Skip to main content

Wp Emember

14 CVEs product

Monthly

CVE-2026-54811 CRITICAL Act Now

Unauthenticated SQL injection in the WP eMember WordPress plugin versions prior to 10.9.4 allows remote attackers to inject arbitrary SQL through unsanitized input handled by the plugin. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the vulnerable component; no public exploit identified at time of analysis.

SQLi Wp Emember
NVD VulDB
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-49077 MEDIUM This Month

Sensitive data exposure in the WP eMember WordPress plugin (Tips and Tricks HQ) through version 10.2.2 allows unauthenticated remote attackers to retrieve embedded sensitive system information via a network request. The vulnerability is classified under CWE-497, meaning internally sensitive data is reachable from an unauthorized control sphere - in this case, the open internet without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation probability from EPSS data was not provided, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially reachable from any network source.

Information Disclosure Wp Emember
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28070 MEDIUM This Month

WP eMember through version 10.2.2 contains an authorization bypass flaw that allows unauthenticated remote attackers to circumvent access control restrictions and view protected content. The vulnerability stems from improper validation of security level configurations, enabling unauthorized information disclosure without user interaction. No patch is currently available for this issue.

Authentication Bypass Wp Emember
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-28073 HIGH This Week

A reflected cross-site scripting (XSS) vulnerability exists in the WP eMember WordPress plugin by Tips and Tricks HQ, affecting all versions up to and including 10.2.2. An attacker can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript in the victim's browser context. This vulnerability has been publicly disclosed by Patchstack with no indication of active exploitation in the wild or KEV listing at this time.

XSS Wp Emember
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2024-5081 MEDIUM POC This Month

The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF Wp Emember
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-5744 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
6.8
EPSS
0.4%
CVE-2024-5715 HIGH POC This Week

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
7.1
EPSS
0.4%
CVE-2024-5080 HIGH POC This Week

The wp-eMember WordPress plugin before 10.6.6 does not validate files to be uploaded, which could allow admins to upload arbitrary files such as PHP on the server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP File Upload Wp Emember
NVD WPScan
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-5079 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape some of the fields when members register, which allows unauthenticated users to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-5077 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF Wp Emember
NVD WPScan
CVSS 3.1
6.8
EPSS
0.2%
CVE-2024-5076 HIGH POC This Week

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Wp Emember
NVD WPScan
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-5075 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
5.9
EPSS
0.3%
CVE-2024-5074 MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-4749 HIGH POC This Week

The wp-eMember WordPress plugin before 10.3.9 does not sanitize and escape the "fieldId" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
CVSS 3.1
8.3
EPSS
0.4%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Unauthenticated SQL injection in the WP eMember WordPress plugin versions prior to 10.9.4 allows remote attackers to inject arbitrary SQL through unsanitized input handled by the plugin. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the vulnerable component; no public exploit identified at time of analysis.

SQLi Wp Emember
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Sensitive data exposure in the WP eMember WordPress plugin (Tips and Tricks HQ) through version 10.2.2 allows unauthenticated remote attackers to retrieve embedded sensitive system information via a network request. The vulnerability is classified under CWE-497, meaning internally sensitive data is reachable from an unauthorized control sphere - in this case, the open internet without credentials. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation probability from EPSS data was not provided, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms this is trivially reachable from any network source.

Information Disclosure Wp Emember
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

WP eMember through version 10.2.2 contains an authorization bypass flaw that allows unauthenticated remote attackers to circumvent access control restrictions and view protected content. The vulnerability stems from improper validation of security level configurations, enabling unauthorized information disclosure without user interaction. No patch is currently available for this issue.

Authentication Bypass Wp Emember
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

A reflected cross-site scripting (XSS) vulnerability exists in the WP eMember WordPress plugin by Tips and Tricks HQ, affecting all versions up to and including 10.2.2. An attacker can craft malicious URLs that, when clicked by authenticated users, execute arbitrary JavaScript in the victim's browser context. This vulnerability has been publicly disclosed by Patchstack with no indication of active exploitation in the wild or KEV listing at this time.

XSS Wp Emember
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 6.8
MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
EPSS 0% CVSS 7.1
HIGH POC This Week

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
EPSS 1% CVSS 8.8
HIGH POC This Week

The wp-eMember WordPress plugin before 10.6.6 does not validate files to be uploaded, which could allow admins to upload arbitrary files such as PHP on the server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP File Upload +1
NVD WPScan
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape some of the fields when members register, which allows unauthenticated users to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
EPSS 0% CVSS 6.8
MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS CSRF +1
NVD WPScan
EPSS 0% CVSS 8.8
HIGH POC This Week

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress CSRF Wp Emember
NVD WPScan
EPSS 0% CVSS 5.9
MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
EPSS 0% CVSS 5.4
MEDIUM POC This Month

The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan
EPSS 0% CVSS 8.3
HIGH POC This Week

The wp-eMember WordPress plugin before 10.3.9 does not sanitize and escape the "fieldId" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Emember
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy