The Paid Memberships Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.2. This is due to missing or incorrect nonce validation on the pmpro_page_save() function. This makes it possible for unauthenticated attackers to save pages via a forged ...
4.3CVSS
4.2AI Score
0.001EPSS
The Paid Memberships Pro WordPress plugin before 2.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high pri...
5.4CVSS
5.3AI Score
0.001EPSS
The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.
8.8CVSS
8.9AI Score
0.001EPSS
The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.
9.8CVSS
9.6AI Score
0.116EPSS
The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads to insufficient file type validation in the 'pmpro_paypalexpress_session_vars_for_user_fields' function in versions up to, and including, 2.12.3. This makes it possible for authenticated attackers with subscriber ...
8.8CVSS
8.8AI Score
0.002EPSS