彙總 websitebaker 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
歷史漏洞主要涉及 跨站腳本與SQL 注入 等問題,部分漏洞可能導致 工作階段劫持,並影響 生產負載與軟體部署 相關場景。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2021-47788 | WebsiteBaker 2.13.0 contains an authenticated remote code execution vulnerability that allows users with language editing permissions to execute arbitrary code. Attackers can exploit the language installation endpoint by manipulating language installation parameters to achieve remote code execution on the server. | [email protected] | 8.7 | 0.11% | 2026-01-16 | 2026-01-30 |
| CVE-2023-53953 | WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users. | [email protected] | 5.1 | 0.03% | 2025-12-19 | 2025-12-27 |
| CVE-2023-53903 | WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks. | [email protected] | 5.1 | 0.03% | 2025-12-16 | 2025-12-24 |
| CVE-2023-53902 | WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside the intended directory. | [email protected] | 7.0 | 0.71% | 2025-12-16 | 2025-12-24 |
| CVE-2020-25990 | WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. | [email protected] | 9.8 | 0.39% | 2020-10-01 | 2024-11-21 |
| CVE-2011-4322 | websitebaker prior to and including 2.8.1 has an authentication error in backup module. | [email protected] | 7.5 | 0.25% | 2020-01-21 | 2024-11-21 |
| CVE-2011-2934 | A Cross Site Request Forgery (CSRF) vulnerability exists in the administrator functions in WebsiteBaker 2.8.1 and earlier due to inadequate confirmation for sensitive transactions. | [email protected] | 8.8 | 0.14% | 2020-01-14 | 2024-11-21 |
| CVE-2011-2933 | An Arbitrary File Upload vulnerability exists in admin/media/upload.php in WebsiteBaker 2.8.1 and earlier due to a failure to restrict uploaded files with .htaccess, .php4, .php5, and .phtl extensions. | [email protected] | 7.2 | 0.43% | 2020-01-14 | 2024-11-21 |
| CVE-2017-16514 | Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities in the files /wb/admin/admintools/tool.php (Droplet Description) and /install/index.php (Site Title) in WebsiteBaker 2.10.0 allow attackers to insert persistent JavaScript code that gets reflected back to users in multiple areas in the application. | [email protected] | 6.1 | 0.24% | 2018-01-10 | 2024-11-21 |
| CVE-2017-9771 | install\save.php in WebsiteBaker v2.10.0 allows remote attackers to execute arbitrary PHP code via the database_username, database_host, or database_password parameter. | [email protected] | 9.8 | 0.78% | 2017-06-21 | 2026-05-13 |
| CVE-2017-9361 | WebsiteBaker v2.10.0 has a stored XSS vulnerability in /account/details.php. | [email protected] | 6.1 | 0.24% | 2017-06-02 | 2026-05-13 |
| CVE-2017-9360 | WebsiteBaker v2.10.0 has a SQL injection vulnerability in /account/details.php. | [email protected] | 9.8 | 0.25% | 2017-06-02 | 2026-05-13 |
| CVE-2017-7410 | Multiple SQL injection vulnerabilities in account/signup.php and account/signup2.php in WebsiteBaker 2.10.0 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username, (2) display_name parameter. | [email protected] | 9.8 | 1.69% | 2017-04-03 | 2026-05-13 |
| CVE-2015-0553 | Cross-site scripting (XSS) vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 SP3 allows remote attackers to inject arbitrary web script or HTML via the page_id parameter. | [email protected] | 4.3 | 0.57% | 2015-01-21 | 2026-05-06 |
| CVE-2014-9243 | Multiple cross-site scripting (XSS) vulnerabilities in WebsiteBaker 2.8.3 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to wb/admin/admintools/tool.php or (2) section_id parameter to edit_module_files.php, (3) news/add_post.php, (4) news/modify_group.php, (5) news/modify_post.php, or (6) news/modify_settings.php in wb/modules/. | [email protected] | 4.3 | 0.65% | 2014-12-03 | 2026-05-06 |
| CVE-2014-9242 | SQL injection vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 allows remote attackers to execute arbitrary SQL commands via the page_id parameter. | [email protected] | 7.5 | 0.83% | 2014-12-03 | 2026-05-06 |