finance.js
by finance.js
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-13097 | | Med | 0.35 | 5.4 | 0.01 | | Feb 1, 2025 | The WP Finance WordPress plugin through 1.3.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2024-13096 | | Med | 0.30 | 4.6 | 0.00 | | Feb 1, 2025 | The WP Finance WordPress plugin through 1.3.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. |
| CVE-2025-56571 | | | 0.00 | — | 0.00 | | Sep 30, 2025 | Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function's depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes. |
| CVE-2025-56572 | | | 0.00 | — | 0.01 | | Sep 30, 2025 | An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter. |