Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

  1. Reconshell
  2. Vulnerabilities (CVE)
Filtered by vendor Strangerstudios Subscribe
Total 6 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-23488 1 Strangerstudios 1 Paid Memberships Pro 2023-01-26 N/A 9.8 CRITICAL
The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route.
CVE-2021-25114 1 Strangerstudios 1 Paid Memberships Pro 2022-02-10 7.5 HIGH 9.8 CRITICAL
The Paid Memberships Pro WordPress plugin before 2.6.7 does not escape the discount_code in one of its REST route (available to unauthenticated users) before using it in a SQL statement, leading to a SQL injection
CVE-2021-24979 1 Strangerstudios 1 Paid Memberships Pro 2022-01-06 4.3 MEDIUM 6.1 MEDIUM
The Paid Memberships Pro WordPress plugin before 2.6.6 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
CVE-2015-5532 1 Strangerstudios 1 Paid Memberships Pro 2021-04-06 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to membershiplevels.php, (2) memberslist.php, or (3) orders.php in adminpages/ or the (4) edit parameter to adminpages/membershiplevels.php.
CVE-2014-8801 1 Strangerstudios 1 Paid Memberships Pro 2021-03-23 5.0 MEDIUM N/A
Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php.
CVE-2020-5579 1 Strangerstudios 1 Paid Memberships Pro 2021-03-23 6.5 MEDIUM 7.2 HIGH
SQL injection vulnerability in the Paid Memberships versions prior to 2.3.3 allows attacker with administrator rights to execute arbitrary SQL commands via unspecified vectors.