
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 records (Critical 40, High 107, Medium 472). Showing 501-520 of 632.
Threat Entry Updated 2024-11-21

CVE-2021-24970 - All-in-One Video Gallery plugin, before 2.5.0

The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue.

HIGH CVSS 7.2 2021-12-13
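The bug class here is an admin page that builds a require path from a request parameter. The following is an added illustration, not code from the All-in-One Video Gallery plugin: the vulnerable shape beside an allowlisted version. The example_ function names, the tab file names and the directory layout are assumptions.

```php
<?php
// Added illustration of the bug class, not code from the plugin in this entry.
// Function names, tab names and paths are hypothetical.

// Vulnerable shape: the request controls part of a path handed to require.
// A traversal in ?tab= reaches files outside admin/tabs/, and because the file is
// require'd rather than read, any PHP in it executes (an uploaded file whose name
// ends in .php is enough, since ".php" is appended here).
function example_render_admin_tab_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    require plugin_dir_path( __FILE__ ) . 'admin/tabs/' . $tab . '.php';
}

// Hardened shape: the request value only selects a key in a fixed allowlist;
// the path itself comes from the allowlist, never from the request.
function example_render_admin_tab() {
    $tabs = array(
        'general'  => 'admin/tabs/general.php',
        'player'   => 'admin/tabs/player.php',
        'advanced' => 'admin/tabs/advanced.php',
    );

    // sanitize_key() lower-cases and strips everything outside [a-z0-9_-], so
    // "../", null bytes and URL-encoded junk never reach the lookup.
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';

    if ( ! isset( $tabs[ $tab ] ) ) {
        $tab = 'general'; // unknown tab: fall back, never build a path from input
    }

    $file = plugin_dir_path( __FILE__ ) . $tabs[ $tab ];

    // Defence in depth: confirm the resolved path is still inside the plugin
    // directory and names a regular file before including it.
    $base = wp_normalize_path( plugin_dir_path( __FILE__ ) );
    $real = wp_normalize_path( (string) realpath( $file ) );
    if ( '' === $real || 0 !== strpos( $real, $base ) || ! is_file( $real ) ) {
        wp_die( esc_html__( 'Invalid settings tab.', 'example' ) );
    }

    require $real;
}
```

The allowlist alone closes the hole; the realpath check is there so that a later edit which starts building paths from configuration (or a symlinked plugin directory) still cannot walk out of the plugin tree.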
Threat Entry Updated 2024-11-21

CVE-2021-24972 - Pixel Cat plugin, before 2.6.3

The Pixel Cat WordPress plugin before 2.6.3 does not escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-12-13
Threat Entry Updated 2024-11-21

CVE-2021-24943 - Registrations for the Events Calendar plugin, before 2.7.6

The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the event_id in the rtec_send_unregister_link AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL injection.

CRITICAL CVSS 9.8 2021-12-06
Threat Entry Updated 2024-11-21

CVE-2021-24931 - Secure Copy Content Protection and Content Locking plugin, before 2.8.2

The Secure Copy Content Protection and Content Locking WordPress plugin before 2.8.2 does not escape the sccp_id parameter of the ays_sccp_results_export_file AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an SQL injection.

CRITICAL CVSS 9.8 2021-12-06
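Both this entry and CVE-2021-24943 above share a shape: an AJAX action registered on the wp_ajax_nopriv_ hook, so reachable by anyone who can hit admin-ajax.php, that splices a request value into SQL. The following is an added illustration of that shape and its fix, not code from either plugin; the action name, table and column names are hypothetical.

```php
<?php
// Added illustration of the bug class, not code from the plugins in these entries.
// Action, table and column names are hypothetical.

add_action( 'wp_ajax_example_lookup', 'example_ajax_lookup' );
add_action( 'wp_ajax_nopriv_example_lookup', 'example_ajax_lookup' ); // reachable without login

// Vulnerable shape: the request value is spliced straight into the query text.
// With the nopriv hook registered, an unauthenticated client controls the SQL,
// e.g. item_id=0 UNION SELECT user_login,user_pass,0 FROM wp_users
function example_ajax_lookup_vulnerable() {
    global $wpdb;
    $id   = $_POST['item_id'];
    $rows = $wpdb->get_results( "SELECT id, title, created FROM {$wpdb->prefix}example_items WHERE id = $id" );
    wp_send_json_success( $rows );
}

// Hardened shape.
function example_ajax_lookup() {
    global $wpdb;

    // 1. Decide deliberately who may call this. If anonymous access is not a
    //    requirement, do not register the wp_ajax_nopriv_ hook at all.
    // 2. Anti-CSRF: the nonce must have been issued to this session. For a public
    //    endpoint this does not stop an attacker calling it directly (logged-out
    //    nonces are mintable by anyone), so it is not a substitute for step 3.
    check_ajax_referer( 'example_lookup', 'nonce' );

    // 3. Type-constrain the input. An integer id cannot carry SQL.
    $id = isset( $_POST['item_id'] ) ? absint( $_POST['item_id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // 4. Bind it anyway: $wpdb->prepare() takes sprintf-style placeholders
    //    (%d, %s, %f) and escapes each value for the query.
    $sql = $wpdb->prepare(
        "SELECT id, title, created FROM {$wpdb->prefix}example_items WHERE id = %d",
        $id
    );
    $rows = $wpdb->get_results( $sql );

    wp_send_json_success( $rows );
}
```

For a string parameter the same pattern applies with sanitize_text_field() on input and a %s placeholder in prepare(); what does not work is esc_sql() on a value that is then interpolated without quotes, or prepare() with the value concatenated into the format string instead of passed as an argument.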
Threat Entry Updated 2024-11-21

CVE-2021-24924 - Email Log plugin, before 2.4.8

The Email Log WordPress plugin before 2.4.8 does not escape the d parameter before outputting it back in an attribute in the Log page, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-12-06
Threat Entry Updated 2024-11-21

CVE-2021-24759 - PDF.js Viewer plugin, before 2.0.2

The PDF.js Viewer WordPress plugin before 2.0.2 does not escape some of its shortcode and Gutenberg Block attributes, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2021-12-06
Threat Entry Updated 2025-10-17

CVE-2021-24755 - myCred plugin, before 2.3

The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user.

HIGH CVSS 8.8 2021-11-29
Threat Entry Updated 2024-11-21

CVE-2021-24876 - Registrations for the Events Calendar plugin, before 2.7.5

The Registrations for the Events Calendar WordPress plugin before 2.7.5 does not escape the v parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-11-29
Threat Entry Updated 2024-11-21

CVE-2021-24883 - Popup Anything plugin, before 2.0.4

The Popup Anything WordPress plugin before 2.0.4 does not escape the Link Text and Button Text fields of Popup, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2021-11-29
Threat Entry Updated 2024-11-21

CVE-2021-24758 - Email Log plugin, before 2.4.7

The Email Log WordPress plugin before 2.4.7 does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in a SQL statement in the admin dashboard, leading to SQL injections.

HIGH CVSS 8.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24802 - Colorful Categories plugin, before 2.0.15

The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks, which could allow attackers to make a logged in admin or editor change taxonomy colors via a CSRF attack.

MEDIUM CVSS 6.5 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24776 - WP Performance Score Booster plugin, before 2.1

The WP Performance Score Booster WordPress plugin before 2.1 does not have a CSRF check when saving its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

MEDIUM CVSS 4.3 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24844 - Affiliates Manager plugin, before 2.8.7

The Affiliates Manager WordPress plugin before 2.8.7 does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue.

HIGH CVSS 7.2 2021-11-08
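This entry, CVE-2021-24758 (Email Log, orderby/order) and CVE-2021-24755 (myCred, fields) are a different injection shape from the AJAX id case: the request supplies SQL identifiers (column names, sort direction), and identifiers cannot be bound as values, so $wpdb->prepare() and esc_sql() do not help even when used. The only fix is an allowlist. The following is an added illustration, not code from any of the three plugins; table, column and function names are hypothetical.

```php
<?php
// Added illustration of the bug class, not code from the Email Log, Affiliates
// Manager or myCred plugins. Table, column and function names are hypothetical.

// Vulnerable shape: identifiers from the request go into the query text.
//   ?orderby=(SELECT ...)   ?order=ASC,(SELECT ...)   ?fields=user_pass
// A value-escaping function cannot fix this: the attacker is not supplying a value.
function example_list_vulnerable() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'sent_date';
    $order   = isset( $_GET['order'] ) ? $_GET['order'] : 'DESC';
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}example_log ORDER BY $orderby $order" );
}

// Hardened shape: map request values onto a fixed set of identifiers and only
// ever interpolate the allowlisted string. Values are still bound with prepare().
function example_list( array $request ) {
    global $wpdb;

    $sortable   = array( 'id', 'sent_date', 'to_email', 'subject' );           // the only sortable columns
    $selectable = array( 'id', 'sent_date', 'to_email', 'subject', 'result' ); // the only selectable columns

    // sanitize_key() lower-cases and strips to [a-z0-9_-]; the in_array() check
    // is what actually decides, the sanitiser just keeps garbage out of logs.
    $orderby = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'sent_date';
    if ( ! in_array( $orderby, $sortable, true ) ) {
        $orderby = 'sent_date';
    }

    $order = isset( $request['order'] ) ? strtoupper( sanitize_key( $request['order'] ) ) : 'DESC';
    if ( 'ASC' !== $order && 'DESC' !== $order ) {
        $order = 'DESC';
    }

    // A caller-supplied column list (the myCred "fields" shape) gets the same
    // treatment: intersect with the allowlist, never let the request name columns.
    $requested = isset( $request['fields'] )
        ? array_map( 'sanitize_key', (array) $request['fields'] )
        : $selectable;
    $selected = array_values( array_intersect( $requested, $selectable ) );
    if ( empty( $selected ) ) {
        $selected = $selectable;
    }

    // Genuine values (paging) are bound as %d placeholders.
    $per_page = isset( $request['per_page'] ) ? absint( $request['per_page'] ) : 20;
    $per_page = min( max( $per_page, 1 ), 100 );
    $offset   = isset( $request['offset'] ) ? absint( $request['offset'] ) : 0;

    $sql = $wpdb->prepare(
        'SELECT ' . implode( ', ', $selected )
            . " FROM {$wpdb->prefix}example_log ORDER BY $orderby $order LIMIT %d OFFSET %d",
        $per_page,
        $offset
    );
    return $wpdb->get_results( $sql );
}
```

Core's sanitize_sql_orderby() is an alternative for the ORDER BY clause (it validates the syntax and returns false otherwise), but it still accepts any column name, so it does not replace the allowlist when the column set should be restricted.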
Threat Entry Updated 2024-11-21

CVE-2021-24832 - WP SEO Redirect 301 plugin, before 2.3.2

The WP SEO Redirect 301 WordPress plugin before 2.3.2 does not have a CSRF check in place when deleting redirects, which could allow attackers to make a logged in admin delete them via a CSRF attack.

MEDIUM CVSS 4.3 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24783 - Post Expirator plugin, before 2.6.0

The Post Expirator WordPress plugin before 2.6.0 does not have proper capability checks in place, which could allow users with a role as low as Contributor to schedule deletion of arbitrary posts.

MEDIUM CVSS 6.5 2021-11-08
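The three CSRF entries above (CVE-2021-24802, CVE-2021-24776, CVE-2021-24832) and this capability-check entry are the two halves of the same control: a nonce proves the request was intended by the user, a capability check proves the user is allowed to do it to that object, and neither replaces the other. The following is an added illustration, not code from the Colorful Categories, WP Performance Score Booster, WP SEO Redirect 301 or Post Expirator plugins; option, action, nonce and meta-key names are hypothetical.

```php
<?php
// Added illustration, not code from the plugins in these entries.
// Option, action, nonce and meta-key names are hypothetical.

// ---- CSRF on a settings form ----

// Form side: emit a nonce bound to this action with the form.
function example_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_settings">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="text" name="example_color" value="' . esc_attr( get_option( 'example_color', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

// Vulnerable shape: a logged-in admin who lands on an attacker's page that
// auto-submits this form has the setting changed; nothing here proves intent.
function example_save_settings_vulnerable() {
    update_option( 'example_color', $_POST['example_color'] );
}

// Hardened shape: verify the nonce (check_admin_referer() dies on failure) AND the
// capability. A nonce alone is not authorisation; a capability alone does not stop CSRF.
add_action( 'admin_post_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ) );
    }
    $color = isset( $_POST['example_color'] ) ? wp_unslash( $_POST['example_color'] ) : '';
    if ( ! preg_match( '/^#[0-9a-fA-F]{6}$/', $color ) ) {
        $color = ''; // validate the value too; the nonce says nothing about content
    }
    update_option( 'example_color', $color );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// ---- Authorisation on the object, not just the role ----
// Scheduling deletion of a post must be allowed for THAT post. 'delete_post' is a
// meta capability WordPress maps to delete_posts / delete_others_posts /
// delete_published_posts according to the post's author and status, so a
// Contributor passes for their own draft and fails for anyone else's post.
add_action( 'wp_ajax_example_schedule_delete', 'example_schedule_delete' );
function example_schedule_delete() {
    check_ajax_referer( 'example_schedule_delete', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( 'unknown post', 404 );
    }
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $when = isset( $_POST['when'] ) ? absint( $_POST['when'] ) : 0;
    if ( $when <= time() ) {
        wp_send_json_error( 'expiry must be in the future', 400 );
    }
    update_post_meta( $post_id, '_example_expire_at', $when );
    wp_send_json_success( array( 'post_id' => $post_id, 'expire_at' => $when ) );
}
```

The usual mistake behind "role as low as Contributor" findings is checking a broad capability such as edit_posts (which Contributors have) instead of the per-object meta capability with the post id as the second argument.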
Threat Entry Updated 2024-11-21

CVE-2021-24721 - Loco Translate plugin, before 2.5.4

The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations.

MEDIUM CVSS 6.5 2021-11-08
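The lesson of this entry is that a file-write feature is only as safe as the control over the file name, and that a rename is just another write of a name. The following is an added illustration of filename validation for a translation-file save, not code from Loco Translate; the directory, allowed extensions and function names are assumptions.

```php
<?php
// Added illustration of the bug class, not code from the Loco Translate plugin.
// Directory, allowed extensions and function names are hypothetical.

// Vulnerable shape: the caller names the file. Writing translator-controlled text to
// anything.php under a web-served directory turns a text-editing feature into code
// execution, and a traversal in the name escapes the intended folder.
function example_save_translation_vulnerable( $name, $contents ) {
    file_put_contents( WP_CONTENT_DIR . '/languages/example/' . $name, $contents );
}

// Hardened shape: the extension must be in an allowlist, the name is reduced to a
// single safe path component, and the parent directory is checked after resolution.
// Any rename operation must go through the same function, not around it.
function example_save_translation( $requested_name, $contents ) {
    $allowed_ext = array( 'po', 'pot' ); // the only types this feature should write
    $target_dir  = wp_normalize_path( WP_CONTENT_DIR . '/languages/example/' );

    // basename() drops directory parts; sanitize_file_name() strips unsafe
    // characters and marks intermediate extensions (x.php.po becomes x.php_.po).
    $name = sanitize_file_name( basename( wp_unslash( (string) $requested_name ) ) );
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );

    if ( '' === $name || ! in_array( $ext, $allowed_ext, true ) ) {
        return new WP_Error( 'bad_name', 'Only .po and .pot files may be written.' );
    }
    // Exactly one extension: rules out staging a double-extension file for a
    // later rename or for servers that interpret inner extensions.
    if ( 1 !== substr_count( $name, '.' ) ) {
        return new WP_Error( 'bad_name', 'File name may carry a single extension.' );
    }

    if ( ! wp_mkdir_p( $target_dir ) ) {
        return new WP_Error( 'fs', 'Cannot create target directory.' );
    }
    $path = $target_dir . $name;

    // Resolve both sides through realpath() so symlinks cannot move the target,
    // then require the file's parent to be exactly the intended directory.
    $real_target = wp_normalize_path( (string) realpath( $target_dir ) );
    $real_parent = wp_normalize_path( (string) realpath( dirname( $path ) ) );
    if ( '' === $real_target || $real_parent !== $real_target ) {
        return new WP_Error( 'bad_path', 'Refusing to write outside the languages directory.' );
    }

    $written = file_put_contents( $path, $contents, LOCK_EX );
    return false === $written ? new WP_Error( 'fs', 'Write failed.' ) : $path;
}
```

Allowlisting extensions is deliberately preferred over blocklisting ".php": server configurations also execute .phtml, .phar and case variants, and a blocklist has to know all of them.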
Threat Entry Updated 2024-11-21

CVE-2021-24798 - WP Header Images plugin, before 2.0.1

The WP Header Images WordPress plugin before 2.0.1 does not sanitise and escape the t parameter before outputting it back in the plugin's settings page, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24710 - Print-O-Matic plugin, before 2.0.3

The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24575 - School Management System – WPSchoolPress plugin, before 2.1.10

The School Management System – WPSchoolPress WordPress plugin before 2.1.10 does not properly sanitise or use prepared statements before using POST variables in SQL queries, leading to SQL injection in multiple actions available to various authenticated users, from simple subscribers/students to teachers and above.

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24664 - School Management System – WPSchoolPress plugin, before 2.1.17

The School Management System – WPSchoolPress WordPress plugin before 2.1.17 sanitises some fields using sanitize_text_field() but does not escape them before outputting them in attributes, resulting in Stored Cross-Site Scripting issues.

MEDIUM CVSS 4.8 2021-11-08
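This entry states the point behind every XSS record on this page: sanitize_text_field() on save is not escaping on output. It covers the reflected cases (CVE-2021-24924, CVE-2021-24876, CVE-2021-24798, where a GET parameter is echoed into an attribute) and the stored cases (CVE-2021-24972, CVE-2021-24759, CVE-2021-24883, CVE-2021-24710 and this one, where a setting or shortcode/block attribute is rendered later, including by users who lack unfiltered_html). The following is an added illustration, not code from any of those plugins; option, shortcode and function names are hypothetical.

```php
<?php
// Added illustration, not code from the plugins in these entries.
// Option, shortcode and function names are hypothetical.

// ---- Reflected: a request parameter echoed back into markup ----

// Vulnerable shape:  ?d=" autofocus onfocus=alert(document.domain) x="
// sanitize_text_field() would not save this: it strips tags and some control
// characters but leaves the double quote that closes the attribute.
function example_filter_form_vulnerable() {
    $d = isset( $_GET['d'] ) ? $_GET['d'] : '';
    echo '<input type="text" name="d" value="' . $d . '">';
    echo '<p>Filtering by: ' . $d . '</p>';
}

// Hardened shape: sanitise on input, escape on output, with the escaper chosen
// for the context the value lands in.
function example_filter_form() {
    $d = isset( $_GET['d'] ) ? sanitize_text_field( wp_unslash( $_GET['d'] ) ) : '';
    echo '<input type="text" name="d" value="' . esc_attr( $d ) . '">'; // attribute context
    echo '<p>Filtering by: ' . esc_html( $d ) . '</p>';                  // text-node context
}

// ---- Stored: a saved setting or shortcode attribute rendered later ----

// Vulnerable shape: the stored value was sanitised on save, but a value such as
//   x" onmouseover="alert(1)
// survives sanitize_text_field() and breaks out of the title attribute. Contributors
// can set shortcode attributes, and on multisite or with DISALLOW_UNFILTERED_HTML
// even administrators are supposed to be unable to inject script.
function example_render_button_vulnerable( $atts ) {
    $label = get_option( 'example_button_text', 'Open' );
    return '<a class="example-btn" title="' . $label . '" href="' . $atts['url'] . '">' . $label . '</a>';
}

// Hardened shape: escaping at output is what closes the bug. Sanitising on save is a
// second layer, not a substitute, because the value may already be in the database.
function example_render_button( $atts ) {
    $atts  = shortcode_atts( array( 'url' => '', 'text' => '' ), $atts, 'example_button' );
    $label = '' !== $atts['text'] ? $atts['text'] : get_option( 'example_button_text', 'Open' );

    return sprintf(
        '<a class="example-btn" title="%s" href="%s">%s</a>',
        esc_attr( $label ),       // attribute context
        esc_url( $atts['url'] ),  // URL context: also drops javascript: and data: schemes
        esc_html( $label )        // text context
    );
}
add_shortcode( 'example_button', 'example_render_button' );

// A setting that is meant to hold limited HTML (a popup body, say) is constrained
// on save with wp_kses_post() and may then be echoed as HTML; it must still never
// be concatenated into an attribute, where kses offers no protection.
function example_sanitize_popup_body( $raw ) {
    return wp_kses_post( wp_unslash( $raw ) );
}
```

The rule of thumb when reviewing a plugin for these findings: every echo or return of a variable into markup should be wrapped in the escaper for its context (esc_attr, esc_html, esc_url, esc_js, wp_kses_post), regardless of how the value was sanitised on the way in.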