"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 808
Critical: 39
High: 132
Medium: 616
Showing 121-140 of 808 records
Threat Entry Updated 2024-10-07

CVE-2024-5561 - Before 1 Plugin

The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2024-5561

MEDIUM CVSS 4.8 2024-09-09
Threat Entry Updated 2024-09-11

CVE-2024-6924 - Before 1 Plugin

The TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Before 1

CVE-2024-6924

CRITICAL CVSS 9.8 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6925 - Before 1 Plugin

The TrueBooker WordPress plugin before 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Before 1

CVE-2024-6925

MEDIUM CVSS 4.3 2024-09-08
Threat Entry Updated 2025-05-16

CVE-2024-3673 - Before 1 Plugin

The Web Directory Free WordPress plugin before 1.7.3 does not validate a parameter before using it in an include(), which could lead to Local File Inclusion issues.

PLUGIN Before 1

CVE-2024-3673

CRITICAL CVSS 9.1 2024-08-30
Threat Entry Updated 2025-05-27

CVE-2024-6459 - Before 1 Plugin

The News Element Elementor Blog Magazine WordPress plugin before 1.0.6 is vulnerable to Local File Inclusion via the template parameter. This makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

PLUGIN Before 1

CVE-2024-6459

CRITICAL CVSS 9.8 2024-08-17
Threat Entry Updated 2025-06-12

CVE-2024-6270 - Before 1 Plugin

The Community Events WordPress plugin before 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2024-6270

MEDIUM CVSS 4.8 2024-08-05
Threat Entry Updated 2025-08-22

CVE-2024-6477 - Before 1 Plugin

The UsersWP WordPress plugin before 1.2.12 uses predictable filenames when an admin generates an export, which could allow unauthenticated attackers to download them and retrieve sensitive information such as IP, username, and email address

PLUGIN Before 1

CVE-2024-6477

HIGH CVSS 7.5 2024-08-03
Threat Entry Updated 2025-04-10

CVE-2024-6529 - Before 1 Plugin

The Ultimate Classified Listings WordPress plugin before 1.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Before 1

CVE-2024-6529

HIGH CVSS 7.1 2024-08-01
Threat Entry Updated 2026-01-30

CVE-2024-6412 - Before 1 Plugin

The HTML Forms WordPress plugin before 1.3.34 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

PLUGIN Before 1

CVE-2024-6412

MEDIUM CVSS 6.5 2024-07-31
Threat Entry Updated 2025-05-06

CVE-2024-6408 - Before 1 Plugin

The Slider by 10Web WordPress plugin before 1.2.57 does not sanitise and escape its Slider Title, which could allow high privilege users such as editors and above to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

PLUGIN Before 1

CVE-2024-6408

MEDIUM CVSS 5.4 2024-07-31
Threat Entry Updated 2025-05-28

CVE-2024-3669 - Before 1 Plugin

The Web Directory Free WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Before 1

CVE-2024-3669

MEDIUM CVSS 6.8 2024-07-30
Threat Entry Updated 2025-08-22

CVE-2024-1287 - Before 1 Plugin

The pmpro-member-directory WordPress plugin before 1.2.6 does not prevent users with at least the contributor role from leaking other users' sensitive information, including password hashes via an SQLi vector.

PLUGIN Before 1

CVE-2024-1287

MEDIUM CVSS 6.5 2024-07-30
Threat Entry Updated 2025-04-10

CVE-2024-5882 - Before 1 Plugin

The Ultimate Classified Listings WordPress plugin before 1.3 does not validate the `ucl_page` and `layout` parameters, allowing unauthenticated users to access PHP files on the server from the listings page.

PLUGIN Before 1

CVE-2024-5882

HIGH CVSS 7.5 2024-07-29
Threat Entry Updated 2025-04-10

CVE-2024-5883 - Before 1 Plugin

The Ultimate Classified Listings WordPress plugin before 1.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Before 1

CVE-2024-5883

MEDIUM CVSS 4.7 2024-07-29
Threat Entry Updated 2025-03-19

CVE-2024-6244 - Before 1 Plugin

The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

PLUGIN Before 1

CVE-2024-6244

HIGH CVSS 8.8 2024-07-22
Threat Entry Updated 2024-11-21

CVE-2024-6271 - Before 1 Plugin

The Community Events WordPress plugin before 1.5 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete arbitrary events via a CSRF attack.

PLUGIN Before 1

CVE-2024-6271

MEDIUM CVSS 5.4 2024-07-22
Threat Entry Updated 2026-01-30

CVE-2024-6243 - Before 1 Plugin

The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled.

PLUGIN Before 1

CVE-2024-6243

MEDIUM CVSS 4.8 2024-07-22
Threat Entry Updated 2024-11-21

CVE-2024-5004 - Before 1 Plugin

The CM Popup Plugin for WordPress WordPress plugin before 1.6.6 does not sanitise and escape some of the campaign settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks

PLUGIN Before 1

CVE-2024-5004

MEDIUM CVSS 4.8 2024-07-22
Threat Entry Updated 2025-03-17

CVE-2024-6289 - Before 1 Plugin

The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.

PLUGIN Before 1

CVE-2024-6289

MEDIUM CVSS 6.1 2024-07-15
Threat Entry Updated 2025-05-20

CVE-2024-5713 - Before 1 Plugin

The If-So Dynamic Content Personalization WordPress plugin before 1.8.0.4 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers

PLUGIN Before 1

CVE-2024-5713

MEDIUM CVSS 5.4 2024-07-13