Profilepress
by WordPress
Source repositories
CVEs (30)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-34621 | Cri | 0.72 | 9.8 | 0.69 | Jul 7, 2021 | A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. . | ||
| CVE-2021-34624 | Cri | 0.64 | 9.8 | 0.07 | Jul 7, 2021 | A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 -… | ||
| CVE-2021-34623 | Cri | 0.64 | 9.8 | 0.02 | Jul 7, 2021 | A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 -… | ||
| CVE-2021-34622 | Cri | 0.64 | 9.8 | 0.04 | Jul 7, 2021 | A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects… | ||
| CVE-2024-9947 | Hig | 0.53 | 8.1 | 0.01 | Oct 23, 2024 | The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to… | ||
| CVE-2026-3453 | Hig | 0.46 | 8.1 | 0.00 | Mar 11, 2026 | The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout… | ||
| CVE-2023-23830 | Hig | 0.46 | 7.1 | 0.00 | May 3, 2023 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions. | ||
| CVE-2022-45083 | Med | 0.43 | 6.6 | 0.01 | Jan 19, 2024 | Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, User Registration Form,… | ||
| CVE-2026-41556 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions. | ||
| CVE-2024-2867 | Med | 0.42 | 6.4 | 0.00 | May 2, 2024 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 4.15.4 due to… | ||
| CVE-2024-1806 | Med | 0.42 | 6.4 | 0.01 | Mar 13, 2024 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.15.1 due to… | ||
| CVE-2024-1409 | Med | 0.42 | 6.4 | 0.00 | Mar 13, 2024 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [reg-select-role] shortcode in all versions up to, and including, 4.15.0… | ||
| CVE-2024-1570 | Med | 0.42 | 6.4 | 0.00 | Feb 29, 2024 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login-password shortcode in all versions up to, and including, 4.14.4… | ||
| CVE-2024-1519 | Med | 0.42 | 6.5 | 0.01 | Feb 29, 2024 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.14.4 due to insufficient… | ||
| CVE-2024-1408 | Med | 0.42 | 6.4 | 0.01 | Feb 29, 2024 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including,… | ||
| CVE-2023-23820 | Med | 0.42 | 6.5 | 0.00 | May 3, 2023 | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions. | ||
| CVE-2021-24522 | Med | 0.40 | 6.1 | 0.01 | Aug 9, 2021 | The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the… | ||
| CVE-2023-23996 | Med | 0.38 | 5.9 | 0.00 | Apr 6, 2023 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.3 versions. | ||
| CVE-2022-4698 | Med | 0.36 | 5.5 | 0.01 | Dec 23, 2022 | The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several form fields in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with… | ||
| CVE-2022-4697 | Med | 0.36 | 5.5 | 0.01 | Dec 23, 2022 | The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_user_cover_default_image_url’ parameter in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated… |
- risk 0.72cvss 9.8epss 0.69
A vulnerability in the user registration component found in the ~/src/Classes/RegistrationAuth.php file of the ProfilePress WordPress plugin made it possible for users to register on sites as an administrator. This issue affects versions 3.0.0 - 3.1.3. .
- risk 0.64cvss 9.8epss 0.07
A vulnerability in the file uploader component found in the ~/src/Classes/FileUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 -…
- risk 0.64cvss 9.8epss 0.02
A vulnerability in the image uploader component found in the ~/src/Classes/ImageUploader.php file of the ProfilePress WordPress plugin made it possible for users to upload arbitrary files during user registration or during profile updates. This issue affects versions 3.0.0 -…
- risk 0.64cvss 9.8epss 0.04
A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects…
- risk 0.53cvss 8.1epss 0.01
The ProfilePress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.11.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to…
- risk 0.46cvss 8.1epss 0.00
The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the change_plan_sub_id parameter in the process_checkout() function. The ppress_process_checkout…
- risk 0.46cvss 7.1epss 0.00
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions.
- risk 0.43cvss 6.6epss 0.01
Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, User Registration Form,…
- risk 0.42cvss 6.5epss 0.00
Subscriber Cross Site Scripting (XSS) in ProfilePress <= 4.16.13 versions.
- risk 0.42cvss 6.4epss 0.00
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 4.15.4 due to…
- risk 0.42cvss 6.4epss 0.01
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.15.1 due to…
- risk 0.42cvss 6.4epss 0.00
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [reg-select-role] shortcode in all versions up to, and including, 4.15.0…
- risk 0.42cvss 6.4epss 0.00
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login-password shortcode in all versions up to, and including, 4.14.4…
- risk 0.42cvss 6.5epss 0.01
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.14.4 due to insufficient…
- risk 0.42cvss 6.4epss 0.01
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's edit-profile-text-box shortcode in all versions up to, and including,…
- risk 0.42cvss 6.5epss 0.00
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.4 versions.
- risk 0.40cvss 6.1epss 0.01
The User Registration, User Profile, Login & Membership – ProfilePress (Formerly WP User Avatar) WordPress plugin before 3.1.11's widget for tabbed login/register was not properly escaped and could be used in an XSS attack which could lead to wp-admin access. Further, the…
- risk 0.38cvss 5.9epss 0.00
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in ProfilePress Membership Team ProfilePress plugin <= 4.5.3 versions.
- risk 0.36cvss 5.5epss 0.01
The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several form fields in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
- risk 0.36cvss 5.5epss 0.01
The ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_user_cover_default_image_url’ parameter in versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…
Page 1 of 2