
CVSS: 9.8 • EPSS: 2% • CPEs: 3 • EXPL: 1

The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST routes (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection.

• https://wpscan.com/vulnerability/6c25a5f0-a137-4ea5-9422-8ae393d7b76b
• https://www.paidmembershipspro.com/pmpro-update-2-6-7-security-release
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to Reflected Cross-Site Scripting.

• https://plugins.trac.wordpress.org/changeset/2632369/paid-memberships-pro/tags/2.6.6/adminpages/discountcodes.php
• https://wpscan.com/vulnerability/fc011990-4ec1-4553-901d-4ff1f482cb79
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

SQL injection vulnerability in Paid Memberships Pro versions prior to 2.5.6 allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.

• https://jvn.jp/en/jp/JVN08191557/index.html
• https://wordpress.org/plugins/paid-memberships-pro
• https://www.paidmembershipspro.com/pmpro-update-2-5-6
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')