WebsiteBaker: Security Vulnerabilities
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating web pages. Attackers can craft malicious payloads in page titles that execute arbitrary JavaScript when the page is viewed by other users.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-12-19
WebsiteBaker 2.13.3 contains a directory traversal vulnerability that allows authenticated attackers to delete arbitrary files by manipulating directory path parameters. Attackers can send crafted GET requests to /admin/media/delete.php with directory traversal sequences to delete files outside the intended directory.
CVSS Score
6.5
EPSS Score
0.007
Published
2025-12-16
WebsiteBaker 2.13.3 contains a stored cross-site scripting vulnerability that allows authenticated users to upload malicious SVG files with embedded JavaScript. Attackers can upload crafted SVG files with script tags that execute when the file is viewed, enabling persistent cross-site scripting attacks.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-12-16
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CVSS Score
9.8
EPSS Score
0.004
Published
2020-10-01
WebsiteBaker prior to and including 2.8.1 has an authentication error in the backup module.
CVSS Score
7.5
EPSS Score
0.003
Published
2020-01-21
An Arbitrary File Upload vulnerability exists in admin/media/upload.php in WebsiteBaker 2.8.1 and earlier due to a failure to restrict uploaded files with .htaccess, .php4, .php5, and .phtl extensions.
CVSS Score
7.2
EPSS Score
0.005
Published
2020-01-14
A Cross Site Request Forgery (CSRF) vulnerability exists in the administrator functions in WebsiteBaker 2.8.1 and earlier due to inadequate confirmation for sensitive transactions.
CVSS Score
8.8
EPSS Score
0.001
Published
2020-01-14
Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities in the files /wb/admin/admintools/tool.php (Droplet Description) and /install/index.php (Site Title) in WebsiteBaker 2.10.0 allow attackers to insert persistent JavaScript code that gets reflected back to users in multiple areas in the application.
CVSS Score
6.1
EPSS Score
0.002
Published
2018-01-10
install\save.php in WebsiteBaker v2.10.0 allows remote attackers to execute arbitrary PHP code via the database_username, database_host, or database_password parameter.
CVSS Score
9.8
EPSS Score
0.008
Published
2017-06-21
WebsiteBaker v2.10.0 has a SQL injection vulnerability in /account/details.php.
CVSS Score
9.8
EPSS Score
0.003
Published
2017-06-02

