Vendor CVEs
Website Baker
All CVEs
25 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-9771 |  | Cri | 0.64 | 9.8 | 0.01 |  | Jun 21, 2017 | install\save.php in WebsiteBaker v2.10.0 allows remote attackers to execute arbitrary PHP code via the database_username, database_host, or database_password parameter. |
| CVE-2017-9360 |  | Cri | 0.64 | 9.8 | 0.01 |  | Jun 2, 2017 | WebsiteBaker v2.10.0 has a SQL injection vulnerability in /account/details.php. |
| CVE-2017-7410 |  | Cri | 0.64 | 9.8 | 0.03 |  | Apr 3, 2017 | Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) display_name parameter. |
| CVE-2017-16514 |  | Med | 0.40 | 6.1 | 0.01 |  | Jan 10, 2018 | Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities in the files /wb/admin/admintools/tool.php (Droplet Description) and /install/index.php (Site Title) in WebsiteBaker 2.10.0 allow attackers to insert persistent JavaScript code that gets reflected back to… |
| CVE-2017-9668 |  | Med | 0.40 | 6.1 | 0.01 |  | Jun 18, 2017 | In admin\addgroup.php in CMS Made Simple 2.1.6, when adding a user group, there is no XSS filtering, resulting in storage-type XSS generation, via the description parameter in an addgroup action. |
| CVE-2017-9361 |  | Med | 0.40 | 6.1 | 0.01 |  | Jun 2, 2017 | WebsiteBaker v2.10.0 has a stored XSS vulnerability in /account/details.php. |
| CVE-2014-9243 |  |  | 0.03 | — | 0.02 |  | Dec 3, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker 2.8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to wb/admin/admintools/tool.php or (2) section_id parameter to edit_module_files.php, (3) news/add_post.php, (4)… |
| CVE-2014-9242 |  |  | 0.03 | — | 0.02 |  | Dec 3, 2014 | SQL injection vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 allows remote attackers to execute arbitrary SQL commands via the page_id parameter. |
| CVE-2005-4140 |  |  | 0.03 | — | 0.02 |  | Dec 9, 2005 | SQL injection vulnerability in admin/login/index.php in Website Baker 2.6.0 allows remote attackers to execute arbitrary SQL commands via the username parameter, as used by the user field. |
| CVE-2021-47788 |  |  | 0.00 | — | 0.01 |  | Jan 15, 2026 | WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve… |
| CVE-2023-53953 |  |  | 0.00 | — | 0.00 |  | Dec 19, 2025 | WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other… |
| CVE-2023-53903 |  |  | 0.00 | — | 0.00 |  | Dec 16, 2025 | WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent… |
| CVE-2023-53902 |  |  | 0.00 | — | 0.01 |  | Dec 16, 2025 | WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to… |
| CVE-2020-25990 |  |  | 0.00 | — | 0.02 |  | Oct 1, 2020 | WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. |
| CVE-2011-4322 |  |  | 0.00 | — | 0.01 |  | Jan 21, 2020 | websitebaker prior to and including 2.8.1 has an authentication error in backup module. |
| CVE-2011-2933 |  |  | 0.00 | — | 0.01 |  | Jan 14, 2020 | An Arbitrary File Upload vulnerability exists in admin/media/upload.php in WebsiteBaker 2.8.1 and earlier due to a failure to restrict uploaded files with .htaccess, .php4, .php5, and .phtl extensions. |
| CVE-2011-2934 |  |  | 0.00 | — | 0.01 |  | Jan 14, 2020 | A Cross Site Request Forgery (CSRF) vulnerability exists in the administrator functions in WebsiteBaker 2.8.1 and earlier due to inadequate confirmation for sensitive transactions. |
| CVE-2015-0553 |  |  | 0.00 | — | 0.02 |  | Jan 21, 2015 | Cross-site scripting (XSS) vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 SP3 allows remote attackers to inject arbitrary web script or HTML via the page_id parameter. |
| CVE-2011-3817 |  |  | 0.00 | — | 0.01 |  | Sep 24, 2011 | Website Baker 2.8.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by admin/media/parameters.php and certain other files. NOTE: this might overlap… |
| CVE-2011-3385 |  |  | 0.00 | — | 0.01 |  | Sep 2, 2011 | Cross-site scripting (XSS) vulnerability in WebsiteBaker before 2.8, as used in LEPTON and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unknown vectors, a different vulnerability than CVE-2006-2307. |
| CVE-2007-0527 |  |  | 0.00 | — | 0.01 |  | Jan 26, 2007 | SQL injection vulnerability in the is_remembered function in class.login.php in Website Baker 2.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the REMEMBER_KEY cookie parameter. NOTE: some of these details are obtained from third party information. |
| CVE-2006-2307 |  |  | 0.00 | — | 0.01 |  | May 11, 2006 | Cross-site scripting (XSS) vulnerability in Website Baker CMS before 2.6.4 allows remote attackers to inject arbitrary web script or HTML via a user display name. |
| CVE-2005-2437 |  |  | 0.00 | — | 0.01 |  | Aug 3, 2005 | Website Baker Project does not properly verify the file extensions of uploaded files, which allows remote attackers to upload and execute arbitrary PHP code. |
| CVE-2005-2436 |  |  | 0.00 | — | 0.01 |  | Aug 3, 2005 | browse.php in Website Baker Project allows remote attackers to obtain sensitive data via (1) a directory that does not exist in the dir parameter or (2) a direct request to certain php files, which reveal the path in an error message. |
| CVE-2005-2435 |  |  | 0.00 | — | 0.01 |  | Aug 3, 2005 | Cross-site scripting (XSS) vulnerability in browse.php in Website Baker Project allows remote attackers to inject arbitrary web script or HTML via the dir parameter. |