← Back

Marvinlabs

marvinlabs

7 CVEs • 2 products

Products (2)

Click to collapse
Toggle
Wp Customer Area
wp_customer_area
6 CVEs
User Messages
user_messages
1 CVE

CVEs (7)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2024-13222
1Marvinlabs
1User Messages
May 13, 2025
Jan 31, 2025
N/A· v4
6.1 MEDIUM· v3
N/A· v2
The User Messages WordPress plugin through 1.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege user...Show more
The User Messages WordPress plugin through 1.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.Show less
CVE-2024-12436
1Marvinlabs
1Wp Customer Area
May 8, 2025
Jan 27, 2025
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks
CVE-2024-12280
1Marvinlabs
1Wp Customer Area
May 8, 2025
Jan 27, 2025
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF check in place when deleting its logs, which could allow attackers to make a logged in to delete them via a CSRF attack
CVE-2024-0665
1Marvinlabs
1Wp Customer Area
Apr 8, 2026
Jan 24, 2024
N/A· v4
6.1 MEDIUM· v3
N/A· v2
The WP Customer Area plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.1 due to insufficient input sanitization and output escaping. Th...Show more
The WP Customer Area plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.Show less
CVE-2023-6824
1Marvinlabs
1Wp Customer Area
Jun 11, 2025
Jan 16, 2024
N/A· v4
6.5 MEDIUM· v3
N/A· v2
The WP Customer Area WordPress plugin before 8.2.1 does not properly validates user capabilities in some of its AJAX actions, allowing any users to retrieve other user's account address.
CVE-2023-6741
1Marvinlabs
1Wp Customer Area
Jun 20, 2025
Jan 16, 2024
N/A· v4
4.3 MEDIUM· v3
N/A· v2
The WP Customer Area WordPress plugin before 8.2.1 does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address.
CVE-2017-18519
1Marvinlabs
1Wp Customer Area
Nov 21, 2024
Aug 20, 2019
N/A· v4
6.1 MEDIUM· v3
4.3 MEDIUM· v2
The customer-area plugin before 7.4.3 for WordPress has XSS via admin pages.