
CVE-2025-30896 – WordPress WP ERP plugin <= 1.13.4 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-30896
27 Mar 2025 — Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through 1.13.4. The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.13.4. This makes it possible for authenticated attackers, with Subscriber-level access and ... • https://patchstack.com/database/wordpress/plugin/erp/vulnerability/wordpress-wp-erp-plugin-1-13-4-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2025-2706 – Digiwin ERP UploadAjaxAPI.ashx unrestricted upload
https://notcve.org/view.php?id=CVE-2025-2706
24 Mar 2025 — A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Rain1er/report/blob/main/THNlcnBf/RCE_5.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-2705 – Digiwin ERP FileUploadApi.ashx DoWebUpload unrestricted upload
https://notcve.org/view.php?id=CVE-2025-2705
24 Mar 2025 — A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Rain1er/report/blob/main/THNlcnBf/RCE_3.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-1646 – Lumsoft ERP ASPX File UploadAjaxAPI.ashx unrestricted upload
https://notcve.org/view.php?id=CVE-2025-1646
25 Feb 2025 — A vulnerability, which was classified as critical, has been found in Lumsoft ERP 8. Affected by this issue is some unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx of the component ASPX File Handler. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Rain1er/report/blob/main/Lserp/fileUpload_3.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-1165 – Lumsoft ERP FileUploadApi.ashx DoWebUpload unrestricted upload
https://notcve.org/view.php?id=CVE-2025-1165
11 Feb 2025 — A vulnerability, which was classified as critical, was found in Lumsoft ERP 8. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Rain1er/report/blob/main/Lserp/fileUpload_1.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-7837 – SQLi in Firmanet Software's ERP
https://notcve.org/view.php?id=CVE-2024-7837
22 Nov 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Firmanet Software ERP allows SQL Injection. This issue affects ERP: through 22.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. • https://www.usom.gov.tr/bildirim/tr-24-1868 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-47640 – WordPress WP ERP plugin <= 1.13.2 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-47640
21 Oct 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in weDevs WP ERP allows Reflected XSS. This issue affects WP ERP: from n/a through 1.13.2. The WP ERP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.13.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully tri... • https://patchstack.com/database/vulnerability/erp/wordpress-wp-erp-plugin-1-13-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-45765 – WordPress WP ERP plugin <= 1.12.6 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2023-45765
12 Oct 2023 — Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through 1.12.6. The WP ERP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple admin notice dismissal functions in versions up to, and including, 1.12.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss admin notifications. • https://patchstack.com/database/wordpress/plugin/erp/vulnerability/wordpress-wp-erp-plugin-1-12-6-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2022-30076 – ENTAB ERP 1.0 - Username PII leak
https://notcve.org/view.php?id=CVE-2022-30076
10 Apr 2023 — ENTAB ERP 1.0 allows attackers to discover users' full names via a brute force attack with a series of student usernames such as s10000 through s20000. There is no rate limiting. ENTAB ERP version 1.0 suffers from a username information leak due to a lack of rate limiting. • https://packetstorm.news/files/id/171777 • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVE-2020-8967 – GESIO SQL injection vulnerability
https://notcve.org/view.php?id=CVE-2020-8967
01 Jun 2020 — There is an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in PHP files of GESIO ERP. GESIO ERP, all versions prior to 11.2, allows malicious users to retrieve all database information. • https://www.incibe-cert.es/en/early-warning/security-advisories/gesio-sql-injection-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •