VYPR

Paid Membership

by WordPress


CVEs (9)

  • CVE-2025-31075 | Med | Mar 28, 2025
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in videowhisper MicroPayments paid-membership allows Stored XSS. This issue affects MicroPayments: from n/a through <= 2.9.29.

  • CVE-2024-13391 | Med | Jan 18, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_content_upload_guest' shortcode in all versions up to, and including, 2.9.29 due to…

  • CVE-2023-23488 | Jan 20, 2023
    risk 0.03 | cvss n/a | epss 0.92

    The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.

  • CVE-2024-13120 | Feb 13, 2025
    risk 0.00 | cvss n/a | epss 0.00

    The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site…

  • CVE-2024-1279 | Mar 11, 2024
    risk 0.00 | cvss n/a | epss 0.01

    The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent users with at least the contributor role from leaking other users' sensitive metadata.

  • CVE-2023-0631 | Mar 20, 2023
    risk 0.00 | cvss n/a | epss 0.60

    The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.

  • CVE-2022-4830 | Feb 13, 2023
    risk 0.00 | cvss n/a | epss 0.65

    The Paid Memberships Pro WordPress plugin before 2.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be…

  • CVE-2022-27629 | Apr 20, 2022
    risk 0.00 | cvss n/a | epss 0.01

    Cross-site request forgery (CSRF) vulnerability in 'MicroPayments - Paid Author Subscriptions, Content, Downloads, Membership' versions prior to 1.9.6 allows a remote unauthenticated attacker to hijack the authentication of an administrator and perform unintended operation via…

  • CVE-2021-25114 | Feb 7, 2022
    risk 0.00 | cvss n/a | epss 0.82

    The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST routes (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection.