Vendor CVEs
Thimpress
All CVEs
78 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-47448 | Med | 0.28 | 4.3 | 0.00 | May 7, 2025 | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery.This issue affects WP Hotel Booking: from n/a through <= 2.1.9. | ||
| CVE-2024-6088 | Med | 0.28 | 5.3 | 0.01 | Jul 2, 2024 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to… | ||
| CVE-2024-4444 | Med | 0.28 | 5.3 | 0.01 | May 14, 2024 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated… | ||
| CVE-2020-36757 | Med | 0.28 | 4.3 | 0.00 | Jul 12, 2023 | The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.1. This is due to missing or incorrect nonce validation on the admin_add_order_item() function. This makes it possible for unauthenticated attackers to… | ||
| CVE-2024-6099 | Med | 0.27 | 5.3 | 0.00 | Jul 2, 2024 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible… | ||
| CVE-2023-6223 | Med | 0.21 | 4.3 | 0.00 | Jan 11, 2024 | The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for… | ||
| CVE-2024-7855 | 0.05 | — | 0.15 | Oct 2, 2024 | The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and… | |||
| CVE-2024-13128 | 0.00 | — | 0.00 | May 15, 2025 | The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in… | |||
| CVE-2024-13127 | 0.00 | — | 0.00 | May 15, 2025 | The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in… | |||
| CVE-2024-13599 | 0.00 | — | 0.00 | Jan 25, 2025 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated… | |||
| CVE-2024-13447 | 0.00 | — | 0.00 | Jan 22, 2025 | The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with… | |||
| CVE-2024-12370 | 0.00 | — | 0.00 | Jan 17, 2025 | The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices. | |||
| CVE-2024-9881 | 0.00 | — | 0.00 | Dec 12, 2024 | The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite… | |||
| CVE-2024-10010 | 0.00 | — | 0.00 | Dec 12, 2024 | The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite… | |||
| CVE-2024-12283 | 0.00 | — | 0.00 | Dec 11, 2024 | The WP Pipes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘x1’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject… | |||
| CVE-2024-39641 | 0.00 | — | 0.00 | Aug 26, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.6.8.2. | |||
| CVE-2024-6589 | 0.00 | — | 0.01 | Jul 25, 2024 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.6.8.2 via the 'render_content_block_template' function. This makes it possible for authenticated attackers, with Contributor-level access… | |||
| CVE-2023-36515 | 0.00 | — | 0.00 | Jun 19, 2024 | Missing Authorization vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.3. | |||
| CVE-2023-36516 | 0.00 | — | 0.00 | Jun 19, 2024 | Missing Authorization vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.3. | |||
| CVE-2024-35697 | 0.00 | — | 0.00 | Jun 8, 2024 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ThimPress Eduma allows Reflected XSS.This issue affects Eduma: from n/a through 5.4.7. | |||
| CVE-2023-40009 | 0.00 | — | 0.00 | Oct 3, 2023 | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Pipes plugin <= 1.4.0 versions. | |||
| CVE-2022-45355 | 0.00 | — | 0.01 | Mar 29, 2023 | Auth. (admin+) SQL Injection (SQLi) vulnerability in ThimPress WP Pipes plugin <= 1.33 versions. | |||
| CVE-2021-36852 | 0.00 | — | 0.00 | Aug 22, 2022 | Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress. | |||
| CVE-2022-29443 | 0.00 | — | 0.00 | Jun 15, 2022 | Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Nicdark's Hotel Booking plugin <= 3.0 at WordPress. | |||
| CVE-2021-39348 | 0.00 | — | 0.05 | Oct 21, 2021 | The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web… | |||
| CVE-2018-16174 | 0.00 | — | 0.01 | Jan 9, 2019 | Open redirect vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||
| CVE-2018-16175 | 0.00 | — | 0.01 | Jan 9, 2019 | SQL injection vulnerability in the LearnPress prior to version 3.1.0 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2018-16173 | 0.00 | — | 0.01 | Jan 9, 2019 | Cross-site scripting vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
- risk 0.28cvss 4.3epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery.This issue affects WP Hotel Booking: from n/a through <= 2.1.9.
