phpwcms CVE Vulnerabilities & Metrics

Focus on phpwcms vulnerabilities and metrics.

Last updated: 01 Aug 2025, 22:25 UTC

About phpwcms Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with phpwcms. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total phpwcms CVEs: 10
Earliest CVE date: 24 Nov 2005, 11:03 UTC
Latest CVE date: 03 Jun 2025, 13:15 UTC

Latest CVE reference: CVE-2025-5497

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical phpwcms CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.83

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 6
4.0-6.9 8
7.0-8.9 1
9.0-10.0 0

CVSS Distribution Chart

Top 5 Highest CVSS phpwcms CVEs

These are the five CVEs with the highest CVSS scores for phpwcms, sorted by severity first and recency.

All CVEs for phpwcms

CVE-2025-5497 phpwcms vulnerability CVSS: 6.5 03 Jun 2025, 13:15 UTC

A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been declared as critical. This vulnerability affects unknown code of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. The manipulation of the argument cnt_text leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9.46 and 1.10.9 is able to address this issue. It is recommended to upgrade the affected component.

CVE-2021-36426 phpwcms vulnerability CVSS: 0 03 Feb 2023, 18:15 UTC

File Upload vulnerability in phpwcms 1.9.25 allows remote attackers to run arbitrary code via crafted file upload to include/inc_lib/general.inc.php.

CVE-2021-36425 phpwcms vulnerability CVSS: 0 03 Feb 2023, 18:15 UTC

Directory traversal vulnerability in phpcms 1.9.25 allows remote attackers to delete arbitrary files via unfiltered $file parameter to unlink method in include/inc_act/act_ftptakeover.php file.

CVE-2021-36424 phpwcms vulnerability CVSS: 0 03 Feb 2023, 18:15 UTC

An issue discovered in phpwcms 1.9.25 allows remote attackers to run arbitrary code via DB user field during installation.

CVE-2021-4301 phpwcms vulnerability CVSS: 6.5 07 Jan 2023, 22:15 UTC

A vulnerability was found in slackero phpwcms up to 1.9.26 and classified as critical. Affected by this issue is some unknown functionality. The manipulation of the argument $phpwcms['db_prepend'] leads to sql injection. The attack may be launched remotely. Upgrading to version 1.9.27 is able to address this issue. The patch is identified as 77dafb6a8cc1015f0777daeb5792f43beef77a9d. It is recommended to upgrade the affected component. VDB-217418 is the identifier assigned to this vulnerability.

CVE-2021-4302 phpwcms vulnerability CVSS: 4.0 04 Jan 2023, 22:15 UTC

A vulnerability was found in slackero phpwcms up to 1.9.26. It has been classified as problematic. This affects an unknown part of the component SVG File Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.9.27 is able to address this issue. The patch is named b39db9c7ad3800f319195ff0e26a0981395b1c54. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217419.

CVE-2020-19855 phpwcms vulnerability CVSS: 4.3 08 Sep 2021, 00:15 UTC

phpwcms v1.9 contains a cross-site scripting (XSS) vulnerability in /image_zoom.php.

CVE-2020-21784 phpwcms vulnerability CVSS: 7.5 24 Jun 2021, 16:15 UTC

phpwcms 1.9.13 is vulnerable to Code Injection via /phpwcms/setup/setup.php.

CVE-2018-12990 phpwcms vulnerability CVSS: 5.0 30 Jun 2018, 14:29 UTC

phpwcms 1.8.9 allows remote attackers to discover the installation path via an invalid csrf_token_value field.

CVE-2017-15872 phpwcms vulnerability CVSS: 3.5 24 Oct 2017, 20:29 UTC

phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and include/inc_tmpl/admin.newuser.tmpl.php via the username (aka new_login) field.

CVE-2011-3789 phpwcms vulnerability CVSS: 5.0 24 Sep 2011, 00:55 UTC

phpwcms 1.4.7 r412 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by template/inc_script/frontend_render/disabled/majonavi.php and certain other files.

CVE-2006-6886 phpwcms vulnerability CVSS: 5.0 31 Dec 2006, 05:00 UTC

phpwcms 1.2.5-DEV allows remote attackers to obtain sensitive information via a direct request for (1) files.public-userroot.inc.php or (2) files.private.additions.inc.php in include/inc_lib/, which reveals the path in various error messages.

CVE-2006-2518 phpwcms vulnerability CVSS: 2.6 22 May 2006, 22:02 UTC

Cross-site scripting (XSS) vulnerability in phpwcms 1.2.5-DEV allows remote attackers to inject arbitrary web script or HTML via the BL[be_cnt_plainhtml] parameter to include/inc_tmpl/content/cnt6.inc.php.

CVE-2006-2519 phpwcms vulnerability CVSS: 2.6 22 May 2006, 22:02 UTC

Directory traversal vulnerability in include/inc_ext/spaw/spaw_control.class.php in phpwcms 1.2.5-DEV allows remote attackers to include arbitrary local files via .. (dot dot) sequences in the spaw_root parameter. NOTE: CVE analysis suggests that this issue is actually in SPAW Editor PHP Edition.

CVE-2005-3789 phpwcms vulnerability CVSS: 5.0 24 Nov 2005, 11:03 UTC

Multiple directory traversal vulnerabilities in phpwcms 1.2.5 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) form_lang parameter in login.php and (2) the imgdir parameter in random_image.php.