Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 281-300 of 471 records
Threat Entry Updated 2024-12-06

CVE-2024-10836 - Flixita Theme

The Flixita theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.0.82 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

THEME Flixita

CVE-2024-10836

MEDIUM CVSS 6.1 2024-12-06

Threat Entry Updated 2025-02-03

CVE-2024-11420 - Blocksy Theme

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Info Block link parameter in all versions up to, and including, 2.0.77 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Blocksy

CVE-2024-11420

MEDIUM CVSS 6.4 2024-12-05

Threat Entry Updated 2024-12-05

CVE-2024-10848 - Newsmunch Theme

The NewsMunch theme for WordPress is vulnerable to Stored Cross-Site Scripting via a malicious display name in all versions up to, and including, 1.0.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Newsmunch

CVE-2024-10848

MEDIUM CVSS 6.4 2024-12-05

Threat Entry Updated 2025-02-10

CVE-2024-52478 - Jobify - Job Board Theme (Stored XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ben Marshall Jobify - Job Board WordPress Theme allows Stored XSS. This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.

THEME Jobify - Job Board

CVE-2024-52478

MEDIUM CVSS 6.5 2024-12-02

Threat Entry Updated 2025-02-10

CVE-2024-52479 - Jobify - Job Board Theme (Cross-Site Request Forgery)

Cross-Site Request Forgery (CSRF) vulnerability in Ben Marshall Jobify - Job Board WordPress Theme allows Cross-Site Request Forgery. This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.

THEME Jobify - Job Board

CVE-2024-52479

MEDIUM CVSS 4.3 2024-12-02

Threat Entry Updated 2025-02-10

CVE-2024-52481 - Jobify - Job Board Theme (Relative Path Traversal)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Astoundify Jobify - Job Board WordPress Theme allows Relative Path Traversal. This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.

THEME Jobify - Job Board

CVE-2024-52481

HIGH CVSS 7.5 2024-11-28

Threat Entry Updated 2024-11-21

CVE-2024-10623 - Forumengine Theme

The ForumEngine theme for WordPress is vulnerable to Reflected Cross-Site Scripting via a URL in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

THEME Forumengine

CVE-2024-10623

MEDIUM CVSS 6.1 2024-11-21

Threat Entry Updated 2024-11-19

CVE-2024-9830 - Bard Theme

The Bard theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.216. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

THEME Bard

CVE-2024-9830

MEDIUM CVSS 6.1 2024-11-19

Threat Entry Updated 2024-11-29

CVE-2024-9777 - Ashe Theme

The Ashe theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.243. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

THEME Ashe

CVE-2024-9777

MEDIUM CVSS 6.1 2024-11-19

Threat Entry Updated 2025-12-23

CVE-2024-10470 - WPLMS (WordPress LMS) Theme

The WPLMS Learning Management System (WordPress LMS) theme for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation and permissions checks in the readfile and unlink functions in all versions up to, and including, 4.962. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The theme is vulnerable even when it is not activated.

THEME WPLMS (WordPress LMS)

CVE-2024-10470

CRITICAL CVSS 9.8 2024-11-09

Threat Entry Updated 2024-11-12

CVE-2024-10674 - Th Shop Mania Theme

The Th Shop Mania theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the th_shop_mania_install_and_activate_callback() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins which can be leveraged to exploit other vulnerabilities and achieve remote code execution and privilege escalation.

THEME Th Shop Mania

CVE-2024-10674

HIGH CVSS 8.8 2024-11-09

Threat Entry Updated 2024-11-12

CVE-2024-10673 - Top Store Theme

The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins which can contain other exploitable vulnerabilities to elevate privileges and gain remote code execution.

THEME Top Store

CVE-2024-10673

HIGH CVSS 8.8 2024-11-09

Threat Entry Updated 2024-11-26

CVE-2024-9775 - Anih Creative Agency Wordpress Theme

The Anih - Creative Agency WordPress Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2024 due to an incomplete blacklist, insufficient input sanitization, and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

THEME Anih Creative Agency Wordpress Theme

CVE-2024-9775

MEDIUM CVSS 5.5 2024-11-09

Threat Entry Updated 2024-11-06

CVE-2024-51682 - HT Builder – WordPress Theme Builder for Elementor (Stored XSS)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HasThemes HT Builder – WordPress Theme Builder for Elementor allows Stored XSS. This issue affects HT Builder – WordPress Theme Builder for Elementor: from n/a through 1.3.0.

THEME HT Builder – WordPress Theme Builder for Elementor

CVE-2024-51682

MEDIUM CVSS 6.5 2024-11-04

Threat Entry Updated 2024-10-25

CVE-2024-10250 - Nioland Theme

The Nioland theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘s’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

THEME Nioland

CVE-2024-10250

MEDIUM CVSS 6.1 2024-10-23

Threat Entry Updated 2025-05-22

CVE-2024-8486 - Shortcodes And Extra Features For Phlox Theme

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in the Modern Heading and Icon Picker widgets in all versions up to, and including, 2.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Shortcodes And Extra Features For Phlox Theme

CVE-2024-8486

MEDIUM CVSS 6.4 2024-10-05

Threat Entry Updated 2024-11-13

CVE-2024-7434 - Ultrapress Theme

The UltraPress theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.1 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

THEME Ultrapress

CVE-2024-7434

HIGH CVSS 8.8 2024-10-01

Threat Entry Updated 2024-11-13

CVE-2024-7433 - Empowerment Theme

The Empowerment theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.2 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

THEME Empowerment

CVE-2024-7433

HIGH CVSS 8.8 2024-10-01

Threat Entry Updated 2024-11-13

CVE-2024-7432 - Unseen Blog Theme

The Unseen Blog theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

THEME Unseen Blog

CVE-2024-7432

HIGH CVSS 8.8 2024-10-01

Threat Entry Updated 2024-10-02

CVE-2024-8516 - Themesflat Addons For Elementor

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.1 via the render() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract limited post information from draft and future scheduled posts.

THEME Themesflat Addons For Elementor

CVE-2024-8516

MEDIUM CVSS 4.3 2024-09-25