
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 632 records: Critical 40, High 107, Medium 472
Showing 561-580 of 632 records
Threat Entry Updated 2024-11-21

CVE-2021-24593 - Before 2 Plugin

The Business Hours Indicator WordPress plugin before 2.3.5 does not sanitise or escape its "Now closed message" setting when outputting it in the backend and frontend, leading to an Authenticated Stored Cross-Site Scripting issue.

PLUGIN Before 2 | MEDIUM | CVSS 5.4 | 2021-08-30
Threat Entry Updated 2024-11-21

CVE-2021-24528 - Before 2 Plugin

The FluentSMTP WordPress plugin before 2.0.1 does not sanitize parameters before storing the settings in the database, nor does the plugin escape the values before outputting them when viewing the SMTP settings set by this plugin, leading to a stored cross site scripting (XSS) vulnerability. Only users with roles capable of managing plugins can modify the plugin's settings.

PLUGIN Before 2 | MEDIUM | CVSS 5.4 | 2021-08-30
Threat Entry Updated 2024-11-21

CVE-2021-24592 - Before 2 Plugin

The Sitewide Notice WP WordPress plugin before 2.3 does not sanitise some of its settings before outputting them in frontend pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 2 | MEDIUM | CVSS 4.8 | 2021-08-30
Threat Entry Updated 2024-11-21

CVE-2021-24564 - Before 2 Plugin

The WPFront Scroll Top WordPress plugin before 2.0.6.07225 does not sanitise or escape its Image ALT setting before outputting it in attributes, leading to an Authenticated Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed.

PLUGIN Before 2 | MEDIUM | CVSS 5.4 | 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24574 - Before 2 Plugin

The Simple Banner WordPress plugin before 2.10.4 does not sanitise and escape one of its settings, allowing high privilege users such as admin to use Cross-Site Scripting payload even when the unfiltered_html capability is disallowed.

PLUGIN Before 2 | MEDIUM | CVSS 4.8 | 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24524 - Before 2 Plugin

The GiveWP – Donation Plugin and Fundraising Platform WordPress plugin before 2.12.0 did not escape the Donation Level setting of its Donation Forms, allowing high privilege users to use Cross-Site Scripting payloads in them.

PLUGIN Before 2 | MEDIUM | CVSS 4.8 | 2021-08-23
Threat Entry Updated 2024-11-21

CVE-2021-24518 - Before 2 Plugin

The WPFront Notification Bar WordPress plugin before 2.0.0.07176 does not sanitise or escape its Custom CSS setting, allowing high privilege users such as admin to set an XSS payload in it even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.

PLUGIN Before 2 | MEDIUM | CVSS 4.8 | 2021-08-16
Threat Entry Updated 2024-11-21

CVE-2021-24521 - Before 2 Plugin

The Side Menu Lite – add sticky fixed buttons WordPress plugin before 2.2.1 does not properly sanitize input values from the browser when building an SQL statement. Users with the administrator role or permission to manage this plugin could perform an SQL Injection attack.

PLUGIN Before 2 | HIGH | CVSS 7.2 | 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24499 - Before 2 Theme

In the Workreap WordPress theme before 2.2.2, the AJAX actions workreap_award_temp_file_uploader and workreap_temp_file_uploader did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as PHP scripts.

THEME Before 2 | CRITICAL | CVSS 9.8 | 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24501 - Before 2 Theme

The Workreap WordPress theme before 2.2.2 had several AJAX actions missing authorization checks to verify that a user was authorized to perform critical operations such as modifying or deleting objects. This allowed a logged in user to modify or delete objects belonging to other users on the site.

THEME Before 2 | HIGH | CVSS 8.1 | 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24500 - Before 2 Theme

Several AJAX actions available in the Workreap WordPress theme before 2.2.2 lacked CSRF protections, as well as allowing insecure direct object references that were not validated. This allows an attacker to trick a logged in user to submit a POST request to the vulnerable site, potentially modifying or deleting arbitrary objects on the target site.

THEME Before 2 | HIGH | CVSS 8.1 | 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24509 - Before 2 Plugin

The Page View Count WordPress plugin before 2.4.9 does not escape the postid parameter of the pvc_stats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend; however, higher privilege users, such as editors, could exploit this without the need for approval, and even when the blog disallows the unfiltered_html capability.

PLUGIN Before 2 | MEDIUM | CVSS 5.4 | 2021-08-09
Threat Entry Updated 2024-11-21

CVE-2021-24503 - Before 2 Plugin

The Popular Brand Icons – Simple Icons WordPress plugin before 2.7.8 does not sanitise or validate some of its shortcode parameters, such as "color", "size" or "class", allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the frontend; however, higher privilege users, such as editors, could exploit this without the need for approval, and even when the blog disallows the unfiltered_html capability.

PLUGIN Before 2 | MEDIUM | CVSS 5.4 | 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24472 - Before 2 Plugin

The OnAir2 WordPress theme before 3.9.9.2 and QT KenthaRadio WordPress plugin before 2.0.2 have exposed proxy functionality to unauthenticated users; sending requests to this proxy functionality will have the web server fetch and display the content from any URI, which allows SSRF (Server Side Request Forgery) and RFI (Remote File Inclusion) vulnerabilities on the website.

PLUGIN Before 2 | CRITICAL | CVSS 9.8 | 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24492 - Before 2 Plugin

The hndtst_action_instance_callback AJAX call of the Handsome Testimonials & Reviews WordPress plugin before 2.1.1, available to any authenticated users, does not sanitise, validate or escape the hndtst_previewShortcodeInstanceId POST parameter before using it in a SQL statement, leading to an SQL Injection issue.

PLUGIN Before 2 | HIGH | CVSS 8.8 | 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24484 - Before 2 Plugin

The get_reports() function in the Secure Copy Content Protection and Content Locking WordPress plugin before 2.6.7 did not use a whitelist for, or otherwise validate, the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

PLUGIN Before 2 | HIGH | CVSS 7.2 | 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24488 - Before 2 Plugin

The slider import search feature and tab parameter of the Post Grid WordPress plugin before 2.1.8 settings are not properly sanitised before being output back in the pages, leading to Reflected Cross-Site Scripting issues.

PLUGIN Before 2 | MEDIUM | CVSS 6.1 | 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24473 - Before 2 Plugin

The User Profile Picture WordPress plugin before 2.6.0 was affected by an IDOR issue, allowing users with the upload_image capability (by default author and above) to change and delete the profile pictures of other users (including those with higher roles).

PLUGIN Before 2 | MEDIUM | CVSS 5.4 | 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24463 - Before 2 Plugin

The get_sliders() function in the Image Slider by Ays - Responsive Slider and Carousel WordPress plugin before 2.5.0 did not use a whitelist for, or otherwise validate, the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

PLUGIN Before 2 | HIGH | CVSS 8.8 | 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24458 - Before 2 Plugin

The get_ays_popupboxes() and get_popup_categories() functions of the Popup box WordPress plugin before 2.3.4 did not use a whitelist for, or otherwise validate, the orderby parameter before using it in SQL statements passed to the get_results() DB calls, leading to SQL injection issues in the admin dashboard.

PLUGIN Before 2 | HIGH | CVSS 8.8 | 2021-08-02