CVE-2024-47640 – WordPress WP ERP plugin <= 1.13.2 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-47640
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in weDevs WP ERP allows Reflected XSS. This issue affects WP ERP: from n/a through 1.13.2. The WP ERP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/erp/wordpress-wp-erp-plugin-1-13-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-45765 – WP ERP <= 1.12.6 - Missing Authorization via admin notice dismissal
https://notcve.org/view.php?id=CVE-2023-45765
The WP ERP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple admin notice dismissal functions in versions up to, and including, 1.12.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss admin notifications. • CWE-862: Missing Authorization •
CVE-2022-3944 – jerryhanjj ERP Commodity Management inventory.php uploadImages unrestricted upload
https://notcve.org/view.php?id=CVE-2022-3944
A vulnerability was found in jerryhanjj ERP. It has been declared as critical. Affected by this vulnerability is the function uploadImages of the file application/controllers/basedata/inventory.php of the component Commodity Management. The manipulation leads to unrestricted upload. The attack can be launched remotely. • https://github.com/jerryhanjj/ERP/issues/3 https://vuldb.com/?id.213451 • CWE-266: Incorrect Privilege Assignment CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2022-3118 – Sourcecodehero ERP System Project processlogin.php sql injection
https://notcve.org/view.php?id=CVE-2022-3118
A vulnerability was found in Sourcecodehero ERP System Project. It has been rated as critical. This issue affects some unknown processing of the file /pages/processlogin.php. The manipulation of the argument user leads to sql injection. The attack may be initiated remotely. • https://s2.loli.net/2022/09/02/N4FESXldmKWvQOw.png https://vuldb.com/?id.207845 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-28930
https://notcve.org/view.php?id=CVE-2022-28930
ERP-Pro v3.7.5 was discovered to contain a SQL injection vulnerability via the component /base/SysEveMenuAuthPointMapper.xml. • https://gitee.com/doc_wei01/erp-pro/issues/I515R4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •