Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
9 vulnerabilities by Tips and Tricks HQ
CVE-2026-28070 (GCVE-0-2026-28070)
Vulnerability from cvelistv5 – Published: 2026-03-19 05:20 – Updated: 2026-04-23 14:14
VLAI?
Title
WordPress WP eMember plugin <= v10.2.2 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through <= v10.2.2.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tips and Tricks HQ | WP eMember |
Affected:
0 , ≤ v10.2.2
(custom)
|
Date Public ?
2026-04-22 14:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T14:48:26.061366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T14:49:02.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-eMember",
"product": "WP eMember",
"vendor": "Tips and Tricks HQ",
"versions": [
{
"lessThanOrEqual": "v10.2.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:18:37.905Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP eMember: from n/a through \u003c= v10.2.2.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through \u003c= v10.2.2."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:14:11.237Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-eMember/vulnerability/wordpress-wp-emember-plugin-v10-2-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP eMember plugin \u003c= v10.2.2 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-28070",
"datePublished": "2026-03-19T05:20:03.784Z",
"dateReserved": "2026-02-25T12:13:39.590Z",
"dateUpdated": "2026-04-23T14:14:11.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28073 (GCVE-0-2026-28073)
Vulnerability from cvelistv5 – Published: 2026-03-19 05:18 – Updated: 2026-04-23 14:14
VLAI?
Title
WordPress WP eMember theme <= v10.2.2 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Reflected XSS.This issue affects WP eMember: from n/a through <= v10.2.2.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tips and Tricks HQ | WP eMember |
Affected:
0 , ≤ v10.2.2
(custom)
|
Date Public ?
2026-04-22 14:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T13:56:48.267333Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T13:57:47.747Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-eMember",
"product": "WP eMember",
"vendor": "Tips and Tricks HQ",
"versions": [
{
"lessThanOrEqual": "v10.2.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:18:38.341Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Reflected XSS.\u003cp\u003eThis issue affects WP eMember: from n/a through \u003c= v10.2.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Tips and Tricks HQ WP eMember wp-eMember allows Reflected XSS.This issue affects WP eMember: from n/a through \u003c= v10.2.2."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:14:11.238Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wp-eMember/vulnerability/wordpress-wp-emember-theme-v10-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP eMember theme \u003c= v10.2.2 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-28073",
"datePublished": "2026-03-19T05:18:56.777Z",
"dateReserved": "2026-02-25T12:13:47.059Z",
"dateUpdated": "2026-04-23T14:14:11.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56279 (GCVE-0-2024-56279)
Vulnerability from cvelistv5 – Published: 2025-01-07 10:49 – Updated: 2026-04-23 13:58
VLAI?
Title
WordPress Compact WP Audio Player plugin <= 1.9.14 - Server Side Request Forgery (SSRF) vulnerability
Summary
Server-Side Request Forgery (SSRF) vulnerability in mra13 Compact WP Audio Player compact-wp-audio-player allows Server Side Request Forgery.This issue affects Compact WP Audio Player: from n/a through <= 1.9.14.
Severity ?
6.4 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mra13 | Compact WP Audio Player |
Affected:
0 , ≤ 1.9.14
(custom)
|
Date Public ?
2026-04-22 14:34
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56279",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T14:31:37.759680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T14:32:03.313Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "compact-wp-audio-player",
"product": "Compact WP Audio Player",
"vendor": "mra13",
"versions": [
{
"changes": [
{
"at": "1.9.15",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.9.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "theviper17 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:34:07.922Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in mra13 Compact WP Audio Player compact-wp-audio-player allows Server Side Request Forgery.\u003cp\u003eThis issue affects Compact WP Audio Player: from n/a through \u003c= 1.9.14.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in mra13 Compact WP Audio Player compact-wp-audio-player allows Server Side Request Forgery.This issue affects Compact WP Audio Player: from n/a through \u003c= 1.9.14."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "Server Side Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:58:33.344Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/compact-wp-audio-player/vulnerability/wordpress-compact-wp-audio-player-plugin-1-9-14-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Compact WP Audio Player plugin \u003c= 1.9.14 - Server Side Request Forgery (SSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-56279",
"datePublished": "2025-01-07T10:49:23.286Z",
"dateReserved": "2024-12-18T19:04:43.976Z",
"dateUpdated": "2026-04-23T13:58:33.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-48285 (GCVE-0-2023-48285)
Vulnerability from cvelistv5 – Published: 2024-06-04 10:23 – Updated: 2024-08-02 21:23
VLAI?
Title
WordPress Accept Stripe Payments plugin <= 2.0.79 - Content Injection vulnerability
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.This issue affects Stripe Payments: from n/a through 2.0.79.
Severity ?
5.3 (Medium)
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tips and Tricks HQ | Stripe Payments |
Affected:
n/a , ≤ 2.0.79
(custom)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tipsandtricks-hq:accept_stripe:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "accept_stripe",
"vendor": "tipsandtricks-hq",
"versions": [
{
"lessThanOrEqual": "2.0.79",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-48285",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-04T20:34:06.403529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T20:35:06.940Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:23:39.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/stripe-payments/wordpress-accept-stripe-payments-plugin-2-0-79-content-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "stripe-payments",
"product": "Stripe Payments",
"vendor": "Tips and Tricks HQ",
"versions": [
{
"changes": [
{
"at": "2.0.80",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.0.79",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Joshua Chan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.\u003cp\u003eThis issue affects Stripe Payments: from n/a through 2.0.79.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection.This issue affects Stripe Payments: from n/a through 2.0.79."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T10:23:00.172Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/stripe-payments/wordpress-accept-stripe-payments-plugin-2-0-79-content-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 2.0.80 or a higher version."
}
],
"value": "Update to 2.0.80 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Accept Stripe Payments plugin \u003c= 2.0.79 - Content Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-48285",
"datePublished": "2024-06-04T10:23:00.172Z",
"dateReserved": "2023-11-13T23:43:33.533Z",
"dateUpdated": "2024-08-02T21:23:39.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-30527 (GCVE-0-2024-30527)
Vulnerability from cvelistv5 – Published: 2024-05-17 08:20 – Updated: 2024-08-02 01:38
VLAI?
Title
WordPress WP Express Checkout plugin <= 2.3.7 - Price Manipulation vulnerability
Summary
Improper Validation of Specified Quantity in Input vulnerability in Tips and Tricks HQ WP Express Checkout (Accept PayPal Payments) allows Manipulating Hidden Fields.This issue affects WP Express Checkout (Accept PayPal Payments): from n/a through 2.3.7.
Severity ?
7.5 (High)
CWE
- CWE-1284 - Improper Validation of Specified Quantity in Input
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tips and Tricks HQ | WP Express Checkout (Accept PayPal Payments) |
Affected:
n/a , ≤ 2.3.7
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-30527",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-17T11:59:04.820325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:39:30.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:38:59.983Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wp-express-checkout/wordpress-wp-express-checkout-plugin-2-3-7-price-manipulation-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wp-express-checkout",
"product": "WP Express Checkout (Accept PayPal Payments)",
"vendor": "Tips and Tricks HQ",
"versions": [
{
"changes": [
{
"at": "2.3.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Xinzhi Luo (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Validation of Specified Quantity in Input vulnerability in Tips and Tricks HQ WP Express Checkout (Accept PayPal Payments) allows Manipulating Hidden Fields.\u003cp\u003eThis issue affects WP Express Checkout (Accept PayPal Payments): from n/a through 2.3.7.\u003c/p\u003e"
}
],
"value": "Improper Validation of Specified Quantity in Input vulnerability in Tips and Tricks HQ WP Express Checkout (Accept PayPal Payments) allows Manipulating Hidden Fields.This issue affects WP Express Checkout (Accept PayPal Payments): from n/a through 2.3.7."
}
],
"impacts": [
{
"capecId": "CAPEC-162",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-162 Manipulating Hidden Fields"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1284",
"description": "CWE-1284 Improper Validation of Specified Quantity in Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-17T08:20:59.609Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wp-express-checkout/wordpress-wp-express-checkout-plugin-2-3-7-price-manipulation-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 2.3.8 or a higher version."
}
],
"value": "Update to 2.3.8 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WP Express Checkout plugin \u003c= 2.3.7 - Price Manipulation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-30527",
"datePublished": "2024-05-17T08:20:59.609Z",
"dateReserved": "2024-03-27T12:56:45.184Z",
"dateUpdated": "2024-08-02T01:38:59.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-33591 (GCVE-0-2024-33591)
Vulnerability from cvelistv5 – Published: 2024-04-29 10:10 – Updated: 2024-08-02 02:36
VLAI?
Title
WordPress Easy Accept Payments for PayPal plugin <= 4.9.10 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Tips and Tricks HQ Easy Accept Payments.This issue affects Easy Accept Payments: from n/a through 4.9.10.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tips and Tricks HQ | Easy Accept Payments |
Affected:
n/a , ≤ 4.9.10
(custom)
|
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tips_and_tricks_hq:all_in_one_wordpress_security_and_firewall:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "all_in_one_wordpress_security_and_firewall",
"vendor": "tips_and_tricks_hq",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-33591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-29T16:58:15.728399Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:44:17.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T02:36:04.047Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/wordpress-easy-paypal-payment-or-donation-accept-plugin/wordpress-easy-accept-payments-for-paypal-plugin-4-9-10-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wordpress-easy-paypal-payment-or-donation-accept-plugin",
"product": "Easy Accept Payments",
"vendor": "Tips and Tricks HQ",
"versions": [
{
"changes": [
{
"at": "5.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.9.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Joshua Chan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Tips and Tricks HQ Easy Accept Payments.\u003cp\u003eThis issue affects Easy Accept Payments: from n/a through 4.9.10.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Tips and Tricks HQ Easy Accept Payments.This issue affects Easy Accept Payments: from n/a through 4.9.10.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-29T10:10:52.661Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/wordpress-easy-paypal-payment-or-donation-accept-plugin/wordpress-easy-accept-payments-for-paypal-plugin-4-9-10-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 5.0 or a higher version."
}
],
"value": "Update to 5.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Easy Accept Payments for PayPal plugin \u003c= 4.9.10 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-33591",
"datePublished": "2024-04-29T10:10:52.661Z",
"dateReserved": "2024-04-24T15:01:58.368Z",
"dateUpdated": "2024-08-02T02:36:04.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-20782 (GCVE-0-2021-20782)
Vulnerability from cvelistv5 – Published: 2021-07-14 01:20 – Updated: 2024-08-03 17:53
VLAI?
Summary
Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Cross-site request forgery
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tips and Tricks HQ | Software License Manager |
Affected:
versions prior to 4.4.6
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:53:22.376Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/software-license-manager/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.tipsandtricks-hq.com/software-license-manager-plugin-for-wordpress"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN89054582/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Software License Manager",
"vendor": "Tips and Tricks HQ",
"versions": [
{
"status": "affected",
"version": "versions prior to 4.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site request forgery",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-14T01:20:28.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/software-license-manager/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.tipsandtricks-hq.com/software-license-manager-plugin-for-wordpress"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN89054582/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2021-20782",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Software License Manager",
"version": {
"version_data": [
{
"version_value": "versions prior to 4.4.6"
}
]
}
}
]
},
"vendor_name": "Tips and Tricks HQ"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in Software License Manager versions prior to 4.4.6 allows remote attackers to hijack the authentication of administrators via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site request forgery"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/software-license-manager/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/software-license-manager/"
},
{
"name": "https://www.tipsandtricks-hq.com/software-license-manager-plugin-for-wordpress",
"refsource": "MISC",
"url": "https://www.tipsandtricks-hq.com/software-license-manager-plugin-for-wordpress"
},
{
"name": "https://jvn.jp/en/jp/JVN89054582/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN89054582/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2021-20782",
"datePublished": "2021-07-14T01:20:28.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:53:22.376Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5651 (GCVE-0-2020-5651)
Vulnerability from cvelistv5 – Published: 2020-10-21 15:15 – Updated: 2024-08-04 08:39
VLAI?
Summary
SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL.
Severity ?
No CVSS data available.
CWE
- SQL Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tips and Tricks HQ | Simple Download Monitor |
Affected:
3.8.8 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:39:25.748Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/simple-download-monitor/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN31425618/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Simple Download Monitor",
"vendor": "Tips and Tricks HQ",
"versions": [
{
"status": "affected",
"version": "3.8.8 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL Injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T15:15:18.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/simple-download-monitor/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN31425618/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5651",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Simple Download Monitor",
"version": {
"version_data": [
{
"version_value": "3.8.8 and earlier"
}
]
}
}
]
},
"vendor_name": "Tips and Tricks HQ"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to execute arbitrary SQL commands via a specially crafted URL."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/simple-download-monitor/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/simple-download-monitor/"
},
{
"name": "https://jvn.jp/en/jp/JVN31425618/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN31425618/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5651",
"datePublished": "2020-10-21T15:15:18.000Z",
"dateReserved": "2020-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:39:25.748Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5650 (GCVE-0-2020-5650)
Vulnerability from cvelistv5 – Published: 2020-10-21 15:15 – Updated: 2024-08-04 08:39
VLAI?
Summary
Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Tips and Tricks HQ | Simple Download Monitor |
Affected:
3.8.8 and earlier
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:39:25.910Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordpress.org/plugins/simple-download-monitor/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/en/jp/JVN31425618/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Simple Download Monitor",
"vendor": "Tips and Tricks HQ",
"versions": [
{
"status": "affected",
"version": "3.8.8 and earlier"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T15:15:17.000Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordpress.org/plugins/simple-download-monitor/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jvn.jp/en/jp/JVN31425618/index.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "vultures@jpcert.or.jp",
"ID": "CVE-2020-5650",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Simple Download Monitor",
"version": {
"version_data": [
{
"version_value": "3.8.8 and earlier"
}
]
}
}
]
},
"vendor_name": "Tips and Tricks HQ"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting vulnerability in Simple Download Monitor 3.8.8 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wordpress.org/plugins/simple-download-monitor/",
"refsource": "MISC",
"url": "https://wordpress.org/plugins/simple-download-monitor/"
},
{
"name": "https://jvn.jp/en/jp/JVN31425618/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/en/jp/JVN31425618/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2020-5650",
"datePublished": "2020-10-21T15:15:17.000Z",
"dateReserved": "2020-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:39:25.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}