CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-10547 – WP Membership <= 1.6.2 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-10547
08 Nov 2024 — The WP Membership plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the user_profile_image_upload() function in all versions up to, and including, 1.6.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/wp-membership/10066554 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 11EXPL: 1CVE-2020-36666 – Multiple e-plugins - Subscriber+ Privilege Escalation
https://notcve.org/view.php?id=CVE-2020-36666
06 Mar 2023 — The directory-pro WordPress plugin before 1.9.5, final-user-wp-frontend-user-profiles WordPress plugin before 1.2.2, producer-retailer WordPress plugin through TODO, photographer-directory WordPress plugin before 1.0.9, real-estate-pro WordPress plugin before 1.7.1, institutions-directory WordPress plugin before 1.3.1, lawyer-directory WordPress plugin before 1.2.9, doctor-listing WordPress plugin before 1.3.6, Hotel Listing WordPress plugin before 1.3.7, fitness-trainer WordPress plugin before 1.4.1, wp-me... • https://codecanyon.net/user/e-plugins • CWE-266: Incorrect Privilege Assignment •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2015-4039 – WP Membership <= 1.2.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-4039
21 May 2015 — Multiple cross-site scripting (XSS) vulnerabilities in the WP Membership plugin 1.2.3 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via unspecified (1) profile fields or (2) new post content. NOTE: CVE-2015-4038 can be used to bypass the administrator confirmation step for vector 2. Múltiples vulnerabilidades de tipo cross-site scripting (XSS) en el plugin WP Membership versión 1.2.3 para WordPress, permiten a usuarios autenticados remotos inyectar script web o HTML a... • https://packetstorm.news/files/id/132011 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •