Filtered by vendor Cozmoslabs
Subscriptions
Total
51 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9222 | 2 Cozmoslabs, Iovamihai | 2 Membership \& Content Restriction - Paid Member Subscriptions, Paid Membership Subscriptions Effortless Memberships Recurring Payments And Content Restriction | 2026-04-08 | 6.1 Medium |
| The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.12.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-27413 | 2 Cozmoslabs, Wordpress | 2 Profile Builder, Wordpress | 2026-04-03 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro: from n/a before 3.14.0. | ||||
| CVE-2024-6695 | 1 Cozmoslabs | 1 Profile Builder | 2026-01-02 | 9.8 Critical |
| it's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is due to improper logic flow on the user registration process. | ||||
| CVE-2024-22141 | 1 Cozmoslabs | 1 Profile Builder | 2025-06-17 | 6.5 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Cozmoslabs Profile Builder Pro.This issue affects Profile Builder Pro: from n/a through 3.10.0. | ||||
| CVE-2024-6708 | 1 Cozmoslabs | 1 Profile Builder | 2025-06-04 | 4.8 Medium |
| The User Profile Builder WordPress plugin before 3.12.2 does not sanitise and escape some parameters before outputting its content on the admin area, which allows Admin+ users to perform Cross-Site Scripting attacks. | ||||
| CVE-2024-6366 | 1 Cozmoslabs | 1 Profile Builder | 2025-05-30 | 9.1 Critical |
| The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP. | ||||
| CVE-2014-8492 | 1 Cozmoslabs | 1 Profile Builder | 2025-04-20 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fallback-page.php in the Profile Builder plugin before 2.0.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) site_name, (2) message, or (3) site_url parameter. | ||||
| CVE-2023-51522 | 1 Cozmoslabs | 1 Paid Membership Subscriptions | 2025-04-10 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions.This issue affects Paid Member Subscriptions: from n/a through 2.10.4. | ||||
| CVE-2022-4442 | 1 Cozmoslabs | 1 Custom Post Types And Custom Fields Creator | 2025-04-04 | 4.8 Medium |
| The Custom Post Types and Custom Fields creator WordPress plugin before 2.3.3 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup). | ||||
| CVE-2023-4059 | 1 Cozmoslabs | 1 Profile Builder | 2025-03-06 | 4.3 Medium |
| The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog | ||||
| CVE-2021-36915 | 1 Cozmoslabs | 1 Profile Builder | 2025-02-20 | 4.2 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder plugin <= 3.6.0 at WordPress allows uploading the JSON file and updating the options. Requires Import and Export add-on. | ||||
| CVE-2024-11291 | 1 Cozmoslabs | 1 Membership \& Content Restriction - Paid Member Subscriptions | 2025-02-04 | 5.3 Medium |
| The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users. | ||||
| CVE-2022-0653 | 1 Cozmoslabs | 1 Profile Builder | 2025-01-31 | 6.1 Medium |
| The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file which allows attackers to inject arbitrary web scripts onto a pages that executes whenever a user clicks on a specially crafted link by an attacker. This affects versions up to and including 3.6.1. | ||||
| CVE-2024-10261 | 1 Cozmoslabs | 2 Membership \& Content Restriction - Paid Member Subscriptions, Paid Member Subscriptions | 2025-01-29 | 7.3 High |
| The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-12919 | 1 Cozmoslabs | 1 Membership \& Content Restriction - Paid Member Subscriptions | 2025-01-22 | 9.8 Critical |
| The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site. | ||||
| CVE-2024-22142 | 1 Cozmoslabs | 1 Profile Builder | 2024-11-21 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs Profile Builder Pro allows Reflected XSS.This issue affects Profile Builder Pro: from n/a through 3.10.0. | ||||
| CVE-2024-22140 | 1 Cozmoslabs | 1 Profile Builder | 2024-11-21 | 8.8 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder Pro.This issue affects Profile Builder Pro: from n/a through 3.10.0. | ||||
| CVE-2023-47669 | 1 Cozmoslabs | 1 Profile Builder | 2024-11-21 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin <= 3.10.3 versions. | ||||
| CVE-2023-25968 | 1 Cozmoslabs | 1 Client Portal | 2024-11-21 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs, Madalin Ungureanu, Antohe Cristian Client Portal – Private user pages and login plugin <= 1.1.8 versions. | ||||
| CVE-2022-3141 | 1 Cozmoslabs | 1 Translatepress | 2024-11-21 | 8.8 High |
| The Translate Multilingual sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be surpassed and a time-based blind payload can be injected. | ||||