
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,198 | Critical: 182 | High: 652 | Medium: 2,340
Showing 3081-3100 of 3198 records
Threat Entry Updated 2024-11-21

CVE-2021-25100 - Changeset Plugin

The GiveWP WordPress plugin before 2.17.3 does not escape the s parameter before outputting it back in an attribute in the Donation Forms dashboard, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2021-25100

MEDIUM CVSS 6.1 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2021-25099 - Changeset Plugin

The GiveWP WordPress plugin before 2.17.3 does not sanitise and escape the form_id parameter before outputting it back in the response of an unauthenticated request via the give_checkout_login AJAX action, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2021-25099

MEDIUM CVSS 6.1 2022-02-21
Threat Entry Updated 2024-11-21

CVE-2022-0513 - Changeset Plugin

The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the exclusion_reason parameter found in the ~/includes/class-wp-statistics-exclusion.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive information, in versions up to and including 13.1.4. This requires the "Record Exclusions" option to be enabled on the vulnerable site.

PLUGIN Changeset

CVE-2022-0513

CRITICAL CVSS 9.8 2022-02-16
Threat Entry Updated 2024-11-21

CVE-2022-0201 - Changeset Plugin

The Permalink Manager Lite WordPress plugin before 2.2.15 and Permalink Manager Pro WordPress plugin before 2.2.15 do not sanitise and escape query parameters before outputting them back in the debug page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-0201

MEDIUM CVSS 6.1 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2022-0193 - Changeset Plugin

The Complianz WordPress plugin before 6.0.0 does not escape the s parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-0193

MEDIUM CVSS 6.1 2022-02-14
Threat Entry Updated 2025-04-15

CVE-2022-0176 - Changeset Plugin

The PowerPack Lite for Beaver Builder WordPress plugin before 1.2.9.3 does not sanitise and escape the tab parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2022-0176

MEDIUM CVSS 6.1 2022-02-14
Threat Entry Updated 2026-03-20

CVE-2021-25115 - Changeset Plugin

The WP Photo Album Plus WordPress plugin before 8.0.10 was vulnerable to Stored Cross-Site Scripting (XSS). Error log content was handled improperly, so any user, even an unauthenticated one, could cause arbitrary JavaScript to be executed in the admin panel.

PLUGIN Changeset

CVE-2021-25115

MEDIUM CVSS 6.4 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2021-25107 - Changeset Plugin

The Form Store to DB WordPress plugin before 1.1.1 does not sanitise and escape parameter keys before outputting them back in the created entry, allowing an unauthenticated attacker to perform Cross-Site Scripting attacks against an admin.

PLUGIN Changeset

CVE-2021-25107

MEDIUM CVSS 6.1 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2021-25033 - Changeset Plugin

The WordPress Newsletter Plugin WordPress plugin before 1.6.5 does not validate the to parameter before redirecting the user to its given value, leading to an open redirect issue.

PLUGIN Changeset

CVE-2021-25033

MEDIUM CVSS 6.1 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2021-25050 - Changeset Plugin

The Remove Footer Credit WordPress plugin before 1.0.11 does not properly sanitise its settings, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2021-25050

MEDIUM CVSS 4.8 2022-02-14
Threat Entry Updated 2024-11-21

CVE-2022-0149 - Changeset Plugin

The WooCommerce Stored Exporter WordPress plugin before 2.7.1 was affected by a Reflected Cross-Site Scripting (XSS) vulnerability in the woo_ce admin page.

PLUGIN Changeset

CVE-2022-0149

MEDIUM CVSS 6.1 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2022-0148 - Changeset Plugin

The All-in-one Floating Contact Form, Call, Chat, and 50+ Social Icon Tabs WordPress plugin before 2.0.4 was vulnerable to reflected XSS on the my-sticky-elements-leads admin page.

PLUGIN Changeset

CVE-2022-0148

MEDIUM CVSS 5.4 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25108 - Changeset Plugin

The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged-in admin block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.

PLUGIN Changeset

CVE-2021-25108

HIGH CVSS 7.1 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25095 - Changeset Plugin

The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated user, such as a subscriber, to call it and block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.

PLUGIN Changeset

CVE-2021-25095

HIGH CVSS 7.1 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-25077 - Changeset Plugin

The Store Toolkit for WooCommerce WordPress plugin before 2.3.2 does not sanitise and escape the tab parameter before outputting it back in an error message in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2021-25077

MEDIUM CVSS 6.1 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2021-24993 - Changeset Plugin

The Ultimate Product Catalog WordPress plugin before 5.0.26 does not have authorisation and CSRF checks in some AJAX actions, which could allow any authenticated user, such as a subscriber, to call them and, for example, add arbitrary products or change the plugin's settings.

PLUGIN Changeset

CVE-2021-24993

MEDIUM CVSS 6.5 2022-02-07
Threat Entry Updated 2024-11-21

CVE-2022-0218 - Changeset Plugin

The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.

PLUGIN Changeset

CVE-2022-0218

HIGH CVSS 8.3 2022-02-04
Threat Entry Updated 2024-11-21

CVE-2021-25085 - Changeset Plugin

The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2021-25085

MEDIUM CVSS 6.1 2022-02-01