
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808 (Critical: 39, High: 132, Medium: 616)
Showing 221-240 of 808 records
Threat Entry Updated 2024-11-21

CVE-2023-5641 - Before 1 Plugin

The Martins Free & Easy SEO BackLink Link Building Network WordPress plugin before 1.2.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 1

CVE-2023-5641

MEDIUM CVSS 6.1 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5942 - Before 1 Plugin

The Medialist WordPress plugin before 1.4.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-5942

MEDIUM CVSS 5.4 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5738 - Before 1 Plugin

The WordPress Backup & Migration WordPress plugin before 1.4.4 does not sanitise and escape some parameters, which could allow users with a role as low as Subscriber to perform Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2023-5738

MEDIUM CVSS 5.4 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5737 - Before 1 Plugin

The WordPress Backup & Migration WordPress plugin before 1.4.4 does not authorize some AJAX requests, allowing users with a role as low as Subscriber to update some plugin settings.

PLUGIN Before 1

CVE-2023-5737

MEDIUM CVSS 4.3 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5119 - Before 1 Plugin

The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 1

CVE-2023-5119

MEDIUM CVSS 4.8 2023-11-20
Threat Entry Updated 2025-03-25

CVE-2023-5601 - Before 1 Plugin

The WooCommerce Ninja Forms Product Add-ons WordPress plugin before 1.7.1 does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE.

PLUGIN Before 1

CVE-2023-5601

CRITICAL CVSS 9.8 2023-11-06
Threat Entry Updated 2024-11-21

CVE-2023-5605 - Before 1 Plugin

The URL Shortify WordPress plugin before 1.7.9.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 1

CVE-2023-5605

MEDIUM CVSS 4.8 2023-11-06
Threat Entry Updated 2025-02-26

CVE-2023-5082 - Before 1 Plugin

The History Log by click5 WordPress plugin before 1.0.13 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when using the Smash Balloon Social Photo Feed plugin alongside it.

PLUGIN Before 1

CVE-2023-5082

HIGH CVSS 7.2 2023-11-06
Threat Entry Updated 2024-11-21

CVE-2023-5360 - Before 1 Plugin

The Royal Elementor Addons and Templates WordPress plugin before 1.3.79 does not properly validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP, and achieve RCE.

PLUGIN Before 1

CVE-2023-5360

CRITICAL CVSS 9.8 2023-10-31
Threat Entry Updated 2025-04-22

CVE-2023-5237 - Before 1 Plugin

The Memberlite Shortcodes WordPress plugin before 1.3.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.

PLUGIN Before 1

CVE-2023-5237

MEDIUM CVSS 5.4 2023-10-31
Threat Entry Updated 2025-04-23

CVE-2023-5229 - Before 1 Plugin

The E2Pdf WordPress plugin before 1.20.20 does not sanitize and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2023-5229

MEDIUM CVSS 4.8 2023-10-31
Threat Entry Updated 2025-04-23

CVE-2023-5798 - Before 1 Plugin

The Assistant WordPress plugin before 1.4.4 does not validate a parameter before making a request to it via wp_remote_get(), which could allow users with a role as low as Editor to perform SSRF attacks.

PLUGIN Before 1

CVE-2023-5798

HIGH CVSS 8.8 2023-10-26
Threat Entry Updated 2025-04-23

CVE-2023-4861 - Before 1 Plugin

The File Manager Pro WordPress plugin before 1.8.1 allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution.

PLUGIN Before 1

CVE-2023-4861

HIGH CVSS 7.2 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-5087 - Before 1 Plugin

The Page Builder: Pagelayer WordPress plugin before 1.7.8 doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code.

PLUGIN Before 1

CVE-2023-5087

MEDIUM CVSS 5.4 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-5057 - Before 1 Plugin

The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting it in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks.

PLUGIN Before 1

CVE-2023-5057

MEDIUM CVSS 5.4 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-4862 - Before 1 Plugin

The File Manager Pro WordPress plugin before 1.8.1 does not adequately validate and escape some inputs, leading to XSS by high-privilege users.

PLUGIN Before 1

CVE-2023-4862

MEDIUM CVSS 4.8 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4819 - Before 1 Plugin

The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts.

PLUGIN Before 1

CVE-2023-4819

MEDIUM CVSS 6.1 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4687 - Before 1 Plugin

The Page Builder: Pagelayer WordPress plugin before 1.7.7 doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts.

PLUGIN Before 1

CVE-2023-4687

MEDIUM CVSS 6.1 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4821 - Before 1 Plugin

The Drag and Drop Multiple File Upload for WooCommerce WordPress plugin before 1.1.1 does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts.

PLUGIN Before 1

CVE-2023-4821

MEDIUM CVSS 5.4 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-4798 - Before 1 Plugin

The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcode attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks.

PLUGIN Before 1

CVE-2023-4798

MEDIUM CVSS 5.4 2023-10-16