Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 632 | Critical: 40 | High: 107 | Medium: 472
Showing 161-180 of 632 records
Threat Entry Updated 2025-04-01

CVE-2024-1231 - Before 2 Plugin

The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins unpublish downloads via a CSRF attack

PLUGIN Before 2

CVE-2024-1231

MEDIUM CVSS 6.8 2024-03-25
Threat Entry Updated 2025-04-01

CVE-2024-1232 - Before 2 Plugin

The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete downloads via a CSRF attack

PLUGIN Before 2

CVE-2024-1232

MEDIUM CVSS 4.8 2024-03-25
Threat Entry Updated 2025-06-27

CVE-2024-1564 - Before 2 Plugin

The wp-schema-pro WordPress plugin before 2.7.16 does not validate post access allowing a contributor user to access custom fields on any post regardless of post type or status via a shortcode

PLUGIN Before 2

CVE-2024-1564

MEDIUM CVSS 4.3 2024-03-25
Threat Entry Updated 2025-05-05

CVE-2023-7246 - Before 2 Plugin

The System Dashboard WordPress plugin before 2.8.10 does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks

PLUGIN Before 2

CVE-2023-7246

MEDIUM CVSS 5.4 2024-03-20
Threat Entry Updated 2025-03-28

CVE-2024-0820 - Before 2 Plugin

The Jobs for WordPress plugin before 2.7.4 does not sanitise and escape some parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks

PLUGIN Before 2

CVE-2024-0820

MEDIUM CVSS 5.4 2024-03-18
Threat Entry Updated 2025-05-09

CVE-2024-1290 - Before 2 Plugin

The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take over any accounts.

PLUGIN Before 2

CVE-2024-1290

MEDIUM CVSS 6.5 2024-03-11
Threat Entry Updated 2025-05-01

CVE-2024-1068 - Before 2 Plugin

The 404 Solution WordPress plugin before 2.35.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins.

PLUGIN Before 2

CVE-2024-1068

HIGH CVSS 7.2 2024-03-11
Threat Entry Updated 2025-05-01

CVE-2024-0561 - Before 2 Plugin

The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 2

CVE-2024-0561

MEDIUM CVSS 5.4 2024-03-11
Threat Entry Updated 2025-03-28

CVE-2024-1279 - Before 2 Plugin

The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent users with at least the contributor role from leaking other users' sensitive metadata.

PLUGIN Before 2

CVE-2024-1279

MEDIUM CVSS 4.3 2024-03-11
Threat Entry Updated 2025-05-01

CVE-2023-7165 - Before 2 Plugin

The JetBackup WordPress plugin before 2.0.9.9 doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files.

PLUGIN Before 2

CVE-2023-7165

HIGH CVSS 7.5 2024-02-27
Threat Entry Updated 2025-05-01

CVE-2023-6585 - Before 2 Plugin

The WP JobSearch WordPress plugin before 2.3.4 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server

PLUGIN Before 2

CVE-2023-6585

HIGH CVSS 7.5 2024-02-27
Threat Entry Updated 2025-05-01

CVE-2023-6584 - Before 2 Plugin

The WP JobSearch WordPress plugin before 2.3.4 does not prevent attackers from logging in as any user with only the knowledge of that user's email address.

PLUGIN Before 2

CVE-2023-6584

HIGH CVSS 7.5 2024-02-27
Threat Entry Updated 2025-04-08

CVE-2023-7203 - Before 2 Plugin

The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as deleting entries.

PLUGIN Before 2

CVE-2023-7203

MEDIUM CVSS 6.1 2024-02-27
Threat Entry Updated 2024-11-21

CVE-2024-0420 - Before 2 Plugin

The MapPress Maps for WordPress plugin before 2.88.15 does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing Contributors and above roles to perform Stored Cross-Site Scripting attacks

PLUGIN Before 2

CVE-2024-0420

MEDIUM CVSS 5.4 2024-02-12
Threat Entry Updated 2025-05-07

CVE-2024-0421 - Before 2 Plugin

The MapPress Maps for WordPress plugin before 2.88.16 is affected by an IDOR, as it does not ensure that posts retrieved via an AJAX action are public maps, allowing unauthenticated users to read arbitrary private and draft posts.

PLUGIN Before 2

CVE-2024-0421

MEDIUM CVSS 5.3 2024-02-12
Threat Entry Updated 2025-05-07

CVE-2024-0248 - Before 2 Plugin

The EazyDocs WordPress plugin before 2.4.0 re-introduced CVE-2023-6029 (https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/) in 2.3.8, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. The issue was partially fixed in 2.3.9.

PLUGIN Before 2

CVE-2024-0248

MEDIUM CVSS 4.3 2024-02-12
Threat Entry Updated 2025-06-20

CVE-2023-6278 - Before 2 Plugin

The Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo WordPress plugin before 2.2.25 does not sanitise and escape the biteship_error and biteship_message parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Before 2

CVE-2023-6278

MEDIUM CVSS 6.1 2024-01-29
Threat Entry Updated 2025-05-29

CVE-2023-7199 - Before 2 Plugin

The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request

PLUGIN Before 2

CVE-2023-7199

MEDIUM CVSS 5.3 2024-01-29
Threat Entry Updated 2025-05-30

CVE-2023-7170 - Before 2 Plugin

The EventON-RSVP WordPress plugin before 2.9.5 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Before 2

CVE-2023-7170

MEDIUM CVSS 6.1 2024-01-22
Threat Entry Updated 2025-06-11

CVE-2023-5006 - Before 2 Plugin

The WP Discord Invite WordPress plugin before 2.5.1 does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in administrator to submit a crafted request.

PLUGIN Before 2

CVE-2023-5006

MEDIUM CVSS 6.5 2024-01-17