PHP Exploits

1,334 exploits tracked across all sources.

EIP-2026-114327 EXPLOITDB php VERIFIED
WordPress Theme Felici - 'Uploadify.php' Arbitrary File Upload
by CaFc Versace
EIP-2026-113980 EXPLOITDB php VERIFIED
WordPress Plugin Premium Gallery Manager - Arbitrary File Upload
by eX-Sh1Ne
EIP-2026-109546 EXPLOITDB php VERIFIED
MODx Evogallery Module - 'Uploadify.php' Arbitrary File Upload
by TUNISIAN CYBER
CVE-2025-34037 EXPLOITDB CRITICAL php VERIFIED
Linksys E-Series - Command Injection
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products, including but not limited to WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
by Rew
EIP-2026-114336 EXPLOITDB php VERIFIED
WordPress Theme Kiddo - Arbitrary File Upload
by TUNISIAN CYBER
EIP-2026-105019 EXPLOITDB php
AfterLogic Pro and Lite 7.1.1.1 - Persistent Cross-Site Scripting
by Saeed reza Zamanian
EIP-2026-100560 EXPLOITDB php
SmarterMail Enterprise and Standard 11.x - Persistent Cross-Site Scripting
by Saeed reza Zamanian
CVE-2013-6924 EXPLOITDB CRITICAL php
Seagate BlackArmor NAS 220 Firmware - Command Injection
Seagate BlackArmor NAS devices with firmware sg2000-2000.1331 allow remote attackers to execute arbitrary commands via shell metacharacters in the ip parameter to backupmgt/getAlias.php.
by Jeroen - IT Nerdbox
CVSS 9.8
CVE-2014-10032 EXPLOITDB php
Scriptbrasil Taboada Macronews - SQL Injection
SQL injection vulnerability in news_popup.php in Taboada MacroNews 1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.
by Jefrey
EIP-2026-115988 EXPLOITDB php
Ofilter Player 1.1 - '.wav' Integer Division by Zero
by Osanda Malith Jayathissa
EIP-2026-110350 EXPLOITDB php VERIFIED
osCMax - Arbitrary File Upload / Full Path Information Disclosure
by KedAns-Dz
EIP-2026-113955 EXPLOITDB php VERIFIED
WordPress Plugin PhotoSmash Galleries - 'bwbps-uploader.php' Arbitrary File Upload
by Ashiyane Digital Security Team
EIP-2026-113945 EXPLOITDB php
WordPress Plugin page-flip-image-gallery - Arbitrary File Upload
by Ashiyane Digital Security Team
EIP-2026-109855 EXPLOITDB php VERIFIED
NeoBill - '/modules/nullregistrar/PHPwhois/example.php?query' Remote Code Execution
by KedAns-Dz
EIP-2026-109854 EXPLOITDB php VERIFIED
NeoBill - '/install/include/solidstate.php' Multiple SQL Injections
by KedAns-Dz
EIP-2026-109693 EXPLOITDB php VERIFIED
MyBB 1.6.11 - Remote Code Execution
by BlackDream
EIP-2026-107119 EXPLOITDB php VERIFIED
FlashComs Chat 6.5 - Arbitrary File Upload
by Miya Chung
EIP-2026-114351 EXPLOITDB php VERIFIED
WordPress Theme Suco - 'themify-ajax.php' Arbitrary File Upload
by DevilScreaM
EIP-2026-109150 EXPLOITDB php VERIFIED
Limonade Framework - 'limonade.php' Local File Disclosure
by Yashar shahinzadeh
EIP-2026-114335 EXPLOITDB php VERIFIED
WordPress Theme Kernel - Arbitrary File Upload
by link_satisi
EIP-2026-114355 EXPLOITDB php VERIFIED
WordPress Theme This Way - 'upload_settings_image.php' Arbitrary File Upload
by Bet0
EIP-2026-108780 EXPLOITDB php VERIFIED
Joomla! Component Maian15 - 'name' Arbitrary File Upload
by SultanHaikal
EIP-2026-104758 EXPLOITDB php VERIFIED
PHP Point Of Sale - 'ofc_upload_image.php' Remote Code Execution
by Gabby
EIP-2026-114195 EXPLOITDB php VERIFIED
WordPress Plugin Woopra Analytics - 'ofc_upload_image.php' Arbitrary PHP Code Execution
by wantexz
CVE-2013-4810 EXPLOITDB CRITICAL php VERIFIED
HP ProCurve Manager <4.0 - RCE
HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, Identity Driven Manager (IDM) 4.0, and Application Lifecycle Management allow remote attackers to execute arbitrary code via a marshalled object to (1) EJBInvokerServlet or (2) JMXInvokerServlet, aka ZDI-CAN-1760. NOTE: this is probably a duplicate of CVE-2007-1036, CVE-2010-0738, and/or CVE-2012-0874.
by rgod
CVSS 9.8