VYPR

ProfilePress

by WordPress

CVEs (30)

  • CVE-2021-34621 | Critical | Jul 7, 2021
    risk 0.72 | cvss 9.8 | epss 0.69

    A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3.

  • CVE-2021-34624 | Critical | Jul 7, 2021
    risk 0.64 | cvss 9.8 | epss 0.07

    A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 -…

  • CVE-2021-34623 | Critical | Jul 7, 2021
    risk 0.64 | cvss 9.8 | epss 0.02

    A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 -…

  • CVE-2021-34622 | Critical | Jul 7, 2021
    risk 0.64 | cvss 9.8 | epss 0.04

    A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects…

  • CVE-2024-9947 | High | Oct 23, 2024
    risk 0.53 | cvss 8.1 | epss 0.01

    The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to…

  • CVE-2026-3453 | High | Mar 11, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout…

  • CVE-2023-23830 | High | May 3, 2023
    risk 0.46 | cvss 7.1 | epss 0.00

    Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions.

  • CVE-2022-45083 | Medium | Jan 19, 2024
    risk 0.43 | cvss 6.6 | epss 0.01

    Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress. This issue affects Paid Membership Plugin, Ecommerce, User Registration Form,…

  • CVE-2026-41556 | Medium | Jun 15, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions.

  • CVE-2024-2867 | Medium | May 2, 2024
    risk 0.42 | cvss 6.4 | epss 0.00

    The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 4.15.4 due to…

  • CVE-2024-1806 | Medium | Mar 13, 2024
    risk 0.42 | cvss 6.4 | epss 0.01

    The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.15.1 due to…

  • CVE-2024-1409 | Medium | Mar 13, 2024
    risk 0.42 | cvss 6.4 | epss 0.00

    The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [reg-select-role] shortcode in all versions up to, and including, 4.15.0…

  • CVE-2024-1570 | Medium | Feb 29, 2024
    risk 0.42 | cvss 6.4 | epss 0.00

    The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login-password shortcode in all versions up to, and including, 4.14.4…

  • CVE-2024-1519 | Medium | Feb 29, 2024
    risk 0.42 | cvss 6.5 | epss 0.01

    The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.14.4 due to insufficient…

  • CVE-2024-1408 | Medium | Feb 29, 2024
    risk 0.42 | cvss 6.4 | epss 0.01

    The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including,…

  • CVE-2023-23820 | Medium | May 3, 2023
    risk 0.42 | cvss 6.5 | epss 0.00

    Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions.

  • CVE-2021-24522 | Medium | Aug 9, 2021
    risk 0.40 | cvss 6.1 | epss 0.01

    The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the…

  • CVE-2023-23996 | Medium | Apr 6, 2023
    risk 0.38 | cvss 5.9 | epss 0.00

    Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.3 versions.

  • CVE-2022-4698 | Medium | Dec 23, 2022
    risk 0.36 | cvss 5.5 | epss 0.01

    The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several form fields in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2022-4697 | Medium | Dec 23, 2022
    risk 0.36 | cvss 5.5 | epss 0.01

    The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_user_cover_default_image_url’ parameter in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…

Page 1 of 2