
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 808 records: Critical 39, High 132, Medium 616. Showing records 681-700 of 808.
CVE-2021-24734 (MEDIUM, CVSS 5.4, 2021-10-18; entry updated 2024-11-21)

The Compact WP Audio Player WordPress plugin before 1.9.7 does not escape some of its shortcode attributes, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-24732 (MEDIUM, CVSS 5.4, 2021-10-18; entry updated 2024-11-21)

The PDF Flipbook, 3D Flipbook WordPress – DearFlip WordPress plugin before 1.7.10 does not escape the class attribute of its shortcode before outputting it back in an attribute, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-24740 (MEDIUM, CVSS 4.8, 2021-10-18; entry updated 2024-11-21)

The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24736 (MEDIUM, CVSS 4.8, 2021-10-18; entry updated 2024-11-21)

The Easy Download Manager and File Sharing Plugin with frontend file upload – a better Media Library — Shared Files WordPress plugin before 1.6.57 does not sanitise and escape some of its settings before outputting them in attributes, which could lead to Stored Cross-Site Scripting issues.
CVE-2021-24413 (MEDIUM, CVSS 5.4, 2021-10-18; entry updated 2024-11-21)

The Easy Twitter Feed WordPress plugin before 1.2 does not sanitise or validate the parameters from its shortcode, allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them, which will be triggered in the page(s) embedding the malicious shortcode.
CVE-2021-24683 (MEDIUM, CVSS 5.4, 2021-10-11; entry updated 2024-11-21)

The Weather Effect WordPress plugin before 1.3.4 does not have any CSRF checks in place when saving its settings, and does not validate or escape them, which could lead to a Stored Cross-Site Scripting issue.
CVE-2021-24709 (MEDIUM, CVSS 4.8, 2021-10-11; entry updated 2024-11-21)

The Weather Effect WordPress plugin before 1.3.6 does not properly validate and escape some of its settings (like *_size_leaf, *_flakes_leaf, *_speed), which could lead to Stored Cross-Site Scripting issues.
CVE-2021-24546 (HIGH, CVSS 8.8, 2021-10-11; entry updated 2024-11-21)

The Gutenberg Block Editor Toolkit – EditorsKit WordPress plugin before 1.31.6 does not sanitise and validate the Conditional Logic of the Custom Visibility settings, allowing users with a role as low as Contributor to execute arbitrary PHP code.
CVE-2021-24679 (MEDIUM, CVSS 6.1, 2021-10-04; entry updated 2024-11-21)

The Bitcoin / AltCoin Payment Gateway for WooCommerce WordPress plugin before 1.6.1 does not escape the 's' GET parameter before outputting it back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24676 (MEDIUM, CVSS 6.1, 2021-10-04; entry updated 2024-11-21)

The Better Find and Replace WordPress plugin before 1.2.9 does not escape the 's' GET parameter before outputting it back in the All Masking Rules page, leading to a Reflected Cross-Site Scripting issue.
CVE-2021-24673 (MEDIUM, CVSS 4.8, 2021-10-04; entry updated 2024-11-21)

The Appointment Hour Booking WordPress plugin before 1.3.16 does not escape some of the Calendar Form settings, allowing high privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
CVE-2021-24643 (MEDIUM, CVSS 5.4, 2021-09-27; entry updated 2024-11-21)

The WP Map Block WordPress plugin before 1.2.3 does not escape some attributes of the WP Map Block, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.
CVE-2021-24633 (MEDIUM, CVSS 4.3, 2021-09-27; entry updated 2024-11-21)

The Countdown Block WordPress plugin before 1.1.2 does not have authorisation in the eb_write_block_css AJAX action, which allows any authenticated user, such as Subscriber, to modify post contents displayed to users.
CVE-2021-24618 (MEDIUM, CVSS 5.4, 2021-09-20; entry updated 2024-11-21)

The Donate With QRCode WordPress plugin before 1.4.5 does not sanitise or escape its QRCode Image setting, which results in a Stored Cross-Site Scripting (XSS) issue. Furthermore, the plugin also does not have any CSRF and capability checks in place when saving that setting, allowing any authenticated user (as low as Subscriber), or an unauthenticated user via a CSRF vector, to update it and perform such an attack.
CVE-2021-24613 (MEDIUM, CVSS 4.8, 2021-09-20; entry updated 2024-11-21)

The Post Views Counter WordPress plugin before 1.3.5 does not sanitise or escape its Post Views Label settings, which could allow high privilege users to perform Cross-Site Scripting attacks in the frontend even when the unfiltered_html capability is disallowed.
CVE-2021-24606 (HIGH, CVSS 8.8, 2021-09-20; entry updated 2024-11-21)

The Availability Calendar WordPress plugin before 1.2.1 does not escape the category attribute from its shortcode before using it in a SQL statement, leading to a SQL Injection issue, which can be exploited by any user able to add shortcodes to posts/pages, such as Contributor and above.
CVE-2021-24587 (MEDIUM, CVSS 5.4, 2021-09-20; entry updated 2024-11-21)

The Splash Header WordPress plugin before 1.20.8 doesn't sanitise and escape some of its settings while outputting them in the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.
CVE-2021-24582 (MEDIUM, CVSS 5.4, 2021-09-20; entry updated 2024-11-21)

The ThinkTwit WordPress plugin before 1.7.1 did not sanitise or escape its "Consumer key" setting before outputting it in its settings page, leading to a Stored Cross-Site Scripting issue.