E107CVEs & Vulnerabilities

86 CVEs affecting E107 products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

e107 1,163alternate profiles plugin 2e107 cms 2chatbox plugin 1easyshop plugin 1my gallery 1
CVE-2025-11941HIGH

A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

19 Oct 2025
8.1
CVSS
CVE-2025-61505MEDIUM

e107 CMS thru 2.3.3 are vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing attackers to craft malicious serialized data. This could lead to remote code execution, arbitrary file operations, or denial of service, depending on available PHP object gadgets in the codebase.

10 Oct 2025
6.5
CVSS
CVE-2023-43874MEDIUM

Multiple Cross Site Scripting (XSS) vulnerability in e017 CMS v.2.3.2 allows a local attacker to execute arbitrary code via a crafted script to the Copyright and Author fields in the Meta & Custom Tags Menu.

28 Sep 2023
5.4
CVSS
CVE-2023-43873MEDIUM

A Cross Site Scripting (XSS) vulnerability in e017 CMS v.2.3.2 allows a local attacker to execute arbitrary code via a crafted script to the Name filed in the Manage Menu.

28 Sep 2023
5.4
CVSS
CVE-2023-36121MEDIUM

Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the description function in the SEO project.

2 Aug 2023
5.4
CVSS
CVE-2021-27885HIGHpoc

usersettings.php in e107 through 2.3.0 lacks a certain e_TOKEN protection mechanism.

2 Mar 2021
8.8
CVSS
CVE-2018-11734MEDIUM

In e107 v2.1.7, output without filtering results in XSS.

10 Jul 2019
6.1
CVSS
CVE-2018-17423MEDIUM

An issue was discovered in e107 v2.1.9. There is a XSS attack on e107_admin/comment.php.

19 Jun 2019
4.8
CVSS
CVE-2016-10753HIGH

e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.

24 May 2019
8.8
CVSS
CVE-2018-17081MEDIUM

e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&action=inline&ajax_used=1&id= for changing the title of an arbitrary page.

27 Sep 2018
4.3
CVSS
CVE-2018-16389MEDIUM

e107_admin/banlist.php in e107 2.1.8 allows SQL injection via the old_ip parameter.

12 Sep 2018
6.5
CVSS
CVE-2018-16388HIGH

e107_web/js/plupload/upload.php in e107 2.1.8 allows remote attackers to execute arbitrary PHP code by uploading a .php filename with the image/jpeg content type.

12 Sep 2018
7.2
CVSS
CVE-2018-16381MEDIUM

e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter.

6 Sep 2018
6.1
CVSS
CVE-2018-15901HIGH

e107 2.1.8 has CSRF in 'usersettings.php' with an impact of changing details such as passwords of users including administrators.

28 Aug 2018
8.8
CVSS
CVE-2018-11127MEDIUM

e107 2.1.7 has CSRF resulting in arbitrary user deletion.

15 May 2018
6.5
CVSS
CVE-2016-10378HIGH

e107 2.1.1 allows SQL injection by remote authenticated administrators via the pagelist parameter to e107_admin/menus.php, related to the menuSaveVisibility function.

29 May 2017
7.2
CVSS
CVE-2017-8098MEDIUM

e107 2.1.4 is vulnerable to cross-site request forgery in plugin-installing, meta-changing, and settings-changing. A malicious web page can use forged requests to make e107 download and install a plug-in provided by the attacker.

24 Apr 2017
6.5
CVSS
CVE-2015-1057MEDIUMpoc

Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value.

16 Jan 2015
4.3
CVSS
CVE-2015-1041MEDIUM

Cross-site scripting (XSS) vulnerability in e107_admin/filemanager.php in e107 1.0.4 allows remote attackers to inject arbitrary web script or HTML via the e107_files/ file path in the QUERY_STRING.

15 Jan 2015
4.3
CVSS
CVE-2014-9459MEDIUM

Cross-site request forgery (CSRF) vulnerability in the AdminObserver function in e107_admin/users.php in e107 2.0 alpha2 allows remote attackers to hijack the authentication of administrators for requests that add users to the administrator group via the id parameter in an admin action.