- risk 0.28cvss 5.3epss 0.01
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized user registration due to a missing capability check on the 'register' function in all versions up to, and including, 4.2.6.8.1. This makes it possible for unauthenticated attackers to…
- risk 0.28cvss 5.3epss 0.01
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 4.2.6.5. This is due to missing checks in the 'create_account' function in the checkout. This makes it possible for unauthenticated…
- risk 0.28cvss 4.3epss 0.00
The WP Hotel Booking plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.10.1. This is due to missing or incorrect nonce validation on the admin_add_order_item() function. This makes it possible for unauthenticated attackers to…
- risk 0.27cvss 5.3epss 0.00
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'check_validate_fields' function in the checkout. This makes it possible…
- risk 0.21cvss 4.3epss 0.00
The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for…
- CVE-2024-7855Oct 2, 2024risk 0.05cvss —epss 0.15
The WP Hotel Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_review() function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with subscriber-level access and…
- CVE-2024-13128May 15, 2025risk 0.00cvss —epss 0.00
The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…
- CVE-2024-13127May 15, 2025risk 0.00cvss —epss 0.00
The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in…
- CVE-2024-13599Jan 25, 2025risk 0.00cvss —epss 0.00
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated…
- CVE-2024-13447Jan 22, 2025risk 0.00cvss —epss 0.00
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and including, 2.1.6. This makes it possible for authenticated attackers, with…
- CVE-2024-12370Jan 17, 2025risk 0.00cvss —epss 0.00
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.
- CVE-2024-9881Dec 12, 2024risk 0.00cvss —epss 0.00
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…
- CVE-2024-10010Dec 12, 2024risk 0.00cvss —epss 0.00
The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…
- CVE-2024-12283Dec 11, 2024risk 0.00cvss —epss 0.00
The WP Pipes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘x1’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…
- CVE-2024-39641Aug 26, 2024risk 0.00cvss —epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.6.8.2.
- CVE-2024-6589Jul 25, 2024risk 0.00cvss —epss 0.01
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.6.8.2 via the 'render_content_block_template' function. This makes it possible for authenticated attackers, with Contributor-level access…
- CVE-2023-36515Jun 19, 2024risk 0.00cvss —epss 0.00
Missing Authorization vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.3.
- CVE-2023-36516Jun 19, 2024risk 0.00cvss —epss 0.00
Missing Authorization vulnerability in ThimPress LearnPress.This issue affects LearnPress: from n/a through 4.2.3.
- CVE-2024-35697Jun 8, 2024risk 0.00cvss —epss 0.00
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ThimPress Eduma allows Reflected XSS.This issue affects Eduma: from n/a through 5.4.7.
- CVE-2023-40009Oct 3, 2023risk 0.00cvss —epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Pipes plugin <= 1.4.0 versions.
- CVE-2022-45355Mar 29, 2023risk 0.00cvss —epss 0.01
Auth. (admin+) SQL Injection (SQLi) vulnerability in ThimPress WP Pipes plugin <= 1.33 versions.
- CVE-2021-36852Aug 22, 2022risk 0.00cvss —epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking plugin <= 1.10.5 at WordPress.
- CVE-2022-29443Jun 15, 2022risk 0.00cvss —epss 0.00
Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in Nicdark's Hotel Booking plugin <= 3.0 at WordPress.
- CVE-2021-39348Oct 21, 2021risk 0.00cvss —epss 0.05
The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file which allowed attackers with administrative user access to inject arbitrary web…
- CVE-2018-16174Jan 9, 2019risk 0.00cvss —epss 0.01
Open redirect vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
- CVE-2018-16175Jan 9, 2019risk 0.00cvss —epss 0.01
SQL injection vulnerability in the LearnPress prior to version 3.1.0 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.
- CVE-2018-16173Jan 9, 2019risk 0.00cvss —epss 0.01
Cross-site scripting vulnerability in LearnPress prior to version 3.1.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Page 2 of 2