wCMS
Products
1- 11 CVEs
Recent CVEs
11| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-31689 | Cri | 0.65 | 9.8 | 0.20 | May 22, 2023 | In Wcms 0.3.2, an attacker can send a crafted request from a vulnerable web application backend server /wcms/wex/html.php via the finish parameter and the textAreaCode parameter. It can write arbitrary strings into custom file names and upload any files, and write malicious code… | ||
| CVE-2019-11377 | Hig | 0.57 | 8.8 | 0.02 | Apr 20, 2019 | wcms/wex/finder/action.php in WCMS v0.3.2 has a Arbitrary File Upload Vulnerability via developer/finder because .php is a valid extension according to the fm_get_text_exts function. | ||
| CVE-2019-14240 | Hig | 0.53 | 8.1 | 0.01 | Jul 23, 2019 | WCMS v0.3.2 has a CSRF vulnerability, with resultant directory traversal, to modify index.html via the /wex/html.php?finish=../index.html URI. | ||
| CVE-2025-3800 | Hig | 0.47 | 7.3 | 0.01 | Apr 19, 2025 | A vulnerability has been found in WCMS 11 and classified as critical. Affected by this vulnerability is an unknown functionality of the file app/controllers/AnonymousController.php. The manipulation of the argument mobile_phone leads to sql injection. The attack can be launched… | ||
| CVE-2025-3799 | Hig | 0.47 | 7.3 | 0.00 | Apr 19, 2025 | A vulnerability, which was classified as critical, was found in WCMS 11. Affected is an unknown function of the file app/controllers/AnonymousController.php. The manipulation of the argument email/username leads to sql injection. It is possible to launch the attack remotely. The… | ||
| CVE-2025-2978 | Med | 0.41 | 6.3 | 0.00 | Mar 31, 2025 | A vulnerability was found in WCMS 11. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?articleadmin/upload/?&CKEditor=container&CKEditorFuncNum=1 of the component Article Publishing Page. The manipulation of the argument… | ||
| CVE-2026-38669 | Med | 0.40 | 6.1 | 0.00 | May 4, 2026 | wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog. | ||
| CVE-2025-5149 | Med | 0.36 | 5.6 | 0.01 | May 25, 2025 | A vulnerability was found in WCMS up to 8.3.11. It has been declared as critical. Affected by this vulnerability is the function getMemberByUid of the file /index.php?articleadmin/getallcon of the component Login. The manipulation of the argument uid leads to improper… | ||
| CVE-2025-3798 | Med | 0.31 | 4.7 | 0.00 | Apr 19, 2025 | A vulnerability, which was classified as critical, has been found in WCMS 11. This issue affects the function sub of the file app/admin/AdvadminController.php of the component Advertisement Image Handler. The manipulation leads to unrestricted upload. The attack may be initiated… | ||
| CVE-2025-2979 | Low | 0.16 | 2.4 | 0.00 | Mar 31, 2025 | A vulnerability classified as problematic has been found in WCMS 11. This affects an unknown part of the file /index.php?anonymous/setregister of the component Registration. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the… | ||
| CVE-2005-4488 | 0.03 | — | 0.02 | Dec 22, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in index.tpl in Redakto WCMS 3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) iid, (2) iid2, (3) r, (4) cart, (5) str, (6) nf, and (7) a parameters. |
- risk 0.65cvss 9.8epss 0.20
In Wcms 0.3.2, an attacker can send a crafted request from a vulnerable web application backend server /wcms/wex/html.php via the finish parameter and the textAreaCode parameter. It can write arbitrary strings into custom file names and upload any files, and write malicious code…
- risk 0.57cvss 8.8epss 0.02
wcms/wex/finder/action.php in WCMS v0.3.2 has a Arbitrary File Upload Vulnerability via developer/finder because .php is a valid extension according to the fm_get_text_exts function.
- risk 0.53cvss 8.1epss 0.01
WCMS v0.3.2 has a CSRF vulnerability, with resultant directory traversal, to modify index.html via the /wex/html.php?finish=../index.html URI.
- risk 0.47cvss 7.3epss 0.01
A vulnerability has been found in WCMS 11 and classified as critical. Affected by this vulnerability is an unknown functionality of the file app/controllers/AnonymousController.php. The manipulation of the argument mobile_phone leads to sql injection. The attack can be launched…
- risk 0.47cvss 7.3epss 0.00
A vulnerability, which was classified as critical, was found in WCMS 11. Affected is an unknown function of the file app/controllers/AnonymousController.php. The manipulation of the argument email/username leads to sql injection. It is possible to launch the attack remotely. The…
- risk 0.41cvss 6.3epss 0.00
A vulnerability was found in WCMS 11. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?articleadmin/upload/?&CKEditor=container&CKEditorFuncNum=1 of the component Article Publishing Page. The manipulation of the argument…
- risk 0.40cvss 6.1epss 0.00
wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.
- risk 0.36cvss 5.6epss 0.01
A vulnerability was found in WCMS up to 8.3.11. It has been declared as critical. Affected by this vulnerability is the function getMemberByUid of the file /index.php?articleadmin/getallcon of the component Login. The manipulation of the argument uid leads to improper…
- risk 0.31cvss 4.7epss 0.00
A vulnerability, which was classified as critical, has been found in WCMS 11. This issue affects the function sub of the file app/admin/AdvadminController.php of the component Advertisement Image Handler. The manipulation leads to unrestricted upload. The attack may be initiated…
- risk 0.16cvss 2.4epss 0.00
A vulnerability classified as problematic has been found in WCMS 11. This affects an unknown part of the file /index.php?anonymous/setregister of the component Registration. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the…
- CVE-2005-4488Dec 22, 2005risk 0.03cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in index.tpl in Redakto WCMS 3.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) iid, (2) iid2, (3) r, (4) cart, (5) str, (6) nf, and (7) a parameters.