CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1028 – Contact Manager <= 8.6.4 - Unauthenticated Arbitrary Double File Extension Upload
https://notcve.org/view.php?id=CVE-2025-1028
04 Feb 2025 — The Contact Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the contact form upload feature in all versions up to, and including, 8.6.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible in specific configurations where the first extension is processed over the final. This vulnerability also requires successfully exploiting a race condition in o... • https://plugins.trac.wordpress.org/changeset?old_path=/contact-manager/tags/8.6.4&new_path=/contact-manager/tags/8.6.5&sfp_email=&sfph_mail= • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2008-5127
https://notcve.org/view.php?id=CVE-2008-5127
18 Nov 2008 — Ocean12 Contact Manager Pro 1.02 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to o12con.mdb. Ocean12 Contact Manager Pro 1.02 almacena información sensible en la raíz del web con controles de acceso deficientes; esto permite a atacantes remotos obtener información sensible mediante una solicitud directa a o12con.mdb. • http://packetstorm.linuxsecurity.com/0810-exploits/ocean12-database.txt • CWE-264: Permissions, Privileges, and Access Controls •