Filtered by vendor Thimpress
Subscriptions
Total
80 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-60227 | 2 Thimpress, Wordpress | 2 Wp Pipes, Wordpress | 2025-10-23 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal.This issue affects WP Pipes: from n/a through <= 1.4.3. | ||||
| CVE-2025-49992 | 2 Thimpress, Wordpress | 2 Learnpress Export Import, Wordpress | 2025-10-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress Export Import learnpress-import-export allows Reflected XSS.This issue affects LearnPress Export Import: from n/a through <= 4.0.9. | ||||
| CVE-2025-11372 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2025-10-21 | 6.5 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permission_callback set to __return_true. This makes it possible for unauthenticated attackers to perform destructive database operations including dropping indexes on any table (including WordPress core tables like wp_options), creating duplicate configuration entries, and degrading site performance via the /wp-json/lp/v1/admin/tools/create-indexs endpoint granted they can provide table names. | ||||
| CVE-2025-57987 | 2 Thimpress, Wordpress | 2 Wp Events Manager, Wordpress | 2025-09-23 | 5.3 Medium |
| Missing Authorization vulnerability in ThimPress WP Events Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Events Manager: from n/a through 2.2.1. | ||||
| CVE-2025-8942 | 2 Thimpress, Wordpress | 2 Wp Hotel Booking, Wordpress | 2025-09-22 | 9.1 Critical |
| The WP Hotel Booking WordPress plugin before 2.2.3 lacks proper server-side validation for review ratings, allowing an attacker to manipulate the rating value (e.g., sending negative or out-of-range values) by intercepting and modifying requests. | ||||
| CVE-2025-28977 | 2 Thimpress, Wordpress | 2 Wp Pipes, Wordpress | 2025-08-21 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Pipes allows Reflected XSS. This issue affects WP Pipes: from n/a through 1.4.3. | ||||
| CVE-2025-28979 | 2 Thimpress, Wordpress | 2 Wp Pipes, Wordpress | 2025-08-14 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress WP Pipes allows PHP Local File Inclusion. This issue affects WP Pipes: from n/a through 1.4.3. | ||||
| CVE-2025-28982 | 2 Thimpress, Wordpress | 2 Wp Pipes, Wordpress | 2025-07-21 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThimPress WP Pipes allows SQL Injection. This issue affects WP Pipes: from n/a through 1.4.3. | ||||
| CVE-2024-12283 | 2 Thimpress, Wordpress | 2 Wp Pipes, Wordpress | 2025-07-13 | 6.1 Medium |
| The WP Pipes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘x1’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-39642 | 1 Thimpress | 1 Learnpress | 2025-07-12 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in ThimPress LearnPress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects LearnPress: from n/a through 4.2.6.8.2. | ||||
| CVE-2025-22739 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2025-07-12 | 5.3 Medium |
| Missing Authorization vulnerability in ThimPress LearnPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through 4.2.7.5. | ||||
| CVE-2025-24740 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2025-07-12 | 4.7 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in ThimPress LearnPress. This issue affects LearnPress: from n/a through 4.2.7.1. | ||||
| CVE-2025-48267 | 1 Thimpress | 1 Wp Pipes | 2025-06-24 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes allows Path Traversal. This issue affects WP Pipes: from n/a through 1.4.2. | ||||
| CVE-2025-39460 | 1 Thimpress | 1 Eduma | 2025-06-24 | 5.3 Medium |
| Missing Authorization vulnerability in ThimPress Eduma allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eduma: from n/a through 5.6.4. | ||||
| CVE-2025-47448 | 1 Thimpress | 1 Wp Hotel Booking | 2025-06-24 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through 2.1.9. | ||||
| CVE-2025-47664 | 1 Thimpress | 1 Wp Pipes | 2025-06-24 | 4.4 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in ThimPress WP Pipes allows Server Side Request Forgery. This issue affects WP Pipes: from n/a through 1.4.2. | ||||
| CVE-2023-6223 | 1 Thimpress | 1 Learnpress | 2025-06-03 | 4.3 Medium |
| The LearnPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.5.7 via the /wp-json/lp/v1/profile/course-tab REST API due to missing validation on the 'userID' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve the details of another user's course progress. | ||||
| CVE-2023-6634 | 1 Thimpress | 1 Learnpress | 2025-06-03 | 8.1 High |
| The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution. | ||||
| CVE-2024-13127 | 1 Thimpress | 1 Learnpress | 2025-05-22 | 4.8 Medium |
| The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2024-13128 | 1 Thimpress | 1 Learnpress | 2025-05-22 | 4.8 Medium |
| The LearnPress WordPress plugin before 4.2.7.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||