ERP
by WordPress
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-2705 | | High | 0.47 | 7.3 | 0.00 | | Mar 24, 2025 | A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The… |
| CVE-2025-67546 | | Med | 0.42 | 6.5 | 0.00 | | Dec 18, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs WP ERP erp allows Retrieve Embedded Sensitive Data. This issue affects WP ERP: from n/a through <= 1.16.6. |
| CVE-2025-2706 | | Med | 0.41 | 6.3 | 0.00 | | Mar 24, 2025 | A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely.… |
| CVE-2025-63008 | | Med | 0.27 | 5.3 | 0.00 | | Dec 9, 2025 | Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through <= 1.16.7. |
| CVE-2023-2744 | | | 0.02 | — | 0.03 | | Jun 27, 2023 | The ERP WordPress plugin before 1.12.4 does not properly sanitise and escape the `type` parameter in the `erp/v1/accounting/v1/people` REST API endpoint before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin. |
| CVE-2023-2743 | | | 0.00 | — | 0.00 | | Jun 27, 2023 | The ERP WordPress plugin before 1.12.4 does not sanitise and escape the employee_name parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2022-34001 | | | 0.00 | — | 0.01 | | Jul 19, 2022 | Unit4 ERP through 7.9 allows XXE via ExecuteServerProcessAsynchronously. |
| CVE-2021-30112 | | | 0.00 | — | 0.01 | | Apr 8, 2021 | Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a student_leave_application request through module/core/studentleaveapplication/create. The application fails to validate the CSRF token for a POST request… |
| CVE-2021-30114 | | | 0.00 | — | 0.01 | | Apr 8, 2021 | Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vulnerability that allows a remote attacker to create a voucher payment request through module/accounting/voucher/create. The application fails to validate the CSRF token for a POST request using admin privilege. |