Total
3867 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-5012 | 1 Amentotech | 1 Workreap | 2025-07-10 | N/A | 8.8 HIGH |
|
The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'workreap_temp_upload_to_media' function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2024-8856 | 1 Revmakx | 1 Backup And Staging By Wp Time Capsule | 2025-07-09 | N/A | 9.8 CRITICAL |
|
The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2025-6220 | 1 Themefic | 1 Ultimate Addons For Contact Form 7 | 2025-07-09 | N/A | 7.2 HIGH |
|
The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_options' function in all versions up to, and including, 3.5.12. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2025-5961 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2025-07-09 | N/A | 7.2 HIGH |
|
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPres ...
Show More |
|||||
| CVE-2025-6586 | 1 Metagauss | 1 Download Plugin | 2025-07-09 | N/A | 7.2 HIGH |
|
The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwap_plugin_locInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||
| CVE-2024-40394 | 1 Oretnom23 | 1 Simple Library Management System | 2025-07-09 | N/A | 9.8 CRITICAL |
|
Simple Library Management System Project Using PHP/MySQL v1.0 was discovered to contain an arbitrary file upload vulnerability via the component ajax.php.
|
|||||
| CVE-2023-51590 | 1 Voltronicpower | 1 Viewpower | 2025-07-09 | N/A | 9.8 CRITICAL |
|
Voltronic Power ViewPower Pro UpLoadAction Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the UpLoadAction class. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage ...
Show More |
|||||
| CVE-2025-3040 | 1 Projectworlds | 1 Online Time Table Generator | 2025-07-09 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in Project Worlds Online Time Table Generator 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add_student.php. The manipulation of the argument pic leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3041 | 1 Projectworlds | 1 Online Time Table Generator | 2025-07-09 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in Project Worlds Online Time Table Generator 1.0. This affects an unknown part of the file /admin/updatestudent.php. The manipulation of the argument pic leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-3042 | 1 Projectworlds | 1 Online Time Table Generator | 2025-07-09 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical was found in Project Worlds Online Time Table Generator 1.0. This vulnerability affects unknown code of the file /student/updateprofile.php. The manipulation of the argument pic leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-1500 | 1 Ibm | 1 Maximo Application Suite | 2025-07-08 | N/A | 5.5 MEDIUM |
|
IBM Maximo Application Suite 9.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened.
|
|||||
| CVE-2025-7181 | 1 Carmelo | 1 Staff Audit System | 2025-07-08 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability, which was classified as critical, was found in code-projects Staff Audit System 1.0. Affected is an unknown function of the file /test.php. The manipulation of the argument uploadedfile leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-7151 | 1 Campcodes | 1 Advanced Online Voting System | 2025-07-08 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in Campcodes Advanced Online Voting System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/voters_add.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-7152 | 1 Campcodes | 1 Advanced Online Voting System | 2025-07-08 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in Campcodes Advanced Online Voting System 1.0. Affected is an unknown function of the file /admin/candidates_add.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-7124 | 1 Anisha | 1 Online Note Sharing | 2025-07-08 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical has been found in code-projects Online Note Sharing 1.0. Affected is an unknown function of the file /dashboard/userprofile.php of the component Profile Image Handler. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-23968 | 2025-07-08 | N/A | 9.1 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in WPCenter AiBud WP allows Upload a Web Shell to a Web Server.This issue affects AiBud WP: from n/a through 1.8.5.
|
|||||
| CVE-2025-30933 | 2025-07-08 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through 1.1.6.
|
|||||
| CVE-2025-28951 | 2025-07-08 | N/A | 9.1 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image allows Upload a Web Shell to a Web Server. This issue affects Bulk Featured Image: from n/a through 1.2.1.
|
|||||
| CVE-2025-49414 | 2025-07-08 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery allows Using Malicious Files. This issue affects FW Gallery: from n/a through 8.0.0.
|
|||||
| CVE-2024-53619 | 1 Spip | 1 Spip | 2025-07-07 | N/A | 6.3 MEDIUM |
|
An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.
|
|||||
| CVE-2021-4457 | 1 Digitalzoomstudio | 1 Zoomsounds | 2025-07-07 | N/A | 9.1 CRITICAL |
|
The ZoomSounds plugin before 6.05 contains a PHP file allowing unauthenticated users to upload an arbitrary file anywhere on the web server.
|
|||||
| CVE-2025-5746 | 2025-07-03 | N/A | 9.8 CRITICAL | ||
|
The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The ...
