Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total14,273
Critical855
High2,814
Medium10,408
Reset
Showing 5201-5220 of 14273 records
Threat Entry Updated 2025-05-20

CVE-2024-13629 - Pushbiz Plugin

The pushBIZ WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Pushbiz

CVE-2024-13629

MEDIUM CVSS 6.1 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-15

CVE-2024-13628 - Wp Pricing Table Plugin

The WP Pricing Table WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Pricing Table

CVE-2024-13628

MEDIUM CVSS 6.1 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-15

CVE-2024-13571 - Post Timeline Plugin

The Post Timeline WordPress plugin before 2.3.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Post Timeline

CVE-2024-13571

HIGH CVSS 7.1 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-15

CVE-2024-12878 - Custom Block Builder Plugin

The Custom Block Builder WordPress plugin before 3.8.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Custom Block Builder

CVE-2024-12878

HIGH CVSS 7.1 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-20

CVE-2024-12737 - Services And Events Plugin

The WP BASE Booking of Appointments, Services and Events WordPress plugin before 5.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Services And Events

CVE-2024-12737

MEDIUM CVSS 6.1 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-15

CVE-2024-13113 - Countdown Timer For Elementor Plugin

The Countdown Timer for Elementor WordPress plugin before 1.3.7 does not sanitise and escape some parameters when outputting them on the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

PLUGIN Countdown Timer For Elementor

CVE-2024-13113

MEDIUM CVSS 5.9 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-02-26

CVE-2024-12434 - Suremembers Plugin

The SureMembers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.10.6 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including restricted content.

PLUGIN Suremembers

CVE-2024-12434

MEDIUM CVSS 5.3 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-02-26

CVE-2024-13560 - Subscriptions Memberships For Paypal Plugin

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Subscriptions Memberships For Paypal

CVE-2024-13560

MEDIUM CVSS 4.3 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-15

CVE-2024-10483 - Press Forum Plugin

The Simple:Press Forum WordPress plugin before 6.10.11 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

PLUGIN Press Forum

CVE-2024-10483

HIGH CVSS 7.1 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-20

CVE-2024-10563 - Woocommerce Cart Count Shortcode Plugin

The WooCommerce Cart Count Shortcode WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Woocommerce Cart Count Shortcode

CVE-2024-10563

MEDIUM CVSS 5.4 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-05-15

CVE-2024-10152 - Simple Certain Time To Show Content Plugin

The Simple Certain Time to Show Content WordPress plugin before 1.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Simple Certain Time To Show Content

CVE-2024-10152

HIGH CVSS 7.1 2025-02-26
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2025-26913 - AR For WordPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webandprint AR For WordPress allows DOM-Based XSS. This issue affects AR For WordPress: from n/a through 7.7.

PLUGIN AR For WordPress

CVE-2025-26913

MEDIUM CVSS 6.5 2025-02-25
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2025-1262 - Advanced Google Recaptcha Plugin

The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27 . This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification.

PLUGIN Advanced Google Recaptcha

CVE-2025-1262

MEDIUM CVSS 5.3 2025-02-25
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2024-13695 - Enfold Plugin

The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachment_id' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Enfold

CVE-2024-13695

MEDIUM CVSS 6.4 2025-02-25
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2024-13693 - Enfold Plugin

The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.

PLUGIN Enfold

CVE-2024-13693

MEDIUM CVSS 5.3 2025-02-25
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2024-13494 - Wordpress File Upload Plugin

The WordPress File Upload plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.25.2. This is due to missing or incorrect nonce validation on the 'wfu_file_details' function. This makes it possible for unauthenticated attackers to modify user data details associated with uploaded files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wordpress File Upload

CVE-2024-13494

MEDIUM CVSS 4.3 2025-02-25
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2025-1128 - Everest Forms Plugin

The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.

PLUGIN Everest Forms

CVE-2025-1128

CRITICAL CVSS 9.8 2025-02-25
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2025-1648 - Yawave Plugin

The Yawave plugin for WordPress is vulnerable to SQL Injection via the 'lbid' parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Yawave

CVE-2025-1648

HIGH CVSS 7.5 2025-02-25
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2025-1063 - Classified Listing Plugin

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens.

PLUGIN Classified Listing

CVE-2025-1063

MEDIUM CVSS 5.3 2025-02-25
Open Full Technical Breakdown
Threat Entry Updated 2025-05-15

CVE-2024-10545 - Proofing And Plugin

The Photo Gallery, Sliders, Proofing and WordPress plugin before 3.59.9 does not sanitise and escape some of its Image settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Proofing And

CVE-2024-10545

LOW CVSS 3.5 2025-02-25
Open Full Technical Breakdown
Scroll to top