Tag: php

  • phpMyAdmin 4.8.1 – Remote Code Execution (RCE)

    Security team ChaMd5 disclosed a Local File Inclusion vulnerability in phpMyAdmin 4.8.1, the latest version at the time; exploiting it may lead to Remote Code Execution. Reference:

  • qdPM 9.1 – Remote Code Execution (RCE) (Authenticated)

    A remote code execution (RCE) vulnerability exists in qdPM 9.1 and earlier. An attacker can upload a malicious PHP code file via the profile photo functionality by leveraging a path traversal vulnerability in the users['photo_preview'] delete-photo feature, allowing the .htaccess protection to be bypassed. NOTE: this issue exists because of an incomplete fix for CVE-2015-3884. Reference:
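
    The entry above describes a path traversal in a delete-photo feature that lets an attacker defeat the .htaccess protecting the upload directory. The following is an added illustrative example, not qdPM's code: a hypothetical "delete profile photo" handler that unlinks a file named by a request parameter, shown in its vulnerable form and hardened form. Directory, parameter and function names are assumptions, and the example assumes the traversal is used to remove the .htaccess file that stops PHP from executing in the upload directory.

```php
<?php
// Added illustrative example (not qdPM code). The upload directory and the
// parameter name are hypothetical; the on-disk layout below is constructed
// for the demonstration.

const UPLOAD_DIR = __DIR__ . '/uploads/users';

// Vulnerable: the user-supplied name is joined to the upload directory without
// normalisation, so "../.htaccess" walks out of the photo directory. Removing
// the .htaccess that disables PHP in uploads/ is what turns a later file
// upload into code execution.
function delete_photo_vulnerable(string $photoPreview): bool
{
    $path = UPLOAD_DIR . '/' . $photoPreview;
    return is_file($path) && unlink($path);
}

// Hardened: strip any directory component, refuse dotfiles, then confirm the
// resolved path is still inside the upload directory before touching it.
function delete_photo_hardened(string $photoPreview): bool
{
    $name = basename($photoPreview);            // drops "../" and "/" prefixes
    if ($name === '' || $name[0] === '.') {      // no .htaccess, no hidden files
        return false;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return false;                            // does not exist or unresolvable
    }
    // Containment check: resolved path must start with "<base>/".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                            // symlink or traversal escaped uploads/
    }
    return is_file($path) && unlink($path);
}

// Constructed layout: uploads/.htaccess (protection) and uploads/users/pic.jpg.
@mkdir(UPLOAD_DIR, 0755, true);
$htaccess = dirname(UPLOAD_DIR) . '/.htaccess';
file_put_contents($htaccess, "php_flag engine off\n");
file_put_contents(UPLOAD_DIR . '/pic.jpg', 'constructed jpeg bytes');

var_dump(delete_photo_hardened('../.htaccess'));    // refused, .htaccess survives
var_dump(file_exists($htaccess));
var_dump(delete_photo_vulnerable('../.htaccess'));  // traversal succeeds, .htaccess gone
var_dump(file_exists($htaccess));
var_dump(delete_photo_hardened('pic.jpg'));         // legitimate delete still works
```

    The hardened version rejects the traversal twice over: basename() discards the directory part, and the realpath() containment check catches anything (including a symlink dropped into the upload directory) that still resolves outside it.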

  • Elementor < 3.4.8 – DOM Cross-Site-Scripting

    The plugin does not sanitise or escape user input appended to the DOM via a malicious hash, resulting in a DOM-based Cross-Site Scripting issue. The issue was initially fixed in 3.1.4 but was re-introduced in 3.2.0. The base64 string is an encoded JSON with the following structure: This vulnerability has been fixed in version 3.1.4.…

  • CVE-2022-3360 – Unauthenticated PHP Object Injection via REST API

    The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a…
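
    The entry above describes the general pattern: unserialize() on attacker-controlled bytes plus a class whose magic method does something dangerous. The following is an added illustrative example, not LearnPress code: a hypothetical endpoint handler, a hypothetical gadget class with a destructive __destruct(), and two hardened alternatives. Class, function and parameter names are assumptions.

```php
<?php
// Added illustrative example (not LearnPress code). TempFileCleaner stands in
// for any class already loaded by the application whose magic method has a
// side effect; the serialized payload below is constructed for the demo.

class TempFileCleaner
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Runs when the object is destroyed. If unserialize() lets the attacker
    // choose $path, the attacker chooses which file the application deletes.
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable: request bytes go straight into unserialize(), so any loaded
// class can be instantiated with attacker-chosen property values.
function vulnerable_handler(string $rawParam): mixed
{
    return unserialize($rawParam);
}

// Hardened option 1: keep the format but forbid object instantiation.
// Objects in the payload become __PHP_Incomplete_Class with no magic methods.
function hardened_handler(string $rawParam): mixed
{
    return unserialize($rawParam, ['allowed_classes' => false]);
}

// Hardened option 2 (preferred for API input): never use PHP serialization
// for untrusted data; accept JSON and validate the expected shape.
function json_handler(string $rawParam): ?array
{
    $data = json_decode($rawParam, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['id']) || !is_int($data['id'])) {
        return null;
    }
    return $data;
}

// Constructed victim file and the payload an attacker would send: it names the
// gadget class and sets its single property to the victim path.
$target = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.txt';
file_put_contents($target, 'victim');
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:' . strlen($target) . ':"' . $target . '";}';

$obj = vulnerable_handler($payload);   // a real TempFileCleaner is created
unset($obj);                           // __destruct fires and removes $target
var_dump(file_exists($target));

file_put_contents($target, 'victim');
$obj = hardened_handler($payload);     // __PHP_Incomplete_Class, destructor never runs
unset($obj);
var_dump(file_exists($target));
unlink($target);

var_dump(json_handler('{"id": 42}'));  // validated array, no object creation possible
```

    Note that allowed_classes only blocks the object-creation step; an endpoint that genuinely needs structured input from unauthenticated callers should take JSON (or a signed, server-generated token, which is why the advisory mentions site secrets) rather than PHP's native serialization format.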