| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated Local File Inclusion in Thegov Core < 2.0.23 versions. |
| Unauthenticated Local File Inclusion in Integrio Core < 1.2.8 versions. |
| The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. |
| Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the option parameter set to com_easyshop, task set to ajax.loadImage, and a base64-encoded file path in the file parameter to retrieve sensitive files like configuration.php and system files. |
| Unauthenticated Local File Inclusion in Softlab Core < 1.2.11 versions. |
| Unauthenticated Local File Inclusion in AirSupply <= 2.0.0 versions. |
| Unauthenticated Local File Inclusion in Snowy <= 1.13 versions. |
| Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions. |
| Unauthenticated Local File Inclusion in Hitek < 1.8.3 versions. |
| Unauthenticated Local File Inclusion in LuxMed | Medicine & Healthcare Doctor WordPress Theme <= 1.2.2 versions. |
| Unauthenticated Local File Inclusion in Preservation <= 1.10 versions. |
| Unauthenticated Local File Inclusion in Skyward <= 1.10 versions. |
| Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions. |
| Unauthenticated Local File Inclusion in Line Agency <= 1.3.1 versions. |
| Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions. |
| CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server. Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11. |
| Unauthenticated Arbitrary File Download in Premium Age Verification / Restriction for WordPress <= 3.0.2 versions. |
| Unauthenticated Local File Inclusion in Mikado Core <= 1.6 versions. |
| Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions. |
| Discuz! X5.0 releases 20260320 through 20260610 contain a local file inclusion vulnerability that allows authenticated administrators to execute arbitrary code by importing a specially crafted plugin configuration containing path traversal sequences in the directory attribute. Attackers can trigger an exception during plugin installation to bypass sanitization routines, causing malicious paths to be stored unsanitized and subsequently passed to include(), which combined with file upload functionality escalates to arbitrary code execution in the context of the web server user. |