15 p.m.•30 views

CVE-2021-36426

File Upload vulnerability in phpwcms 1.9.25 allows remote attackers to run arbitrary code via crafted file upload to include/inc_lib/general.inc.php.

8.8CVSS8.8AI score0.00315EPSS

CVE•added 2006/05/22 10:2 p.m.•29 views

CVE-2006-2518

Cross-site scripting (XSS) vulnerability in phpwcms 1.2.5-DEV allows remote attackers to inject arbitrary web script or HTML via the BL[be_cnt_plainhtml] parameter to include/inc_tmpl/content/cnt6.inc.php.

2.6CVSS5.7AI score0.00622EPSS