Unknown Paid Memberships Pro vulnerabilities
5 known vulnerabilities affecting unknown/paid_memberships_pro.
Total CVEs: 5
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 3
Vulnerabilities
CVE-2024-1279 | MEDIUM | CVSS 4.3 | CWE-284 | fixed in 2.12.9 | 2024-03-11
The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent users with at least the contributor role from leaking other users' sensitive metadata.
Sources: cvelistv5, nvd
CVE-2023-0631 | HIGH | CVSS 8.8 | CWE-89 | ≥ 1.5.5, < 2.9.12 | 2023-03-20
The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.
Sources: cvelistv5, nvd
CVE-2022-4830 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 2.9.9 | 2023-02-13
The Paid Memberships Pro WordPress plugin before 2.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.
Sources: cvelistv5, nvd
CVE-2021-25114 | CRITICAL | CVSS 9.8 | CWE-89 | PoC | ≥ 2.6.7, < 2.6.7 | 2022-02-07
The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST routes (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection.
Sources: cvelistv5, nvd
CVE-2021-24979 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | ≥ 2.6.6, < 2.6.6 | 2021-12-27
The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.
Sources: cvelistv5, nvd