
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,198
Critical: 182
High: 652
Medium: 2,340
Showing 3161-3180 of 3198 records
Threat Entry Updated 2024-11-21

CVE-2021-24710 - Changeset Plugin

The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in an attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2021-24710

MEDIUM CVSS 4.8 2021-11-08
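Entries of this kind (this one and the AddToAny, Google Language Translator, Events Made Easy, Formidable, Google Maps Easy, Leaky Paywall, Simple Job Board and Author Bio Box entries further down) all share one pattern: a setting saved by an administrator is echoed back into a settings page without escaping. The example below is added here and is not code from any of those plugins; the option name `example_plugin_opts`, the field names and the hook names are assumptions. It shows the unescaped pattern next to the sanitise-on-save, escape-per-context form.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Hypothetical settings page with a "button_title" text setting and a
 * "button_url" setting; option and field names are assumptions.
 */

// --- Vulnerable pattern: raw option value interpolated into an attribute ---
function example_vulnerable_settings_field() {
    $opts = get_option( 'example_plugin_opts', array() );
    // A stored value such as   "><img src=x onerror=alert(document.domain)>
    // closes the value attribute and injects markup. The stored value never
    // passes through the kses filter that unfiltered_html controls, so
    // escaping at output is the only control that applies here.
    echo '<input type="text" name="example_plugin_opts[button_title]" value="' . $opts['button_title'] . '">';
}

// --- Hardened pattern: sanitise on save, escape on output for each context ---
function example_sanitize_opts( $input ) {
    $clean = array();
    $clean['button_title'] = isset( $input['button_title'] ) ? sanitize_text_field( $input['button_title'] ) : '';
    $clean['button_url']   = isset( $input['button_url'] ) ? esc_url_raw( $input['button_url'] ) : '';
    return $clean;
}

function example_register_settings() {
    register_setting(
        'example_plugin_group',
        'example_plugin_opts',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'example_sanitize_opts',
        )
    );
}
add_action( 'admin_init', 'example_register_settings' );

function example_hardened_settings_field() {
    $opts  = get_option( 'example_plugin_opts', array() );
    $title = isset( $opts['button_title'] ) ? $opts['button_title'] : '';
    $url   = isset( $opts['button_url'] ) ? $opts['button_url'] : '';

    // Attribute context: esc_attr() encodes the quote characters that would
    // otherwise terminate the attribute.
    echo '<input type="text" name="example_plugin_opts[button_title]" value="' . esc_attr( $title ) . '">';

    // URL context: esc_url() drops javascript: and other unsafe schemes.
    echo '<a href="' . esc_url( $url ) . '">' . esc_html( $title ) . '</a>';

    // HTML body context: esc_html() for plain text; wp_kses_post() only where
    // a controlled subset of markup is intentionally allowed.
    echo '<p class="description">' . esc_html( $title ) . '</p>';
}
```

Why "even when unfiltered_html is disallowed" matters: that capability governs whether WordPress strips scripts from post content with kses. On multisite, ordinary site administrators lack it, and any site can remove it with the DISALLOW_UNFILTERED_HTML constant. Plugin settings saved with update_option() are not post content and never pass through that filter, so a plugin that echoes them unescaped gives an administrator without unfiltered_html a stored XSS vector against every other user of the dashboard, which is the scenario the descriptions above describe.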
Threat Entry Updated 2024-11-21

CVE-2021-24616 - Changeset Plugin

The AddToAny Share Buttons WordPress plugin before 1.7.48 does not escape its Image URL button setting, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2021-24616

MEDIUM CVSS 4.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24594 - Changeset Plugin

The Translate WordPress – Google Language Translator WordPress plugin before 6.0.12 does not sanitise and escape some of its settings before outputting them in various pages, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2021-24594

MEDIUM CVSS 4.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-39346 - Changeset Plugin

The Google Maps Easy WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/modules/marker_groups/views/tpl/mgrEditMarkerGroup.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.9.33. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

PLUGIN Changeset

CVE-2021-39346

MEDIUM CVSS 4.8 2021-11-01
Threat Entry Updated 2024-11-21

CVE-2021-24809 - Changeset Plugin

The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in several of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged in users perform unwanted actions.

PLUGIN Changeset

CVE-2021-24809

HIGH CVSS 8.8 2021-11-01
Threat Entry Updated 2024-11-21

CVE-2021-24808 - Changeset Plugin

The BP Better Messages WordPress plugin before 1.9.9.41 sanitises the 'subject' parameter (with sanitize_text_field) but does not escape it before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2021-24808

MEDIUM CVSS 6.1 2021-11-01
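The distinction this entry turns on, and which the YOP Poll, Easy Digital Downloads and FV Flowplayer reflected XSS entries below share, is that sanitisation and escaping are different controls: sanitize_text_field() cleans data for storage, esc_attr() makes it safe for one specific output context. The example below is added here and is not BP Better Messages code; the handler and parameter names are assumptions.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Hypothetical admin page that reflects a "subject" query parameter back
 * into a form field; function and parameter names are assumptions.
 */

// --- Vulnerable: sanitised, but not escaped for the attribute context ---
function example_reflect_subject_vulnerable() {
    $subject = isset( $_GET['subject'] ) ? sanitize_text_field( wp_unslash( $_GET['subject'] ) ) : '';

    // sanitize_text_field() strips tags, invalid UTF-8, line breaks and
    // percent-encoded bytes, but it leaves double quotes and on*= attribute
    // names untouched. PHP has already URL-decoded the query string, so
    //   ?subject=%22%20autofocus%20onfocus%3D%22alert(document.domain)
    // arrives as   " autofocus onfocus="alert(document.domain)
    // contains no '<' and no '%xx', survives sanitisation unchanged, and
    // becomes a second attribute with an event handler.
    echo '<input type="text" name="subject" value="' . $subject . '">';
}

// --- Hardened: escape at the point of output, for the exact context ---
function example_reflect_subject_hardened() {
    $subject = isset( $_GET['subject'] ) ? sanitize_text_field( wp_unslash( $_GET['subject'] ) ) : '';

    // esc_attr() encodes the quote, so the value cannot close the attribute.
    echo '<input type="text" name="subject" value="' . esc_attr( $subject ) . '">';
}
```

The same reasoning applies to the CVSS 6.1 scores on these reflected entries: the payload is delivered in a crafted URL and runs in the browser of whichever user opens it, so no privilege on the site is needed to plant it, unlike the stored settings entries scored 4.8.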
Threat Entry Updated 2024-11-21

CVE-2021-24813 - Changeset Plugin

The Events Made Easy WordPress plugin before 2.2.24 does not sanitise and escape Custom Field Names, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2021-24813

MEDIUM CVSS 4.8 2021-11-01
Threat Entry Updated 2024-11-21

CVE-2021-24781 - Changeset Plugin

The Image Source Control WordPress plugin before 2.3.1 allows users with a role as low as Contributor to change arbitrary post meta fields of arbitrary posts (even those they should not be able to edit).

PLUGIN Changeset

CVE-2021-24781

MEDIUM CVSS 4.3 2021-11-01
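The BP Better Messages CSRF entry (CVE-2021-24809) and this Image Source Control entry are two halves of the same AJAX-handler checklist: the first is missing the nonce that proves the request came from the plugin's own page, the second is missing the capability check on the specific post being changed. The example below is added here and is not code from either plugin; the action name `example_update_meta`, the nonce name and the meta key are assumptions. One hardened handler addresses both.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Hypothetical AJAX action "example_update_meta" that updates one meta key
 * on a post; action, nonce and field names are assumptions.
 */

// --- Vulnerable: no nonce (CSRF) and no per-post capability check ---
// Not hooked here so it does not collide with the hardened handler below.
function example_update_meta_vulnerable() {
    $post_id = (int) $_POST['post_id'];
    $value   = sanitize_text_field( wp_unslash( $_POST['value'] ) );
    // Any logged-in user can be made to send this from a third-party page
    // (no nonce), and any Contributor can target posts they cannot edit
    // (no object-level authorisation).
    update_post_meta( $post_id, 'example_caption', $value );
    wp_send_json_success();
}

// --- Hardened ---
function example_update_meta_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and
    //    this user. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_update_meta', 'nonce' );

    // 2. Authorisation on the specific object, not just "is logged in":
    //    edit_post is resolved per post (author, status, post type).
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Only the meta key this feature owns; never take the key from input,
    //    otherwise protected keys such as _wp_page_template become writable.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_post_meta( $post_id, 'example_caption', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_meta', 'example_update_meta_hardened' );

// Minting the nonce for the client on the post edit screen.
function example_enqueue_editor_script( $hook ) {
    if ( 'post.php' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-editor', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_update_meta' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_editor_script' );
```

Note that wp_ajax_ hooks fire for every authenticated role, so registering a handler only under wp_ajax_ (and not wp_ajax_nopriv_) is not an authorisation check. For a classic admin-post form such as the donation-button creation in CVE-2021-24570 below, the equivalent pair is wp_nonce_field() in the form and check_admin_referer() in the handler.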
Threat Entry Updated 2024-11-21

CVE-2021-24570 - Changeset Plugin

The Accept Donations with PayPal WordPress plugin before 1.3.1 offers a function to create donation buttons, which internally are posts. The process to create a new button is lacking a CSRF check. An attacker could use this to make an authenticated admin create a new button. Furthermore, one of the Button fields is not escaped before being output in an attribute when editing a Button, leading to a Stored Cross-Site Scripting issue as well.

PLUGIN Changeset

CVE-2021-24570

MEDIUM CVSS 4.3 2021-11-01
Threat Entry Updated 2024-11-21

CVE-2021-24885 - Changeset Plugin

The YOP Poll WordPress plugin before 6.1.2 does not escape the perpage parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue.

PLUGIN Changeset

CVE-2021-24885

MEDIUM CVSS 6.1 2021-10-25
Threat Entry Updated 2024-11-21

CVE-2021-24608 - Changeset Plugin

The Formidable Form Builder – Contact Form, Survey & Quiz Forms Plugin for WordPress plugin before 5.0.07 does not sanitise and escape its Form's Labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Changeset

CVE-2021-24608

MEDIUM CVSS 4.8 2021-10-25
Threat Entry Updated 2024-11-21

CVE-2021-39352 - Changeset Plugin

The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.

PLUGIN Changeset

CVE-2021-39352

HIGH CVSS 7.2 2021-10-21
Threat Entry Updated 2024-11-21

CVE-2021-39357 - Changeset Plugin

The Leaky Paywall WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the ~/class.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.16.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

PLUGIN Changeset

CVE-2021-39357

MEDIUM CVSS 5.5 2021-10-21
Threat Entry Updated 2025-02-07

CVE-2021-39354 - Changeset Plugin

The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.

PLUGIN Changeset

CVE-2021-39354

MEDIUM CVSS 4.8 2021-10-21
Threat Entry Updated 2024-11-21

CVE-2021-39321 - Changeset Plugin

Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user supplied inputs via the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by underprivileged authenticated users due to a missing capability check on the import_config function.

PLUGIN Changeset

CVE-2021-39321

HIGH CVSS 8.8 2021-10-21
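This entry combines two defects: unserialize() on attacker-controlled bytes, and no capability check on the AJAX action that reaches it, so any logged-in user can trigger it. The example below is added here and is not Sassy Social Share code; the action name `example_import_config`, the option name and the gadget class `Example_Gadget` are constructed for illustration. It shows why object deserialisation of user input is dangerous regardless of the data it carries, and the data-only alternative.

```php
<?php
/**
 * Added example, not code from any plugin listed on this page.
 * Hypothetical "example_import_config" AJAX action that restores settings
 * from a user-supplied blob; names are assumptions. Example_Gadget is a
 * constructed stand-in for any class with a side-effecting magic method.
 */

class Example_Gadget {
    public $path;
    public function __destruct() {
        // Runs when the object is garbage-collected after unserialize(),
        // whether or not the calling code ever touches the object.
        if ( $this->path ) {
            @unlink( $this->path );
        }
    }
}

// --- Vulnerable: reachable by any logged-in user (wp_ajax_ hooks fire for
// every role), deserialises attacker-controlled bytes. A blob such as
//   O:14:"Example_Gadget":1:{s:4:"path";s:22:"/var/www/wp-config.php";}
// instantiates the gadget; its __destruct() deletes the file. ---
function example_import_config_vulnerable() {
    $config = unserialize( wp_unslash( $_POST['config'] ) );
    update_option( 'example_plugin_opts', $config );
    wp_send_json_success();
}

// --- Hardened ---
function example_import_config_hardened() {
    // Capability check first: importing configuration is an admin action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_import_config', 'nonce' );

    // Use a data-only format. json_decode() can never instantiate a class.
    $raw    = isset( $_POST['config'] ) ? wp_unslash( $_POST['config'] ) : '';
    $config = json_decode( $raw, true );
    if ( ! is_array( $config ) ) {
        wp_send_json_error( 'invalid config', 400 );
    }

    // Allow-list the keys and sanitise each value before persisting.
    $clean = array(
        'button_title' => sanitize_text_field( $config['button_title'] ?? '' ),
        'button_url'   => esc_url_raw( $config['button_url'] ?? '' ),
    );
    update_option( 'example_plugin_opts', $clean );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_import_config', 'example_import_config_hardened' );

// If a legacy serialized format must still be read, forbid object
// instantiation outright (PHP 7.0+): every class in the blob becomes
// __PHP_Incomplete_Class and no __wakeup()/__destruct() code runs.
function example_unserialize_data_only( $blob ) {
    return unserialize( $blob, array( 'allowed_classes' => false ) );
}
```

The gadget chain in a real attack is not a class the plugin ships; it is whatever class with a useful __destruct(), __wakeup() or __toString() happens to be loaded by core, the theme or another plugin. That is why the fix is to stop deserialising objects at all rather than to audit the importing plugin's own classes.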
Threat Entry Updated 2024-11-21

CVE-2021-39328 - Changeset Plugin

The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping on the $job_board_privacy_policy_label variable echoed out via the ~/admin/settings/class-simple-job-board-settings-privacy.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.9.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

PLUGIN Changeset

CVE-2021-39328

MEDIUM CVSS 5.5 2021-10-21
Threat Entry Updated 2024-11-21

CVE-2021-39349 - Changeset Plugin

The Author Bio Box WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/includes/admin/class-author-bio-box-admin.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 3.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

PLUGIN Changeset

CVE-2021-39349

MEDIUM CVSS 5.5 2021-10-15
Threat Entry Updated 2024-11-21

CVE-2021-39317 - Changeset Plugin

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions is below: WordPress Plugin: AccessPress Demo Importer

PLUGIN Changeset

CVE-2021-39317

HIGH CVSS 8.8 2021-10-11
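The Catch Themes Demo Import entry above (CVE-2021-39352, insufficient file type validation, administrator required) and this AccessPress entry (missing capability check on an upload action) are the two ways a demo-import upload becomes remote code execution: either anyone can reach the upload, or the upload accepts anything. The example below is added here and is not code from either vendor; the action name `example_import_upload`, the nonce name and the allowed type list are assumptions.

```php
<?php
/**
 * Added example, not code from any plugin or theme listed on this page.
 * Hypothetical AJAX action "example_import_upload" that accepts a demo
 * archive from an admin form; action, nonce and allowed types are assumptions.
 */

// --- Vulnerable: trusts the client-supplied filename and writes it under
// a web-reachable directory. A file named payload.php is then executed by
// requesting it; nothing here checks who is calling or what is uploaded. ---
function example_import_upload_vulnerable() {
    $file = $_FILES['import_file'];
    $dest = wp_upload_dir()['basedir'] . '/imports/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    wp_send_json_success( $dest );
}

// --- Hardened ---
function example_import_upload_hardened() {
    // Capability first (the AccessPress case is the missing capability),
    // then the nonce. Both are needed: a nonce alone does not stop a
    // low-privilege user, a capability alone does not stop CSRF.
    if ( ! current_user_can( 'import' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_import_upload', 'nonce' );

    if ( empty( $_FILES['import_file'] ) || UPLOAD_ERR_OK !== $_FILES['import_file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['import_file'];

    // Allow-list of extension => MIME for this feature only. Never derive
    // the allowed set from the client's claimed type or from the filename.
    $allowed = array( 'zip' => 'application/zip' );

    // WordPress checks the extension against the list and, where PHP's
    // fileinfo can identify the content, that the content agrees with it.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let wp_handle_upload() move the file: it sanitises the name, picks a
    // unique filename, and enforces the same allow-list a second time.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( $result['file'] );
}
add_action( 'wp_ajax_example_import_upload', 'example_import_upload_hardened' );
```

An uploaded archive still has to be extracted somewhere, and extraction is its own attack surface (path traversal in entry names, executable files inside the archive). Treat the contents with the same allow-list discipline as the upload itself, and keep the extraction target outside any directory the web server will execute scripts from.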
Threat Entry Updated 2025-02-14

CVE-2021-39350 - Changeset Plugin

The FV Flowplayer Video Player WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the player_id parameter found in the ~/view/stats.php file which allows attackers to inject arbitrary web scripts, in versions 7.5.0.727 - 7.5.2.727.

PLUGIN Changeset

CVE-2021-39350

MEDIUM CVSS 6.1 2021-10-06