Vulnerabilities > External Control of File Name or Path

DATE CVE VULNERABILITY TITLE RISK
2025-03-31 CVE-2025-2982 A vulnerability, which was classified as critical, was found in Legrand SMS PowerView 1.x.
network
low complexity
CWE-73
6.3
6.3
2025-03-26 CVE-2025-1911 The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0.
network
low complexity
CWE-73
2.7
2.7
2025-03-22 CVE-2025-1972 The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.2.
network
low complexity
CWE-73
2.7
2.7
2025-03-20 CVE-2024-13922 External Control of File Name or Path vulnerability in Webtoffee Order Export & Order Import for Woocommerce
The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.6.0.
network
low complexity
webtoffee CWE-73
6.5
6.5
2025-03-11 CVE-2025-24054 External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
network
low complexity
CWE-73
6.5
6.5
2025-03-11 CVE-2025-24996 External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.
network
low complexity
CWE-73
6.5
6.5
2025-03-07 CVE-2024-12036 The CS Framework plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.9 via the get_widget_settings_json() function.
network
low complexity
CWE-73
7.5
7.5
2025-03-03 CVE-2024-51961 External Control of File Name or Path vulnerability in Esri Arcgis Server 10.9.1/11.1
There is a local file inclusion vulnerability in ArcGIS Server 10.9.1 thru 11.3 that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.  Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.
network
low complexity
esri CWE-73
7.5
7.5
2025-03-01 CVE-2025-1730 The Simple Download Counter plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.0 via the 'simple_download_counter_download_handler'.
network
low complexity
CWE-73
6.5
6.5
2025-01-31 CVE-2024-12267 The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited arbitrary file deletion due to insufficient file path validation in the dnd_codedropz_upload_delete() function in all versions up to, and including, 1.3.8.5.
network
low complexity
CWE-73
5.3
5.3