Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 632 records: Critical 40, High 107, Medium 472
Showing 521-540 of 632 records
CVE-2021-24813 - Events Made Easy plugin (threat entry updated 2024-11-21)

The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM, CVSS 4.8, 2021-11-01
CVE-2021-24793 - WPeMatico RSS Feed Fetcher plugin (threat entry updated 2024-11-21)

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.6.12 does not escape the Feed URL added to a campaign before outputting it in an attribute, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM, CVSS 4.8, 2021-11-01
CVE-2021-24781 - Image Source Control plugin (threat entry updated 2024-11-21)

The Image Source Control WordPress plugin before 2.3.1 allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts (even those they should not be able to edit).

MEDIUM, CVSS 4.3, 2021-11-01
CVE-2021-24682 - Cool Tag Cloud plugin (threat entry updated 2024-11-21)

The Cool Tag Cloud WordPress plugin before 2.26 does not escape the style attribute of the cool_tag_cloud shortcode, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

MEDIUM, CVSS 5.4, 2021-11-01
CVE-2021-24722 - Restaurant Menu by MotoPress plugin (threat entry updated 2024-11-21)

The Restaurant Menu by MotoPress WordPress plugin before 2.4.2 does not properly sanitise or escape inputs when creating new menu items, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM, CVSS 4.8, 2021-11-01
CVE-2021-24624 - MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin (threat entry updated 2024-11-21)

The MP3 Audio Player for Music, Radio & Podcast by Sonaar WordPress plugin before 2.4.2 does not properly sanitise or escape data in some of its Playlist settings, allowing high privilege users to perform Cross-Site Scripting attacks.

MEDIUM, CVSS 4.8, 2021-11-01
CVE-2021-24769 - Permalink Manager Lite plugin (threat entry updated 2024-11-21)

The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL Injection.

HIGH, CVSS 7.2, 2021-10-25
CVE-2021-24779 - WP Debugging plugin (threat entry updated 2024-11-21)

The WP Debugging WordPress plugin before 2.11.0 hooks its update_settings() function to admin_init without any authorisation or CSRF checks. As a result, the settings can be updated by unauthenticated users.

MEDIUM, CVSS 6.5, 2021-10-25
CVE-2021-24489 - Request a Quote plugin (threat entry updated 2024-11-21)

The Request a Quote WordPress plugin before 2.3.9 does not sanitise, validate or escape some of its settings in the admin dashboard, leading to authenticated Stored Cross-Site Scripting issues even when the unfiltered_html capability is disallowed.

MEDIUM, CVSS 4.8, 2021-10-25
CVE-2021-24754 - MainWP Child Reports plugin (threat entry updated 2024-11-21)

The MainWP Child Reports WordPress plugin before 2.0.8 does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to an SQL injection issue.

HIGH, CVSS 7.2, 2021-10-18
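CVE-2021-24769 and CVE-2021-24754 above are the same bug class: a request-controlled orderby/order value concatenated into an ORDER BY clause. The following is an added example, not code from Permalink Manager Lite or MainWP Child Reports; it shows that pattern in a hypothetical plugin beside a hardened version. It is plugin code meant to be loaded by WordPress (it uses $wpdb); the demo_items table, its columns and all function names are assumptions.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Plugin code meant to be loaded by WordPress; the demo_items table,
 * its columns and the demo_* function names are assumptions.
 */

// VULNERABLE: a request-controlled column name and sort direction are
// concatenated into the ORDER BY clause. $wpdb->prepare() cannot fix this:
// its placeholders cover values, not identifiers or keywords, so the usual
// "just prepare it" advice does not apply to ORDER BY.
function demo_list_items_vulnerable( $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_items';
    // orderby = "(SELECT SLEEP(5))", or a CASE expression over another
    // table's contents, turns this into time-based or boolean blind injection.
    $sql = "SELECT id, name, created FROM {$table} ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $sql );
}

// HARDENED: map the request onto an allow-listed column and a fixed direction.
// Nothing from the request reaches the SQL text; only the plugin's own strings do.
function demo_list_items_hardened( $orderby, $order ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_items';

    $allowed = array( 'id', 'name', 'created' );
    $orderby = sanitize_key( $orderby );               // lowercases, keeps only [a-z0-9_-]
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'id';                               // unknown column: safe default
    }
    $order = ( 'DESC' === strtoupper( $order ) ) ? 'DESC' : 'ASC';

    $sql = "SELECT id, name, created FROM {$table} ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $sql );
}

// Admin page: authorise first, then read the sort parameters and query.
// Both entries above are reached from the admin dashboard, so a capability
// check narrows who can get to the query, but it does not make the
// vulnerable version safe.
function demo_render_items_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    $orderby = isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : 'id';
    $order   = isset( $_GET['order'] ) ? wp_unslash( $_GET['order'] ) : 'ASC';

    echo '<ul>';
    foreach ( demo_list_items_hardened( $orderby, $order ) as $row ) {
        echo '<li>' . esc_html( $row->name ) . ' (' . esc_html( $row->created ) . ')</li>';
    }
    echo '</ul>';
}
```

WordPress also ships sanitize_sql_orderby(), which checks that a string has the shape "column ASC, column2 DESC" and returns false otherwise. It is a syntax check only and does not know which columns exist, so an explicit allow-list as above is the stronger choice and is what the fix for this class normally looks like.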
CVE-2021-24752 - multiple CatchThemes plugins (threat entry updated 2024-11-21)

Multiple plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated user, such as a Subscriber, to change the Essential Widgets WordPress plugin before 1.9, To Top WordPress plugin before 2.3, Header Enhancement WordPress plugin before 1.5, Generate Child Theme WordPress plugin before 1.6, Essential Content Types WordPress plugin before 1.9, Catch Web Tools WordPress plugin before 2.7, Catch Under Construction WordPress plugin before 1.4, Catch Themes Demo Import WordPress plugin before 1.6, Catch Sticky Menu WordPress plugin before…

MEDIUM, CVSS 5.7, 2021-10-18
CVE-2021-24675 - One User Avatar plugin (threat entry updated 2024-11-21)

The One User Avatar WordPress plugin before 2.3.7 does not check for CSRF when updating the avatar on pages where the [avatar_upload] shortcode is embedded. As a result, attackers could make a logged-in user change their avatar via a CSRF attack.

MEDIUM, CVSS 6.5, 2021-10-18
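CVE-2021-24779, CVE-2021-24752 and CVE-2021-24675 above are all missing-check bugs: a state-changing handler with no capability check, no nonce, or neither. The following is an added example, not code from WP Debugging, the CatchThemes plugins or One User Avatar; it shows a hypothetical settings update hooked to admin_init and a hypothetical AJAX toggle, each without and with the checks. It is plugin code meant to be loaded by WordPress; the option names, action names, field names and demo_* functions are assumptions.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Plugin code meant to be loaded by WordPress; option, action, field and
 * function names (demo_*) are assumptions.
 */

// VULNERABLE: admin_init fires on every request that loads the admin
// bootstrap, including admin-ajax.php and admin-post.php, which are reachable
// without logging in. With no capability check and no nonce, anyone who can
// send a POST can overwrite the option. Shown for contrast; the hook line
// that made it reachable was:
//   add_action( 'admin_init', 'demo_update_settings_vulnerable' );
function demo_update_settings_vulnerable() {
    if ( isset( $_POST['demo_settings'] ) ) {
        update_option( 'demo_settings', wp_unslash( $_POST['demo_settings'] ) );
    }
}

// HARDENED: render the form with a nonce...
function demo_settings_form() {
    $current = get_option( 'demo_settings', array( 'debug' => 0, 'label' => '' ) );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_settings">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );
    echo '<label><input type="checkbox" name="demo_settings[debug]" value="1" '
        . checked( 1, (int) $current['debug'], false ) . '> Debug</label> ';
    echo '<input type="text" name="demo_settings[label]" value="' . esc_attr( $current['label'] ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// ...and handle it on admin_post_{action} (logged-in users only), requiring the
// capability, verifying the nonce, and sanitising each field before saving.
function demo_update_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );   // dies on a missing or bad nonce

    $raw  = isset( $_POST['demo_settings'] ) ? (array) wp_unslash( $_POST['demo_settings'] ) : array();
    $safe = array(
        'debug' => empty( $raw['debug'] ) ? 0 : 1,
        'label' => isset( $raw['label'] ) ? sanitize_text_field( $raw['label'] ) : '',
    );
    update_option( 'demo_settings', $safe );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_demo_save_settings', 'demo_update_settings_hardened' );

// AJAX toggle (the ctp_switch-style case). wp_ajax_* only means "logged in";
// a Subscriber can call any such action, so the handler itself must check the
// capability AND the nonce. Checking only one of them leaves either a
// privilege escalation (no capability check) or a CSRF (no nonce).
function demo_ajax_switch_hardened() {
    check_ajax_referer( 'demo_switch', 'nonce' );        // responds -1 and dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $enabled = empty( $_POST['enabled'] ) ? 0 : 1;
    update_option( 'demo_feature_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_demo_switch', 'demo_ajax_switch_hardened' );
```

The avatar case (CVE-2021-24675) is the front-end form of the same rule: a form embedded by a shortcode still needs wp_nonce_field() and a wp_verify_nonce() check in its handler, since the victim is already logged in and the missing piece is proof that they intended the request.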
CVE-2021-24672 - One User Avatar plugin (threat entry updated 2024-11-21)

The One User Avatar WordPress plugin before 2.3.7 does not escape the link and target attributes of its shortcode, allowing users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

MEDIUM, CVSS 5.4, 2021-10-18
CVE-2021-24416 - StreamCast – Radio Player for WordPress plugin (threat entry updated 2024-11-21)

The StreamCast – Radio Player for WordPress plugin before 2.1.1 does not sanitise or validate the parameters of its shortcode, allowing users with a role as low as Contributor to place Cross-Site Scripting payloads in them, which are triggered on any page embedding the malicious shortcode.

MEDIUM, CVSS 5.4, 2021-10-18
CVE-2021-24412 - Html5 Audio Player – Audio Player for WordPress plugin (threat entry updated 2024-11-21)

The Html5 Audio Player – Audio Player for WordPress plugin before 2.1.3 does not sanitise or validate the parameters of its shortcode, allowing users with a role as low as Contributor to place Cross-Site Scripting payloads in them, which are triggered on any page embedding the malicious shortcode.

MEDIUM, CVSS 5.4, 2021-10-18
CVE-2021-24654 - User Registration plugin (threat entry updated 2024-11-21)

The User Registration WordPress plugin before 2.0.2 does not properly sanitise the user_registration_profile_pic_url value when it is submitted directly via the user_registration_update_profile_details AJAX action. This could allow any authenticated user, such as a Subscriber, to perform Stored Cross-Site Scripting attacks when their profile is viewed.

MEDIUM, CVSS 5.4, 2021-10-04
CVE-2021-24660 - PostX – Gutenberg Blocks for Post Grid plugin (threat entry updated 2024-11-21)

The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with the Saved Templates Addon enabled, allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's shortcode.

MEDIUM, CVSS 5.4, 2021-09-27
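The Stored Cross-Site Scripting entries on this page (CVE-2021-24813, -24793, -24682, -24722, -24624, -24489, -24672, -24416, -24412, -24654 and -24660) share one root cause: attacker-controlled shortcode attributes or plugin settings printed into HTML without escaping for the context they land in. The following is an added example, not code from any of those plugins; it shows a hypothetical [demo_tag] shortcode and a hypothetical settings field, each in the vulnerable form and a hardened form that uses WordPress's own escaping functions. It is plugin code meant to be loaded by WordPress; the shortcode name, field name and demo_* functions are assumptions.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Plugin code meant to be loaded by WordPress; the shortcode, field and
 * function names (demo_*) are assumptions.
 */

// VULNERABLE: attribute values are pasted straight into HTML. A Contributor
// (who has no unfiltered_html) can save a post containing
//   [demo_tag link="javascript:alert(1)" style='" onmouseover="alert(1)']
// kses does not look inside shortcode text on save, and shortcode output is
// not filtered at render time, so the payload runs for whoever reviews or
// views the post. Settings saved by an administrator behave the same way:
// the capability check says nothing about whether the value is safe to print.
function demo_tag_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'link' => '#', 'style' => '', 'label' => 'Tag' ), $atts, 'demo_tag' );
    return "<a href=\"{$atts['link']}\" style=\"{$atts['style']}\">{$atts['label']}</a>";
}

// HARDENED: escape each value for the context it lands in, at output time.
//   esc_url()             drops javascript:, data: and other non-allowed schemes
//   safecss_filter_attr() WordPress's kses CSS filter: allow-listed properties
//                         only; rejects expression(), escapes, comments, etc.
//   esc_attr()            neutralises quote break-outs inside an attribute
//   esc_html()            for text content
function demo_tag_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'link' => '#', 'style' => '', 'label' => 'Tag' ), $atts, 'demo_tag' );

    $url   = esc_url( $atts['link'] );            // '' when the scheme is not allowed
    $style = safecss_filter_attr( $atts['style'] );

    return sprintf(
        '<a href="%s"%s>%s</a>',
        '' !== $url ? $url : '#',
        '' !== $style ? ' style="' . esc_attr( $style ) . '"' : '',
        esc_html( $atts['label'] )
    );
}
add_shortcode( 'demo_tag', 'demo_tag_shortcode_hardened' );

// Settings written by high-privilege users (the "even when unfiltered_html is
// disallowed" entries): sanitise on the way in AND escape on the way out.
// unfiltered_html can be withheld from administrators (DISALLOW_UNFILTERED_HTML,
// and by default for non-super-admins on multisite), so a plugin must not rely
// on the user's role to make stored markup safe.
function demo_save_field_name( $raw ) {
    return sanitize_text_field( wp_unslash( $raw ) );   // strips tags, line breaks, invalid octets
}

function demo_print_field_name( $name ) {
    // sanitize_text_field() keeps quote characters, so the value is still escaped here.
    echo '<input type="text" name="demo_field" value="' . esc_attr( $name ) . '">';
}
```

The rule the hardened version follows is "escape late, per context": esc_url() for href/src, esc_attr() for any other attribute, esc_html() for text nodes, and wp_kses_post() where limited HTML is genuinely intended. Sanitising on input is a second layer, not a replacement, because the same stored value is often printed in more than one context.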
CVE-2021-24661 - PostX – Gutenberg Blocks for Post Grid plugin (threat entry updated 2024-11-21)

The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10, with the Saved Templates Addon enabled, allows users with Contributor roles or higher to read password-protected or private post contents the user is otherwise unable to read, given the post ID.

MEDIUM, CVSS 4.3, 2021-09-27
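CVE-2021-24781 (a Contributor changing arbitrary post meta) and CVE-2021-24661 (a Contributor reading private or password-protected posts by ID) are both missing per-object authorisation: the handler checks that a user is logged in but never asks whether that user may touch that post. The following is an added example, not code from Image Source Control or PostX; it shows a hypothetical meta-update AJAX handler and a hypothetical content-fetch AJAX handler, each without and with per-post capability checks. It is plugin code meant to be loaded by WordPress; the action names, meta key and demo_* functions are assumptions.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Plugin code meant to be loaded by WordPress; action names, the meta key
 * and the demo_* function names are assumptions.
 */

// VULNERABLE: wp_ajax_* already implies a logged-in caller, and nothing else
// is checked. Any Contributor can pass any post ID and any meta key, including
// posts they cannot edit and protected keys such as _wp_page_template.
function demo_update_meta_vulnerable() {
    $post_id = (int) $_POST['post_id'];
    update_post_meta( $post_id, $_POST['meta_key'], wp_unslash( $_POST['meta_value'] ) );
    wp_send_json_success();
}

// HARDENED: nonce, then the meta capability for THIS post (edit_post resolves
// to edit_others_posts / edit_published_posts etc. for the caller), then a
// fixed meta key so the client cannot pick what gets written, then a
// sanitised value.
function demo_update_meta_hardened() {
    check_ajax_referer( 'demo_update_meta', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $value = isset( $_POST['source'] ) ? sanitize_text_field( wp_unslash( $_POST['source'] ) ) : '';
    update_post_meta( $post_id, 'demo_image_source', $value );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_demo_update_meta', 'demo_update_meta_hardened' );

// VULNERABLE: get_post() performs no access control. Given an ID, this returns
// the content of private and password-protected posts to any logged-in caller.
function demo_get_template_vulnerable() {
    $post = get_post( (int) $_GET['post_id'] );
    wp_send_json_success( array( 'content' => $post ? $post->post_content : '' ) );
}

// HARDENED: read_post is evaluated against the post's status and the caller's
// capabilities (private posts need read_private_posts or ownership). A post
// password is not a capability, so it needs its own check: serve the content
// only once post_password_required() reports the password cookie is set.
function demo_get_template_hardened() {
    check_ajax_referer( 'demo_get_template', 'nonce' );

    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post || ! current_user_can( 'read_post', $post_id ) || post_password_required( $post ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'content' => $post->post_content ) );
}
add_action( 'wp_ajax_demo_get_template', 'demo_get_template_hardened' );
```

The check to look for when reviewing a handler of this kind is a meta capability tied to the object ID (edit_post, read_post, delete_post), not a role name or a primitive capability such as edit_posts: a Contributor holds edit_posts but must still fail edit_post for someone else's published post.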