
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808
Critical: 39
High: 132
Medium: 616
Showing 601-620 of 808 records
Threat Entry Updated 2024-11-21

CVE-2021-24423 - Before 1 Plugin

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.6.59 does not sanitise its updraft_service settings, allowing high privilege users to set a malicious JavaScript payload in it, leading to a Stored Cross-Site Scripting issue.

PLUGIN Before 1

CVE-2021-24423

MEDIUM CVSS 4.8 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-24733 - Before 1 Plugin

The WP Post Page Clone WordPress plugin before 1.2 allows users with a role as low as Contributor to clone and view other users' draft and password-protected posts which they cannot view normally.

PLUGIN Before 1

CVE-2021-24733

MEDIUM CVSS 4.3 2022-01-24
Threat Entry Updated 2024-11-21

CVE-2021-25024 - Before 1 Plugin

The EventCalendar WordPress plugin before 1.1.51 does not escape some user input before outputting it back in attributes, leading to Reflected Cross-Site Scripting issues.

PLUGIN Before 1

CVE-2021-25024

MEDIUM CVSS 6.1 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-24909 - Before 1 Plugin

The ACF Photo Gallery Field WordPress plugin before 1.7.5 does not sanitise and escape the post parameter in the includes/acf_photo_gallery_metabox_edit.php file before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 1

CVE-2021-24909

MEDIUM CVSS 6.1 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-25005 - Before 1 Plugin

The SEUR Oficial WordPress plugin before 1.7.0 does not sanitize and escape some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2021-25005

MEDIUM CVSS 4.8 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-25025 - Before 1 Plugin

The EventCalendar WordPress plugin before 1.1.51 does not have proper authorisation and CSRF checks in the add_calendar_event AJAX action, allowing users with a role as low as Subscriber to create events.

PLUGIN Before 1

CVE-2021-25025

MEDIUM CVSS 4.3 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-25047 - Before 1 Plugin

The 10Web Social Photo Feed WordPress plugin before 1.4.29 was affected by a reflected Cross-Site Scripting (XSS) vulnerability in the wdi_apply_changes admin page, allowing an attacker to perform such an attack against any logged-in user.

PLUGIN Before 1

CVE-2021-25047

MEDIUM CVSS 6.1 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-25043 - Before 1 Plugin

The WOOCS WordPress plugin before 1.3.7.3 does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 1

CVE-2021-25043

MEDIUM CVSS 6.1 2022-01-10
Threat Entry Updated 2025-05-22

CVE-2021-25022 - Before 1 Plugin

The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.66 does not sanitise and escape the backup_timestamp and job_id parameters before outputting them back in admin pages, leading to Reflected Cross-Site Scripting issues.

PLUGIN Before 1

CVE-2021-25022

MEDIUM CVSS 6.1 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24831 - Before 1 Plugin

All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs.

PLUGIN Before 1

CVE-2021-24831

HIGH CVSS 7.5 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24828 - Before 1 Plugin

The Mortgage Calculator / Loan Calculator WordPress plugin before 1.5.17 does not escape some of the attributes of its mlcalc shortcode before outputting them, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2021-24828

MEDIUM CVSS 5.4 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24997 - Before 1 Plugin

The WP Guppy WordPress plugin before 1.3 does not have any authorisation checks in some of its REST API endpoints, allowing any user to call them, which could lead to sensitive information disclosure, such as usernames and chats between users, and allow sending messages as an arbitrary user.

PLUGIN Before 1

CVE-2021-24997

MEDIUM CVSS 6.5 2021-12-27
Threat Entry Updated 2024-11-21

CVE-2021-24967 - Before 1 Plugin

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against a logged-in admin viewing the inserted Leads.

PLUGIN Before 1

CVE-2021-24967

MEDIUM CVSS 6.1 2021-12-27
Threat Entry Updated 2024-11-21

CVE-2021-24753 - Before 1 Plugin

The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue.

PLUGIN Before 1

CVE-2021-24753

HIGH CVSS 7.2 2021-12-27
Threat Entry Updated 2024-11-21

CVE-2021-24902 - Before 1 Plugin

The Typebot | Build beautiful conversational forms WordPress plugin before 1.4.3 does not sanitise and escape the Publish ID setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2021-24902

MEDIUM CVSS 4.8 2021-12-27
Threat Entry Updated 2024-11-21

CVE-2021-24846 - Before 1 Plugin

The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, which is available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user, such as a subscriber.

PLUGIN Before 1

CVE-2021-24846

HIGH CVSS 8.8 2021-12-21
Threat Entry Updated 2024-11-21

CVE-2021-24907 - Before 1 Plugin

The Contact Form, Drag and Drop Form Builder for WordPress plugin before 1.8.0 does not escape the status parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 1

CVE-2021-24907

MEDIUM CVSS 6.1 2021-12-21
Threat Entry Updated 2024-11-21

CVE-2021-24855 - Before 1 Plugin

The Display Post Metadata WordPress plugin before 1.5.0 adds a shortcode to print out custom fields; however, their content is not sanitised or escaped, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2021-24855

MEDIUM CVSS 5.4 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24896 - Before 1 Plugin

The Caldera Forms WordPress plugin before 1.9.5 does not sanitise and escape the Form Name before outputting it in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 1

CVE-2021-24896

MEDIUM CVSS 4.8 2021-12-13