2 Jan 2015
6.8
CVSS
CVE-2014-4734MEDIUM

Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

21 Jul 2014
4.3
CVSS
CVE-2013-7305MEDIUM

fpw.php in e107 through 1.0.4 does not check the user_ban field, which makes it easier for remote attackers to reset passwords by sending a pwsubmit request and leveraging access to the e-mail account of a banned user.

22 Jan 2014
4.3
CVSS
CVE-2013-2750MEDIUMpoc

Cross-site scripting (XSS) vulnerability in e107_plugins/content/handlers/content_preset.php in e107 before 1.0.3 allows remote attackers to inject arbitrary web script or HTML via the query string.

22 Jan 2014
4.3
CVSS
CVE-2012-6434MEDIUMpoc

Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3) download_author_email, (4) download_author_website, (5) download_image, (6) download_thumb, (7) download_visible, or (8) download_class parameter.

3 Jan 2013
6.8
CVSS
CVE-2012-6433MEDIUMpoc

Cross-site request forgery (CSRF) vulnerability in e107_admin/newspost.php in e107 1.0.1 allows remote attackers to hijack the authentication of administrators for requests that conduct XSS attacks via the news_title parameter in a create action.

3 Jan 2013
6.8
CVSS
CVE-2011-5186MEDIUMpoc

Cross-site scripting (XSS) vulnerability in jbshop.php in the jbShop plugin for e107 7 allows remote attackers to inject arbitrary web script or HTML via the item_id parameter.

20 Sep 2012
4.3
CVSS
CVE-2011-4947MEDIUM

Cross-site request forgery (CSRF) vulnerability in e107_admin/users_extended.php in e107 before 0.7.26 allows remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the user_include parameter.

1 Sep 2012
6.8
CVSS
CVE-2011-4946MEDIUM

SQL injection vulnerability in e107_admin/users_extended.php in e107 before 0.7.26 allows remote attackers to execute arbitrary SQL commands via the user_field parameter.

1 Sep 2012
6.8
CVSS
CVE-2012-3843MEDIUM

Cross-site scripting (XSS) vulnerability in the registration page in e107, probably 1.0.1, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4 Jul 2012
4.3
CVSS
CVE-2010-5084MEDIUM

The cross-site request forgery (CSRF) protection mechanism in e107 before 0.7.23 uses a predictable random token based on the creation date of the administrator account, which allows remote attackers to hijack the authentication of administrators for requests that add new users via e107_admin/users.php.

14 Feb 2012
6.0
CVSS
CVE-2011-4921MEDIUM

SQL injection vulnerability in usersettings.php in e107 0.7.26, and possibly other versions before 1.0.0, allows remote attackers to execute arbitrary SQL commands via the username parameter.

4 Jan 2012
5.1
CVSS
CVE-2011-4920MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.26, and other versions before 1.0.0, allow remote attackers to inject arbitrary web script or HTML via the URL to (1) e107_images/thumb.php or (2) rate.php, (3) resend_name parameter to e107_admin/users.php, and (4) link BBCode in user signatures.

4 Jan 2012
4.3
CVSS
CVE-2011-1513HIGHpoc

Static code injection vulnerability in install_.php in e107 CMS 0.7.24 and probably earlier versions, when the installation script is not removed, allows remote attackers to inject arbitrary PHP code into e107_config.php via a crafted MySQL server name.

4 Nov 2011
7.5
CVSS
CVE-2011-3731MEDIUM

e107 0.7.24 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by e107_plugins/pdf/e107pdf.php and certain other files.

24 Sep 2011
5.0
CVSS
CVE-2011-0457MEDIUM

Cross-site scripting (XSS) vulnerability in e107 0.7.22 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

15 Mar 2011
4.3
CVSS
CVE-2010-4757MEDIUM

Cross-site scripting (XSS) vulnerability in submitnews.php in e107 before 0.7.23 allows remote attackers to inject arbitrary web script or HTML via the submitnews_title parameter, a different vector than CVE-2008-6208. NOTE: some of these details are obtained from third party information. NOTE: this might be the same as CVE-2009-4083.1 or CVE-2011-0457.

