GCVE - cpe:2.3:a:wedevs:wp_erp:-:*:*:*:*:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:wedevs:wp_erp:-:*:*:*:*:wordpress:*:*

part: a version: - update: *

Vendor	Wedevs (`74af2ef9-c755-5b07-93a2-5a3afa051904`)
Product	Wp Erp (`59ffc0ab-f740-5808-8906-7dfc2d960835`)
Edition	*
Language	*
Software edition	*
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2024-6666`	vulnerable	2026-06-03 14:58:03.824389	WP ERP <= 1.13.0 - Authenticated (Accounting Manager+) SQL Injection via vendor_id HIGH (8.8) The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’ and 'status' parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Accounting Manager access (erp_ac_view_sales_summary capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Published: 2024-07-11T06:43:13.765Z Updated: 2026-04-08T17:29:08.534Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/e23335c9-0830-4c6b-8e0d-6897a7176ba5?source=cve https://plugins.trac.wordpress.org/changeset/3064874/erp/tags/1.13.1/modules/accounting/includes/functions/transactions.php	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-0956`	vulnerable	2026-06-03 14:54:04.565036	WP ERP <= 1.13.0 - Authenticated (AccountingManager+) SQL Injection MEDIUM (4.9) The WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter via the erp/v1/accounting/v1/vendors/1/products/ REST route in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin or accounting manager privileges, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Published: 2024-03-29T06:44:03.130Z Updated: 2026-04-08T17:25:55.580Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/d4e04650-624a-4440-b166-8de0f24bb1dd?source=cve https://plugins.trac.wordpress.org/browser/erp/trunk/modules/accounting/includes/functions/products.php#L387 https://plugins.trac.wordpress.org/changeset/3064874	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-0952`	vulnerable	2026-06-03 14:54:04.556408	WP ERP <= 1.12.9 - Authenticated (Accounting Manager+) SQL Injection via id HIGH (7.2) The WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in all versions up to, and including, 1.12.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with accounting manager or admin privileges or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Published: 2024-04-09T18:59:32.870Z Updated: 2026-04-08T17:32:57.411Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/f3ba06f9-de51-49ea-87c1-4583e939314b?source=cve https://plugins.trac.wordpress.org/changeset/3060269/erp/tags/1.13.0/modules/accounting/includes/functions/people.php	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-0608`	vulnerable	2026-06-03 14:54:03.046114	WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting <= 1.13.1 - Authenticated (Subscriber+) SQL Injection MEDIUM (6.5) The WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting plugin for WordPress is vulnerable to union-based SQL Injection via the 'email' parameter in all versions up to, and including, 1.13.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Published: 2024-03-29T06:44:01.096Z Updated: 2026-04-08T17:02:14.099Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/79da7239-0343-465e-8dda-44ff440939c4?source=cve https://plugins.trac.wordpress.org/browser/erp/trunk/includes/Admin/Ajax.php#L471 https://plugins.trac.wordpress.org/changeset/3071807	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.