Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,273 | Critical: 855 | High: 2,814 | Medium: 10,408

Showing 5601-5620 of 14273 records
CVE-2024-13216 - Ht Event Plugin

The HT Event – WordPress Event Manager Plugin for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.7 via the 'render' function in /includes/widgets/htevent_sponsor.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.

Plugin: Ht Event | MEDIUM, CVSS 4.3 | 2025-01-31 | Threat entry updated 2025-01-31
CVE-2024-11886 - Lead Capturing Call To Actions By Vcita Plugin

The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vCitaMeetingScheduler' shortcode in all versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Lead Capturing Call To Actions By Vcita | MEDIUM, CVSS 6.4 | 2025-01-31 | Threat entry updated 2025-01-31
CVE-2024-13100 - Opsi Israel Domestic Shipments Plugin

The OPSI Israel Domestic Shipments WordPress plugin through 2.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Opsi Israel Domestic Shipments | MEDIUM, CVSS 6.1 | 2025-01-31 | Threat entry updated 2025-05-23
CVE-2024-12275 - Canvasflow Plugin

The Canvasflow for WordPress plugin through 1.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Plugin: Canvasflow | MEDIUM, CVSS 6.1 | 2025-01-31 | Threat entry updated 2025-05-13
CVE-2024-12772 - Ninja Tables Plugin

The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, leading to a Cross Site Scripting vulnerability.

Plugin: Ninja Tables | MEDIUM, CVSS 5.4 | 2025-01-31 | Threat entry updated 2025-03-28
CVE-2024-12872 - Zalomeni Plugin

The Zalomení WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Plugin: Zalomeni | MEDIUM, CVSS 4.8 | 2025-01-31 | Threat entry updated 2025-05-23
CVE-2025-0493 - Multivendorx Plugin

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

Plugin: Multivendorx | CRITICAL, CVSS 9.8 | 2025-01-31 | Threat entry updated 2025-05-23
CVE-2025-0507 - Ticketmeo – Sell Tickets – Event Ticketing Plugin

The Ticketmeo – Sell Tickets – Event Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Ticketmeo – Sell Tickets – Event Ticketing | MEDIUM, CVSS 6.4 | 2025-01-31 | Threat entry updated 2025-01-31
CVE-2024-10867 - Borderless Plugin

The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Borderless | MEDIUM, CVSS 5.4 | 2025-01-31 | Threat entry updated 2025-03-25
CVE-2025-0470 - Forminator Forms Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the title parameter in all versions up to, and including, 1.38.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Forminator Forms | MEDIUM, CVSS 6.1 | 2025-01-31 | Threat entry updated 2025-05-23
CVE-2024-13463 - Seatreg Plugin

The SeatReg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'seatreg' shortcode in all versions up to, and including, 1.56.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Seatreg | MEDIUM, CVSS 6.4 | 2025-01-31 | Threat entry updated 2025-01-31
CVE-2024-13767 - Live 2d Plugin

The Live2DWebCanvas plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ClearFiles() function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Plugin: Live 2d | HIGH, CVSS 8.1 | 2025-01-31 | Threat entry updated 2025-01-31
CVE-2024-13399 - Gosign Posts Slider Block Plugin

The Gosign – Posts Slider Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'posts-slider-block' block in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Gosign Posts Slider Block | MEDIUM, CVSS 6.4 | 2025-01-31 | Threat entry updated 2025-01-31
CVE-2024-13397 - Wordpress Radio Streaming Plugin

The WPRadio – WordPress Radio Streaming Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpradio_player' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wordpress Radio Streaming | MEDIUM, CVSS 6.4 | 2025-01-31 | Threat entry updated 2025-01-31
CVE-2024-13396 - Frictionless Plugin

The Frictionless plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'frictionless_form' shortcode[s] in all versions up to, and including, 0.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Frictionless | MEDIUM, CVSS 6.4 | 2025-01-31 | Threat entry updated 2025-01-31
CVE-2024-13742 - Icontrolwp Plugin

The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on…

Plugin: Icontrolwp | CRITICAL, CVSS 9.8 | 2025-01-30 | Threat entry updated 2025-01-30
CVE-2024-13720 - Wp Image Uploader Plugin

The WP Image Uploader plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the gky_image_uploader_main_function() function in all versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Plugin: Wp Image Uploader | HIGH, CVSS 8.8 | 2025-01-30 | Threat entry updated 2025-01-30
CVE-2024-13707 - Wp Image Uploader Plugin

The WP Image Uploader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the gky_image_uploader_main_function() function. This makes it possible for unauthenticated attackers to delete arbitrary files via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Wp Image Uploader | HIGH, CVSS 8.8 | 2025-01-30 | Threat entry updated 2025-01-31
CVE-2024-13705 - Stageshow Plugin

The StageShow plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 9.8.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Stageshow | MEDIUM, CVSS 6.1 | 2025-01-30 | Threat entry updated 2025-01-31
CVE-2024-13715 - Zstore Manager Basic Plugin

The zStore Manager Basic plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the zstore_clear_cache() function in all versions up to, and including, 3.311. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's cache.

Plugin: Zstore Manager Basic | MEDIUM, CVSS 4.3 | 2025-01-30 | Threat entry updated 2025-01-30