Vulnerabilities > Cozmoslabs

DATE CVE VULNERABILITY TITLE RISK
2021-08-02 CVE-2021-24448 Cross-site Scripting vulnerability in Cozmoslabs Profile Builder
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.8 does not sanitise or escape its 'Modify default Redirect Delay timer' setting, allowing high privilege users to use JavaScript code in it, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue
network
low complexity
cozmoslabs CWE-79
4.8
2021-08-02 CVE-2021-24473 Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture
The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).
network
low complexity
cozmoslabs CWE-639
5.5
2021-04-05 CVE-2021-24170 Information Exposure vulnerability in Cozmoslabs User Profile Picture
The REST API endpoint get_users in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the upload_files capability.
network
low complexity
cozmoslabs CWE-200
5.0
2019-08-22 CVE-2015-9337 Improper Access Control vulnerability in Cozmoslabs Profile Builder
The profile-builder plugin before 2.1.4 for WordPress has no access control for activating or deactivating addons via AJAX.
network
low complexity
cozmoslabs CWE-284
5.0
2019-08-21 CVE-2016-10911 Cross-site Scripting vulnerability in Cozmoslabs Profile Builder
The profile-builder plugin before 2.4.2 for WordPress has multiple XSS issues.
network
cozmoslabs CWE-79
4.3
2019-08-21 CVE-2015-9328 Cross-site Scripting vulnerability in Cozmoslabs Profile Builder
The profile-builder plugin before 2.2.5 for WordPress has XSS.
network
cozmoslabs CWE-79
4.3
2019-08-21 CVE-2014-10380 Cross-site Scripting vulnerability in Cozmoslabs Profile Builder
The profile-builder plugin before 1.1.66 for WordPress has multiple XSS issues in forms.
network
cozmoslabs CWE-79
4.3
2017-10-06 CVE-2014-8492 Cross-site Scripting vulnerability in Cozmoslabs Profile Builder
Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fallback-page.php in the Profile Builder plugin before 2.0.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) site_name, (2) message, or (3) site_url parameter.
network
cozmoslabs CWE-79
4.3