Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 563
Critical: 20
High: 112
Medium: 421
Showing 401-420 of 563 records
Threat Entry Updated 2024-11-21

CVE-2022-1549 - Through 1 Plugin

The WP Athletics WordPress plugin through 1.1.7 does not sanitize parameters before storing them in the database, nor does it escape the values when outputting them back in the admin dashboard, leading to a Stored Cross-Site Scripting vulnerability.

PLUGIN Through 1

CVE-2022-1549

MEDIUM CVSS 5.4 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1594 - Through 1 Plugin

The HC Custom WP-Admin URL WordPress plugin through 1.4 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack, allowing them to change the login URL.

PLUGIN Through 1

CVE-2022-1594

MEDIUM CVSS 4.3 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-0885 - Through 1 Plugin

The Member Hero WordPress plugin through 1.0.9 lacks authorization checks and does not validate the "a" request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.

PLUGIN Through 1

CVE-2022-0885

CRITICAL CVSS 9.8 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1202 - Through 1 Plugin

The WP-CRM WordPress plugin through 1.2.1 does not validate and sanitise fields when exporting people to a CSV file, leading to a CSV injection vulnerability.

PLUGIN Through 1

CVE-2022-1202

HIGH CVSS 7.8 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1336 - Through 1 Plugin

The Carousel CK WordPress plugin through 1.1.0 does not sanitize and escape Slide's descriptions, which could allow high-privileged users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed

PLUGIN Through 1

CVE-2022-1336

MEDIUM CVSS 4.8 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2021-25116 - Through 1 Plugin

The Enqueue Anything WordPress plugin through 1.0.1 does not have authorisation and CSRF checks in the remove_asset AJAX action, and does not ensure that the item to be deleted is actually an asset. As a result, low privilege users such as subscriber could delete arbitrary assets, as well as put arbitrary posts in the trash.

PLUGIN Through 1

CVE-2021-25116

MEDIUM CVSS 6.5 2022-06-13
Threat Entry Updated 2024-11-21

CVE-2022-1685 - Through 1 Plugin

The Five Minute Webshop WordPress plugin through 1.3.2 does not properly validate and sanitise the orderby parameter before using it in a SQL statement via the Manage Products admin page, leading to an SQL Injection

PLUGIN Through 1

CVE-2022-1685

MEDIUM CVSS 4.9 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1712 - Through 1 Plugin

The LiveSync for WordPress plugin through 1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Through 1

CVE-2022-1712

MEDIUM CVSS 4.3 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1687 - Through 1 Plugin

The Logo Slider WordPress plugin through 1.4.8 does not sanitise and escape the lsp_slider_id parameter before using it in a SQL statement via the Manage Slider Images admin page, leading to an SQL Injection

PLUGIN Through 1

CVE-2022-1687

LOW CVSS 2.7 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1686 - Through 1 Plugin

The Five Minute Webshop WordPress plugin through 1.3.2 does not sanitise and escape the id parameter before using it in a SQL statement when editing a product via the admin dashboard, leading to an SQL Injection

PLUGIN Through 1

CVE-2022-1686

LOW CVSS 2.7 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1684 - Through 1 Plugin

The Cube Slider WordPress plugin through 1.2 does not sanitise and escape the idslider parameter before using it in various SQL queries, leading to SQL Injections exploitable by high privileged users such as admin

PLUGIN Through 1

CVE-2022-1684

LOW CVSS 2.7 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1506 - Through 1 Plugin

The WP Born Babies WordPress plugin through 1.0 does not sanitise and escape some of its fields, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

PLUGIN Through 1

CVE-2022-1506

MEDIUM CVSS 5.4 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1646 - Through 1 Plugin

The Simple Real Estate Pack WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

PLUGIN Through 1

CVE-2022-1646

MEDIUM CVSS 4.8 2022-05-30
Threat Entry Updated 2024-11-21

CVE-2022-1644 - Through 1 Plugin

The Call&Book Mobile Bar WordPress plugin through 1.2.2 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Through 1

CVE-2022-1644

MEDIUM CVSS 4.8 2022-05-30
Threat Entry Updated 2024-11-21

CVE-2022-1643 - Through 1 Plugin

The Birthdays Widget WordPress plugin through 1.7.18 does not sanitise and escape some of its fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

PLUGIN Through 1

CVE-2022-1643

MEDIUM CVSS 4.8 2022-05-30
Threat Entry Updated 2024-11-21

CVE-2022-1542 - Through 1 Plugin

The HPB Dashboard WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Through 1

CVE-2022-1542

MEDIUM CVSS 4.8 2022-05-30
Threat Entry Updated 2024-11-21

CVE-2022-1387 - Through 1 Plugin

The No Future Posts WordPress plugin through 1.4 does not escape its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks when unfiltered_html is disallowed

PLUGIN Through 1

CVE-2022-1387

MEDIUM CVSS 4.8 2022-05-30
Threat Entry Updated 2024-11-21

CVE-2022-1558 - Through 1 Plugin

The Curtain WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

PLUGIN Through 1

CVE-2022-1558

MEDIUM CVSS 4.8 2022-05-23
Threat Entry Updated 2024-11-21

CVE-2022-1218 - Through 1 Plugin

The Domain Replace WordPress plugin through 1.3.8 does not sanitise and escape a parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting vulnerability.

PLUGIN Through 1

CVE-2022-1218

MEDIUM CVSS 6.1 2022-05-23