CVE-2023-50376 – WordPress Simple Membership Plugin <= 4.3.8 is vulnerable to Unauth. Reflected Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-50376
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider Simple Membership allows Reflected XSS. This issue affects Simple Membership: from n/a through 4.3.8.
The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in all versions up to 4.3.9 (exclusive) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• https://patchstack.com/database/vulnerability/simple-membership/wordpress-simple-membership-plugin-4-3-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6882 – Simple Membership <= 4.3.8 - Reflected Cross-Site Scripting Vulnerability via environment_mode
https://notcve.org/view.php?id=CVE-2023-6882
The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environment_mode’ parameter in all versions up to, and including, 4.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
• https://plugins.trac.wordpress.org/changeset/3010737/simple-membership
• https://www.wordfence.com/threat-intel/vulnerabilities/id/366165fe-93e5-49ab-b2e5-1de624f22286?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-41957 – WordPress Simple Membership plugin <= 4.3.4 - Unauthenticated Membership Role Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2023-41957
Improper Privilege Management vulnerability in smp7, wp.Insider Simple Membership allows Privilege Escalation. This issue affects Simple Membership: from n/a through 4.3.4.
The Simple Membership plugin for WordPress is vulnerable to privilege escalation due to missing input validation on the create_swpm_user function in versions up to, and including, 4.3.4. This makes it possible for unauthenticated attackers to register users with arbitrary membership levels.
• https://patchstack.com/database/vulnerability/simple-membership/wordpress-simple-membership-plugin-4-3-4-unauthenticated-membership-role-privilege-escalation-vulnerability?_s_id=cve
• CWE-20: Improper Input Validation
• CWE-269: Improper Privilege Management
CVE-2023-41956 – WordPress Simple Membership plugin <= 4.3.4 - Authenticated Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2023-41956
Improper Authentication vulnerability in smp7, wp.Insider Simple Membership. This issue affects Simple Membership: from n/a through 4.3.4.
The Simple Membership plugin for WordPress is vulnerable to account takeover due to missing input validation on the process_password_reset_using_link function in versions up to, and including, 4.3.4. This makes it possible for authenticated attackers to gain access to arbitrary accounts on the site via the password reset functionality.
• https://patchstack.com/database/vulnerability/simple-membership/wordpress-simple-membership-plugin-4-3-4-authenticated-account-takeover-vulnerability?_s_id=cve
• CWE-20: Improper Input Validation
• CWE-287: Improper Authentication
CVE-2023-4719 – Simple Membership <= 4.3.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-4719
The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter in versions up to, and including, 4.3.5 due to insufficient input sanitization and output escaping. Using this vulnerability, unauthenticated attackers could inject arbitrary web scripts into pages that are being executed if they can successfully trick a user into taking an action, such as clicking a malicious link.
• https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2962730%40simple-membership&new=2962730%40simple-membership&sfp_email=&sfph_mail=
• https://wordpress.org/plugins/simple-membership
• https://www.wordfence.com/threat-intel/vulnerabilities/id/e4b10172-7e54-4ff8-9fbb-41d160ce49e4?source=cve
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')