Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2022-1251 - Before 6 Theme

The Ask me WordPress theme before 6.8.4 does not perform nonce checks when processing POST requests to the Edit Profile page, allowing an attacker to trick a user to change their profile information by sending a crafted request.

THEME Before 6

CVE-2022-1251

MEDIUM CVSS 4.3 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-1600 - Before 6 Plugin

The YOP Poll WordPress plugin before 6.4.3 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based limitations to vote in certain situations.

PLUGIN Before 6

CVE-2022-1600

MEDIUM CVSS 5.3 2022-08-01
Threat Entry Updated 2024-11-21

CVE-2022-2133 - Before 6 Plugin

The OAuth Single Sign On WordPress plugin before 6.22.6 doesn't validate that OAuth access token requests are legitimate, which allows attackers to log onto the site with only knowledge of a user's email address.

PLUGIN Before 6

CVE-2022-2133

MEDIUM CVSS 5.3 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2022-2099 - Before 6 Plugin

The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles.

PLUGIN Before 6

CVE-2022-2099

MEDIUM CVSS 4.8 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2022-1977 - Before 6 Plugin

The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via a URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks.

PLUGIN Before 6

CVE-2022-1977

HIGH CVSS 7.2 2022-06-27
Threat Entry Updated 2024-11-21

CVE-2022-1424 - Before 6 Theme

The Ask me WordPress theme before 6.8.2 does not perform CSRF checks for any of its AJAX actions, allowing an attacker to trick logged in users to perform various actions on their behalf on the site.

THEME Before 6

CVE-2022-1424

MEDIUM CVSS 6.5 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1241 - Before 6 Theme

The Ask me WordPress theme before 6.8.2 does not properly sanitise and escape several of the fields in the Edit Profile page, leading to Reflected Cross-Site Scripting issues.

THEME Before 6

CVE-2022-1241

MEDIUM CVSS 6.1 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1436 - Before 6 Plugin

The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow attackers to perform reflected Cross-Site Scripting attacks.

PLUGIN Before 6

CVE-2022-1436

MEDIUM CVSS 6.1 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2022-1435 - Before 6 Plugin

The WPCargo Track & Trace WordPress plugin before 6.9.5 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 6

CVE-2022-1435

MEDIUM CVSS 4.8 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2022-1265 - Before 6 Plugin

The BulletProof Security WordPress plugin before 6.1 does not sanitize and escape some of its CAPTCHA settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 6

CVE-2022-1265

MEDIUM CVSS 4.8 2022-05-16
Threat Entry Updated 2024-11-21

CVE-2022-0592 - Before 6 Plugin

The MapSVG WordPress plugin before 6.2.20 does not validate and escape a parameter via a REST endpoint before using it in a SQL statement, leading to a SQL Injection exploitable by unauthenticated users.

PLUGIN Before 6

CVE-2022-0592

CRITICAL CVSS 9.8 2022-05-09
Threat Entry Updated 2024-11-21

CVE-2021-25086 - Before 6 Plugin

The Advanced Page Visit Counter WordPress plugin before 6.1.2 does not sanitise and escape some input before outputting it in an admin dashboard page, allowing unauthenticated attackers to perform Cross-Site Scripting attacks against admins viewing it.

PLUGIN Before 6

CVE-2021-25086

MEDIUM CVSS 6.1 2022-05-02
Threat Entry Updated 2024-11-21

CVE-2021-24957 - Before 6 Plugin

The Advanced Page Visit Counter WordPress plugin before 6.1.6 does not escape the artID parameter before using it in a SQL statement in the apvc_reset_count_art AJAX action, available to any authenticated user, leading to a SQL injection.

PLUGIN Before 6

CVE-2021-24957

HIGH CVSS 8.8 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2022-0949 - Before 6 Plugin

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users, leading to a SQL injection.

PLUGIN Before 6

CVE-2022-0949

CRITICAL CVSS 9.8 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2021-25070 - Before 6 Plugin

The Block Bad Bots WordPress plugin before 6.88 does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue.

PLUGIN Before 6

CVE-2021-25070

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0364 - Before 6 Plugin

The Modern Events Calendar Lite WordPress plugin before 6.4.0 does not sanitize and escape some of the Hourly Schedule parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 6

CVE-2022-0364

MEDIUM CVSS 5.4 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2021-25003 - Before 6 Plugin

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.

PLUGIN Before 6

CVE-2021-25003

CRITICAL CVSS 9.8 2022-03-14
Threat Entry Updated 2024-11-21

CVE-2022-0205 - Before 6 Plugin

The YOP Poll WordPress plugin before 6.3.5 does not sanitise and escape some of the settings (available to users with a role as low as author) before outputting them, leading to a Stored Cross-Site Scripting issue.

PLUGIN Before 6

CVE-2022-0205

MEDIUM CVSS 5.4 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2022-0360 - Before 6 Plugin

The Easy Drag And drop All Import : WP Ultimate CSV Importer WordPress plugin before 6.4.3 does not sanitise and escape imported comments, which could allow high privilege users to import malicious ones (either intentionally or not) and lead to Stored Cross-Site Scripting issues.

PLUGIN Before 6

CVE-2022-0360

MEDIUM CVSS 4.8 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-25112 - Before 6 Plugin

The WHMCS Bridge WordPress plugin before 6.4b does not sanitise and escape the error parameter before outputting it back in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 6

CVE-2021-25112

MEDIUM CVSS 6.1 2022-02-28