CVSS: 9.8EPSS: 11%CPEs: 1EXPL: 2CVE-2025-2563 – User Registration & Membership < 4.1.2- Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-2563
24 Mar 2025 — The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges The User Registration & Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 4.1.1. This is due to insufficient restrictions on role type in the 'prepare_members_data()' function. This makes it possible for un... • https://github.com/ubaydev/CVE-2025-2563 • CWE-269: Improper Privilege Management •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-13119 – ProfilePress < 4.15.20 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-13119
23 Jan 2025 — The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for ... • https://wpscan.com/vulnerability/32600a45-a8cd-446c-9aa2-0621a02a9754 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-13120 – ProfilePress < 4.15.20 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-13120
23 Jan 2025 — The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for ... • https://wpscan.com/vulnerability/5b70798c-c30d-42e6-ac72-821c5568b9b5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-13121 – Paid Membership Plugin < 4.15.20 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-13121
23 Jan 2025 — The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for ... • https://wpscan.com/vulnerability/59ee8fe5-4820-4d52-b17a-7044631c40c1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10517 – ProfilePress < 4.15.15 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-10517
21 Nov 2024 — The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – Profil... • https://wpscan.com/vulnerability/f7c3a990-458e-4e15-b427-0b37de120740 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10518 – ProfilePress < 4.15.15 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-10518
21 Nov 2024 — The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfileP... • https://wpscan.com/vulnerability/a1e5ad16-6240-4920-888a-36fbac22cc71 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-1290 – Formidable Registration < 2.12 - Contributor+ Arbitrary User Password Reset To Account Takeover
https://notcve.org/view.php?id=CVE-2024-1290
19 Feb 2024 — The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts. El complemento User Registration de WordPress anterior a 2.12 no impide que los usuarios con al menos el rol de colaborador muestren códigos cortos confidenciales, lo que les permite generar y filtrar URL válidas para restablecer contraseñas, que pueden us... • https://wpscan.com/vulnerability/a60187d4-9491-435a-bc36-8dd348a1ffa3 • CWE-862: Missing Authorization •