CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24979 – Paid Memberships Pro < 2.6.6 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24979
The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting El plugin Paid Memberships Pro de WordPress versiones anteriores a 2.6.6, no escapa del parámetro s antes de devolverlo a un atributo en una página de administración, conllevando a un problema de tipo Cross-Site Scripting Reflejado • https://plugins.trac.wordpress.org/changeset/2632369/paid-memberships-pro/tags/2.6.6/adminpages/discountcodes.php https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20678 – Paid Memberships Pro <= 2.5.5 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2021-20678
SQL injection vulnerability in the Paid Memberships Pro versions prior to 2.5.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors. Una vulnerabilidad de inyección SQL en las versiones de Paid Memberships Pro anteriores a 2.5.6, permite a atacantes autenticados remotamente ejecutar comandos SQL arbitrarios por medio de vectores no especificados • https://jvn.jp/en/jp/JVN08191557/index.html https://wordpress.org/plugins/paid-memberships-pro https://www.paidmembershipspro.com/pmpro-update-2-5-6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2020-36754 – Paid Memberships Pro <= 2.4.2 - Cross-Site Request Forgery Bypass
https://notcve.org/view.php?id=CVE-2020-36754
The Paid Memberships Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.2. This is due to missing or incorrect nonce validation on the pmpro_page_save() function. This makes it possible for unauthenticated attackers to save pages via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. El complemento Paid Memberships Pro para WordPress es vulnerable a Cross-Site Request Forgery (CSRF) en versiones hasta la 2.4.2 incluida. Esto se debe a una validación nonce faltante o incorrecta en la función pmpro_page_save(). • https://blog.nintechnet.com/25-wordpress-plugins-vulnerable-to-csrf-attacks https://blog.nintechnet.com/more-wordpress-plugins-and-themes-vulnerable-to-csrf-attacks https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-1 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-2 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-3 https://blog.nintechnet.com/multiple-wordpress-plugins-fixed-csrf-vulnerabilities-part-4 https://blo • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2020-5579 – Paid Memberships Pro < 2.3.3 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2020-5579
SQL injection vulnerability in the Paid Memberships versions prior to 2.3.3 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. Una vulnerabilidad de inyección SQL en el Paid Memberships versiones anteriores a 2.3.3, permite a atacantes con derechos de administrador ejecutar comandos SQL arbitrarios por medio de vectores no especificados. SQL injection vulnerability in the Paid Memberships versions prior to 2.3.3 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. The 'discount_code_id' found in the ~/adminpages/orders.php is the specific parameter that is vulnerable. • https://jvn.jp/en/jp/JVN20248858/index.html https://www.paidmembershipspro.com/pmpro-update-2-3-3-security-release • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2015-5532 – Paid Memberships Pro < 1.8.4.3 - Multiple Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-5532
Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to membershiplevels.php, (2) memberslist.php, or (3) orders.php in adminpages/ or the (4) edit parameter to adminpages/membershiplevels.php. Múltiples vulnerabilidades Cross-Site Scripting (XSS) en el plugin Paid Memberships Pro (PMPro) plugin en versiones anteriores a la 1.8.4.3 para WordPress permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante (1) el parámetro s en membershiplevels.php, (2) memberslist.php o (3) orders.php en adminpages/ o (4) el parámetro edit en adminpages/membershiplevels.php. WordPress Paid Memberships Pro plugin version 1.8.4.2 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/132812/WordPress-Paid-Memberships-Pro-1.8.4.2-Cross-Site-Scripting.html http://www.paidmembershipspro.com/2015/07/pmpro-updates-1-8-4-3-and-1-8-4-4 http://www.securityfocus.com/archive/1/536057/100/0/threaded https://github.com/strangerstudios/paid-memberships-pro/commit/add03e3ed90e9163e5a46e20e6c371a87ff5a677 https://wordpress.org/plugins/paid-memberships-pro/#developers https://wpvulndb.com/vulnerabilities/8109 https://www.htbridge.com/advisory/HTB23264 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •