Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 3041-3060 of 3198 records
CVE-2022-0478 - Changeset Plugin (entry updated 2024-11-21)

The Event Manager and Tickets Selling for WooCommerce WordPress plugin before 3.5.8 does not validate and escape the post_author_gutenberg parameter before using it in a SQL statement when creating/editing events, which could allow users with a role as low as Contributor to perform SQL Injection attacks.

HIGH CVSS 8.8 2022-03-14
CVE-2022-0399 - Changeset Plugin (entry updated 2024-11-21)

The Advanced Product Labels for WooCommerce WordPress plugin before 1.2.3.7 does not sanitise and escape the tax_color_set_type parameter before outputting it back in the berocket_apl_color_listener AJAX action's response, leading to a Reflected Cross-Site Scripting.

MEDIUM CVSS 6.1 2022-03-14
CVE-2022-0248 - Changeset Plugin (entry updated 2024-11-21)

The Contact Form Submissions WordPress plugin before 1.7.3 does not sanitise and escape additional fields in contact form requests before outputting them in the related submission. As a result, an unauthenticated attacker could perform Cross-Site Scripting attacks against admins viewing the malicious submission.

MEDIUM CVSS 6.1 2022-03-14
CVE-2022-0161 - Changeset Plugin (entry updated 2024-11-21)

The ARI Fancy Lightbox WordPress plugin before 1.3.9 does not sanitise and escape the msg parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.

MEDIUM CVSS 6.1 2022-03-14
CVE-2022-0147 - Changeset Plugin (entry updated 2024-11-21)

The Cookie Information | Free GDPR Consent Solution WordPress plugin before 2.0.8 does not escape user data before outputting it back in attributes in the admin dashboard, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2022-03-14
CVE-2021-25026 - Changeset Plugin (entry updated 2024-11-21)

The Patreon WordPress plugin before 1.8.2 does not sanitise and escape the field "Custom Patreon Page name", which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 5.5 2022-03-14
CVE-2022-0441 - Changeset Plugin (entry updated 2024-11-21)

The MasterStudy LMS WordPress plugin before 2.7.6 does not validate some parameters given when registering a new account, allowing unauthenticated users to register as an admin.

CRITICAL CVSS 9.8 2022-03-07
CVE-2022-0420 - Changeset Plugin (entry updated 2024-11-21)

The RegistrationMagic WordPress plugin before 5.0.2.2 does not sanitise and escape the rm_form_id parameter before using it in a SQL statement in the Automation admin dashboard, allowing high privilege users to perform SQL injection attacks.

HIGH CVSS 7.2 2022-03-07
CVE-2022-0422 - Changeset Plugin (entry updated 2024-11-21)

The White Label CMS WordPress plugin before 2.2.9 does not sanitise and validate the wlcms[_login_custom_js] parameter before outputting it back in the response while previewing, leading to a Reflected Cross-Site Scripting issue.

MEDIUM CVSS 6.1 2022-03-07
CVE-2022-0426 - Changeset Plugin (entry updated 2024-11-21)

The Product Feed PRO for WooCommerce WordPress plugin before 11.2.3 does not escape the rowCount parameter before outputting it back in an attribute via the woosea_categories_dropdown AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting.

MEDIUM CVSS 5.4 2022-03-07
CVE-2022-0535 - Changeset Plugin (entry updated 2024-11-21)

The E2Pdf WordPress plugin before 1.16.45 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

MEDIUM CVSS 4.8 2022-03-07
CVE-2022-0384 - Changeset Plugin (entry updated 2024-11-21)

The Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated user, such as a subscriber, to download the list of email addresses registered on the blog.

MEDIUM CVSS 4.3 2022-03-07
CVE-2021-24961 - Changeset Plugin (entry updated 2024-11-21)

The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 do not escape some of their shortcode arguments, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2022-03-07
CVE-2021-24960 - Changeset Plugin (entry updated 2024-11-21)

The WordPress File Upload WordPress plugin before 4.16.3 and the wordpress-file-upload-pro WordPress plugin before 4.16.3 allow users with a role as low as Contributor to configure the upload form in a way that allows uploading of SVG files, which could then be used for Cross-Site Scripting attacks.

MEDIUM CVSS 5.4 2022-03-07
CVE-2021-24216 - Changeset Plugin (entry updated 2024-11-21)

The All-in-One WP Migration WordPress plugin before 7.41 does not validate uploaded files' extension, which allows administrators to upload PHP files on their site, even on multisite installations.

HIGH CVSS 7.2 2022-03-07
CVE-2022-0412 - Changeset Plugin (entry updated 2024-11-21)

The TI WooCommerce Wishlist WordPress plugin before 1.40.1 and the TI WooCommerce Wishlist Pro WordPress plugin before 1.40.1 do not sanitise and escape the item_id parameter before using it in a SQL statement via the wishlist/remove_product REST endpoint, allowing unauthenticated attackers to perform SQL injection attacks.

CRITICAL CVSS 9.8 2022-02-28
CVE-2022-0411 - Changeset Plugin (entry updated 2024-11-21)

The Asgaros Forum WordPress plugin before 2.0.0 does not sanitise and escape the post_id parameter before using it in a SQL statement via a REST route of the plugin (accessible to any authenticated user), leading to a SQL injection.

HIGH CVSS 8.8 2022-02-28
CVE-2022-23911 - Changeset Plugin (entry updated 2024-11-21)

The Testimonial WordPress Plugin WordPress plugin before 1.4.7 does not validate and escape the id parameter before using it in a SQL statement when retrieving a testimonial to edit, leading to a SQL Injection.

HIGH CVSS 7.2 2022-02-28
CVE-2022-0383 - Changeset Plugin (entry updated 2024-11-21)

The WP Review Slider WordPress plugin before 11.0 does not sanitise and escape the pid parameter when copying a Twitter source, which could allow high privilege users to perform SQL Injection attacks.

HIGH CVSS 7.2 2022-02-28