Strangerstudios

Paid Memberships Pro

24 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
Exploit
  • EPSS 0.33%
  • Published 11.03.2024 18:15:17
  • Last modified 28.03.2025 19:15:17

The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent users with at least the contributor role from leaking other users' sensitive metadata.

  • EPSS 3.96%
  • Published 25.01.2024 02:15:53
  • Last modified 21.11.2024 08:47:01

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This is due to missing or incorrect nonce validatio...

  • EPSS 0.35%
  • Published 11.01.2024 09:15:52
  • Last modified 03.06.2025 14:15:41

The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to unauthorized modification of membership levels created by the plugin due to an incorrectly implemented capability check in t...

  • EPSS 19.7%
  • Published 18.11.2023 02:15:49
  • Last modified 21.11.2024 08:43:18

The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'pmpro_paypalexpress_session_vars_for_user_fields' function in versions up to, and including, 2.12.3. This makes it poss...

Exploit
  • EPSS 0.14%
  • Published 20.10.2023 08:15:11
  • Last modified 21.11.2024 05:30:13

The Paid Memberships Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.2. This is due to missing or incorrect nonce validation on the pmpro_page_save() function. This makes it possible for una...

Exploit
  • EPSS 79.06%
  • Published 20.03.2023 16:15:12
  • Last modified 26.02.2025 15:15:18

The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.

Exploit
  • EPSS 4.16%
  • Published 13.02.2023 15:15:20
  • Last modified 21.11.2024 07:36:01

The Paid Memberships Pro WordPress plugin before 2.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scrip...

  • EPSS 84.18%
  • Published 20.01.2023 18:15:10
  • Last modified 03.04.2025 20:15:22

The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.

Exploit
  • EPSS 78.52%
  • Published 07.02.2022 16:15:46
  • Last modified 21.11.2024 05:54:22

The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST routes (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection.

Exploit
  • EPSS 2.69%
  • Published 27.12.2021 11:15:09
  • Last modified 21.11.2024 05:54:07

The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.