Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
13 vulnerabilities by azzaroco
CVE-2026-25357 (GCVE-0-2026-25357)
Vulnerability from cvelistv5 – Published: 2026-03-25 16:14 – Updated: 2026-03-26 17:07
VLAI?
Title
WordPress Ultimate Membership Pro plugin <= 13.7 - Account Takeover vulnerability
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through <= 13.7.
Severity ?
8.1 (High)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | Ultimate Membership Pro |
Affected:
n/a , ≤ <= 13.7
(custom)
|
Date Public ?
2026-03-25 17:12
Credits
Phat RiO | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T17:07:32.077061Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T17:07:53.985Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "indeed-membership-pro",
"product": "Ultimate Membership Pro",
"vendor": "azzaroco",
"versions": [
{
"changes": [
{
"at": "13.7.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 13.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-03-25T17:12:24.761Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.\u003cp\u003eThis issue affects Ultimate Membership Pro: from n/a through \u003c= 13.7.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through \u003c= 13.7."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "Authentication Abuse"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T16:14:44.726Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-membership-pro/vulnerability/wordpress-ultimate-membership-pro-plugin-13-7-account-takeover-vulnerability?_s_id=cve"
}
],
"title": "WordPress Ultimate Membership Pro plugin \u003c= 13.7 - Account Takeover vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-25357",
"datePublished": "2026-03-25T16:14:44.726Z",
"dateReserved": "2026-02-02T12:52:48.541Z",
"dateUpdated": "2026-03-26T17:07:53.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28113 (GCVE-0-2026-28113)
Vulnerability from cvelistv5 – Published: 2026-03-05 05:54 – Updated: 2026-04-01 14:15
VLAI?
Title
WordPress Ultimate Learning Pro plugin <= 3.9.1 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Reflected XSS.This issue affects Ultimate Learning Pro: from n/a through <= 3.9.1.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | Ultimate Learning Pro |
Affected:
0 , ≤ 3.9.1
(custom)
|
Date Public ?
2026-04-01 16:06
Credits
Bonds | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-28113",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T16:51:57.999049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:53:43.054Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "indeed-learning-pro",
"product": "Ultimate Learning Pro",
"vendor": "azzaroco",
"versions": [
{
"lessThanOrEqual": "3.9.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bonds | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:06:01.868Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Reflected XSS.\u003cp\u003eThis issue affects Ultimate Learning Pro: from n/a through \u003c= 3.9.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Reflected XSS.This issue affects Ultimate Learning Pro: from n/a through \u003c= 3.9.1."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:15:45.836Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-learning-pro/vulnerability/wordpress-ultimate-learning-pro-plugin-3-9-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Ultimate Learning Pro plugin \u003c= 3.9.1 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-28113",
"datePublished": "2026-03-05T05:54:27.757Z",
"dateReserved": "2026-02-25T12:14:07.578Z",
"dateUpdated": "2026-04-01T14:15:45.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64251 (GCVE-0-2025-64251)
Vulnerability from cvelistv5 – Published: 2025-12-16 08:12 – Updated: 2026-04-01 14:10
VLAI?
Title
WordPress Ultimate Learning Pro plugin <= 3.9.3 - Arbitrary Content Deletion vulnerability
Summary
Missing Authorization vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Learning Pro: from n/a through <= 3.9.3.
Severity ?
4.9 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | Ultimate Learning Pro |
Affected:
0 , ≤ 3.9.3
(custom)
|
Date Public ?
2026-04-01 16:01
Credits
Bonds | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-64251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T17:27:16.297894Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T17:27:20.036Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "indeed-learning-pro",
"product": "Ultimate Learning Pro",
"vendor": "azzaroco",
"versions": [
{
"lessThanOrEqual": "3.9.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bonds | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:01:24.437Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Ultimate Learning Pro: from n/a through \u003c= 3.9.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Learning Pro: from n/a through \u003c= 3.9.3."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:10:17.764Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-learning-pro/vulnerability/wordpress-ultimate-learning-pro-plugin-3-9-3-arbitrary-content-deletion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Ultimate Learning Pro plugin \u003c= 3.9.3 - Arbitrary Content Deletion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-64251",
"datePublished": "2025-12-16T08:12:49.880Z",
"dateReserved": "2025-10-29T03:08:17.828Z",
"dateUpdated": "2026-04-01T14:10:17.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-13846 (GCVE-0-2024-13846)
Vulnerability from cvelistv5 – Published: 2025-02-21 11:09 – Updated: 2026-04-08 17:30
VLAI?