15 Mar 2011
4.3
CVSS
CVE-2010-2099HIGHpoc

bbcode/php.bb in e107 0.7.20 and earlier does not perform access control checks for all inputs that could contain the php bbcode tag, which allows remote attackers to execute arbitrary PHP code, as demonstrated using the toEmail method in contact.php, related to invocations of the toHTML method.

28 May 2010
7.5
CVSS
CVE-2010-2098HIGH

Incomplete blacklist vulnerability in usersettings.php in e107 0.7.20 and earlier allows remote attackers to conduct SQL injection attacks via the loginname parameter.

28 May 2010
7.5
CVSS
CVE-2010-0997LOW

Cross-site scripting (XSS) vulnerability in 107_plugins/content/content_manager.php in the Content Management plugin in e107 before 0.7.20, when the personal content manager is enabled, allows user-assisted remote authenticated users to inject arbitrary web script or HTML via the content_heading parameter.

20 Apr 2010
3.5
CVSS
CVE-2010-0996MEDIUM

Unrestricted file upload vulnerability in e107 before 0.7.20 allows remote authenticated users to execute arbitrary code by uploading a .php.filetypesphp file. NOTE: the vendor disputes the significance of this issue, noting that "an odd set of preferences and a missing file" are required.

20 Apr 2010
6.0
CVSS
CVE-2009-4084HIGH

SQL injection vulnerability in the search feature in e107 0.7.16 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

29 Nov 2009
7.5
CVSS
CVE-2009-4083MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.16 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors in (1) submitnews.php, (2) usersettings.php; and (3) newpost.php, (4) banlist.php, (5) banner.php, (6) cpage.php, (7) download.php, (8) users_extended.php, (9) frontpage.php, (10) links.php, and (11) mailout.php in e107_admin/. NOTE: this may overlap CVE-2004-2040 and CVE-2006-4794, but there are insufficient details to be certain.

29 Nov 2009
4.3
CVSS
CVE-2009-3444MEDIUMpoc

Cross-site scripting (XSS) vulnerability in email.php in e107 0.7.16 and earlier allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header in a news.1 (aka news to email) action.

29 Sep 2009
4.3
CVSS
CVE-2009-1409MEDIUMpoc

SQL injection vulnerability in usersettings.php in e107 0.7.15 and earlier, when "Extended User Fields" is enabled and magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the hide parameter, a different vector than CVE-2005-4224 and CVE-2008-5320.

24 Apr 2009
5.1
CVSS
CVE-2008-6466HIGHpoc

SQL injection vulnerability in image_gallery.php in the Akira Powered Image Gallery (image_gallery) plugin 0.9.6.2 for e107 allows remote attackers to execute arbitrary SQL commands via the image parameter in an image-detail action.

13 Mar 2009
7.5
CVSS
CVE-2008-6438HIGHpoc

SQL injection vulnerability in macgurublog_menu/macgurublog.php in the MacGuru BLOG Engine plugin 2.2 for e107 allows remote attackers to execute arbitrary SQL commands via the uid parameter, a different vector than CVE-2008-2455. NOTE: it was later reported that 2.1.4 is also affected.

6 Mar 2009
7.5
CVSS
CVE-2008-6208MEDIUM

Cross-site scripting (XSS) vulnerability in submitnews.php in e107 CMS 0.7.11 allows remote attackers to inject arbitrary web script or HTML via the (1) author_name, (2) itemtitle, and (3) item parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

20 Feb 2009
4.3
CVSS
CVE-2008-6114HIGHpoc

SQL injection vulnerability in product_details.php in the Mytipper Zogo-shop 1.15.4 plugin for e107 allows remote attackers to execute arbitrary SQL commands via the product parameter.

11 Feb 2009
7.5
CVSS
← PrevPage 1 / 2Next →