cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-1173,https://securityvulnerability.io/vulnerability/CVE-2024-1173,SQL Injection Vulnerability in WP ERP - WooCommerce CRM & Accounting Plugin,"The WP ERP plugin, which offers a complete HR solution along with recruitment and job listings features, has a vulnerability related to time-based SQL Injection. This issue arises from insufficient escaping of the user-supplied 'id' parameter in all versions up to and including 1.13.1. The lack of proper preparation in the SQL query allows authenticated attackers—especially those with accounting manager or admin access—to inject additional SQL commands. This could lead to unauthorized access to sensitive information within the database, significantly impacting data integrity and confidentiality.",Wordpress,WP Erp | Complete Hr Solution With Recruitment & Job Listings | WooCommerce Crm & Accounting,7.2,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,2024-05-02T16:52:26.030Z,0
CVE-2024-0952,https://securityvulnerability.io/vulnerability/CVE-2024-0952,WP ERP HR Solution Vulnerable to SQL Injection,"The WooCommerce CRM & Accounting plugin for WordPress is at risk due to a time-based SQL injection vulnerability exploiting the user-supplied 'id' parameter. Present in all plugin versions up to and including 1.12.9, the imperfection arises from inadequate escaping of parameters and insufficient preparation of SQL queries. This flaw allows authenticated attackers with accounting manager or higher privileges to execute additional SQL commands within existing queries, potentially leading to the exposure of sensitive information stored within the database.",Wordpress,WP Erp | Complete Hr Solution With Recruitment & Job Listings | WooCommerce Crm & Accounting,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-09T18:59:32.870Z,0
CVE-2024-0956,https://securityvulnerability.io/vulnerability/CVE-2024-0956,WP ERP HR Solution Vulnerable to SQL Injection,"The WooCommerce CRM & Accounting plugin for WordPress, developed by WP ERP, exhibits a vulnerability that allows time-based SQL injection through the 'id' parameter in the REST route erp/v1/accounting/v1/vendors/1/products/. This flaw arises from inadequate escaping of the user-supplied parameter and insufficient preparation of the SQL query prior to execution. Authenticated attackers, typically those possessing admin or accounting manager roles, can exploit this weakness to append malicious SQL queries. This exploitation can lead to potential unauthorized access to sensitive information stored within the database, posing significant risks to data integrity and security.",Wordpress,WP Erp | Complete Hr Solution With Recruitment & Job Listings | WooCommerce Crm & Accounting,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-03-29T06:44:03.130Z,0
CVE-2024-0609,https://securityvulnerability.io/vulnerability/CVE-2024-0609,WP ERP HR Solution Vulnerable to Stored Cross-Site Scripting,"The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress experiences a vulnerability related to Stored Cross-Site Scripting. This issue arises from inadequate input sanitization and output escaping in the 'api_key' parameter. Attackers without authentication can exploit this vulnerability to inject arbitrary web scripts into pages. The injected scripts will execute for any user who visits the affected page, potentially compromising the integrity of user data and the overall security of the website.",Wordpress,WP Erp | Complete Hr Solution With Recruitment & Job Listings | WooCommerce Crm & Accounting,6.1,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-03-29T06:44:01.574Z,0
CVE-2024-0608,https://securityvulnerability.io/vulnerability/CVE-2024-0608,SQL Injection Vulnerability in WP ERP's HR Solution,"The WP ERP (Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting) for WordPress is prone to a union-based SQL Injection vulnerability. This occurs via the 'email' parameter in all versions up to and including 1.12.9. The vulnerability is attributed to insufficient escaping of user-supplied input and a lack of proper preparation in the SQL query. Authenticated attackers with subscriber-level access can exploit this flaw to inject additional SQL queries into existing ones, potentially gaining unauthorized access to sensitive database information.",Wordpress,WP Erp | Complete Hr Solution With Recruitment & Job Listings | WooCommerce Crm & Accounting,8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-03-29T06:44:01.096Z,0
CVE-2024-0913,https://securityvulnerability.io/vulnerability/CVE-2024-0913,WP ERP HR Solution Vulnerable to SQL Injection,"The WP ERP plugin, a comprehensive solution for human resources and accounting on WordPress, is susceptible to a time-based SQL injection through the erp/v1/accounting/v1/transactions/sales REST API endpoint in all versions up to and including 1.12.9. This vulnerability arises from inadequate escaping of the user-input parameters 'status' and 'customer_id', coupled with insufficient preparation in the existing SQL query. Authenticated attackers holding accounting manager or admin privileges can exploit this security flaw to inject additional SQL statements into existing queries, potentially allowing them to retrieve sensitive data from the database.",Wordpress,WP Erp | Complete Hr Solution With Recruitment & Job Listings | WooCommerce Crm & Accounting,7.2,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-03-29T06:43:59.567Z,0
CVE-2020-36735,https://securityvulnerability.io/vulnerability/CVE-2020-36735,Cross-Site Request Forgery in WP ERP Plugin for WordPress,"The WP ERP plugin, which offers comprehensive HR and recruitment solutions for WordPress sites, contains a vulnerability that arises from inadequate nonce validation. This issue affects versions up to and including 1.6.3, allowing attackers to exploit functions such as handle_leave_calendar_filter, add_enable_disable_option_save, leave_policies, process_bulk_action, and process_crm_contact. An attacker can craft a malicious link that, when clicked by an unsuspecting site administrator, could lead to unauthorized changes to plugin settings, compromising the integrity of the WordPress site.",Wordpress,WP Erp | Complete Hr Solution With Recruitment & Job Listings | WooCommerce Crm & Accounting,4.3,MEDIUM,0.0004900000058114529,false,,false,false,false,,false,false,2023-07-01T02:54:23.831Z,0
CVE-2023-2744,https://securityvulnerability.io/vulnerability/CVE-2023-2744,WP ERP < 1.12.4 - Admin+ SQL Injection,"The ERP Plugin for WordPress prior to version 1.12.4 contains a vulnerability that allows the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint to be manipulated. Due to inadequate sanitization and escaping of this parameter before it is utilized in a SQL statement, high privilege users, including administrators, can exploit this vulnerability to perform unauthorized SQL queries. This could lead to unauthorized data access or modification, making it crucial for users to update to the latest version.",Wordpress,WP Erp | Complete Hr Solution With Recruitment & Job Listings | WooCommerce Crm & Accounting,7.2,HIGH,0.002520000096410513,false,,false,false,true,true,false,false,2023-06-27T14:15:00.000Z,0
CVE-2023-2743,https://securityvulnerability.io/vulnerability/CVE-2023-2743,WP ERP < 1.12.4 - Reflected Cross-Site Scripting,"The ERP WordPress plugin before 1.12.4 does not sanitise and escape the employee_name parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.",Wordpress,WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting,6.1,MEDIUM,0.0007200000109151006,false,,false,false,false,,false,false,2023-06-27T14:15:00.000Z,0