cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-11083,https://securityvulnerability.io/vulnerability/CVE-2024-11083,Unauthenticated Attackers Can Extract Sensitive Data via WordPress Core Search,"The ProfilePress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.15.18 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress",5.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-11-27T05:31:54.074Z,0
CVE-2024-9947,https://securityvulnerability.io/vulnerability/CVE-2024-9947,Authenticatiom Bypass Vulnerability in ProfilePress Pro Plugin for WordPress,"The ProfilePress Pro plugin for WordPress exhibits a vulnerability that allows for authentication bypass, enabling unauthenticated attackers to gain access to any existing user account, including those with administrative privileges. This security issue arises from inadequate verification processes associated with the social login tokens used within the plugin. If an attacker possesses the email of a user who has not previously created an account for the social login service that issues the token, they can exploit this flaw to log in as that user. This presents a significant risk to websites utilizing the affected plugin versions, as it compromises account security and potentially exposes sensitive site operations.",Wordpress,Profilepress Pro,9.8,CRITICAL,0.000910000002477318,false,,false,false,false,,false,false,2024-10-23T06:45:06.442Z,0
CVE-2024-2861,https://securityvulnerability.io/vulnerability/CVE-2024-2861,Stored Cross-Site Scripting Vulnerability in ProfilePress Plugin,"The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ProfilePress User Panel widget in all versions up to, and including, 4.15.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress",6.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-23T09:32:32.877Z,0
CVE-2024-2867,https://securityvulnerability.io/vulnerability/CVE-2024-2867,Stored Cross-Site Scripting in ProfilePress by WPExperts,"The ProfilePress plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate input sanitization and output escaping in the 'title' parameter. Authenticated attackers with contributor access or higher can inject malicious web scripts into pages, leading to execution whenever a user visits the compromised page. This vulnerability affects all versions up to and including 4.15.4, posing a risk to user data and site integrity.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress",6.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-02T16:52:04.809Z,0
CVE-2024-3210,https://securityvulnerability.io/vulnerability/CVE-2024-3210,Stored Cross-Site Scripting Vulnerability in ProfilePress Ecommerce Plugin,"The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'reg-single-checkbox' shortcode in all versions up to, and including, 4.15.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress",5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-04-10T05:32:23.418Z,0
CVE-2024-1806,https://securityvulnerability.io/vulnerability/CVE-2024-1806,Stored Cross-Site Scripting Vulnerability in ProfilePress Plugin,"The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.15.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress",5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-03-13T15:27:17.016Z,0
CVE-2024-1409,https://securityvulnerability.io/vulnerability/CVE-2024-1409,Stored Cross-Site Scripting in Paid Membership Plugin for WordPress by ProfilePress,"The Paid Membership Plugin for WordPress, developed by ProfilePress, is exposed to a Stored Cross-Site Scripting vulnerability through its [reg-select-role] shortcode. This vulnerability affects all plugin versions up to and including 4.15.0, where inadequate input sanitization and output escaping on user-supplied attributes allows authenticated attackers with contributor-level permissions to inject arbitrary web scripts. These scripts execute when any user accesses a compromised page, potentially compromising user data and application security.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress",5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-03-13T15:26:49.245Z,0
CVE-2024-1535,https://securityvulnerability.io/vulnerability/CVE-2024-1535,Stored Cross-Site Scripting Vulnerability in ProfilePress Plugin for WordPress,"The ProfilePress plugin for WordPress contains a stored cross-site scripting vulnerability that arises from inadequate input sanitization and output escaping of user-supplied attributes in its shortcodes. This flaw allows authenticated attackers with contributor-level or higher permissions to inject malicious scripts that will execute when other users access the affected pages. All versions up to and including 4.15.2 are impacted, making it crucial for site administrators to address this security risk to protect their users from potential exploits.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profilepress",5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-03-13T15:26:43.832Z,0
CVE-2024-1408,https://securityvulnerability.io/vulnerability/CVE-2024-1408,Stored Cross-Site Scripting Vulnerability in ProfilePress Ecommerce Plugin,"The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping on user supplied attributes such as 'type'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress",5.4,MEDIUM,0.0005699999746866524,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2024-1519,https://securityvulnerability.io/vulnerability/CVE-2024-1519,Stored Cross-Site Scripting Vulnerability in ProfilePress Paid Membership Plugin,"The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires a member listing page to be active and using the Gerbera theme.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress",6.1,MEDIUM,0.0005600000149570405,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2024-1570,https://securityvulnerability.io/vulnerability/CVE-2024-1570,Stored Cross-Site Scripting Vulnerability in ProfilePress Plugin,"The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login-password shortcode in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress",5.4,MEDIUM,0.0005699999746866524,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2024-1046,https://securityvulnerability.io/vulnerability/CVE-2024-1046,Stored Cross-Site Scripting Vulnerability in ProfilePress Ecommerce Plugin,"The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'reg-number-field' shortcode in all versions up to, and including, 4.14.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,"Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress",5.4,MEDIUM,0.0004799999878741801,false,,false,false,false,,false,false,2024-02-05T21:21:51.417Z,0
CVE-2022-4697,https://securityvulnerability.io/vulnerability/CVE-2022-4697,Stored Cross-Site Scripting in ProfilePress Plugin for WordPress,"The ProfilePress plugin for WordPress is susceptible to Stored Cross-Site Scripting due to inadequate sanitization of the 'wp_user_cover_default_image_url' parameter. This vulnerability allows authenticated users with administrator or higher privileges to embed malicious scripts, which can be executed when other users visit affected pages. The issue predominantly impacts multi-site configurations and those with disabled unfiltered_html settings, making it crucial for administrators to implement necessary security measures and update their installations.",Wordpress,"Paid Membership, Ecommerce, Registration Form, Login Form, User Profile, Paywall & Restrict Content – Profilepress",5.5,MEDIUM,0.0005000000237487257,false,,false,false,false,,false,false,2022-12-23T15:11:46.114Z,0
CVE-2022-4698,https://securityvulnerability.io/vulnerability/CVE-2022-4698,Stored Cross-Site Scripting in ProfilePress Plugin for WordPress,"The ProfilePress plugin for WordPress is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to inadequate input sanitization and output escaping. This issue exists in several form fields, affecting versions up to and including 4.5.0. Authenticated attackers with administrator-level access can exploit this vulnerability to inject arbitrary web scripts into pages, which will execute when users visit those pages. The vulnerability primarily impacts multi-site installations and those where unfiltered_html capability has been disabled.",Wordpress,"Paid Membership, Ecommerce, Registration Form, Login Form, User Profile, Paywall & Restrict Content – Profilepress",5.5,MEDIUM,0.0005000000237487257,false,,false,false,false,,false,false,2022-12-23T15:09:51.218Z,0
CVE-2021-24955,https://securityvulnerability.io/vulnerability/CVE-2021-24955,ProfilePress < 3.2.3 - Reflected Cross-Site Scripting,"The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not escape the data parameter of the pp_get_forms_by_builder_type AJAX action before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue",Wordpress,"User Registration, Login Form, User Profile & Membership – Profilepress (formerly WP User Avatar)",6.1,MEDIUM,0.0007399999885819852,false,,false,false,false,,false,false,2021-12-13T10:41:29.000Z,0
CVE-2021-24954,https://securityvulnerability.io/vulnerability/CVE-2021-24954,ProfilePress < 3.2.3 - Reflected Cross-Site Scripting,"The User Registration, Login Form, User Profile & Membership WordPress plugin before 3.2.3 does not sanitise and escape the ppress_cc_data parameter before outputting it back in an attribute of an admin dashboard page, leading to a Reflected Cross-Site Scripting issue",Wordpress,"User Registration, Login Form, User Profile & Membership – Profilepress (formerly WP User Avatar)",6.1,MEDIUM,0.0007399999885819852,false,,false,false,false,,false,false,2021-12-13T10:41:28.000Z,0
CVE-2021-24522,https://securityvulnerability.io/vulnerability/CVE-2021-24522,ProfilePress < 3.1.11 - Unauthenticated Cross-Site Scripting (XSS) in tabbed login/register widget,"The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some cases this could be replicated with just $_GET parameters and no need for $_POST values.",Wordpress,"User Registration, User Profile, Login & Membership – Profilepress (formerly WP User Avatar)",6.1,MEDIUM,0.0006699999794363976,false,,false,false,false,,false,false,2021-08-09T10:04:15.000Z,0
CVE-2021-24450,https://securityvulnerability.io/vulnerability/CVE-2021-24450,ProfilePress < 3.1.8 - Authenticated Stored XSS,"The User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.8 did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue",Wordpress,"User Registration, User Profiles, Login & Membership – Profilepress (formerly WP User Avatar)",4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2021-08-02T10:32:00.000Z,0
CVE-2021-34621,https://securityvulnerability.io/vulnerability/CVE-2021-34621,ProfilePress 3.0 - 3.1.3 - Unauthenticated Privilege Escalation,A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. .,Wordpress,Profilepress,9.8,CRITICAL,0.9101799726486206,false,,false,false,true,true,false,false,2021-07-07T13:15:00.000Z,0
CVE-2021-34622,https://securityvulnerability.io/vulnerability/CVE-2021-34622,ProfilePress 3.0 - 3.1.3 - Authenticated Privilege Escalation,A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3. .,Wordpress,Profilepress,9.8,CRITICAL,0.001129999989643693,false,,false,false,false,,false,false,2021-07-07T13:15:00.000Z,0
CVE-2021-34624,https://securityvulnerability.io/vulnerability/CVE-2021-34624,ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in File Uploader Component,A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. .,Wordpress,Profilepress,9.8,CRITICAL,0.00750999990850687,false,,false,false,false,,false,false,2021-07-07T13:15:00.000Z,0
CVE-2021-34623,https://securityvulnerability.io/vulnerability/CVE-2021-34623,ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload in Image Uploader Component,A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. .,Wordpress,Profilepress,9.8,CRITICAL,0.005849999841302633,false,,false,false,false,,false,false,2021-07-07T13:15:00.000Z,0