28 matches found
CVE-2023-41953
CVE-2023-41953 concerns the WordPress plugin ProfilePress (Membership Team) up to version 4.13.1, where a Missing Authorization vulnerability exists. The connected PT-2023-8991 document attributes the issue to a flaw in the admin_notice() path that enables a CSRF attack due to incorrect nonce val...
CVE-2024-2861
CVE-2024-2861 affects the ProfilePress WordPress plugin. The vulnerability is a Stored Cross-Site Scripting (XSS) via the ProfilePress User Panel widget in all versions up to 4.15.8, caused by insufficient input sanitization and output escaping on user-supplied attributes. Exploitation requires a...
CVE-2023-23830
CVE-2023-23830 affects the WordPress ProfilePress Plugin (ProfilePress Membership Team ProfilePress) versions
CVE-2021-24522
CVE-2021-24522 affects ProfilePress (formerly WP User Avatar) for WordPress, before version 3.1.11. The tabbed login/register widget is vulnerable to unauthenticated reflected XSS due to improper escaping, with some cases enabling replication via $_GET because $_POST values were mapped to $_GET. ...
CVE-2024-13120
The CVE-2024-13120 entry concerns the ProfilePress WordPress plugin (Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress) prior to version 4.15.20. Technical details in connected records show the issue is a stored XSS caused by not...
CVE-2023-41954
ProfilePress WordPress plugin
CVE-2024-1806
The CVE-2024-1806 entry concerns the ProfilePress (Paid Membership Plugin) for WordPress. A stored XSS flaw exists in all versions up to 4.15.1 caused by insufficient input sanitization and output escaping on user-supplied attributes within the plugin’s shortcodes. Exploitation requires an attack...
CVE-2023-44150
CVE-2023-44150 affects ProfilePress (Paid Membership Plugin) for WordPress; versions
CVE-2024-11083
The CVE-2024-11083 entry concerns the ProfilePress WordPress plugin. Affected software: ProfilePress plugin for WordPress, versions up to and including 4.15.18. Vulnerability: unauthenticated access allows sensitive information exposure by abusing WordPress core search to retrieve data from posts...
CVE-2024-1570
Affected software: ProfilePress (WordPress plugin) ≤ 4.14.4. Vulnerability: Stored Cross-Site Scripting via the login-password shortcode caused by insufficient input sanitization and output escaping on user-supplied attributes. Impact: Authenticated attackers with contributor-level permissions (o...
CVE-2022-4697
The CVE-2022-4697 relates to the WordPress ProfilePress plugin (versions up to 4.5.0). It is a Stored Cross‑Site Scripting vulnerability via the wp_user_cover_default_image_url parameter caused by insufficient input sanitization and output escaping. Exploitation requires authenticated access with...
CVE-2024-2867
CVE-2024-2867: Stored XSS in ProfilePress (Paid Membership Plugin) for WordPress. Affected versions up to 4.15.4 permit authenticated attackers with Contributor+ to inject scripts via the title parameter; scripts run when users visit the injected page. Root cause: insufficient input sanitization ...
CVE-2024-13121
The CVE-2024-13121 entry concerns the WordPress Paid Membership Plugin (and related components) prior to version 4.15.20. The root cause is insufficient sanitisation/escaping of certain plugin settings, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disall...
CVE-2022-4698
The CVE-2022-4698 entry concerns the WordPress ProfilePress plugin. Affected: ProfilePress plugin for WordPress (versions up to and including 4.5.0). Issue: Stored Cross-Site Scripting via several form fields caused by insufficient input sanitization and output escaping. Impact: Authenticated att...
CVE-2021-24450
CVE-2021-24450 affects WordPress ProfilePress (former WP User Avatar) plugin prior to 3.1.8. The vulnerability arises from improper sanitisation/escaping of certain settings when saved or output, enabling an authenticated Stored XSS by high-privilege users (e.g., admins) to inject JavaScript payl...
CVE-2024-1519
CVE-2024-1519 affects the WordPress ProfilePress/Payed Membership Plugin (ProfilePress) up to version 4.14.4. The root cause is stored cross-site scripting via the name parameter due to insufficient input sanitization and output escaping. Exploitation requires an active member listing page using ...
CVE-2024-1408
The CVE concerns the WordPress ProfilePress (Paid Membership Plugin) for ProfilePress plugin in WordPress, affected up to version 4.14.4. The vulnerability is a Stored Cross-Site Scripting through the edit-profile-text-box shortcode caused by insufficient input sanitization and output escaping on...
CVE-2024-10517
CVE-2024-10517 affects ProfilePress family (Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content) for WordPress, with vulnerable Drag & Drop Builder fields not sanitised/escaped. Root cause per Red Hat/patch sources: lack of sanitisation/escaping ...
CVE-2024-9947
CVE-2024-9947 affects ProfilePress Pro for WordPress. The vulnerability is an authentication bypass in all versions up to 4.11.1 caused by insufficient verification of the user returned by the social login token, enabling unauthenticated attackers to log in as existing users (e.g., administrators...
CVE-2024-13119
CVE-2024-13119 affects the ProfilePress family in WordPress via the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content suite. The public description confirms that versions prior to 4.15.20 do not sanitize/escape certain settings, enabling Stored...
CVE-2024-3210
CVE-2024-3210 affects the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress for WordPress. It is a Stored XSS via the reg-single-checkbox shortcode in all versions up to 4.15.5 due to insufficient input sanitization and output es...
CVE-2023-23820
The CVE-2023-23820 entry concerns the WordPress ProfilePress Plugin (Membership Team) versions <= 4.5.4. The vulnerability is a stored XSS that requires authentication (contributors or higher) to exploit. The available documents specify the issue as an Auth. (contributor+) Stored Cross-Site Sc...
CVE-2022-45083
The CVE-2022-45083 entry concerns the ProfilePress Membership Team Paid Membership Plugin for WordPress, with a deserialization of untrusted data vulnerability. Affected components include the ProfilePress: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Rest...
CVE-2024-10518
CVE-2024-10518 is an Admin+ Stored XSS vulnerability in the WordPress ProfilePress suite (Paid Membership Plugin/Ecommerce/User Registration Form/Login Form/User Profile & Restrict Content) up to version 4.15.15. The issue arises from unsanitized Membership Plan settings, enabling stored XSS by h...
CVE-2024-1535
ProfilePress WordPress plugin (formerly named ProfilePress/Restrict Content) is affected by CVE-2024-1535. According to the sources, versions up to 4.15.2 are vulnerable to stored cross-site scripting via the plugin’s shortcodes due to insufficient input sanitization and output escaping on user-s...
CVE-2023-50882
CVE-2023-50882 affects the ProfilePress WordPress plugin (wp-user-avatar component). The vulnerability is a Missing Authorization / Broken Access Control issue in ProfilePress versions n/a through 4.13.2, exploitable by unauthenticated users due to incorrectly configured access control. PatchStac...
CVE-2024-1409
CVE-2024-1409 affects the WordPress ProfilePress (Paid Membership Plugin) via the reg-select-role shortcode. The vulnerability is a Stored XSS due to insufficient input sanitization and output escaping on user-supplied attributes in all versions up to 4.15.0. Exploitation requires authenticated a...
CVE-2023-23996
CVE-2023-23996 affects the WordPress ProfilePress Plugin (ProfilePress Membership Team ProfilePress)