SQL injection vulnerability in Blog Pixel Motion (aka Blog PixelMotion) allows remote attackers to execute arbitrary SQL commands via the categorie parameter to index.php, possibly related to include/requetesIndex.php.

admin/sauvBase.php in Blog Pixel Motion (aka Blog PixelMotion) does not require authentication, which allows remote attackers to trigger a database backup dump, and obtain the resulting blogPM.sql file that contains sensitive information.

admin/modif_config.php in Blog Pixel Motion (aka PixelMotion) does not require admin authentication, which allows remote authenticated users to upload arbitrary PHP scripts in a ZIP archive, which is written to templateZip/ and then automatically ext