140 matches found
CVE-2023-2447
The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the 'exportusers' function. This makes it possible for unauthenticated attackers to export the users to a csv file, granted...
CVE-2019-14470
cosenary Instagram-PHP-API aka Instagram PHP API V2, as used in the UserPro plugin through 4.9.32 for WordPress, has XSS via the example/success.php errordescription parameter...
CVE-2024-12822
The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the addcaptoimg function in all versions up to, and including, 3.11.0. This makes it possible for unauthenticated...
CVE-2024-12821
The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the upmuploadmedia function in all versions up to, and including, 3.12.0. This makes it possible for authenticated...
CVE-2024-9863
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.6.0 due to the insecure 'administrator' default value for the 'defaultuserrole' option. This makes it possible for unauthenticated attackers to register an...
WordPress Media Manager for UserPro plugin <= 3.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update vulnerability
Missing Authorization to Authenticated Subscriber+ Arbitrary Options Update vulnerability discovered by Lucio Sá in WordPress Plugin Media Manager for UserPro versions <= 3.12.0...
CVE-2024-12822 Media Manager for UserPro <= 3.12.0 - Missing Authorization to Unauthenticated Arbitrary Options Update
The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the addcaptoimg function in all versions up to, and including, 3.11.0. This makes it possible for unauthenticated...
CVE-2024-12821 Media Manager for UserPro <= 3.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the upmuploadmedia function in all versions up to, and including, 3.12.0. This makes it possible for authenticated...
CVE-2025-22322
CVE-2025-22322: Reflected XSS in WordPress Private Messages for UserPro plugin (NotFound Private Messages for UserPro) up to version 4.10.0. CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L; impact limited to confidentiality, integrity, and availability as per the provided metrics. No remediation de...
CVE-2025-22311 WordPress Private Messages for UserPro plugin <= 4.10.0 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in DeluxeThemes Private Messages for UserPro userpro-messaging. This issue affects Private Messages for UserPro: from n/a through <= 4.10.0...
WordPress Private Messages for UserPro plugin <= 4.10.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds Patchstack Alliance in WordPress Plugin Private Messages for UserPro versions <= 4.10.0...
WordPress Private Messages for UserPro plugin <= 4.10.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Bonds Patchstack Alliance in WordPress Plugin Private Messages for UserPro versions <= 4.10.0...
CVE-2024-56210 WordPress UserPro plugin <= 5.1.9 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in DeluxeThemes Userpro userpro allows Reflected XSS. This issue affects Userpro: from n/a through <= 5.1.9...
CVE-2024-56212 WordPress UserPro plugin <= 5.1.9 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in DeluxeThemes Userpro. This issue affects Userpro: from n/a through 5.1.9...
CVE-2024-56214
CVE-2024-56214 concerns a Path Traversal/Local File Inclusion vulnerability in the WordPress UserPro plugin (versions
WordPress plugin Userpro SQL injection vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A SQL injection...