ProfilePress
Cross-site scripting in ProfilePress WordPress plugin versions up to and including 4.16.13 allows authenticated subscribers to inject malicious JavaScript payloads that execute in the browsers of other users - including administrators - who view affected content. The CVSS scope change (S:C) indicator confirms this is a stored or reflected XSS that crosses privilege boundaries, enabling low-privilege users to target higher-privilege accounts. No public exploit has been identified at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.