Tipsandtricks Hq

All CVEs

30 total · sorted by risk
  • CVE-2022-3898 · High · Nov 29, 2022
    risk 0.57 · cvss 8.8 · epss 0.00

    The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliates_menu method. This makes it possible for…

  • CVE-2021-24711 · High · Oct 11, 2021
    risk 0.57 · cvss 8.8 · epss 0.01

    The del_reistered_domains AJAX action of the Software License Manager WordPress plugin before 4.5.1 does not have any CSRF checks, and is vulnerable to a CSRF attack

  • CVE-2021-20782 · High · Jul 14, 2021
    risk 0.57 · cvss 8.8 · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors.

  • CVE-2026-28073 · High · Mar 19, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS. This issue affects WP eMember: from n/a through v10.2.2.

  • CVE-2022-47588 · Medium · Nov 3, 2023
    risk 0.44 · cvss 6.7 · epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tips and Tricks HQ, Peter Petreski Simple Photo Gallery simple-photo-gallery allows SQL Injection. This issue affects Simple Photo Gallery: from n/a through v1.8.1.

  • CVE-2025-22661 · Medium · Jan 21, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vcita Online Payments – Get Paid with PayPal, Square & Stripe paypal-payment-button-by-vcita allows Stored XSS. This issue affects Online Payments – Get Paid with PayPal,…

  • CVE-2022-44737 · Medium · Nov 22, 2022
    risk 0.42 · cvss 6.5 · epss 0.00

    Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Security (AIOS) – Security and Firewall (WordPress plugin) <= 5.1.0 on WordPress.

  • CVE-2022-3896 · Medium · Nov 29, 2022
    risk 0.40 · cvss 6.1 · epss 0.01

    The WP Affiliate Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_SERVER["REQUEST_URI"] in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…

  • CVE-2021-24560 · Medium · Sep 13, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    The Software License Manager WordPress plugin before 4.4.8 does not sanitise or escape the edit_record parameter before outputting it back in the page in the admin dashboard, leading to a Reflected Cross-Site Scripting issue

  • CVE-2023-22685 · Medium · May 12, 2023
    risk 0.38 · cvss 5.9 · epss 0.00

    Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tips and Tricks HQ, Ruhul Amin Category Specific RSS feed Subscription plugin <= v2.2 versions.

  • CVE-2022-3897 · Medium · Nov 29, 2022
    risk 0.36 · cvss 5.5 · epss 0.01

    The WP Affiliate Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in versions up to, and including, 6.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2026-28070 · Medium · Mar 19, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP eMember: from n/a through v10.2.2.

  • CVE-2023-6497 · Medium · Jan 27, 2024
    risk 0.29 · cvss 4.4 · epss 0.00

    The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automatic redirect URL setting in all versions up to and including 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2023-22691 · Medium · May 3, 2023
    risk 0.28 · cvss 4.3 · epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Tips and Tricks HQ, Ruhul Amin Category Specific RSS feed Subscription plugin <= v2.1 versions.

  • CVE-2023-52147 · Low · Jun 4, 2024
    risk 0.24 · cvss 3.7 · epss 0.00

    Exposure of Sensitive Information to an Unauthorized Actor vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects All In One WP Security & Firewall: from n/a…

  • CVE-2014-6242 · Oct 2, 2014
    risk 0.03 · cvss · epss 0.04

    Multiple SQL injection vulnerabilities in the All In One WP Security & Firewall plugin before 3.8.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) orderby or (2) order parameter in the aiowpsec page to wp-admin/admin.php. NOTE: this…

  • CVE-2024-11895 · Feb 18, 2025
    risk 0.00 · cvss · epss 0.00

    The Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied…

  • CVE-2024-5081 · Aug 5, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

  • CVE-2024-5744 · Jul 13, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-eMember WordPress plugin before 10.6.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

  • CVE-2024-5715 · Jul 13, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

  • CVE-2024-5287 · Jul 13, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in user change them via a CSRF attack

  • CVE-2024-5286 · Jul 13, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

  • CVE-2024-5282 · Jul 13, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-affiliate-platform WordPress plugin before 6.5.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

  • CVE-2024-5076 · Jul 13, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

  • CVE-2024-5075 · Jul 13, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

  • CVE-2024-5074 · Jul 13, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-eMember WordPress plugin before 10.6.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

  • CVE-2024-4749 · Jun 4, 2024
    risk 0.00 · cvss · epss 0.00

    The wp-eMember WordPress plugin before 10.3.9 does not sanitize and escape the "fieldId" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

  • CVE-2015-0895 · Mar 7, 2015
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the All In One WP Security & Firewall plugin before 3.9.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete logs of 404 (aka Not Found) HTTP status codes.

  • CVE-2015-0894 · Mar 7, 2015
    risk 0.00 · cvss · epss 0.02

    SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2013-2705 · May 13, 2014
    risk 0.00 · cvss · epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the WordPress Simple Paypal Shopping Cart plugin before 3.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings.