Cozmoslabs

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2024-6708 1Cozmoslabs 1Profile Builder Jun 4, 2025 May 15, 2025 N/A· v4 4.8 MEDIUM· v3 N/A· v2 The User Profile Builder WordPress plugin before 3.12.2 does not sanitise and escape some parameters before outputting its content on the admin area, which allows Admin+ users to perform Cross-Site Scripting attacks.
CVE-2024-12919 1Cozmoslabs 1Membership & Content Restriction Paid Member Subscriptions Jan 22, 2025 Jan 14, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due t...Show more The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.13.7. This is due to the pms_pb_payment_redirect_link function using the user-controlled value supplied via the 'pms_payment_id' parameter to authenticate users without any further identity validation. This makes it possible for unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site.Show less
CVE-2024-11291 1Cozmoslabs 1Membership & Content Restriction Paid Member Subscriptions Feb 4, 2025 Dec 18, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via t...Show more The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.4 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as logged-in users.Show less
CVE-2024-10261 1Cozmoslabs 1Membership & Content Restriction Paid Member Subscriptions Jan 29, 2025 Nov 9, 2024 N/A· v4 7.3 HIGH· v3 N/A· v2 The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. T...Show more The The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.Show less
CVE-2024-9222 1Cozmoslabs 1Membership & Content Restriction Paid Member Subscriptions Oct 8, 2024 Oct 2, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriat...Show more The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.12.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.Show less
CVE-2024-6695 1Cozmoslabs 1Profile Builder Jan 2, 2026 Jul 31, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 it's possible for an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions. This is due to improper logic flow on the user registration process.
CVE-2024-6366 1Cozmoslabs 1Profile Builder May 30, 2025 Jul 29, 2024 N/A· v4 9.1 CRITICAL· v3 N/A· v2 The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
CVE-2024-5639 1Cozmoslabs 1User Profile Picture Apr 8, 2026 Jun 21, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a...Show more The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update the profile picture of any user.Show less
CVE-2023-51522 1Cozmoslabs 1Paid Membership Subscriptions Apr 28, 2026 Mar 15, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions.This issue affects Paid Member Subscriptions: from n/a through 2.10.4.
CVE-2024-1390 1Cozmoslabs 1Membership & Content Restriction Paid Member Subscriptions Apr 8, 2026 Feb 29, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creati...Show more The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the creating_pricing_table_page function in all versions up to, and including, 2.11.1. This makes it possible for authenticated attackers, with subscriber access or higher, to create pricing tables.Show less
CVE-2024-1389 1Cozmoslabs 1Membership & Content Restriction Paid Member Subscriptions Apr 8, 2026 Feb 29, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_st...Show more The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pms_stripe_connect_handle_authorization_return function in all versions up to, and including, 2.11.1. This makes it possible for unauthenticated attackers to change the Stripe payment keys.Show less
CVE-2024-0324 1Cozmoslabs 1Profile Builder Apr 8, 2026 Feb 5, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_fa...Show more The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wppb_two_factor_authentication_settings_update' function in all versions up to, and including, 3.10.8. This makes it possible for unauthenticated attackers to enable or disable the 2FA functionality present in the Premium version of the plugin for arbitrary user roles.Show less
CVE-2024-22140 1Cozmoslabs 1Profile Builder Apr 28, 2026 Jan 31, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder Pro.This issue affects Profile Builder Pro: from n/a through 3.10.0.
CVE-2024-22141 1Cozmoslabs 1Profile Builder Apr 28, 2026 Jan 24, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Cozmoslabs Profile Builder Pro.This issue affects Profile Builder Pro: from n/a through 3.10.0.
CVE-2024-22142 1Cozmoslabs 1Profile Builder Apr 28, 2026 Jan 13, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs Profile Builder Pro allows Reflected XSS.This issue affects Profile Builder Pro: from n/a through 3.10.0.
CVE-2023-6504 1Cozmoslabs 1Profile Builder Apr 8, 2026 Jan 11, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_userm...Show more The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wppb_toolbox_usermeta_handler function in all versions up to, and including, 3.10.7. This makes it possible for authenticated attackers, with contributor-level access and above, to expose sensitive information within user metadata.Show less
CVE-2023-47669 1Cozmoslabs 1Profile Builder Nov 21, 2024 Nov 13, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin <= 3.10.3 versions.
CVE-2023-4059 1Cozmoslabs 1Profile Builder Mar 6, 2025 Sep 4, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the...Show more The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF in its page creation function which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blogShow less
CVE-2023-2297 1Cozmoslabs 1Profile Builder Apr 8, 2026 Apr 27, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password res...Show more The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability.Show less
CVE-2023-25968 1Cozmoslabs 1Client Portal Nov 21, 2024 Mar 15, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs, Madalin Ungureanu, Antohe Cristian Client Portal – Private user pages and login plugin <= 1.1.8 versions.

12 Next