Title
Indeed Ultimate Learning Pro <= 3.9 - Authenticated (Administrator+) SQL Injection via post_id Parameter
Summary
The Indeed Ultimate Learning Pro plugin for WordPress is vulnerable to time-based SQL Injection via the ‘post_id’ parameter in all versions up to, and including, 3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | Indeed Ultimate Learning Pro |
Affected:
0 , ≤ 3.9
(semver)
|
Credits
Pham Van Tam
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13846",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-21T13:19:46.777923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-21T13:20:21.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Indeed Ultimate Learning Pro",
"vendor": "azzaroco",
"versions": [
{
"lessThanOrEqual": "3.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pham Van Tam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Indeed Ultimate Learning Pro plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018post_id\u2019 parameter in all versions up to, and including, 3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:30:52.126Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9ccd2cc-ee5e-40e3-905d-21884ec01f72?source=cve"
},
{
"url": "https://codecanyon.net/item/ultimate-learning-pro-wordpress-plugin/21772657"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-20T21:27:43.000Z",
"value": "Disclosed"
}
],
"title": "Indeed Ultimate Learning Pro \u003c= 3.9 - Authenticated (Administrator+) SQL Injection via post_id Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13846",
"datePublished": "2025-02-21T11:09:35.235Z",
"dateReserved": "2025-02-06T22:56:34.567Z",
"dateUpdated": "2026-04-08T17:30:52.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56069 (GCVE-0-2024-56069)
Vulnerability from cvelistv5 – Published: 2025-01-02 09:12 – Updated: 2026-04-01 15:40
VLAI?
Title
WordPress WP SuperBackup plugin <= 2.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Reflected XSS.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | WP SuperBackup |
Affected:
0 , ≤ 2.3.3
(custom)
|
Date Public ?
2026-04-01 16:31
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56069",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T17:35:38.323052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T19:14:28.303Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "indeed-wp-superbackup",
"product": "WP SuperBackup",
"vendor": "azzaroco",
"versions": [
{
"changes": [
{
"at": "2.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dave Jong (Patchstack)"
}
],
"datePublic": "2026-04-01T16:31:03.547Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Reflected XSS.\u003cp\u003eThis issue affects WP SuperBackup: from n/a through \u003c= 2.3.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Reflected XSS.This issue affects WP SuperBackup: from n/a through \u003c= 2.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:40:28.992Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-wp-superbackup/vulnerability/wordpress-wp-superbackup-plugin-2-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP SuperBackup plugin \u003c= 2.3.3 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-56069",
"datePublished": "2025-01-02T09:12:19.543Z",
"dateReserved": "2024-12-14T19:43:18.742Z",
"dateUpdated": "2026-04-01T15:40:28.992Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56070 (GCVE-0-2024-56070)
Vulnerability from cvelistv5 – Published: 2024-12-31 13:35 – Updated: 2026-04-01 15:40
VLAI?
Title
WordPress WP SuperBackup plugin <= 2.3.3 - Multiple Subscriber+ Broken Access Control vulnerabilities
Summary
Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | WP SuperBackup |
Affected:
0 , ≤ 2.3.3
(custom)
|
Date Public ?
2026-04-01 16:31
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56070",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T16:08:48.264985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T16:09:06.328Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "indeed-wp-superbackup",
"product": "WP SuperBackup",
"vendor": "azzaroco",
"versions": [
{
"changes": [
{
"at": "2.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dave Jong (Patchstack)"
}
],
"datePublic": "2026-04-01T16:31:01.790Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP SuperBackup: from n/a through \u003c= 2.3.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through \u003c= 2.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:40:29.156Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-wp-superbackup/vulnerability/wordpress-wp-superbackup-plugin-2-3-3-multiple-subscriber-broken-access-control-vulnerabilities?_s_id=cve"
}
],
"title": "WordPress WP SuperBackup plugin \u003c= 2.3.3 - Multiple Subscriber+ Broken Access Control vulnerabilities"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-56070",
"datePublished": "2024-12-31T13:35:46.941Z",
"dateReserved": "2024-12-14T19:43:18.742Z",
"dateUpdated": "2026-04-01T15:40:29.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56064 (GCVE-0-2024-56064)
Vulnerability from cvelistv5 – Published: 2024-12-31 12:54 – Updated: 2026-04-01 15:40
VLAI?
Title
WordPress WP SuperBackup plugin <= 2.3.3 - Unauthenticated Arbitrary File Upload vulnerability
Summary
Unrestricted Upload of File with Dangerous Type vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Upload a Web Shell to a Web Server.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
Severity ?
No CVSS data available.
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | WP SuperBackup |
Affected:
0 , ≤ 2.3.3
(custom)
|
Date Public ?
2026-04-01 16:31
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56064",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T16:12:57.404164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T16:13:14.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "indeed-wp-superbackup",
"product": "WP SuperBackup",
"vendor": "azzaroco",
"versions": [
{
"changes": [
{
"at": "2.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dave Jong (Patchstack)"
}
],
"datePublic": "2026-04-01T16:31:02.263Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Upload a Web Shell to a Web Server.\u003cp\u003eThis issue affects WP SuperBackup: from n/a through \u003c= 2.3.3.\u003c/p\u003e"
}
],
"value": "Unrestricted Upload of File with Dangerous Type vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Upload a Web Shell to a Web Server.This issue affects WP SuperBackup: from n/a through \u003c= 2.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-650",
"descriptions": [
{
"lang": "en",
"value": "Upload a Web Shell to a Web Server"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:40:28.174Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-wp-superbackup/vulnerability/wordpress-wp-superbackup-plugin-2-3-3-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP SuperBackup plugin \u003c= 2.3.3 - Unauthenticated Arbitrary File Upload vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-56064",
"datePublished": "2024-12-31T12:54:21.074Z",
"dateReserved": "2024-12-14T19:43:18.741Z",
"dateUpdated": "2026-04-01T15:40:28.174Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56068 (GCVE-0-2024-56068)
Vulnerability from cvelistv5 – Published: 2024-12-31 12:51 – Updated: 2026-04-01 15:40
VLAI?
Title
WordPress WP SuperBackup plugin <= 2.3.3 - Subscriber+ PHP Object Injection vulnerability
Summary
Deserialization of Untrusted Data vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | WP SuperBackup |
Affected:
0 , ≤ 2.3.3
(custom)
|
Date Public ?
2026-04-01 16:31
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56068",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T17:56:01.690961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T17:58:07.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "indeed-wp-superbackup",
"product": "WP SuperBackup",
"vendor": "azzaroco",
"versions": [
{
"changes": [
{
"at": "2.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dave Jong (Patchstack)"
}
],
"datePublic": "2026-04-01T16:31:03.109Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup.\u003cp\u003eThis issue affects WP SuperBackup: from n/a through \u003c= 2.3.3.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup.This issue affects WP SuperBackup: from n/a through \u003c= 2.3.3."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:40:28.818Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-wp-superbackup/vulnerability/wordpress-wp-superbackup-plugin-2-3-3-subscriber-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP SuperBackup plugin \u003c= 2.3.3 - Subscriber+ PHP Object Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-56068",
"datePublished": "2024-12-31T12:51:45.293Z",
"dateReserved": "2024-12-14T19:43:18.742Z",
"dateUpdated": "2026-04-01T15:40:28.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56067 (GCVE-0-2024-56067)
Vulnerability from cvelistv5 – Published: 2024-12-31 12:48 – Updated: 2026-04-01 15:40
VLAI?
Title
WordPress WP SuperBackup plugin <= 2.3.3 - Unauthenticated Backup File Download Vulnerability
Summary
Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through <= 2.3.3.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | WP SuperBackup |
Affected:
0 , ≤ 2.3.3
(custom)
|
Date Public ?
2026-04-01 16:31
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56067",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-31T17:59:38.664292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-31T17:59:49.723Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "indeed-wp-superbackup",
"product": "WP SuperBackup",
"vendor": "azzaroco",
"versions": [
{
"changes": [
{
"at": "2.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dave Jong (Patchstack)"
}
],
"datePublic": "2026-04-01T16:31:02.017Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects WP SuperBackup: from n/a through \u003c= 2.3.3.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP SuperBackup: from n/a through \u003c= 2.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:40:28.655Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-wp-superbackup/vulnerability/wordpress-wp-superbackup-plugin-2-3-3-unauthenticated-backup-file-download-vulnerability?_s_id=cve"
}
],
"title": "WordPress WP SuperBackup plugin \u003c= 2.3.3 - Unauthenticated Backup File Download Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-56067",
"datePublished": "2024-12-31T12:48:21.629Z",
"dateReserved": "2024-12-14T19:43:18.742Z",
"dateUpdated": "2026-04-01T15:40:28.655Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9290 (GCVE-0-2024-9290)
Vulnerability from cvelistv5 – Published: 2024-12-13 09:27 – Updated: 2026-04-08 17:02
VLAI?
Title
Super Backup & Clone - Migrate for WordPress <= 2.3.3 - Unauthenticated Arbitrary File Upload
Summary
The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_migrate_check() function in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity ?