Show More |
|||||
| CVE-2025-4954 | 1 Axlethemes | 1 Axle Demo Importer | 2025-07-02 | N/A | 8.8 HIGH |
|
The Axle Demo Importer WordPress plugin through 1.0.3 does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP on the server
|
|||||
| CVE-2024-40695 | 1 Ibm | 1 Cognos Analytics | 2025-07-02 | N/A | 8.0 HIGH |
|
IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and
12.0.0 through 12.0.4
could be vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks.
|
|||||
| CVE-2025-5108 | 1 Shopxo | 1 Shopxo | 2025-07-02 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in zongzhige ShopXO 6.5.0. It has been rated as critical. This issue affects the function Upload of the file app/admin/controller/Payment.php of the component ZIP File Handler. The manipulation of the argument params leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-25361 | 1 Publiccms | 1 Publiccms | 2025-07-01 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in the component /cms/CmsWebFileAdminController.java of PublicCMS v4.0.202406 allows attackers to execute arbitrary code via uploading a crafted svg or xml file.
|
|||||
| CVE-2025-27411 | 1 Redaxo | 1 Redaxo | 2025-07-01 | N/A | 5.4 MEDIUM |
|
REDAXO is a PHP-based CMS. In Redaxo before 5.18.3, the mediapool/media page is vulnerable to arbitrary file upload. This vulnerability is fixed in 5.18.3.
|
|||||
| CVE-2024-44849 | 1 Qualitor | 1 Qualitor | 2025-07-01 | N/A | 9.8 CRITICAL |
|
Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
|
|||||
| CVE-2025-6873 | 1 Oretnom23 | 1 Simple Company Website | 2025-07-01 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability, which was classified as critical, has been found in SourceCodester Simple Company Website 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-6872 | 1 Oretnom23 | 1 Simple Company Website | 2025-07-01 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability classified as critical was found in SourceCodester Simple Company Website 1.0. This vulnerability affects unknown code of the file /classes/SystemSettings.php?f=update_settings. The manipulation of the argument img leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-6870 | 1 Oretnom23 | 1 Simple Company Website | 2025-07-01 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability was found in SourceCodester Simple Company Website 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Content.php?f=service. The manipulation of the argument img leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-6837 | 1 Code-projects | 1 Library System | 2025-07-01 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability classified as critical was found in code-projects Library System 1.0. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-6900 | 1 Code-projects | 1 Library System | 2025-07-01 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-book.php. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-47787 | 1 Emlog | 1 Emlog | 2025-07-01 | N/A | 9.8 CRITICAL |
|
Emlog is an open source website building system. Emlog Pro prior to version 2.5.10 contains a file upload vulnerability. The store.php component contains a critical security flaw where it fails to properly validate the contents of remotely downloaded ZIP plugin files. This insufficient validation allows attackers to execute arbitrary code on the vulnerable system. Version 2.5.10 contains a patch for the issue.
|
|||||
| CVE-2025-53260 | 2025-06-30 | N/A | 9.1 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress allows Upload a Web Shell to a Web Server. This issue affects File Manager Plugin For Wordpress: from n/a through 7.5.
|
|||||
| CVE-2025-49885 | 2025-06-30 | N/A | 10.0 CRITICAL | ||
|
Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme Drag and Drop Multiple File Upload (Pro) - WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop Multiple File Upload (Pro) - WooCommerce: from n/a through 5.0.6.
|
|||||
| CVE-2024-22060 | 1 Ivanti | 1 Neurons For Itsm | 2025-06-30 | N/A | 4.9 MEDIUM |
|
An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authenticated, high privileged user to write arbitrary files into sensitive directories of ITSM server.
|
|||||
| CVE-2024-3117 | 1 Youdiancms | 1 Youdiancms | 2025-06-30 | 5.8 MEDIUM | 4.7 MEDIUM |
|
A vulnerability classified as critical was found in YouDianCMS up to 9.5.12. This vulnerability affects unknown code of the file App\Lib\Action\Admin\ChannelAction.class.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-258778 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2024-48646 | 1 Sage | 1 Sage Frp 1000 | 2025-06-27 | N/A | 8.1 HIGH |
|
An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. An attacker could exploit this vulnerability by uploading malicious files, such as HTML, scripts, or other executable content, that may be executed on the server, leading to further system compromise.
|
|||||
| CVE-2025-0357 | 1 Iqonic | 1 Wpbookit | 2025-06-27 | N/A | 9.8 CRITICAL |
|
The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'WPB_Profile_controller::handle_image_upload' function in versions up to, and including, 1.6.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
|
|||||