CVE-2024-47640 – WordPress WP ERP plugin <= 1.13.2 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-47640
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in weDevs WP ERP allows Reflected XSS.This issue affects WP ERP: from n/a through 1.13.2. The WP ERP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/erp/wordpress-wp-erp-plugin-1-13-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-45765 – WP ERP <= 1.12.6 - Missing Authorization via admin notice dismissal
https://notcve.org/view.php?id=CVE-2023-45765
The WP ERP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple admin notice dismissal function in versions up to, and including, 1.12.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss admin notifications. • CWE-862: Missing Authorization •
CVE-2022-30076 – ENTAB ERP 1.0 - Username PII leak
https://notcve.org/view.php?id=CVE-2022-30076
ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate limiting. ENTAB ERP version 1.0 suffers from a username information leak due to a lack of rate limiting. • https://www.exploit-db.com/exploits/51335 http://packetstormsecurity.com/files/171777/ENTAB-ERP-1.0-Information-Disclosure.html •
CVE-2020-8967 – GESIO SQL injection vulnerability
https://notcve.org/view.php?id=CVE-2020-8967
There is an improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in php files of GESIO ERP. GESIO ERP all versions prior to 11.2 allows malicious users to retrieve all database information. Se presenta una vulnerabilidad de Neutralización inapropiada de Elementos Especiales usados en un comando SQL (SQL Injection) en los archivos php de GESIO ERP. GESIO ERP todas las versiones anteriores a 11.2, permite a usuarios maliciosos recuperar toda la información de la base de datos. • https://www.incibe-cert.es/en/early-warning/security-advisories/gesio-sql-injection-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •