CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32575 – WordPress WP w3all phpBB Plugin <= 2.9.2 - CSRF to Stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2025-32575
09 Apr 2025 — Cross-Site Request Forgery (CSRF) vulnerability in axew3 WP w3all phpBB allows Reflected XSS. This issue affects WP w3all phpBB: from n/a through 2.9.2. The WP w3all phpBB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site admini... • https://patchstack.com/database/wordpress/plugin/wp-w3all-phpbb-integration/vulnerability/wordpress-wp-w3all-phpbb-plugin-2-9-1-csrf-to-stored-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5917 – phpBB Smiley Pack acp_icons.php main cross site scripting
https://notcve.org/view.php?id=CVE-2023-5917
02 Nov 2023 — A vulnerability, which was classified as problematic, has been found in phpBB up to 3.3.10. This issue affects the function main of the file phpBB/includes/acp/acp_icons.php of the component Smiley Pack Handler. The manipulation of the argument pak leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 3.3.11 is able to address this issue. • https://github.com/phpbb/phpbb/commit/ccf6e6c255d38692d72fcb613b113e6eaa240aac • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-8226
https://notcve.org/view.php?id=CVE-2020-8226
17 Aug 2020 — A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allowed remote image dimensions check to be used to SSRF. Se presenta una vulnerabilidad en phpBB versiones anteriores a v3.2.10 y versiones anteriores a v3.3.1, que permitió que la comprobación de las dimensiones de una imagen remota sea usada en un SSRF. • https://www.phpbb.com/community/viewtopic.php?f=14&t=2562631 • CWE-610: Externally Controlled Reference to a Resource in Another Sphere CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16108
https://notcve.org/view.php?id=CVE-2019-16108
19 Mar 2020 — phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode. phpBB versión 3.2.7, permite agregar una secuencia de token arbitrario Cascading Style Sheets (CSS) a una página por medio de BBCode. • https://www.phpbb.com/community/viewtopic.php?t=2523271 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16107
https://notcve.org/view.php?id=CVE-2019-16107
11 Mar 2020 — Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments. Una falta de comprobación de tokens del formulario en phpBB versión 3.2.7, permite un ataque de tipo CSRF en una eliminación de archivos adjuntos de publicaciones. • https://www.phpbb.com/community/viewforum.php?f=14 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5502
https://notcve.org/view.php?id=CVE-2020-5502
14 Jan 2020 — phpBB 3.2.8 allows a CSRF attack that can approve pending group memberships. phpBB versión 3.2.8, permite un ataque de tipo CSRF que puede aprobar membresías de grupo pendientes. • https://blog.phpbb.com/category/security • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5501
https://notcve.org/view.php?id=CVE-2020-5501
14 Jan 2020 — phpBB 3.2.8 allows a CSRF attack that can modify a group avatar. phpBB versión 3.2.8, permite un ataque de tipo CSRF que puede modificar un avatar de grupo. • https://blog.phpbb.com/category/security • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2011-0544
https://notcve.org/view.php?id=CVE-2011-0544
13 Nov 2019 — phpbb 3.0.x-3.0.6 has an XSS vulnerability via the [flash] BB tag. phpbb versiones 3.0.x-3.0.6, tiene una vulnerabilidad de tipo XSS por medio de la etiqueta BB [flash]. • https://access.redhat.com/security/cve/cve-2011-0544 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-16993
https://notcve.org/view.php?id=CVE-2019-16993
30 Sep 2019 — In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper verification of a CSRF token on the BBCode page in the Administration Control Panel. An actual CSRF attack is possible if an attacker also manages to retrieve the session id of a reauthenticated administrator prior to targeting them. En phpBB versiones anteriores a 3.1.7-PL1, el archivo includes/acp/acp_bbcodes.php presenta una comprobación inapropiada de un token de CSRF en la página BBCode en el Panel de Control de Administración. Un ata... • https://github.com/phpbb/phpbb/commit/18abef716ecf42a35416444f3f84f5459d573789 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2019-13376
https://notcve.org/view.php?id=CVE-2019-13376
27 Sep 2019 — phpBB version 3.2.7 allows the stealing of an Administration Control Panel session id by leveraging CSRF in the Remote Avatar feature. The CSRF Token Hijacking leads to stored XSS phpBB versión 3.2.7, permite el robo de un id de sesión del Panel de Control de Administración mediante el aprovechamiento de una vulnerabilidad de tipo CSRF en la funcionalidad Remote Avatar. El secuestro de tokens CSRF conduce a XSS almacenado • https://blog.phpbb.com/category/security • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •