34 matches found
CVE-2023-41953
CVE-2023-41953 concerns the WordPress plugin ProfilePress (Membership Team) up to version 4.13.1, where a Missing Authorization vulnerability exists. The connected PT-2023-8991 document attributes the issue to a flaw in the admin_notice() path that enables a CSRF attack due to incorrect nonce val...
CVE-2021-34621
CVE-2021-34621 affects WordPress ProfilePress plugin versions 3.0.0–3.1.3. The root cause is in RegistrationAuth.php, enabling unauthenticated users to register with administrator privileges, effectively granting full site control. Impact documented as unauthenticated privilege escalation with po...
CVE-2024-2861
CVE-2024-2861 affects the ProfilePress WordPress plugin. The vulnerability is a Stored Cross-Site Scripting (XSS) via the ProfilePress User Panel widget in all versions up to 4.15.8, caused by insufficient input sanitization and output escaping on user-supplied attributes. Exploitation requires a...
CVE-2021-34622
ProfilePress for WordPress (plugin) versions 3.0.0–3.1.3 contain a privilege-escalation flaw in the user profile update flow (EditUserProfile.php) that allows authenticated users to elevate to administrator by supplying arbitrary usermeta (notably wp_capabilities). Affected products: ProfilePress...
CVE-2023-23830
CVE-2023-23830 affects the WordPress ProfilePress Plugin (ProfilePress Membership Team ProfilePress) versions
CVE-2021-24522
CVE-2021-24522 affects ProfilePress (formerly WP User Avatar) for WordPress, before version 3.1.11. The tabbed login/register widget is vulnerable to unauthenticated reflected XSS due to improper escaping, with some cases enabling replication via $_GET because $_POST values were mapped to $_GET. ...
CVE-2024-13120
The CVE-2024-13120 entry concerns the ProfilePress WordPress plugin (Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress) prior to version 4.15.20. Technical details in connected records show the issue is a stored XSS caused by not...
CVE-2023-41954
ProfilePress WordPress plugin
CVE-2022-47444
The CVE-2022-47444 entry concerns an Unauth. Reflected Cross-Site Scripting (XSS) in the ProfilePress Membership Team Paid Membership Plugin. Affected are ProfilePress plugin versions
CVE-2021-34623
The CVE-2021-34623 entry describes an Arbitrary File Upload vulnerability in the Image Uploader component of the ProfilePress WordPress plugin, affecting versions 3.0.0–3.1.3. The issue allows attackers to upload arbitrary files during user registration or profile updates. Connected sources indic...
CVE-2024-1806
The CVE-2024-1806 entry concerns the ProfilePress (Paid Membership Plugin) for WordPress. A stored XSS flaw exists in all versions up to 4.15.1 caused by insufficient input sanitization and output escaping on user-supplied attributes within the plugin’s shortcodes. Exploitation requires an attack...
CVE-2021-34624
The CVE concerns the WordPress ProfilePress plugin (versions 3.0.0–3.1.3). A vulnerability in the FileUploader.php component allows unauthenticated users to upload arbitrary files during registration or profile updates, enabling potential remote code execution and full site compromise. The issue ...
CVE-2023-44150
CVE-2023-44150 affects ProfilePress (Paid Membership Plugin) for WordPress; versions
CVE-2024-11083
The CVE-2024-11083 entry concerns the ProfilePress WordPress plugin. Affected software: ProfilePress plugin for WordPress, versions up to and including 4.15.18. Vulnerability: unauthenticated access allows sensitive information exposure by abusing WordPress core search to retrieve data from posts...
CVE-2024-1570
Affected software: ProfilePress (WordPress plugin) ≤ 4.14.4. Vulnerability: Stored Cross-Site Scripting via the login-password shortcode caused by insufficient input sanitization and output escaping on user-supplied attributes. Impact: Authenticated attackers with contributor-level permissions (o...
CVE-2022-4697
The CVE-2022-4697 relates to the WordPress ProfilePress plugin (versions up to 4.5.0). It is a Stored Cross‑Site Scripting vulnerability via the wp_user_cover_default_image_url parameter caused by insufficient input sanitization and output escaping. Exploitation requires authenticated access with...
CVE-2024-2867
CVE-2024-2867: Stored XSS in ProfilePress (Paid Membership Plugin) for WordPress. Affected versions up to 4.15.4 permit authenticated attackers with Contributor+ to inject scripts via the title parameter; scripts run when users visit the injected page. Root cause: insufficient input sanitization ...
CVE-2024-13121
The CVE-2024-13121 entry concerns the WordPress Paid Membership Plugin (and related components) prior to version 4.15.20. The root cause is insufficient sanitisation/escaping of certain plugin settings, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disall...
CVE-2022-4698
The CVE-2022-4698 entry concerns the WordPress ProfilePress plugin. Affected: ProfilePress plugin for WordPress (versions up to and including 4.5.0). Issue: Stored Cross-Site Scripting via several form fields caused by insufficient input sanitization and output escaping. Impact: Authenticated att...
CVE-2021-24450
CVE-2021-24450 affects WordPress ProfilePress (former WP User Avatar) plugin prior to 3.1.8. The vulnerability arises from improper sanitisation/escaping of certain settings when saved or output, enabling an authenticated Stored XSS by high-privilege users (e.g., admins) to inject JavaScript payl...
CVE-2024-1408
The CVE concerns the WordPress ProfilePress (Paid Membership Plugin) for ProfilePress plugin in WordPress, affected up to version 4.14.4. The vulnerability is a Stored Cross-Site Scripting through the edit-profile-text-box shortcode caused by insufficient input sanitization and output escaping on...
CVE-2024-1519
CVE-2024-1519 affects the WordPress ProfilePress/Payed Membership Plugin (ProfilePress) up to version 4.14.4. The root cause is stored cross-site scripting via the name parameter due to insufficient input sanitization and output escaping. Exploitation requires an active member listing page using ...
CVE-2024-10517
CVE-2024-10517 affects ProfilePress family (Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content) for WordPress, with vulnerable Drag & Drop Builder fields not sanitised/escaped. Root cause per Red Hat/patch sources: lack of sanitisation/escaping ...
CVE-2024-9947
CVE-2024-9947 affects ProfilePress Pro for WordPress. The vulnerability is an authentication bypass in all versions up to 4.11.1 caused by insufficient verification of the user returned by the social login token, enabling unauthenticated attackers to log in as existing users (e.g., administrators...
CVE-2024-1046
ProfilePress for WordPress (WordPress plugin) is affected by CVE-2024-1046: stored cross-site scripting via the reg-number-field shortcode. The vulnerability exists in all versions up to and including 4.14.3 due to insufficient input sanitization and output escaping on user-supplied attributes. A...
CVE-2024-13119
CVE-2024-13119 affects the ProfilePress family in WordPress via the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content suite. The public description confirms that versions prior to 4.15.20 do not sanitize/escape certain settings, enabling Stored...
CVE-2024-3210
CVE-2024-3210 affects the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress for WordPress. It is a Stored XSS via the reg-single-checkbox shortcode in all versions up to 4.15.5 due to insufficient input sanitization and output es...
CVE-2022-45083
The CVE-2022-45083 entry concerns the ProfilePress Membership Team Paid Membership Plugin for WordPress, with a deserialization of untrusted data vulnerability. Affected components include the ProfilePress: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Rest...
CVE-2023-23820
The CVE-2023-23820 entry concerns the WordPress ProfilePress Plugin (Membership Team) versions <= 4.5.4. The vulnerability is a stored XSS that requires authentication (contributors or higher) to exploit. The available documents specify the issue as an Auth. (contributor+) Stored Cross-Site Sc...
CVE-2024-10518
CVE-2024-10518 is an Admin+ Stored XSS vulnerability in the WordPress ProfilePress suite (Paid Membership Plugin/Ecommerce/User Registration Form/Login Form/User Profile & Restrict Content) up to version 4.15.15. The issue arises from unsanitized Membership Plan settings, enabling stored XSS by h...
CVE-2024-1535
ProfilePress WordPress plugin (formerly named ProfilePress/Restrict Content) is affected by CVE-2024-1535. According to the sources, versions up to 4.15.2 are vulnerable to stored cross-site scripting via the plugin’s shortcodes due to insufficient input sanitization and output escaping on user-s...
CVE-2023-50882
CVE-2023-50882 affects the ProfilePress WordPress plugin (wp-user-avatar component). The vulnerability is a Missing Authorization / Broken Access Control issue in ProfilePress versions n/a through 4.13.2, exploitable by unauthenticated users due to incorrectly configured access control. PatchStac...
CVE-2024-1409
CVE-2024-1409 affects the WordPress ProfilePress (Paid Membership Plugin) via the reg-select-role shortcode. The vulnerability is a Stored XSS due to insufficient input sanitization and output escaping on user-supplied attributes in all versions up to 4.15.0. Exploitation requires authenticated a...
CVE-2023-23996
CVE-2023-23996 affects the WordPress ProfilePress Plugin (ProfilePress Membership Team ProfilePress)