Filtered by vendor Metagauss
Subscribe
Total
41 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8861 | 1 Metagauss | 1 Profilegrid | 2024-10-01 | N/A | 5.4 MEDIUM |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.9.3.2 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-8369 | 1 Metagauss | 1 Eventprime | 2024-09-26 | N/A | 5.3 MEDIUM |
| The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events. | |||||
| CVE-2024-39643 | 1 Metagauss | 1 Registrationmagic | 2024-09-11 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in RegistrationMagic Forms RegistrationMagic allows Stored XSS.This issue affects RegistrationMagic: from n/a through 6.0.0.1. | |||||
| CVE-2023-52117 | 1 Metagauss | 1 Profilegrid | 2024-07-29 | N/A | 6.3 MEDIUM |
| Missing Authorization vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid: from n/a through 5.6.6. | |||||
| CVE-2024-31275 | 1 Metagauss | 1 Eventprime | 2024-06-12 | N/A | 9.8 CRITICAL |
| Missing Authorization vulnerability in Metagauss EventPrime.This issue affects EventPrime: from n/a through 3.3.4. | |||||
| CVE-2024-5453 | 1 Metagauss | 1 Profilegrid | 2024-06-11 | N/A | 4.3 MEDIUM |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_dismissible_notice and pm_wizard_update_group_icon functions in all versions up to, and including, 5.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options to the value '1' or change group icons. | |||||
| CVE-2023-51509 | 1 Metagauss | 1 Registrationmagic | 2024-02-06 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login allows Reflected XSS.This issue affects RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: from n/a through 5.2.4.1. | |||||
| CVE-2023-47645 | 1 Metagauss | 1 Registrationmagic | 2024-02-05 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in RegistrationMagic RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login allows Cross Site Request Forgery.This issue affects RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: from n/a through 5.2.2.6. | |||||
| CVE-2023-50846 | 1 Metagauss | 1 Registrationmagic | 2024-02-05 | N/A | 7.2 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RegistrationMagic RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login.This issue affects RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: from n/a through 5.2.4.5. | |||||
| CVE-2023-4252 | 1 Metagauss | 1 Eventprime | 2024-02-05 | N/A | 5.3 MEDIUM |
| The EventPrime WordPress plugin through 3.2.9 specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment. | |||||
| CVE-2023-6447 | 1 Metagauss | 1 Eventprime | 2024-02-05 | N/A | 5.3 MEDIUM |
| The EventPrime WordPress plugin before 3.3.6 lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name. | |||||
| CVE-2023-47644 | 1 Metagauss | 1 Profilegrid | 2024-02-05 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in profilegrid ProfileGrid – User Profiles, Memberships, Groups and Communities.This issue affects ProfileGrid – User Profiles, Memberships, Groups and Communities: from n/a through 5.6.6. | |||||
| CVE-2023-3713 | 1 Metagauss | 1 Profilegrid | 2024-02-05 | N/A | 8.8 HIGH |
| The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'profile_magic_check_smtp_connection' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily. This can be used by attackers to achieve privilege escalation. | |||||
| CVE-2023-3714 | 1 Metagauss | 1 Profilegrid | 2024-02-05 | N/A | 8.8 HIGH |
| The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'edit_group' handler in versions up to, and including, 5.5.2. This makes it possible for authenticated attackers, with group ownership, to update group options, including the 'associate_role' parameter, which defines the member's role. This issue was partially patched in version 5.5.2 preventing privilege escalation, however, it was fully patched in 5.5.3. | |||||
| CVE-2022-38062 | 1 Metagauss | 1 Download Theme | 2024-02-05 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Theme plugin <= 1.0.9 versions. | |||||
| CVE-2023-3403 | 1 Metagauss | 1 Profilegrid | 2024-02-05 | N/A | 4.3 MEDIUM |
| The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pm_upload_csv' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above to import new users and update existing users. | |||||
| CVE-2023-2548 | 1 Metagauss | 1 Registrationmagic | 2024-02-04 | N/A | 7.2 HIGH |
| The RegistrationMagic plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 5.2.0.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers, with administrator-level permissions and above, to change user passwords and potentially take over super-administrator accounts in multisite setup. | |||||
| CVE-2022-36345 | 1 Metagauss | 1 Download Plugin | 2024-02-04 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin <= 2.0.4 versions. | |||||
| CVE-2023-0940 | 1 Metagauss | 1 Profilegrid | 2024-02-04 | N/A | 8.8 HIGH |
| The ProfileGrid WordPress plugin before 5.3.1 provides an AJAX endpoint for resetting a user password but does not implement proper authorization. This allows a user with low privileges, such as subscriber, to change the password of any account, including Administrator ones. | |||||
| CVE-2023-33326 | 1 Metagauss | 1 Eventprime | 2024-02-04 | N/A | 6.1 MEDIUM |
| Unauth. Reflected (XSS) Cross-Site Scripting (XSS) vulnerability in EventPrime plugin <= 2.8.6 versions. | |||||