Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2021-24370 - Before 4 Plugin

The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.

CRITICAL CVSS 9.8 2021-06-21
Threat Entry Updated 2025-05-05

CVE-2021-24366 - Before 4 Plugin

The Admin Columns WordPress plugin before 4.3 and Admin Columns Pro WordPress plugin before 5.5.1 do not sanitise and escape their Label settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM CVSS 5.4 2021-06-21
Threat Entry Updated 2024-11-21

CVE-2021-24347 - Before 4 Plugin

The SP Project & Document Manager WordPress plugin before 4.22 allows users to upload files, however, the plugin attempts to prevent php and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that php files could still be uploaded by changing the file extension's case, for example, from "php" to "pHP".

HIGH CVSS 8.8 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24358 - Before 4 Plugin

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an Open Redirect issue.

MEDIUM CVSS 6.1 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24351 - Before 4 Plugin

The theplus_more_post AJAX action of The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.12 did not properly sanitise some of its fields, leading to a reflected Cross-Site Scripting issue (exploitable against both unauthenticated and authenticated users).

MEDIUM CVSS 6.1 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24359 - Before 4 Plugin

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.11 did not properly check that a user requesting a password reset was the legitimate user, allowing an attacker to send an arbitrary password reset email to a registered user on behalf of the WordPress site. Such an issue could be chained with an open redirect (CVE-2021-24358) in versions below 4.1.10 to include a crafted password reset link in the email, which would lead to an account takeover.

MEDIUM CVSS 5.3 2021-06-14
Threat Entry Updated 2024-11-21

CVE-2021-24343 - Before 4 Plugin

The iFlyChat WordPress plugin before 4.7.0 does not sanitise its APP ID setting before outputting it back in the page, leading to an authenticated Stored Cross-Site Scripting issue.

MEDIUM CVSS 4.8 2021-06-07
Threat Entry Updated 2024-11-21

CVE-2021-24335 - Before 4 Theme

The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24334 - Before 4 Plugin

The Instant Images – One Click Unsplash Uploads WordPress plugin before 4.4.0.1 did not properly validate and sanitise its unsplash_download_w and unsplash_download_h parameter settings (/wp-admin/upload.php?page=instant-images), only validating them client side before saving them, leading to a Stored Cross-Site Scripting issue.

MEDIUM CVSS 5.4 2021-06-01
Threat Entry Updated 2024-11-21

CVE-2021-24294 - Before 4 Plugin

The dsgvoaio_write_log AJAX action of the DSGVO All in one for WP WordPress plugin before 4.0 did not sanitise or escape some submitted POST parameters before outputting them in the Log page of the administrator dashboard (wp-admin/admin.php?page=dsgvoaiofree-show-log). This could allow unauthenticated attackers to gain unauthorised access by using an XSS payload to create a rogue administrator account, which will be triggered when an administrator views the logs.

MEDIUM CVSS 6.1 2021-05-24
Threat Entry Updated 2024-11-21

CVE-2021-24308 - Before 4 Plugin

The 'State' field of the Edit profile page of the LMS by LifterLMS – Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.1 is not properly sanitised when output in the About section of the profile page, leading to a stored Cross-Site Scripting issue. This could allow low privilege users (such as students) to elevate their privilege via an XSS attack when an admin views their profile.

MEDIUM CVSS 5.4 2021-05-24
Threat Entry Updated 2024-11-21

CVE-2021-24244 - Before 4 Plugin

An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.8 did not have capability checks, allowing low privilege users, such as subscribers, to update the license options (key, email).

MEDIUM CVSS 6.5 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24243 - Before 4 Plugin

An AJAX action registered by the WPBakery Page Builder (Visual Composer) Clipboard WordPress plugin before 4.5.6 did not have capability checks nor sanitization, allowing low privilege users (subscriber+) to call it and set XSS payloads, which will be triggered in all backend pages.

MEDIUM CVSS 5.4 2021-05-06
Threat Entry Updated 2024-11-21

CVE-2021-24257 - Before 4 Plugin

The “Premium Addons for Elementor” WordPress Plugin before 4.2.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.

MEDIUM CVSS 5.4 2021-05-05
Threat Entry Updated 2024-11-21

CVE-2021-24255 - Before 4 Plugin

The Essential Addons for Elementor Lite WordPress Plugin before 4.5.4 has two widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, both via a similar method.

MEDIUM CVSS 5.4 2021-05-05
Threat Entry Updated 2024-11-21

CVE-2021-24175 - Before 4 Plugin

The Plus Addons for Elementor Page Builder WordPress plugin before 4.1.7 was being actively exploited by malicious actors to bypass authentication, allowing unauthenticated users to log in as any user (including admin) by just providing the related username, as well as to create accounts with arbitrary roles, such as admin. These issues can be exploited even if registration is disabled and the Login widget is not active.

CRITICAL CVSS 9.8 2021-04-05