
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 443 records (Critical: 34, High: 82, Medium: 311)

Showing 261-280 of 443 records
Threat Entry Updated 2025-05-22

CVE-2022-3069 - Before 3 Plugin

The WordLift WordPress plugin before 3.37.2 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 3

CVE-2022-3069

MEDIUM CVSS 4.8 2022-09-26
Threat Entry Updated 2025-05-21

CVE-2021-24890 - Before 3 Plugin

The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file.

PLUGIN Before 3

CVE-2021-24890

HIGH CVSS 8.8 2022-09-26
Threat Entry Updated 2024-11-21

CVE-2022-2840 - Before 3 Plugin

The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections

PLUGIN Before 3

CVE-2022-2840

CRITICAL CVSS 9.8 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-2958 - Before 3 Plugin

The BadgeOS WordPress plugin before 3.7.1.3 does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated users, leading to SQL Injections

PLUGIN Before 3

CVE-2022-2958

HIGH CVSS 8.8 2022-09-19
Threat Entry Updated 2024-11-21

CVE-2022-2635 - Before 3 Plugin

The Autoptimize WordPress plugin before 3.1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 3

CVE-2022-2635

MEDIUM CVSS 4.8 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-2657 - Before 3 Plugin

The Multivendor Marketplace Solution for WooCommerce WordPress plugin before 3.8.12 lacks authorisation and CSRF checks in multiple AJAX actions, which could allow any authenticated user, such as a subscriber, to call them and, for example, suspend vendors (reported by the submitter) or update arbitrary order statuses (identified by WPScan when verifying the issue). Other unauthenticated attacks are also possible, either directly or via CSRF.

PLUGIN Before 3

CVE-2022-2657

MEDIUM CVSS 4.3 2022-09-05
Threat Entry Updated 2024-11-21

CVE-2022-2261 - Before 3 Plugin

The WPIDE WordPress plugin before 3.0 does not sanitize and validate the filename parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue.

PLUGIN Before 3

CVE-2022-2261

HIGH CVSS 7.2 2022-08-29
Threat Entry Updated 2024-11-21

CVE-2022-2537 - Before 3 Plugin

The WooCommerce PDF Invoices & Packing Slips WordPress plugin before 3.0.1 does not sanitise and escape some parameters before outputting them back in an attribute of an admin page, leading to Reflected Cross-Site Scripting.

PLUGIN Before 3

CVE-2022-2537

MEDIUM CVSS 6.1 2022-08-29
Threat Entry Updated 2024-11-21

CVE-2022-1123 - Before 3 Plugin

The Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) WordPress plugin before 3.12.5 does not properly sanitize some parameters before inserting them into SQL queries. As a result, high privilege users could perform SQL injection attacks.

PLUGIN Before 3

CVE-2022-1123

HIGH CVSS 7.2 2022-08-29
Threat Entry Updated 2024-11-21

CVE-2022-2532 - Before 3 Plugin

The Feed Them Social WordPress plugin before 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

PLUGIN Before 3

CVE-2022-2532

MEDIUM CVSS 6.1 2022-08-22
Threat Entry Updated 2025-03-21

CVE-2022-2362 - Before 3 Plugin

The Download Manager WordPress plugin before 3.2.50 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based download blocking restrictions.

PLUGIN Before 3

CVE-2022-2362

HIGH CVSS 7.5 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2383 - Before 3 Plugin

The Feed Them Social WordPress plugin before 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

PLUGIN Before 3

CVE-2022-2383

MEDIUM CVSS 6.1 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2172 - Before 3 Plugin

The LinkWorth WordPress plugin before 3.3.4 does not implement nonce checks, which could allow attackers to make a logged in admin change settings via a CSRF attack.

PLUGIN Before 3

CVE-2022-2172

MEDIUM CVSS 4.3 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2386 - Before 3 Plugin

The Crowdsignal Dashboard WordPress plugin before 3.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

PLUGIN Before 3

CVE-2022-2386

MEDIUM CVSS 6.1 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-2173 - Before 3 Plugin

The Advanced Database Cleaner WordPress plugin before 3.1.1 does not escape numerous generated URLs before outputting them back in href attributes of admin dashboard pages, leading to Reflected Cross-Site Scripting

PLUGIN Before 3

CVE-2022-2173

MEDIUM CVSS 6.1 2022-07-17
Threat Entry Updated 2025-03-21

CVE-2022-2168 - Before 3 Plugin

The Download Manager WordPress plugin before 3.2.44 does not escape a generated URL before outputting it back in an attribute of the history dashboard, leading to Reflected Cross-Site Scripting

PLUGIN Before 3

CVE-2022-2168

MEDIUM CVSS 6.1 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2022-2118 - Before 3 Plugin

The 404s WordPress plugin before 3.5.1 does not sanitise and escape its fields, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 3

CVE-2022-2118

MEDIUM CVSS 4.8 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2022-2091 - Before 3 Plugin

The Cache Images WordPress plugin before 3.2.1 does not implement nonce checks, which could allow attackers to make any logged-in user upload images via a CSRF attack.

PLUGIN Before 3

CVE-2022-2091

MEDIUM CVSS 6.5 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-1474 - Before 3 Plugin

The WP Event Manager WordPress plugin before 3.1.28 does not sanitise and escape its search before outputting it back in an attribute on the event dashboard, leading to a Reflected Cross-Site Scripting

PLUGIN Before 3

CVE-2022-1474

MEDIUM CVSS 6.1 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-2268 - Before 3 Plugin

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts them without validating the extracted file type, allowing high privilege users such as admin to upload an arbitrary file such as PHP, leading to RCE.

PLUGIN Before 3

CVE-2022-2268

HIGH CVSS 7.2 2022-07-04