phpok CVE Vulnerabilities & Metrics

Focus on phpok vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About phpok Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with phpok. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total phpok CVEs: 21
Earliest CVE date: 22 Mar 2018, 21:29 UTC
Latest CVE date: 01 Jul 2024, 14:15 UTC

Latest CVE reference: CVE-2024-38953

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -80.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -80.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical phpok CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.54

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 6
4.0-6.9 10
7.0-8.9 5
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS phpok CVEs

These are the five CVEs with the highest CVSS scores for phpok, sorted first by severity and then by recency.

All CVEs for phpok

CVE-2024-38953 phpok vulnerability CVSS: 0 01 Jul 2024, 14:15 UTC

phpok 6.4.003 contains a Cross Site Scripting (XSS) vulnerability in the ok_f() method under the framework/api/upload_control.php file.

CVE-2020-21486 phpok vulnerability CVSS: 0 20 Jun 2023, 15:15 UTC

SQL injection vulnerability in PHPOK v.5.4. allows a remote attacker to obtain sensitive information via the _userlist function in the framework/phpok_call.php file.

CVE-2023-33601 phpok vulnerability CVSS: 0 07 Jun 2023, 02:15 UTC

An arbitrary file upload vulnerability in /admin.php?c=upload of phpok v6.4.100 allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2023-2888 phpok vulnerability CVSS: 5.8 25 May 2023, 13:15 UTC

A vulnerability, which was classified as problematic, was found in PHPOK 6.4.100. This affects an unknown part of the file /admin.php?c=upload&f=zip&_noCache=0.1683794968. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The identifier VDB-229953 was assigned to this vulnerability.

CVE-2022-47129 phpok vulnerability CVSS: 0 11 May 2023, 14:15 UTC

PHPOK v6.3 was discovered to contain a remote code execution (RCE) vulnerability.

CVE-2021-34076 phpok vulnerability CVSS: 0 11 May 2023, 12:15 UTC

File Upload vulnerability in PHPOK 5.7.140 allows remote attackers to run arbitrary code and gain escalated privileges via crafted zip file upload.

CVE-2022-40889 phpok vulnerability CVSS: 0 18 Oct 2022, 11:15 UTC

Phpok 6.1 has a deserialization vulnerability via framework/phpok_call.php.

CVE-2022-29363 phpok vulnerability CVSS: 7.5 12 May 2022, 18:16 UTC

Phpok v6.1 was discovered to contain a deserialization vulnerability via the update_f() function in login_control.php. This vulnerability allows attackers to get a shell by writing arbitrary files.

CVE-2020-18440 phpok vulnerability CVSS: 7.5 02 Nov 2021, 18:15 UTC

Buffer overflow vulnerability in framework/init.php in qinggan phpok 5.1 allows attackers to execute arbitrary code.

CVE-2020-18439 phpok vulnerability CVSS: 6.4 02 Nov 2021, 18:15 UTC

An issue was discovered in the function edit_save_f in framework/admin/tpl_control.php in qinggan phpok 5.1 that allows attackers to write arbitrary files or get a shell.

CVE-2020-18438 phpok vulnerability CVSS: 5.0 02 Nov 2021, 18:15 UTC

Directory traversal vulnerability in qinggan phpok 5.1 allows attackers to disclose sensitive information via the title parameter to admin.php.

CVE-2020-19199 phpok vulnerability CVSS: 6.8 10 May 2021, 18:15 UTC

A Cross Site Request Forgery (CSRF) vulnerability exists in PHPOK 5.2.060 via admin.php?c=admin&f=save, which could let a remote malicious user execute arbitrary code.

CVE-2020-16629 phpok vulnerability CVSS: 7.5 08 Feb 2021, 15:15 UTC

PhpOK 5.4.137 contains a SQL injection vulnerability that can be used to inject attachment data through SQL and then call the attachment replacement function through api.php to write a PHP file to the target path.

CVE-2019-16132 phpok vulnerability CVSS: 5.5 09 Sep 2019, 03:15 UTC

An issue was discovered in OKLite v1.2.25. framework/admin/tpl_control.php allows remote attackers to delete arbitrary files via a title directory-traversal pathname followed by a crafted substring.

CVE-2019-16131 phpok vulnerability CVSS: 6.5 09 Sep 2019, 03:15 UTC

framework/admin/modulec_control.php in OKLite v1.2.25 has an Arbitrary File Upload Vulnerability because a .php file from a ZIP archive can be written to /data/cache/.

CVE-2018-20006 phpok vulnerability CVSS: 4.3 10 Dec 2018, 06:29 UTC

An issue was discovered in PHPok v5.0.055. There is a Stored XSS vulnerability via the title parameter to api.php?c=post&f=save (reachable via the index.php?id=book URI).

CVE-2018-19562 phpok vulnerability CVSS: 6.8 26 Nov 2018, 07:29 UTC

An issue was discovered in PHPok 4.9.015. admin.php?c=update&f=unzip allows remote attackers to execute arbitrary code via a "Login Background > Program Upgrade > Compressed Packet Upgrade" action in which a .php file is inside a ZIP archive.

CVE-2018-16142 phpok vulnerability CVSS: 4.3 30 Aug 2018, 05:29 UTC

PHPOK 4.8.278 has a Reflected XSS vulnerability in framework/www/login_control.php via the _back parameter to the ok_f function.

CVE-2018-12492 phpok vulnerability CVSS: 6.4 15 Jun 2018, 18:29 UTC

PHPOK 4.9.032 has an arbitrary file deletion vulnerability in the delfile_f function in framework/admin/tpl_control.php.

CVE-2018-12491 phpok vulnerability CVSS: 7.5 15 Jun 2018, 18:29 UTC

PHPOK 4.9.032 has an arbitrary file upload vulnerability in the import_f function in framework/admin/modulec_control.php, as demonstrated by uploading a .php file within a .php.zip archive, a similar issue to CVE-2018-8944.

CVE-2018-8944 phpok vulnerability CVSS: 7.5 22 Mar 2018, 21:29 UTC

PHPOK 4.8.338 has an arbitrary file upload vulnerability.