Search Results (1239 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-12923 2 Emarket-design, Wordpress 2 Video Gallery – Youtube Gallery, Playlist & Video Grid, Wordpress 2026-07-06 7.5 High
The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.
CVE-2026-27412 2 Stylemixthemes, Wordpress 2 Pearl - Corporate Business, Wordpress 2026-07-06 8.1 High
Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions.
CVE-2026-57748 2 Shopify Help Center, Wordpress 2 Shopify, Wordpress 2026-07-06 7.5 High
Contributor Local File Inclusion in Shopify <= 1.0.0 versions.
CVE-2026-12194 1 Phpipam 1 Phpipam 2026-07-06 N/A
PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is not enabled by default on installations.
CVE-2026-5137 2 Rometheme, Wordpress 2 Rtmkit, Wordpress 2026-07-06 4.3 Medium
The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.
CVE-2025-58902 2026-07-03 8.1 High
Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.
CVE-2025-69133 2 Goodlayers, Wordpress 2 Tour Master, Wordpress 2026-07-02 7.5 High
Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.
CVE-2026-42382 2026-07-02 8.1 High
Unauthenticated Local File Inclusion in Audrey <= 1.5 versions.
CVE-2026-57749 2026-07-02 7.5 High
Contributor Local File Inclusion in SportsPress Pro <= 2.7.29 versions.
CVE-2026-54814 2 Stylemix, Wordpress 2 Motors, Wordpress 2026-06-25 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109.
CVE-2016-20077 2 Kaymeephotography, Wordpress 2 Photocart Link, Wordpress 2026-06-23 6.2 Medium
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoint to retrieve sensitive files like wp-config.php containing database credentials and configuration data.
CVE-2016-20078 2 Henrique Dias, Wordpress 2 Imdb Profile Widget, Wordpress 2026-06-23 6.2 Medium
WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.
CVE-2016-20079 2 Jamie, Wordpress 2 Dharma Booking, Wordpress 2026-06-23 6.2 Medium
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.
CVE-2016-20080 2 Brandfolder, Wordpress 2 Brandfolder, Wordpress 2026-06-23 6.2 Medium
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter. Attackers can supply path traversal sequences or remote URLs through the wp_abspath parameter to read sensitive files like wp-config.php or execute remote code.
CVE-2016-20082 2 Abtest, Wordpress 2 Abtest, Wordpress 2026-06-23 6.2 Medium
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest_admin.php with malicious action values to include files from the admin directory and execute arbitrary code.
CVE-2025-58924 2 Themerex Group, Wordpress 2 Geya, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Geya <= 1.15 versions.
CVE-2025-60085 2 Themerex Group, Wordpress 2 Learnify, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Learnify <= 1.15.0 versions.
CVE-2025-69107 2 Themerex, Wordpress 2 Rosaleen, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Rosaleen <= 2.8 versions.
CVE-2025-69109 2 Themerex, Wordpress 2 Raider Spirit, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Raider Spirit <= 1.1.2 versions.
CVE-2025-69119 2 Themerex, Wordpress 2 Corbesier, Wordpress 2026-06-23 8.1 High
Unauthenticated Local File Inclusion in Corbesier <= 1.15.0 versions.