CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0913 – WP ERP <= 1.12.9 - Authenticated (Accounting Manager+) SQL Injection
https://notcve.org/view.php?id=CVE-2024-0913
28 Mar 2024 — The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the erp/v1/accounting/v1/transactions/sales REST API endpoint in all versions up to, and including, 1.12.9 due to insufficient escaping on the user supplied status and customer_id parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with accounting manager or admin privileges... • https://plugins.trac.wordpress.org/browser/erp/trunk/modules/accounting/includes/functions/transactions.php#L42 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0952 – WP ERP <= 1.12.9 - Authenticated (Accounting Manager+) SQL Injection via id
https://notcve.org/view.php?id=CVE-2024-0952
28 Mar 2024 — The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in all versions up to, and including, 1.12.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with accounting manager or admin privileges or higher, to append additional SQL queries into already existing qu... • https://plugins.trac.wordpress.org/changeset/3060269/erp/tags/1.13.0/modules/accounting/includes/functions/people.php • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0956 – WP ERP <= 1.12.9 - Authenticated (AccountingManager+) SQL Injection
https://notcve.org/view.php?id=CVE-2024-0956
28 Mar 2024 — The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter via the erp/v1/accounting/v1/vendors/1/products/ REST route in all versions up to, and including, 1.12.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin or accounting manager privileges, to appe... • https://plugins.trac.wordpress.org/browser/erp/trunk/modules/accounting/includes/functions/products.php#L387 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21747 – WordPress WP ERP Plugin <= 1.12.8 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2024-21747
05 Jan 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting.This issue affects WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting: from n/a through 1.12.8. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('inyección SQL') en weDevs WP ERP | Complete HR solution with recruitment... • https://patchstack.com/database/vulnerability/erp/wordpress-wp-erp-plugin-1-12-8-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-6632 – Happy Addons for Elementor <= 3.9.1.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2023-6632
05 Jan 2024 — The Happy Addons for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via DOM in all versions up to and including 3.9.1.1 (versions up to 2.9.1.1 in Happy Addons for Elementor Pro) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. El complemento Happy Addons for Elementor ... • https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/extensions/scroll-to-top.php#L142 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-51676 – WordPress Happy Addons for Elementor Plugin <= 3.9.1.1 is vulnerable to Server Side Request Forgery (SSRF)
https://notcve.org/view.php?id=CVE-2023-51676
27 Dec 2023 — Server-Side Request Forgery (SSRF) vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.9.1.1. Vulnerabilidad de Server-Side Request Forgery (SSRF) en Leevio Happy Addons for Elementor. Este problema afecta a Happy Addons for Elementor: desde n/a hasta 3.9.1.1. The Happy Addons for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to 3.10.0 (exclusive). This makes it possible for authenticated attack... • https://patchstack.com/database/vulnerability/happy-elementor-addons/wordpress-happy-addons-for-elementor-plugin-3-9-1-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49860 – WordPress WP Project Manager Plugin <= 2.6.7 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-49860
07 Dec 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts allows Stored XSS.This issue affects WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts: from n/a through 2.6.7. Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Scripting entre sitios') en weDevs WP ... • https://patchstack.com/database/vulnerability/wedevs-project-manager/wordpress-wp-project-manager-plugin-2-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40003 – WordPress WP Project Manager plugin <= 2.6.7 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-40003
07 Dec 2023 — Missing Authorization vulnerability in weDevs WP Project Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Project Manager: from n/a through 2.6.7. The WP Project Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 2.6.7. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/wordpress/plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-7-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-34383 – WordPress WP Project Manager Plugin <= 2.6.0 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-34383
04 Sep 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP Project Manager wedevs-project-manager allows SQL Injection.This issue affects WP Project Manager: from n/a through 2.6.0. Neutralización inadecuada de elementos especiales utilizados en una vulnerabilidad de comando SQL ('Inyección SQL') en weDevs WP Project Manager wedevs-project-manager permite la inyección SQL. Este problema afecta a WP Project Manager: desde n/a hasta 2.6.0. The WP Project Ma... • https://patchstack.com/database/vulnerability/wedevs-project-manager/wordpress-wp-project-manager-task-team-and-project-management-plugin-featuring-kanban-board-and-gantt-charts-plugin-2-6-0-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41236 – WordPress Happy Elementor Addons Pro Plugin <= 2.8.0 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41236
29 Aug 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Happy addons Happy Elementor Addons Pro plugin <= 2.8.0 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada No Autenticada en Happy addons del complemento Happy Elementor Addons Pro en versiones <= 2.8.0. The Happy Elementor Addons Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via an unknown parameter in versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping. This... • https://patchstack.com/database/vulnerability/happy-elementor-addons-pro/wordpress-happy-elementor-addons-pro-plugin-2-8-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •