Total: 4076 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-6207 | 1 Vjinfotech | 1 Wp Import Export Lite | 2026-06-17 | N/A | 7.5 HIGH | The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including, 3.9.28. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-6206 | 1 Coderevolution | 1 Aiomatic | 2026-06-17 | N/A | 7.5 HIGH | The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_image_editor_ajax_submit' function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. In order to exploit the vulnerability, there must be a value entered for the Stability.AI API key. The value can be arbitrary. |
| CVE-2025-6161 | 1 Fabian | 1 Simple Food Ordering System | 2026-06-17 | 7.5 HIGH | 7.3 HIGH | A vulnerability, which was classified as critical, was found in SourceCodester Simple Food Ordering System 1.0. Affected is an unknown function of the file /editproduct.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2025-6086 | | | 2026-06-17 | N/A | 7.2 HIGH | The CSV Me plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'csv_me_options_page' function in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-6085 | 1 Celonis | 1 Make Connector | 2026-06-17 | N/A | 7.2 HIGH | The Make Connector plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'upload_media' function in all versions up to, and including, 1.5.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-6079 | | | 2026-06-17 | N/A | 8.8 HIGH | The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. CVE-2025-31100 is potentially a duplicate of this. |
| CVE-2025-6058 | 1 Iqonic | 1 Wpbookit | 2026-06-17 | N/A | 9.8 CRITICAL | The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-6057 | 1 Iqonic | 1 Wpbookit | 2026-06-17 | N/A | 8.8 HIGH | The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. |
| CVE-2025-6002 | | | 2026-06-17 | N/A | 7.2 HIGH | An unrestricted file upload vulnerability exists in the Product Image section of the VirtueMart backend. Authenticated attackers can upload files with arbitrary extensions, including executable or malicious files, potentially leading to remote code execution or other security impacts depending on server configuration. |
| CVE-2025-69981 | 1 Frangoteam | 1 Fuxa | 2026-06-17 | N/A | 9.8 CRITICAL | FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code. |
| CVE-2025-69906 | 1 Monstra | 1 Monstra Cms | 2026-06-17 | N/A | 8.8 HIGH | Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution. |
| CVE-2025-69828 | | | 2026-06-17 | N/A | 10.0 CRITICAL | File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit. |
| CVE-2025-69771 | 1 Killergerbah | 1 Asbplayer | 2026-06-17 | N/A | 9.6 CRITICAL | Cross-Site Scripting (XSS) vulnerability in the subtitle loading function of the asbplayer Chrome Extension version 1.14.0 allows attackers to execute arbitrary JavaScript in the context of the active streaming platform via a crafted .srt subtitle file. Because the script executes within the same-site context, it can bypass cross-origin restrictions, leading to unauthorized same-site API requests and session data exfiltration. |
| CVE-2025-69565 | 1 Fabian | 1 Mobile Shop Management System | 2026-06-17 | N/A | 9.8 CRITICAL | code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php. |
| CVE-2025-69559 | 1 Carmelo | 1 Computer Book Store | 2026-06-17 | N/A | 9.8 CRITICAL | code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php. |
| CVE-2025-69403 | | | 2026-06-17 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files. This issue affects Bravis Addons: from n/a through <= 1.3.0. |
| CVE-2025-69312 | | | 2026-06-17 | N/A | 9.1 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1. |
| CVE-2025-68986 | | | 2026-06-17 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server. This issue affects Miion: from n/a through <= 1.2.7. |
| CVE-2025-68910 | | | 2026-06-17 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files. This issue affects Blogzee: from n/a through <= 1.0.5. |
| CVE-2025-68909 | | | 2026-06-17 | N/A | 9.9 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files. This issue affects Blogistic: from n/a through <= 1.0.5. |
