cvebase

Properfraction Profilepress vulnerabilities

35 known vulnerabilities affecting properfraction/profilepress.

Total CVEs: 35
CISA KEV: 0
Public exploits: 5
Exploited in wild: 4
Severity breakdown: CRITICAL 4, HIGH 4, MEDIUM 26, LOW 1

Vulnerabilities

Page 2 of 2
CVE-2022-47444 | P4 | MEDIUM | CVSS 6.1 | ≤ 4.5.3 | 2023-03-29
CWE-79: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin <= 4.5.3 versions.
Source: NVD
CVE-2024-1570 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.15.0 | 2024-02-29
CWE-79: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login-password shortcode in all versions up to, and including, 4.14.4 due to insufficient input sanitization and output escaping on user supplied att
Source: NVD
CVE-2024-1046 | P4 | MEDIUM | CVSS 5.4 | ≤ 4.14.3 | 2024-02-05
CWE-79: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'reg-number-field' shortcode in all versions up to, and including, 4.14.3 due to insufficient input sanitization and output escaping on user supplied a
Source: NVD
CVE-2024-2861 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.15.9 | 2024-05-23
CWE-79: The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ProfilePress User Panel widget in all versions up to, and including, 4.15.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inj
Source: NVD
CVE-2023-23830 | P4 | MEDIUM | CVSS 6.1 | fixed in 4.5.5 | 2023-05-03
CWE-79: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions.
Source: NVD
CVE-2023-23820 | P4 | MEDIUM | CVSS 5.4 | fixed in 4.5.5 | 2023-05-03
CWE-79: Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions.
Source: NVD
CVE-2024-10518 | P4 | MEDIUM | CVSS 4.8 | fixed in 4.15.15 | 2024-12-12
CWE-79: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is di
Source: NVD
CVE-2024-10517 | P4 | MEDIUM | CVSS 4.8 | fixed in 4.15.5 | 2024-12-12
CWE-79: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is
Source: NVD
CVE-2024-13119 | P4 | MEDIUM | CVSS 4.8 | fixed in 4.15.20 | 2025-02-13
CWE-79: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for ex
Source: NVD
CVE-2024-13120 | P4 | MEDIUM | CVSS 4.8 | fixed in 4.15.20 | 2025-02-13
CWE-79: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for ex
Source: NVD
CVE-2021-24450 | P4 | MEDIUM | CVSS 4.8 | fixed in 3.1.8 | 2021-08-02
CWE-79: The User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.8 did not sanitise or escape some of its settings before saving them and outputting them back in the page, allowing high privilege users such as admin to set JavaScript payloads in them even when the unfiltered_html capability
Source: NVD
CVE-2022-4697 | P4 | MEDIUM | CVSS 4.8 | fixed in 4.5.1 | 2022-12-23
CWE-79: The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_user_cover_default_image_url’ parameter in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary
Source: NVD
CVE-2022-4698 | P4 | MEDIUM | CVSS 4.8 | fixed in 4.5.1 | 2022-12-23
CWE-79: The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several form fields in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that wi
Source: NVD
CVE-2023-23996 | P4 | MEDIUM | CVSS 4.8 | fixed in 4.5.4 | 2023-04-06
CWE-79: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.3 versions.
Source: NVD
CVE-2024-13121 | P4 | LOW | CVSS 3.5 | fixed in 4.15.20 | 2025-02-13
CWE-79: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for examp
Source: NVD