CVE-2020-5579 – Paid Memberships Pro < 2.3.3 - Authenticated SQL Injection
https://notcve.org/view.php?id=CVE-2020-5579
SQL injection vulnerability in Paid Memberships versions prior to 2.3.3 allows an attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. The vulnerable parameter is 'discount_code_id' in ~/adminpages/orders.php.
References:
https://jvn.jp/en/jp/JVN20248858/index.html
https://www.paidmembershipspro.com/pmpro-update-2-3-3-security-release
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-5532 – Paid Memberships Pro < 1.8.4.3 - Multiple Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-5532
Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to membershiplevels.php, (2) memberslist.php, or (3) orders.php in adminpages/, or the (4) edit parameter to adminpages/membershiplevels.php. WordPress Paid Memberships Pro plugin version 1.8.4.2 suffers from a cross-site scripting vulnerability.
References:
http://packetstormsecurity.com/files/132812/WordPress-Paid-Memberships-Pro-1.8.4.2-Cross-Site-Scripting.html
http://www.paidmembershipspro.com/2015/07/pmpro-updates-1-8-4-3-and-1-8-4-4
http://www.securityfocus.com/archive/1/536057/100/0/threaded
https://github.com/strangerstudios/paid-memberships-pro/commit/add03e3ed90e9163e5a46e20e6c371a87ff5a677
https://wordpress.org/plugins/paid-memberships-pro/#developers
https://wpvulndb.com/vulnerabilities/8109
https://www.htbridge.com/advisory/HTB23264
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-8801 – Paid Memberships Pro < 1.7.15 - Directory Traversal
https://notcve.org/view.php?id=CVE-2014-8801
Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php. Paid Memberships Pro version 1.7.14.2 suffers from a path traversal vulnerability.
References:
https://www.exploit-db.com/exploits/35303
http://packetstormsecurity.com/files/129189/Paid-Memberships-Pro-1.7.14.2-Path-Traversal.html
http://security.szurek.pl/paid-memberships-pro-17142-path-traversal.html
http://www.exploit-db.com/exploits/35303
http://www.paidmembershipspro.com/2014/11/critical-security-update-pmpro-v1-7-15
http://www.securityfocus.com/bid/71293
https://exchange.xforce.ibmcloud.com/vulnerabilities/98805
https://wordpress.org/plugins/paid-memberships-pro/changelog
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')