9.8 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | Super Backup & Clone - Migrate for WordPress |
Affected:
0 , ≤ 2.3.3
(semver)
|
Credits
Tonn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-23T20:09:29.194501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-23T20:09:37.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Super Backup \u0026 Clone - Migrate for WordPress",
"vendor": "azzaroco",
"versions": [
{
"lessThanOrEqual": "2.3.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tonn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Super Backup \u0026 Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_migrate_check() function in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:02:38.179Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7c31d9b3-38b1-49a1-b361-ffe97e02bff0?source=cve"
},
{
"url": "https://codecanyon.net/item/super-backup-clone-migrate-for-wordpress/12943030"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-12T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Super Backup \u0026 Clone - Migrate for WordPress \u003c= 2.3.3 - Unauthenticated Arbitrary File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9290",
"datePublished": "2024-12-13T09:27:28.638Z",
"dateReserved": "2024-09-27T15:51:16.610Z",
"dateUpdated": "2026-04-08T17:02:38.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43242 (GCVE-0-2024-43242)
Vulnerability from cvelistv5 – Published: 2024-08-19 17:09 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress Indeed Ultimate Membership Pro plugin <= 12.7 - Unauthenticated PHP Object Injection vulnerability
Summary
Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | Ultimate Membership Pro |
Affected:
0 , ≤ 12.7
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:azzaroco:ultimate_membership_pro:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "ultimate_membership_pro",
"vendor": "azzaroco",
"versions": [
{
"lessThanOrEqual": "12.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43242",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T13:52:29.251791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T15:01:00.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "indeed-membership-pro",
"product": "Ultimate Membership Pro",
"vendor": "azzaroco",
"versions": [
{
"changes": [
{
"at": "12.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "12.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:19.052Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.\u003cp\u003eThis issue affects Ultimate Membership Pro: from n/a through \u003c= 12.7.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through \u003c= 12.7."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:45.858Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-membership-pro/vulnerability/wordpress-indeed-ultimate-membership-pro-plugin-12-6-unauthenticated-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Indeed Ultimate Membership Pro plugin \u003c= 12.7 - Unauthenticated PHP Object Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43242",
"datePublished": "2024-08-19T17:09:19.273Z",
"dateReserved": "2024-08-09T09:20:24.968Z",
"dateUpdated": "2026-04-01T15:34:45.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43240 (GCVE-0-2024-43240)
Vulnerability from cvelistv5 – Published: 2024-08-19 17:07 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress Indeed Ultimate Membership Pro plugin <= 12.7 - Unauthenticated Privilege Escalation vulnerability
Summary
Improper Authentication vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7.
Severity ?
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | Ultimate Membership Pro |
Affected:
0 , ≤ 12.7
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpindeed:ultimate_membership_pro:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "ultimate_membership_pro",
"vendor": "wpindeed",
"versions": [
{
"lessThanOrEqual": "12.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43240",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T17:15:57.297001Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T17:21:05.288Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "indeed-membership-pro",
"product": "Ultimate Membership Pro",
"vendor": "azzaroco",
"versions": [
{
"changes": [
{
"at": "12.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "12.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:09.158Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Authentication vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.\u003cp\u003eThis issue affects Ultimate Membership Pro: from n/a through \u003c= 12.7.\u003c/p\u003e"
}
],
"value": "Improper Authentication vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through \u003c= 12.7."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:45.526Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-membership-pro/vulnerability/wordpress-indeed-ultimate-membership-pro-plugin-12-6-unauthenticated-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress Indeed Ultimate Membership Pro plugin \u003c= 12.7 - Unauthenticated Privilege Escalation vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43240",
"datePublished": "2024-08-19T17:07:00.787Z",
"dateReserved": "2024-08-09T09:20:24.968Z",
"dateUpdated": "2026-04-01T15:34:45.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43241 (GCVE-0-2024-43241)
Vulnerability from cvelistv5 – Published: 2024-08-18 21:27 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress Indeed Ultimate Membership Pro plugin <= 12.7 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| azzaroco | Ultimate Membership Pro |
Affected:
0 , ≤ 12.7
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43241",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T15:05:16.467164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T13:28:41.210Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://codecanyon.net",
"defaultStatus": "unaffected",
"packageName": "indeed-membership-pro",
"product": "Ultimate Membership Pro",
"vendor": "azzaroco",
"versions": [
{
"changes": [
{
"at": "12.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "12.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:18.538Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.\u003cp\u003eThis issue affects Ultimate Membership Pro: from n/a through \u003c= 12.7.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through \u003c= 12.7."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:45.694Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/indeed-membership-pro/vulnerability/wordpress-indeed-ultimate-membership-pro-plugin-12-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Indeed Ultimate Membership Pro plugin \u003c= 12.7 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43241",
"datePublished": "2024-08-18T21:27:01.320Z",
"dateReserved": "2024-08-09T09:20:24.968Z",
"dateUpdated": "2026-04-01T15:34:45.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}