Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 581-600 of 920 records
Threat Entry Updated 2025-02-07

CVE-2024-5871 - Woocommerce Social Login Plugin

The WooCommerce - Social Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the vulnerable 'woo_slg_verify' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Woocommerce Social Login

CVE-2024-5871

CRITICAL CVSS 9.8 2024-06-15
Threat Entry Updated 2025-02-20

CVE-2024-2472 - Latepoint Plugin

The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customers' cabinets, including the ability to view PII such as email addresses, and to change their LatePoint user password, which may or may not be associated with a WordPress account.

PLUGIN Latepoint

CVE-2024-2472

CRITICAL CVSS 9.1 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2024-4936 - Canto Plugin

The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. Exploitation requires allow_url_include to be enabled on the target site.

PLUGIN Canto

CVE-2024-4936

CRITICAL CVSS 9.8 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2024-4371 - Codesigner Plugin

The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.1 via deserialization of untrusted input from the recently_viewed_products cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive…

PLUGIN Codesigner

CVE-2024-4371

CRITICAL CVSS 9.0 2024-06-13
Threat Entry Updated 2025-03-25

CVE-2024-3552 - Web Directory Free Plugin

The Web Directory Free WordPress plugin before 1.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based.

PLUGIN Web Directory Free

CVE-2024-3552

CRITICAL CVSS 9.8 2024-06-13
Threat Entry Updated 2026-02-25

CVE-2024-3922 - Dokan Plugin

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Dokan

CVE-2024-3922

CRITICAL CVSS 10.0 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-4898 - Instawp Connect Plugin

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to the InstaWP API, edit arbitrary site options and create administrator accounts.

PLUGIN Instawp Connect

CVE-2024-4898

CRITICAL CVSS 9.8 2024-06-12
Threat Entry Updated 2025-06-05

CVE-2024-3549 - Blog2social Plugin

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the 'b2sSortPostType' parameter in all versions up to, and including, 7.4.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Blog2social

CVE-2024-3549

CRITICAL CVSS 9.9 2024-06-11
Threat Entry Updated 2025-05-01

CVE-2024-4620 - Arforms Premium Wordpress Form Builder Plugin

The ARForms - Premium WordPress Form Builder Plugin WordPress plugin before 6.6 allows unauthenticated users to modify uploaded files in such a way that PHP code can be uploaded when an upload file input is included on a form.

PLUGIN Arforms Premium Wordpress Form Builder

CVE-2024-4620

CRITICAL CVSS 9.8 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-3592 - Quiz And Survey Master Plugin

The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'question_id' parameter in all versions up to, and including, 9.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Quiz And Survey Master

CVE-2024-3592

CRITICAL CVSS 9.9 2024-06-07
Threat Entry Updated 2024-11-21

CVE-2024-5153 - Startklar Elementor Addons Plugin

The Startklar Elementor Addons plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.15 via the 'dropzone_hash' parameter. This makes it possible for unauthenticated attackers to copy the contents of arbitrary files on the server, which can contain sensitive information, and to delete arbitrary directories, including the root WordPress directory.

PLUGIN Startklar Elementor Addons

CVE-2024-5153

CRITICAL CVSS 9.1 2024-06-06
Threat Entry Updated 2024-11-21

CVE-2024-4743 - Lifterlms Plugin

The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to SQL Injection via the orderBy attribute of the lifterlms_favorites shortcode in all versions up to, and including, 7.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Lifterlms

CVE-2024-4743

CRITICAL CVSS 9.8 2024-06-05
Threat Entry Updated 2024-11-21

CVE-2024-4295 - Email Subscribers Newsletters Plugin

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'hash' parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Email Subscribers Newsletters

CVE-2024-4295

CRITICAL CVSS 9.8 2024-06-05
Threat Entry Updated 2024-11-21

CVE-2024-4552 - Social Login Lite For Woocommerce Plugin

The Social Login Lite For WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.6.0. This is due to insufficient verification on the user being supplied during the social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Social Login Lite For Woocommerce

CVE-2024-4552

CRITICAL CVSS 9.8 2024-06-04
Threat Entry Updated 2024-11-21

CVE-2024-3820 - Table Charts Plugin

The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the 'id_key' parameter of the wdt_delete_table_row AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Please note this only affects the premium…

PLUGIN Table Charts

CVE-2024-3820

CRITICAL CVSS 10.0 2024-06-01
Threat Entry Updated 2025-02-07

CVE-2024-3200 - Wpforo Forum Plugin

The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wpforo Forum

CVE-2024-3200

CRITICAL CVSS 9.9 2024-06-01
Threat Entry Updated 2024-11-21

CVE-2024-3412 - Migration Backup Restore Plugin

The WP STAGING WordPress Backup Plugin – Migration Backup Restore plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wpstg_processing AJAX action in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Migration Backup Restore

CVE-2024-3412

CRITICAL CVSS 9.1 2024-05-29
Threat Entry Updated 2025-05-21

CVE-2024-3050 - Site Reviews Plugin

The Site Reviews WordPress plugin before 7.0.0 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate their value. This may be used to bypass IP-based blocking.

PLUGIN Site Reviews

CVE-2024-3050

CRITICAL CVSS 9.1 2024-05-29