
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 | Critical: 40 | High: 107 | Medium: 472

Showing 541-560 of 632 records
CVE-2021-24652 (Plugin)

The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10 performs incorrect checks before allowing any logged-in user to perform some AJAX-based requests, allowing any user to modify, delete or add ultp_options values.

Severity: MEDIUM (CVSS 6.5) | Date: 2021-09-27 | Threat entry updated: 2024-11-21
CVE-2021-24632 (Plugin)

The Recipe Card Blocks by WPZOOM WordPress plugin before 2.8.1 does not escape the message parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.

Severity: MEDIUM (CVSS 6.1) | Date: 2021-09-27 | Threat entry updated: 2024-11-21
CVE-2021-24659 (Plugin)

The PostX – Gutenberg Blocks for Post Grid WordPress plugin before 2.4.10 allows users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks via the plugin's block.

Severity: MEDIUM (CVSS 5.4) | Date: 2021-09-27 | Threat entry updated: 2024-11-21
CVE-2021-24634 (Plugin)

The Recipe Card Blocks by WPZOOM WordPress plugin before 2.8.3 does not properly sanitise or escape some of the properties of the Recipe Card Block (such as ingredientsLayout, iconSet, steps, ingredients, recipeTitle, or settings), which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

Severity: MEDIUM (CVSS 5.4) | Date: 2021-09-27 | Threat entry updated: 2024-11-21
CVE-2021-24610 (Plugin)

The TranslatePress WordPress plugin before 2.0.9 does not implement proper sanitisation of the translated strings. The 'trp_sanitize_string' function only removes script tags with a regex, still allowing other HTML tags and attributes to execute JavaScript, which could lead to authenticated Stored Cross-Site Scripting issues.

Severity: MEDIUM (CVSS 4.8) | Date: 2021-09-27 | Threat entry updated: 2024-11-21
CVE-2021-24569 (Plugin)

The Cookie Notice & Compliance for GDPR / CCPA WordPress plugin before 2.1.2 does not escape the value of its Button Text setting when outputting it in an attribute in the frontend, allowing high privilege users such as admin to perform Cross-Site Scripting even when the unfiltered_html capability is disallowed.

Severity: MEDIUM (CVSS 4.8) | Date: 2021-09-27 | Threat entry updated: 2024-11-21
CVE-2021-24635 (Plugin)

The Visual Link Preview WordPress plugin before 2.2.3 does not enforce authorisation on several AJAX actions and has the CSRF nonce displayed for all authenticated users, allowing any authenticated user (such as a subscriber) to call them and 1) get and search through the title and content of Draft posts, 2) get the title of a password-protected post, as well as 3) upload an image from a URL.

Severity: MEDIUM (CVSS 5.4) | Date: 2021-09-20 | Threat entry updated: 2024-11-21
CVE-2021-24585 (Plugin)

The Timetable and Event Schedule WordPress plugin before 2.4.0 outputs the Hashed Password, Username and Email Address (along with other less sensitive data) of the user related to the Event Head of the Timeslot in the response when requesting the event Timeslot data as a user with the edit_posts capability. Combined with the other Unauthorised Event Timeslot Modification issue (https://wpscan.com/reports/submissions/4699/), where an arbitrary user ID can be set, this could allow low privilege users with the edit_posts capability (such as author) to retrieve sensitive User data by iterating over the user_id.

Severity: MEDIUM (CVSS 6.5) | Date: 2021-09-20 | Threat entry updated: 2024-11-21
CVE-2021-24584 (Plugin)

The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when updating a timeslot, allowing any user with the edit_posts capability (contributor+) to update arbitrary timeslots from any events. Furthermore, no CSRF check is in place, allowing such an attack to be performed via CSRF against a logged-in user with such capability. In versions before 2.3.19, the lack of sanitisation and escaping in some of the fields, like the description, could also lead to Stored XSS issues.

Severity: MEDIUM (CVSS 5.4) | Date: 2021-09-20 | Threat entry updated: 2024-11-21
CVE-2021-24583 (Plugin)

The Timetable and Event Schedule WordPress plugin before 2.4.2 does not have proper access control when deleting a timeslot, allowing any user with the edit_posts capability (contributor+) to delete arbitrary timeslots from any events. Furthermore, no CSRF check is in place, allowing such an attack to be performed via CSRF against a logged-in user with such capability.

Severity: MEDIUM (CVSS 4.3) | Date: 2021-09-20 | Threat entry updated: 2024-11-21
CVE-2021-24728 (Plugin)

The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in a SQL statement, leading to Authenticated SQL Injections in the Members and Payments pages.

Severity: HIGH (CVSS 8.8) | Date: 2021-09-13 | Threat entry updated: 2024-11-21
CVE-2021-24726 (Plugin)

The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action before using it in a SQL statement, leading to an authenticated SQL injection issue.

Severity: HIGH (CVSS 8.8) | Date: 2021-09-13 | Threat entry updated: 2024-11-21
CVE-2021-24724 (Plugin)

The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event(s).

Severity: MEDIUM (CVSS 5.4) | Date: 2021-09-13 | Threat entry updated: 2024-11-21
CVE-2021-24725 (Plugin)

The Comment Link Remove and Other Comment Tools WordPress plugin before 2.1.6 does not have a CSRF check in its 'Delete comments easily' feature, which could allow attackers to make a logged-in admin delete arbitrary comments.

Severity: MEDIUM (CVSS 4.3) | Date: 2021-09-13 | Threat entry updated: 2024-11-21
CVE-2021-24621 (Plugin)

The WP Courses LMS WordPress plugin before 2.0.44 does not sanitise its Video Embed Code, allowing malicious code to be injected into it by high privilege users, even when the unfiltered_html capability is disallowed, which could lead to Stored Cross-Site Scripting issues.

Severity: MEDIUM (CVSS 4.8) | Date: 2021-09-13 | Threat entry updated: 2024-11-21
CVE-2021-24508 (Plugin)

The Smash Balloon Social Post Feed WordPress plugin before 2.19.2 does not sanitise or escape the feedID POST parameter in its feed_locator AJAX action (available to both authenticated and unauthenticated users) before outputting a truncated version of it in the admin dashboard, leading to an unauthenticated Stored Cross-Site Scripting issue which will be executed in the context of a logged-in administrator.

Severity: MEDIUM (CVSS 6.1) | Date: 2021-09-13 | Threat entry updated: 2024-11-21
CVE-2021-24599 (Plugin)

The Email Encoder – Protect Email Addresses WordPress plugin before 2.1.2 has an endpoint that requires no authentication and will render a user supplied value in the HTML response without escaping or sanitizing the data.

Severity: MEDIUM (CVSS 6.1) | Date: 2021-09-06 | Threat entry updated: 2024-11-21
CVE-2021-24601 (Plugin)

The WPFront Notification Bar WordPress plugin before 2.1.0.08087 does not properly sanitise and escape its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Severity: MEDIUM (CVSS 5.4) | Date: 2021-09-06 | Threat entry updated: 2024-11-21
CVE-2021-24580 (Plugin)

The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in a SQL statement, leading to a SQL Injection issue.

Severity: HIGH (CVSS 8.8) | Date: 2021-08-30 | Threat entry updated: 2024-11-21
CVE-2021-24438 (Plugin)

The ShareThis Dashboard for Google Analytics WordPress plugin before 2.5.2 does not sanitise or escape the 'ga_action' parameter in the stats view before outputting it back in an attribute when the plugin is connected to a Google Analytics account, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged-in administrator.

Severity: MEDIUM (CVSS 6.1) | Date: 2021-08-30 | Threat entry updated: 2024-11-21