Filtered by vendor Wedevs Subscriptions
Total 33 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-3194 1 Wedevs 1 Dokan 2024-11-21 5.4 Medium
The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators.
CVE-2021-36826 1 Wedevs 1 Wp Project Manager 2024-11-21 5.4 Medium
Authenticated (subscriber or higher user role if allowed to access projects) Stored Cross-Site Scripting (XSS) vulnerability in weDevs WP Project Manager plugin <= 2.4.13 versions.
CVE-2021-25076 1 Wedevs 1 Wp User Frontend 2024-11-21 8.8 High
The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting
CVE-2021-24649 1 Wedevs 1 Wp User Frontend 2024-11-21 9.8 Critical
The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constant (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin
CVE-2021-24292 1 Wedevs 1 Happy Addons For Elementor 2024-11-21 5.4 Medium
The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The “Card” widget accepts a “title_tag” parameter. Although the element control lists a fixed set of possible html tags, it is possible to send a ‘save_builder’ request with the “heading_tag” set to “script”, and the actual “title” parameter set to JavaScript to be executed within the script tags added by the “heading_tag” parameter.
CVE-2020-36748 1 Wedevs 1 Dokan 2024-11-21 4.3 Medium
The Dokan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.8. This is due to missing or incorrect nonce validation on the handle_order_export() function. This makes it possible for unauthenticated attackers to trigger an order export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2020-36745 1 Wedevs 1 Wp Project Manager 2024-11-21 4.3 Medium
The WP Project Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.0. This is due to missing or incorrect nonce validation on the do_updates() function. This makes it possible for unauthenticated attackers to trigger updates via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2020-36735 1 Wedevs 1 Wp Erp 2024-11-21 4.3 Medium
The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.3. This is due to missing or incorrect nonce validation on the handle_leave_calendar_filter, add_enable_disable_option_save, leave_policies, process_bulk_action, and process_crm_contact functions. This makes it possible for unauthenticated attackers to modify the plugins settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-10174 1 Wedevs 1 Wp Project Manager 2024-11-13 7.3 High
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'Abstract_Permission' class due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugins REST routes.
CVE-2024-8739 1 Wedevs 1 Recaptcha Integration 2024-11-04 6.1 Medium
The ReCaptcha Integration for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-47640 1 Wedevs 1 Wp Erp 2024-10-31 7.1 High
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in weDevs WP ERP allows Reflected XSS.This issue affects WP ERP: from n/a through 1.13.2.
CVE-2024-8801 1 Wedevs 1 Happy Addons For Elementor 2024-09-30 4.3 Medium
The Happy Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.2 via the Content Switcher widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including private, draft, and pending Elementor templates.
CVE-2024-38693 1 Wedevs 1 Wp User Frontend 2024-09-13 7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs WP User Frontend allows SQL Injection.This issue affects WP User Frontend: from n/a through 4.0.7.