Vulnerabilities > Metagauss

DATE | CVE | VULNERABILITY TITLE | RISK

2022-11-17 | CVE-2022-41791 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Metagauss Profilegrid | 8.8
Auth.
network, low complexity; metagauss; CWE-1236

2022-11-14 | CVE-2022-3578 | Cross-site Scripting vulnerability in Metagauss Profilegrid | 6.1
The ProfileGrid WordPress plugin before 5.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.
network, low complexity; metagauss; CWE-79

2022-03-07 | CVE-2022-0420 | SQL Injection vulnerability in Metagauss Registrationmagic | 6.5
The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high privilege users to perform SQL injection attacks.
network, low complexity; metagauss; CWE-89

2022-02-01 | CVE-2021-24648 | Cross-site Scripting vulnerability in Metagauss Registrationmagic | 4.3
The RegistrationMagic WordPress plugin before 5.0.1.9 does not sanitise and escape the rm_search_value parameter before outputting back in an attribute, leading to a Reflected Cross-Site Scripting.
network; metagauss; CWE-79

2022-01-18 | CVE-2022-0232 | Cross-site Scripting vulnerability in Metagauss Leadmagic | 3.5
The User Registration, Login & Landing Pages WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the loader_text parameter found in the ~/includes/templates/landing-page.php file which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.2.7.
network; metagauss; CWE-79

2022-01-18 | CVE-2022-0233 | Cross-site Scripting vulnerability in Metagauss Profilegrid | 3.5
The ProfileGrid – User Profiles, Memberships, Groups and Communities WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping via the pm_user_avatar and pm_cover_image parameters found in the ~/admin/class-profile-magic-admin.php file which allows attackers with authenticated user access, such as subscribers, to inject arbitrary web scripts into their profile, in versions up to and including 1.2.7.
network; metagauss; CWE-79

2022-01-10 | CVE-2021-24862 | SQL Injection vulnerability in Metagauss Registrationmagic | 6.5
The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.
network, low complexity; metagauss; CWE-89

2021-12-14 | CVE-2021-4073 | Improper Authentication vulnerability in Metagauss Registrationmagic | 6.8
The RegistrationMagic WordPress plugin made it possible for unauthenticated users to log in as any site user, including administrators, if they knew a valid username on the site due to missing identity validation in the social login function social_login_using_email() of the plugin.
network; metagauss; CWE-287

2021-11-23 | CVE-2021-24703 | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss Download Plugin | 5.7
The Download Plugin WordPress plugin before 1.6.1 does not have capability and CSRF checks in the dpwap_plugin_activate AJAX action, allowing any authenticated users, such as subscribers, to activate plugins that are already installed.
network, low complexity; metagauss; CWE-352

2020-03-12 | CVE-2020-8436 | Cross-site Scripting vulnerability in Metagauss Registrationmagic 4.6.0.0 | 4.3
XSS was discovered in the RegistrationMagic plugin 4.6.0.0 for WordPress via the rm_form_id, rm_tr, or form_name parameter.
network; metagauss; CWE-79