Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

CVE-2022-2448 - reSmush.it plugin before 0.4.6

The reSmush.it WordPress plugin before 0.4.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Severity: MEDIUM (CVSS 4.8) | 2022-10-10 | Threat entry updated 2024-11-21
CVE-2022-2863 - Migration, Backup, Staging plugin before 0.9.76

The Migration, Backup, Staging WordPress plugin before 0.9.76 does not sanitise and validate a parameter before using it to read the content of a file, allowing high privilege users to read any file from the web server via a Traversal attack.

Severity: MEDIUM (CVSS 4.9) | 2022-09-16 | Threat entry updated 2024-11-21
CVE-2022-1539 - Exports and Reports plugin before 0.9.2

The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.

Severity: HIGH (CVSS 8.8) | 2022-07-25 | Threat entry updated 2024-11-21
CVE-2022-2187 - Contact Form 7 Captcha plugin before 0.1.2

The Contact Form 7 Captcha WordPress plugin before 0.1.2 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

Severity: MEDIUM (CVSS 6.1) | 2022-07-17 | Threat entry updated 2024-11-21
CVE-2022-0418 - Event List plugin before 0.8.8

The Event List WordPress plugin before 0.8.8 does not sanitise and escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks against other admins even when unfiltered_html is disallowed.

Severity: MEDIUM (CVSS 4.8) | 2022-05-02 | Threat entry updated 2024-11-21
CVE-2022-0531 - Migration, Backup, Staging plugin before 0.9.70

The Migration, Backup, Staging WordPress plugin before 0.9.70 does not sanitise and escape the sub_page parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting.

Severity: MEDIUM (CVSS 6.1) | 2022-04-11 | Threat entry updated 2024-11-21
CVE-2022-0150 - WP Accessibility Helper (WAH) plugin before 0.6.0.7

The WP Accessibility Helper (WAH) WordPress plugin before 0.6.0.7 does not sanitise and escape the wahi parameter before outputting its base64-decoded value back in the page, leading to a Reflected Cross-Site Scripting issue.

Severity: MEDIUM (CVSS 6.1) | 2022-02-28 | Threat entry updated 2024-11-21
CVE-2021-24994 - Migration, Backup, Staging plugin before 0.9.69

The Migration, Backup, Staging WordPress plugin before 0.9.69 does not have an authorisation check when adding remote storages, and does not sanitise or escape a parameter from such unauthenticated requests before outputting it in an admin page, leading to a Stored Cross-Site Scripting issue.

Severity: MEDIUM (CVSS 6.1) | 2022-02-28 | Threat entry updated 2024-11-21
CVE-2022-0134 - AnyComment plugin before 0.2.18

The AnyComment WordPress plugin before 0.2.18 does not have CSRF checks in the Import and Revert HyperComments features, allowing attackers to make a logged-in admin perform such actions via a CSRF attack.

Severity: HIGH (CVSS 8.8) | 2022-02-21 | Threat entry updated 2024-11-21
CVE-2022-0279 - AnyComment plugin before 0.2.18

The AnyComment WordPress plugin before 0.2.18 is affected by a race condition when liking/disliking a comment/reply, which could allow any authenticated user to quickly raise their own rating or lower the rating of other users.

Severity: LOW (CVSS 3.1) | 2022-02-21 | Threat entry updated 2024-11-21
CVE-2021-24936 - WP Extra File Types plugin before 0.5.1

The WP Extra File Types WordPress plugin before 0.5.1 does not have a CSRF check when saving its settings, nor does it sanitise and escape some of them, which could allow attackers to make a logged-in admin change them and perform Cross-Site Scripting attacks.

Severity: HIGH (CVSS 8.0) | 2022-01-24 | Threat entry updated 2024-11-21
CVE-2021-24865 - Advanced Custom Fields: Extended plugin before 0.8.8.7

The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue.

Severity: HIGH (CVSS 7.2) | 2022-01-24 | Threat entry updated 2024-11-21
CVE-2021-24838 - AnyComment plugin before 0.3.5

The AnyComment WordPress plugin before 0.3.5 has an API endpoint which passes user input via the redirect parameter to the wp_redirect() function without being validated first, leading to an Open Redirect issue, which according to the vendor, is a feature.

Severity: MEDIUM (CVSS 6.1) | 2022-01-17 | Threat entry updated 2024-11-21
CVE-2021-24914 - Tawk.To Live Chat plugin before 0.6.0

The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, ...). They will also be able to display an arbitrary Knowledge Base. The second…

Severity: HIGH (CVSS 8.0) | 2021-12-06 | Threat entry updated 2024-11-21
CVE-2021-24591 - Highlight plugin before 0.9.3

The Highlight WordPress plugin before 0.9.3 does not sanitise its CustomCSS setting, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM (CVSS 5.4) | 2021-09-06 | Threat entry updated 2024-11-21
CVE-2021-24565 - Contact Form 7 Captcha plugin before 0.0.9

The Contact Form 7 Captcha WordPress plugin before 0.0.9 does not have any CSRF check in place when saving its settings, allowing an attacker to make a logged-in user with the manage_options capability change them. Furthermore, the settings are not escaped when output in attributes, leading to a Stored Cross-Site Scripting issue.

Severity: HIGH (CVSS 8.8) | 2021-08-23 | Threat entry updated 2024-11-21
CVE-2021-24451 - Export Users With Meta plugin before 0.6.5

The Export Users With Meta WordPress plugin before 0.6.5 did not escape the list of roles to export before using them in a SQL statement in the export functionality, available to admins, leading to an authenticated SQL Injection.

Severity: HIGH (CVSS 7.2) | 2021-07-06 | Threat entry updated 2024-11-21