
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 661-680 of 920 records
Threat Entry Updated 2024-11-21

CVE-2023-6699 - Wp Compress Plugin

The WP Compress – Image Optimizer [All-In-One] plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.10.33 via the css parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Wp Compress

CVE-2023-6699

CRITICAL CVSS 9.1 2024-01-11
Threat Entry Updated 2025-06-03

CVE-2023-5877 - Affiliate Toolkit Plugin

The affiliate-toolkit WordPress plugin before 3.4.3 lacks authorization and authentication for requests to its affiliate-toolkit-starter/tools/atkp_imagereceiver.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs, including RFC1918 private addresses, leading to a Server Side Request Forgery (SSRF) issue.

PLUGIN Affiliate Toolkit

CVE-2023-5877

CRITICAL CVSS 9.8 2024-01-01
Threat Entry Updated 2024-11-21

CVE-2023-52182 - Ari Stream Quiz Plugin

Deserialization of Untrusted Data vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder. This issue affects ARI Stream Quiz – WordPress Quizzes Builder: from n/a through 1.3.0.

PLUGIN Ari Stream Quiz

CVE-2023-52182

CRITICAL CVSS 9.9 2023-12-31
Threat Entry Updated 2024-11-21

CVE-2023-51419 - Bertha Ai Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in Bertha.Ai BERTHA AI. Your AI co-pilot for WordPress and Chrome. This issue affects BERTHA AI. Your AI co-pilot for WordPress and Chrome: from n/a through 1.11.10.7.

PLUGIN Bertha Ai

CVE-2023-51419

CRITICAL CVSS 10.0 2023-12-29
Threat Entry Updated 2024-11-21

CVE-2023-40606 - Kanban Boards For Wordpress Plugin

Improper Control of Generation of Code ('Code Injection') vulnerability in Kanban for WordPress Kanban Boards for WordPress. This issue affects Kanban Boards for WordPress: from n/a through 2.5.21.

PLUGIN Kanban Boards For Wordpress

CVE-2023-40606

CRITICAL CVSS 9.1 2023-12-29
Threat Entry Updated 2024-11-21

CVE-2023-5991 - Hotel Booking Lite Plugin

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input and also lacks proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server.

PLUGIN Hotel Booking Lite

CVE-2023-5991

CRITICAL CVSS 9.8 2023-12-26
Threat Entry Updated 2024-11-21

CVE-2023-29384 - Jobwp Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP. This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.0.

PLUGIN Jobwp

CVE-2023-29384

CRITICAL CVSS 10.0 2023-12-20
Threat Entry Updated 2024-11-21

CVE-2023-49750 - Submitting Coupons Theme

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoonthemes Couponis - Affiliate & Submitting Coupons WordPress Theme. This issue affects Couponis - Affiliate & Submitting Coupons WordPress Theme: from n/a before 2.2.

THEME Submitting Coupons

CVE-2023-49750

CRITICAL CVSS 9.3 2023-12-19
Threat Entry Updated 2024-11-21

CVE-2023-6272 - Theme My Login 2fa Plugin

The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities; since the 2FA codes are only 6 digits, this does not take long.

PLUGIN Theme My Login 2fa

CVE-2023-6272

CRITICAL CVSS 9.8 2023-12-18
Threat Entry Updated 2024-11-21

CVE-2023-6553 - Backup Migration Plugin

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.

PLUGIN Backup Migration

CVE-2023-6553

CRITICAL CVSS 9.8 2023-12-15
Threat Entry Updated 2024-11-21

CVE-2023-35039 - Password Reset With Code For Wordpress Rest Api Plugin

Improper Restriction of Excessive Authentication Attempts vulnerability in Be Devious Web Development Password Reset with Code for WordPress REST API allows Authentication Abuse. This issue affects Password Reset with Code for WordPress REST API: from n/a through 0.0.15.

PLUGIN Password Reset With Code For Wordpress Rest Api

CVE-2023-35039

CRITICAL CVSS 9.8 2023-12-07
Threat Entry Updated 2024-11-21

CVE-2023-5761 - Burst Statistics Plugin

The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'url' parameter in versions 1.4.0 to 1.4.6.1 (free) and versions 1.4.0 to 1.5.0 (pro) due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Burst Statistics

CVE-2023-5761

CRITICAL CVSS 9.8 2023-12-07
Threat Entry Updated 2025-02-20

CVE-2023-5952 - Welcart E Commerce Plugin

The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

PLUGIN Welcart E Commerce

CVE-2023-5952

CRITICAL CVSS 9.8 2023-12-04
Threat Entry Updated 2024-11-21

CVE-2023-5604 - Asgaros Forum Plugin

The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution.

PLUGIN Asgaros Forum

CVE-2023-5604

CRITICAL CVSS 9.8 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-5559 - 10web Booster Plugin

The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.

PLUGIN 10web Booster

CVE-2023-5559

CRITICAL CVSS 9.1 2023-11-27
Threat Entry Updated 2024-11-21

CVE-2023-2449 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 5.1.1. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (userpro_process_form). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-2448 and CVE-2023-2446, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this…

PLUGIN Userpro

CVE-2023-2449

CRITICAL CVSS 9.8 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-2437 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.1. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. An attacker can leverage CVE-2023-2448 and CVE-2023-2446 to get the user's email address to successfully exploit this vulnerability.

PLUGIN Userpro

CVE-2023-2437

CRITICAL CVSS 9.8 2023-11-22