Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 58 | Critical: 4 | High: 9 | Medium: 43

Showing 41-58 of 58 records
Threat Entry Updated 2024-11-21

CVE-2022-1396 - Before 7 Plugin

The Donorbox WordPress plugin before 7.1.7 does not sanitise and escape its Campaign URL setting before outputting it in an attribute, leading to a Stored Cross-Site Scripting issue even when the unfiltered_html capability is disallowed.

PLUGIN Before 7

CVE-2022-1396

MEDIUM CVSS 4.8 2022-04-25
Threat Entry Updated 2025-03-17

CVE-2022-1153 - Before 7 Plugin

The LayerSlider WordPress plugin before 7.1.2 does not sanitise and escape the Project's slug before outputting it back in various places, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 7

CVE-2022-1153

MEDIUM CVSS 4.8 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2021-24987 - Before 7 Plugin

The Social Share, Social Login and Social Comments Plugin WordPress plugin before 7.13.30 does not sanitise and escape the urls parameter in its the_champ_sharing_count AJAX action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 7

CVE-2021-24987

MEDIUM CVSS 6.1 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-0760 - Before 7 Plugin

The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection.

PLUGIN Before 7

CVE-2022-0760

CRITICAL CVSS 9.8 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2021-24216 - Before 7 Plugin

The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.

PLUGIN Before 7

CVE-2021-24216

HIGH CVSS 7.2 2022-03-07
Threat Entry Updated 2024-11-21

CVE-2021-25034 - Before 7 Plugin

The WP User WordPress plugin before 7.0 does not sanitise and escape some parameters in pages where the [wp_user] shortcode is used, leading to Reflected Cross-Site Scripting issues.

PLUGIN Before 7

CVE-2021-25034

MEDIUM CVSS 6.1 2022-02-28
Threat Entry Updated 2024-11-21

CVE-2021-25093 - Before 7 Plugin

The Link Library WordPress plugin before 7.2.8 does not have an authorisation check in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request.

PLUGIN Before 7

CVE-2021-25093

HIGH CVSS 7.5 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-25092 - Before 7 Plugin

The Link Library WordPress plugin before 7.2.8 does not have a CSRF check when resetting library settings, allowing attackers to make a logged in admin reset arbitrary settings via a CSRF attack.

PLUGIN Before 7

CVE-2021-25092

MEDIUM CVSS 6.5 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-25091 - Before 7 Plugin

The Link Library WordPress plugin before 7.2.9 does not sanitise and escape the settingscopy parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 7

CVE-2021-25091

MEDIUM CVSS 6.1 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24944 - Before 7 Plugin

The Custom Dashboard & Login Page WordPress plugin before 7.0 does not sanitise some of its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 7

CVE-2021-24944

MEDIUM CVSS 4.8 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24934 - Before 7 Plugin

The Visual CSS Style Editor WordPress plugin before 7.5.4 does not sanitise and escape the wyp_page_type parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Before 7

CVE-2021-24934

MEDIUM CVSS 6.1 2022-02-01
Threat Entry Updated 2024-11-21

CVE-2021-24981 - Before 7 Plugin

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.

PLUGIN Before 7

CVE-2021-24981

HIGH CVSS 7.5 2021-12-21
Threat Entry Updated 2024-11-21

CVE-2021-24822 - Before 7 Plugin

The Stylish Cost Calculator WordPress plugin before 7.0.4 does not have any authorisation or CSRF checks on some of its AJAX actions (available to authenticated users), which could allow any authenticated user, such as a subscriber, to call them and perform Stored Cross-Site Scripting attacks against logged in admins, as well as frontend users, due to the lack of sanitisation and escaping in some parameters.

PLUGIN Before 7

CVE-2021-24822

MEDIUM CVSS 5.4 2021-11-29
Threat Entry Updated 2024-11-21

CVE-2021-24806 - Before 7 Plugin

The wpDiscuz WordPress plugin before 7.3.4 does not check for CSRF when adding, editing and deleting comments, which could allow an attacker to make logged in users such as admins edit and delete arbitrary comments, or the user who made a comment edit it, via a CSRF attack. Attackers could also make logged in users post arbitrary comments.

PLUGIN Before 7

CVE-2021-24806

MEDIUM CVSS 4.3 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24691 - Before 7 Plugin

The Quiz And Survey Master WordPress plugin before 7.3.2 does not escape the Quiz Url Slug setting before outputting it in some pages, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 7

CVE-2021-24691

MEDIUM CVSS 4.8 2021-10-11
Threat Entry Updated 2024-11-21

CVE-2021-24368 - Before 7 Plugin

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a Reflected Cross-Site Scripting issue. This could allow for privilege escalation by inducing a logged in admin to open a malicious link.

PLUGIN Before 7

CVE-2021-24368

MEDIUM CVSS 6.1 2021-06-20
Threat Entry Updated 2024-11-21

CVE-2021-24221 - Before 7 Plugin

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin before 7.1.12 did not sanitise the result_id GET parameter on pages with the [qsm_result] shortcode without an id attribute, concatenating it in a SQL statement and leading to an SQL injection. The lowest role allowed to use this shortcode in posts or pages is author, so such a user could gain unauthorised access to the DBMS. If the shortcode (without the id attribute) is embedded on a public page or post, then unauthenticated users could exploit the injection.

PLUGIN Before 7

CVE-2021-24221

HIGH CVSS 8.8 2021-04-12
Threat Entry Updated 2025-03-24

CVE-2021-24177 - Before 7 Plugin

In the default configuration of the File Manager WordPress plugin before 7.1, a Reflected XSS can occur on the endpoint /wp-admin/admin.php?page=wp_file_manager_properties when a payload is submitted on the User-Agent parameter. The payload is then reflected back on the web application response.

PLUGIN Before 7

CVE-2021-24177

MEDIUM CVSS 5.4 2021-04-05