Properfraction Profilepress vulnerabilities

CVE-2022-45083 [HIGH] CWE-502 CVE-2022-45083: Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plug Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: from n/a through

CVE-2023-44150 [HIGH] CWE-200 CVE-2023-44150: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ProfilePress Membership Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: fro

CVE-2023-23820 [MEDIUM] CWE-79 CVE-2023-23820: Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions.

CVE-2023-23830 [MEDIUM] CWE-79 CVE-2023-23830: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePr Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions.

CVE-2023-23996 [MEDIUM] CWE-79 CVE-2023-23996: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team Profi Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.3 versions.

CVE-2022-47444 [MEDIUM] CWE-79 CVE-2022-47444: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team Paid Memb Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin <= 4.5.3 versions.

CVE-2022-4698 [MEDIUM] CWE-79 CVE-2022-4698: The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several form The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several form fields in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that wi

CVE-2022-4697 [MEDIUM] CWE-79 CVE-2022-4697: The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_user_ The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_user_cover_default_image_url’ parameter in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary

CVE-2021-24522 [MEDIUM] CWE-79 CVE-2021-24522: The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) Wor The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the plugin in several places assigned $_POST as $_GET which meant that in some case

CVE-2021-24450 [MEDIUM] CWE-79 CVE-2021-24450: The User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) Wo The User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.8 did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfiltered_html capability

CVE-2021-34623 [CRITICAL] CWE-434 CVE-2021-34623: A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. .

CVE-2021-34621 [CRITICAL] CWE-269 CVE-2021-34621: A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php f A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. .

CVE-2021-34624 [CRITICAL] CWE-434 CVE-2021-34624: A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of t A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 - 3.1.3. .

CVE-2021-34622 [HIGH] CWE-269 CVE-2021-34622: A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3. .