Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,194 | Critical: 182 | High: 651 | Medium: 2,337

Showing 2601-2620 of 3194 records
Threat Entry Updated 2025-01-28

CVE-2024-1108 - Changeset Plugin

The Plugin Groups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_init() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to change the settings of the plugin, which can also cause a denial of service due to a misconfiguration.

PLUGIN Changeset

CVE-2024-1108

MEDIUM CVSS 6.5 2024-02-21
Threat Entry Updated 2025-02-04

CVE-2024-1510 - Changeset Plugin

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's su_tooltip shortcode in all versions up to, and including, 7.0.2 due to insufficient input sanitization and output escaping on user supplied attributes and user supplied tags. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Changeset

CVE-2024-1510

MEDIUM CVSS 6.4 2024-02-20
Threat Entry Updated 2024-12-18

CVE-2024-1512 - Changeset Plugin

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union-based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.

PLUGIN Changeset

CVE-2024-1512

CRITICAL CVSS 9.8 2024-02-17
Threat Entry Updated 2025-01-23

CVE-2024-0708 - Changeset Plugin

The Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers to access landing pages that may not be public.

PLUGIN Changeset

CVE-2024-0708

MEDIUM CVSS 5.3 2024-02-15
Threat Entry Updated 2024-11-21

CVE-2024-0842 - Changeset Plugin

The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 1.2.5. This is due to direct access of the backuply/restore_ins.php file. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.

PLUGIN Changeset

CVE-2024-0842

HIGH CVSS 7.5 2024-02-09
Threat Entry Updated 2024-11-21

CVE-2024-1122 - Changeset Plugin

The Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.

PLUGIN Changeset

CVE-2024-1122

MEDIUM CVSS 5.3 2024-02-09
Threat Entry Updated 2024-11-21

CVE-2024-0965 - Changeset Plugin

The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's page restriction and view page content.

PLUGIN Changeset

CVE-2024-0965

MEDIUM CVSS 5.3 2024-02-08
Threat Entry Updated 2024-11-21

CVE-2024-1079 - Changeset Plugin

The Quiz Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_show_results() function in all versions up to, and including, 6.5.2.4. This makes it possible for unauthenticated attackers to fetch arbitrary quiz results which can contain PII.

PLUGIN Changeset

CVE-2024-1079

MEDIUM CVSS 5.3 2024-02-07
Threat Entry Updated 2024-11-21

CVE-2024-1078 - Changeset Plugin

The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to, and including, 6.5.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary quizzes.

PLUGIN Changeset

CVE-2024-1078

MEDIUM CVSS 4.3 2024-02-07
Threat Entry Updated 2024-11-21

CVE-2024-1037 - Changeset Plugin

The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Changeset

CVE-2024-1037

MEDIUM CVSS 6.1 2024-02-07
Threat Entry Updated 2024-11-21

CVE-2024-0628 - Changeset Plugin

The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Changeset

CVE-2024-0628

LOW CVSS 3.8 2024-02-07
Threat Entry Updated 2024-11-21

CVE-2024-0256 - Changeset Plugin

The Starbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Profile Display Name and Social Settings in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Changeset

CVE-2024-0256

MEDIUM CVSS 6.4 2024-02-07
Threat Entry Updated 2024-11-21

CVE-2024-1072 - Changeset Plugin

The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the seedprod_lite_new_lpage function in all versions up to, and including, 6.15.21. This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin. Version 6.15.22 addresses this issue but introduces a bug affecting admin pages. We suggest upgrading to 6.15.23.

PLUGIN Changeset

CVE-2024-1072

HIGH CVSS 8.2 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2024-1075 - Changeset Plugin

The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to maintenance mode bypass and information disclosure in all versions up to, and including, 2.37. This is due to the plugin improperly validating the request path. This makes it possible for unauthenticated attackers to bypass maintenance mode and view pages that should be hidden.

PLUGIN Changeset

CVE-2024-1075

LOW CVSS 3.7 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2024-0869 - Changeset Plugin

The Instant Images – One Click Image Uploads from Unsplash, Openverse, Pixabay and Pexels plugin for WordPress is vulnerable to unauthorized arbitrary options update due to an insufficient check that neglects to verify whether the updated option belongs to the plugin on the instant-images/license REST API endpoint in all versions up to, and including, 6.1.0. This makes it possible for authors and higher to update arbitrary options.

PLUGIN Changeset

CVE-2024-0869

HIGH CVSS 8.8 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2024-1046 - Changeset Plugin

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'reg-number-field' shortcode in all versions up to, and including, 4.14.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Changeset

CVE-2024-1046

MEDIUM CVSS 6.4 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2024-0954 - Changeset Plugin

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting through editing context via the 'data-eael-wrapper-link' wrapper in all versions up to, and including, 5.9.7 due to insufficient input sanitization and output escaping on user supplied protocols. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Changeset

CVE-2024-0954

MEDIUM CVSS 6.4 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2024-0969 - Changeset Plugin

The ARMember plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.21 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Default Restriction" feature and view restricted post content.

PLUGIN Changeset

CVE-2024-0969

MEDIUM CVSS 5.3 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2024-0859 - Changeset Plugin

The Affiliates Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.34. This is due to missing or incorrect nonce validation on the process_bulk_action function in ListAffiliatesTable.php. This makes it possible for unauthenticated attackers to delete affiliates via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Changeset

CVE-2024-0859

MEDIUM CVSS 4.3 2024-02-05
Threat Entry Updated 2024-11-21

CVE-2024-0823 - Changeset Plugin

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Link To' url in carousels in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Changeset

CVE-2024-0823

MEDIUM CVSS 5.4 2024-02-05