Explore Vulnerabilities

Explore all Exploits:

Exclusive Addons for Elementor ≤ 2.6.9 – Authenticated Stored Cross-Site Scripting (XSS)

The Exclusive Addons for Elementor plugin for WordPress, in versions up to and including 2.6.9, is vulnerable to stored cross-site scripting (XSS) via the 's' parameter. Improper input sanitization and output escaping allow an attacker with contributor-level permissions or higher to inject arbitrary JavaScript that executes when a user views the affected page.

XWiki Platform – Remote Code Execution

XWiki Platform contains a critical Remote Code Execution (RCE) vulnerability that allows guest users to execute arbitrary code remotely via the SolrSearch endpoint. This can result in a complete server compromise, granting the attacker the ability to run commands on the underlying system, impacting the confidentiality, integrity, and availability of the XWiki installation. The issue has been addressed in XWiki versions 15.10.11, 16.4.1, and 16.5.0RC1.

WordPress User Registration & Membership Plugin <= 4.1.1 - Unauthenticated Privilege Escalation

The WordPress User Registration & Membership Plugin version 4.1.1 and below allows unauthenticated users to escalate privileges. An attacker can exploit this vulnerability to gain unauthorized access and perform malicious actions.

Apache Tomcat Path Equivalence – Remote Code Execution

The exploit allows remote attackers to execute arbitrary code on the target system by uploading a malicious payload to a specific URL and triggering it through a crafted request. This vulnerability is identified as CVE-2025-24813 affecting Apache Tomcat versions prior to 11.0.3, 10.1.35, and 9.0.98.

WordPress Backup and Staging Plugin Arbitrary File Upload to Remote Code Execution

The WordPress plugin 'Backup and Staging by WP Time Capsule' up to version 1.21.16 allows unauthenticated attackers to upload arbitrary files via the upload.php endpoint, potentially leading to remote code execution by uploading and executing a PHP file directly from a specific directory.

Recent Exploits: