Vendor: finance.js

Products: 1
CVEs: 4
Across products: 4
Status: Private

Recent CVEs (4)

  • CVE-2024-13097 | Med | Feb 1, 2025
    risk 0.35 | cvss 5.4 | epss 0.01

    The WP Finance WordPress plugin through 1.3.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

  • CVE-2024-13096 | Med | Feb 1, 2025
    risk 0.30 | cvss 4.6 | epss 0.00

    The WP Finance WordPress plugin through 1.3.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

  • CVE-2025-56571 | Sep 30, 2025
    risk 0.00 | cvss | epss 0.00

    Finance.js v4.1.0 contains a Denial of Service (DoS) vulnerability via the IRR function’s depth parameter. Improper handling of the recursion/iteration limit can lead to excessive CPU usage, causing application stalls or crashes.

  • CVE-2025-56572 | Sep 30, 2025
    risk 0.00 | cvss | epss 0.01

    An issue in finance.js v.4.1.0 allows a remote attacker to cause a denial of service via the seekZero() parameter.