Properfraction Profilepress vulnerabilities
35 known vulnerabilities affecting properfraction/profilepress.
Total CVEs
35
CISA KEV
0
Public exploits
5
Exploited in wild
4
Severity breakdown
CRITICAL4HIGH4MEDIUM26LOW1
Vulnerabilities
Page 1 of 2
CVE-2021-34621P1CRITICALCVSS 9.8ExploitedPoC≥ 3.0.0, ≤ 3.1.32021-07-07
CVE-2021-34621 [CRITICAL] CWE-269 CVE-2021-34621: A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php f
A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. .
nvd
CVE-2021-34624P1CRITICALCVSS 9.8ExploitedPoC≥ 3.0.0, ≤ 3.1.32021-07-07
CVE-2021-34624 [CRITICAL] CWE-434 CVE-2021-34624: A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of t
A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. .
nvd
CVE-2021-34622P1HIGHCVSS 8.8ExploitedPoC≥ 3.0.0, ≤ 3.1.32021-07-07
CVE-2021-34622 [HIGH] CWE-269 CVE-2021-34622: A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php
A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3. .
nvd
CVE-2023-41954P2HIGHCVSS 8.6ExploitedPoCfixed in 4.13.22024-05-17
CVE-2023-41954 [HIGH] CWE-269 CVE-2023-41954: Improper Privilege Management vulnerability in ProfilePress Membership Team ProfilePress allows Priv
Improper Privilege Management vulnerability in ProfilePress Membership Team ProfilePress allows Privilege Escalation.This issue affects ProfilePress: from n/a through 4.13.1.
nvd
CVE-2024-9947P2CRITICALCVSS 9.8fixed in 4.11.22024-10-23
CVE-2024-9947 [CRITICAL] CWE-287 CVE-2024-9947: The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up
The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they
nvd
CVE-2021-34623P2CRITICALCVSS 9.8≥ 3.0.0, ≤ 3.1.32021-07-07
CVE-2021-34623 [CRITICAL] CWE-434 CVE-2021-34623: A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of
A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. .
nvd
CVE-2021-24522P3MEDIUMCVSS 6.1PoCfixed in 3.1.112021-08-09
CVE-2021-24522 [MEDIUM] CWE-79 CVE-2021-24522: The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) Wor
The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some case
nvd
CVE-2022-45083P3HIGHCVSS 7.2fixed in 4.4.02024-01-19
CVE-2022-45083 [HIGH] CWE-502 CVE-2022-45083: Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plug
Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: from n/a through
nvd
CVE-2023-44150P3HIGHCVSS 7.5fixed in 4.13.32023-11-30
CVE-2023-44150 [HIGH] CWE-200 CVE-2023-44150: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ProfilePress Membership
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: fro
nvd
CVE-2026-41556P4MEDIUMCVSS 6.5≥ n/a, ≤ 4.16.132026-06-15
CVE-2026-41556 [MEDIUM] CWE-79 CVE-2026-41556: Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions.
Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions.
nvd
CVE-2024-11083P4MEDIUMCVSS 5.3fixed in 4.15.192024-11-27
CVE-2024-11083 [MEDIUM] CWE-200 CVE-2024-11083: The ProfilePress plugin for WordPress is vulnerable to Sensitive Information Exposure in all version
The ProfilePress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.15.18 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
nvd
CVE-2023-50882P4MEDIUMCVSS 5.3fixed in 4.13.3≤ 4.13.22024-12-09
CVE-2023-50882 [MEDIUM] CWE-862 CVE-2023-50882: Missing Authorization vulnerability in properfraction ProfilePress wp-user-avatar allows Exploiting
Missing Authorization vulnerability in properfraction ProfilePress wp-user-avatar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ProfilePress: from n/a through <= 4.13.2.
nvd
CVE-2023-41953P4MEDIUMCVSS 5.3fixed in 4.13.22024-12-09
CVE-2023-41953 [MEDIUM] CWE-862 CVE-2023-41953: Missing Authorization vulnerability in ProfilePress Membership Team ProfilePress.This issue affects
Missing Authorization vulnerability in ProfilePress Membership Team ProfilePress.This issue affects ProfilePress: from n/a through 4.13.1.
nvd
CVE-2024-1519P4MEDIUMCVSS 6.1fixed in 4.15.02024-02-29
CVE-2024-1519 [MEDIUM] CWE-79 CVE-2024-1519: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthent
nvd
CVE-2024-1408P4MEDIUMCVSS 5.4fixed in 4.15.02024-02-29
CVE-2024-1408 [MEDIUM] CWE-79 CVE-2024-1408: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping on user suppl
nvd
CVE-2024-1535P4MEDIUMCVSS 5.4fixed in 4.15.32024-03-13
CVE-2024-1535 [MEDIUM] CWE-79 CVE-2024-1535: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.15.2 due to insufficient input sanitization and output escaping on user supplied attributes. Thi
nvd
CVE-2024-1806P4MEDIUMCVSS 5.4fixed in 4.15.22024-03-13
CVE-2024-1806 [MEDIUM] CWE-79 CVE-2024-1806: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.15.1 due to insufficient input sanitization and output escaping on user supplied attributes. Thi
nvd
CVE-2024-1409P4MEDIUMCVSS 5.4fixed in 4.15.12024-03-13
CVE-2024-1409 [MEDIUM] CWE-79 CVE-2024-1409: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [reg-select-role] shortcode in all versions up to, and including, 4.15.0 due to insufficient input sanitization and output escaping on user supplied
nvd
CVE-2024-3210P4MEDIUMCVSS 5.4fixed in 4.15.62024-04-10
CVE-2024-3210 [MEDIUM] CWE-79 CVE-2024-3210: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'reg-single-checkbox' shortcode in all versions up to, and including, 4.15.5 due to insufficient input sanitization and output escaping on user suppl
nvd
CVE-2024-2867P4MEDIUMCVSS 5.4fixed in 4.15.52024-05-02
CVE-2024-2867 [MEDIUM] CWE-20 CVE-2024-2867: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 4.15.4 due to insufficient input sanitization and output escaping. This makes it possible for authenti
nvd
1 / 2Next →