
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 581-600 of 632 records
Threat Entry Updated 2024-11-21

CVE-2021-24464 - Before 2 Plugin

The YouTube Embed, Playlist and Popup by WpDevArt WordPress plugin before 2.3.9 did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as Contributor, leading to an authenticated Stored Cross-Site Scripting issue.

PLUGIN Before 2

CVE-2021-24464

MEDIUM CVSS 5.4 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24425 - Before 2 Plugin

The Floating Notification Bar, Sticky Menu on Scroll, and Sticky Header for Any Theme – myStickymenu WordPress plugin before 2.5.2 does not sanitise or escape its Bar Text settings, allowing high privilege users to use malicious JavaScript in it, leading to a Stored Cross-Site Scripting issue, which will be triggered in the plugin's settings, as well as on all front pages of the blog (when the Welcome bar is active).

PLUGIN Before 2

CVE-2021-24425

MEDIUM CVSS 4.8 2021-08-02
Threat Entry Updated 2024-11-21

CVE-2021-24452 - Before 2 Plugin

The W3 Total Cache WordPress plugin before 2.1.5 was affected by a reflected Cross-Site Scripting (XSS) issue within the "extension" parameter in the Extensions dashboard, when the 'Anonymously track usage to improve product quality' setting is enabled, as the parameter is output in a JavaScript context without proper escaping. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.

PLUGIN Before 2

CVE-2021-24452

MEDIUM CVSS 6.1 2021-07-19
Threat Entry Updated 2024-11-21

CVE-2021-24436 - Before 2 Plugin

The W3 Total Cache WordPress plugin before 2.1.4 was vulnerable to a reflected Cross-Site Scripting (XSS) security vulnerability within the "extension" parameter in the Extensions dashboard, which is output in an attribute without being escaped first. This could allow an attacker, who can convince an authenticated admin into clicking a link, to run malicious JavaScript within the user's web browser, which could lead to full site compromise.

PLUGIN Before 2

CVE-2021-24436

MEDIUM CVSS 6.1 2021-07-19
Threat Entry Updated 2024-11-21

CVE-2021-24420 - Before 2 Plugin

The Request a Quote WordPress plugin before 2.3.4 did not sanitise and escape some of its quote fields when adding/editing a quote as admin, leading to Stored Cross-Site Scripting issues when the quote is output in the 'All Quotes' table.

PLUGIN Before 2

CVE-2021-24420

MEDIUM CVSS 5.4 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24427 - Before 2 Plugin

The W3 Total Cache WordPress plugin before 2.1.3 did not sanitise or escape some of its CDN settings, allowing high privilege users to use JavaScript in them, which will be output in the page, leading to an authenticated Stored Cross-Site Scripting issue.

PLUGIN Before 2

CVE-2021-24427

MEDIUM CVSS 4.8 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24409 - Before 2 Plugin

The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged-in administrator.

PLUGIN Before 2

CVE-2021-24409

MEDIUM CVSS 6.1 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24408 - Before 2 Plugin

The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set a Cross-Site Scripting payload in them. A post made by a contributor would still have to be approved by an admin for the XSS to be triggerable in the frontend; however, higher privilege users, such as editors, could exploit this without the need for approval, and even when the blog disallows the unfiltered_html capability.

PLUGIN Before 2

CVE-2021-24408

MEDIUM CVSS 5.4 2021-07-12
Threat Entry Updated 2024-11-21

CVE-2021-24389 - Before 2 Plugin

The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2 did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability.

PLUGIN Before 2

CVE-2021-24389

MEDIUM CVSS 6.1 2021-07-06
Threat Entry Updated 2024-11-21

CVE-2021-24376 - Before 2 Plugin

The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) from the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked, and it is possible to upload a zip which contains a directory with a PHP file in it, which is then not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.

PLUGIN Before 2

CVE-2021-24376

CRITICAL CVSS 9.8 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24377 - Before 2 Plugin

The Autoptimize WordPress plugin before 2.7.8 attempts to remove potentially malicious files from the extracted archive uploaded via the 'Import Settings' feature; however, this is not sufficient to protect against RCE, as a race condition can be achieved in the window between the moment the file is extracted on the disk and the moment it is removed. It is a bypass of CVE-2020-24948.

PLUGIN Before 2

CVE-2021-24377

HIGH CVSS 8.1 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24378 - Before 2 Plugin

The Autoptimize WordPress plugin before 2.7.8 does not check for malicious files such as .html in the archive uploaded via the 'Import Settings' feature. As a result, it is possible for a high privilege user to upload a malicious file containing JavaScript code inside an archive which will execute when a victim visits index.html inside the plugin directory.

PLUGIN Before 2

CVE-2021-24378

MEDIUM CVSS 4.8 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24361 - Before 2 Plugin

In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues.

PLUGIN Before 2

CVE-2021-24361

CRITICAL CVSS 9.8 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24369 - Before 2 Plugin

In the GetPaid WordPress plugin before 2.3.4, users with the contributor role and above can create a new Payment Form; however, the Label and Help Text input fields were not getting sanitized properly. So it was possible to inject malicious content such as img tags, leading to a Stored Cross-Site Scripting issue which is triggered when the form is edited, for example when an admin reviews it, and could lead to privilege escalation.

PLUGIN Before 2

CVE-2021-24369

MEDIUM CVSS 5.4 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24339 - Before 2 Plugin

The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Menu Label' field parameter.

PLUGIN Before 2

CVE-2021-24339

MEDIUM CVSS 5.4 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24338 - Before 2 Plugin

The Pods – Custom Content Types and Fields WordPress plugin before 2.7.27 was vulnerable to an Authenticated Stored Cross-Site Scripting (XSS) security vulnerability within the 'Singular Label' field parameter.

PLUGIN Before 2

CVE-2021-24338

MEDIUM CVSS 5.4 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24356 - Before 2 Plugin

In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activate_plugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites.

PLUGIN Before 2

CVE-2021-24356

HIGH CVSS 8.8 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24354 - Before 2 Plugin

A lack of capability checks and insufficient nonce check on the AJAX action in the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, made it possible for authenticated users to install arbitrary plugins on vulnerable sites.

PLUGIN Before 2

CVE-2021-24354

HIGH CVSS 8.8 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24353 - Before 2 Plugin

The import_data function of the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4 had no capability or nonce checks making it possible for unauthenticated users to import a set of site redirects.

PLUGIN Before 2

CVE-2021-24353

HIGH CVSS 8.8 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24352 - Before 2 Plugin

The export_data function of the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4 had no capability or nonce checks making it possible for unauthenticated users to export a site's redirects.

PLUGIN Before 2

CVE-2021-24352

HIGH CVSS 8.8 2021-06-14