
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 681-700 of 920 records
Threat Entry Updated 2024-11-21

CVE-2023-5652 - Wp Hotel Booking Plugin

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input before using it in a SQL statement of a function hooked to admin_init, allowing unauthenticated users to perform SQL injections

PLUGIN Wp Hotel Booking

CVE-2023-5652

CRITICAL CVSS 9.8 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5640 - Article Analytics Plugin

The Article Analytics WordPress plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection vulnerability.

PLUGIN Article Analytics

CVE-2023-5640

CRITICAL CVSS 9.8 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5340 - Five Star Restaurant Menu And Food Ordering Plugin

The Five Star Restaurant Menu and Food Ordering WordPress plugin before 2.4.11 unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog.

PLUGIN Five Star Restaurant Menu And Food Ordering

CVE-2023-5340

CRITICAL CVSS 9.8 2023-11-20
Threat Entry Updated 2025-02-26

CVE-2023-45074 - Advanced Page Visit Counter Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress allows SQL Injection. This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 7.1.1.

PLUGIN Advanced Page Visit Counter

CVE-2023-45074

CRITICAL CVSS 9.8 2023-11-06
Threat Entry Updated 2025-02-26

CVE-2023-45069 - Video Gallery Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Video Gallery by Total-Soft Video Gallery – Best WordPress YouTube Gallery Plugin allows SQL Injection. This issue affects Video Gallery – Best WordPress YouTube Gallery Plugin: from n/a through 2.1.3.

PLUGIN Video Gallery

CVE-2023-45069

CRITICAL CVSS 9.8 2023-11-06
Threat Entry Updated 2025-02-26

CVE-2023-35911 - Contact Form Generator Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Creative Solutions Contact Form Generator : Creative form builder for WordPress allows SQL Injection. This issue affects Contact Form Generator : Creative form builder for WordPress: from n/a through 2.6.0.

PLUGIN Contact Form Generator

CVE-2023-35911

CRITICAL CVSS 9.8 2023-11-06
Threat Entry Updated 2025-02-19

CVE-2023-36529 - Houzez Theme

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme allows SQL Injection. This issue affects Houzez - Real Estate WordPress Theme: from n/a through 1.3.4.

THEME Houzez

CVE-2023-36529

CRITICAL CVSS 9.8 2023-11-03
Threat Entry Updated 2025-02-19

CVE-2023-26015 - Mappress Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Chris Richardson MapPress Maps for WordPress mappress-google-maps-for-wordpress allows SQL Injection. This issue affects MapPress Maps for WordPress: from n/a through 2.85.4.

PLUGIN Mappress

CVE-2023-26015

CRITICAL CVSS 9.8 2023-11-03
Threat Entry Updated 2024-11-21

CVE-2023-3277 - Mstore Api Plugin

The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's email address. We are disclosing this issue as the developer has not yet released a patch, but continues to release updates and we escalated this issue to the plugin's team 30 days ago.

PLUGIN Mstore Api

CVE-2023-3277

CRITICAL CVSS 9.8 2023-11-03
Threat Entry Updated 2025-02-19

CVE-2023-36508 - Messages Database Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress contact-form-to-db allows SQL Injection. This issue affects Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress: from n/a through 1.7.1.

PLUGIN Messages Database

CVE-2023-36508

CRITICAL CVSS 9.8 2023-10-31
Threat Entry Updated 2025-02-19

CVE-2023-24410 - Fastest Contact Form Builder Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Contact Form - WPManageNinja LLC Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms fluentform allows SQL Injection. This issue affects Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms: from n/a through 4.3.25.

PLUGIN Fastest Contact Form Builder

CVE-2023-24410

CRITICAL CVSS 9.8 2023-10-31
Threat Entry Updated 2024-11-21

CVE-2023-5843 - Ads By Datafeedr Com Plugin

The Ads by datafeedr.com plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 1.1.3 via the 'dfads_ajax_load_ads' function. This allows unauthenticated attackers to execute code on the server. The parameters of the callable function are limited, they cannot be specified arbitrarily.

PLUGIN Ads By Datafeedr Com

CVE-2023-5843

CRITICAL CVSS 9.0 2023-10-30
Threat Entry Updated 2024-11-21

CVE-2023-5199 - Php To Page Plugin

The PHP to Page plugin for WordPress is vulnerable to Local File Inclusion leading to Remote Code Execution in versions up to, and including, 0.3 via the 'php-to-page' shortcode. This allows authenticated attackers with subscriber-level permissions or above to include local files and potentially execute code on the server. While subscribers may need to poison log files or otherwise get a file installed in order to achieve remote code execution, author and above users can upload files by default and achieve remote code execution easily.

PLUGIN Php To Page

CVE-2023-5199

CRITICAL CVSS 9.9 2023-10-30
Threat Entry Updated 2024-11-21

CVE-2023-5820 - Thumbnail Slider With Lightbox Plugin

The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the addedit functionality. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Thumbnail Slider With Lightbox

CVE-2023-5820

CRITICAL CVSS 9.6 2023-10-27
Threat Entry Updated 2024-11-21

CVE-2023-5414 - Icegram Express Plugin

The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including those belonging to other sites, for example in shared hosting environments.

PLUGIN Icegram Express

CVE-2023-5414

CRITICAL CVSS 9.1 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4488 - Dropbox Folder Share Plugin

The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Dropbox Folder Share

CVE-2023-4488

CRITICAL CVSS 9.8 2023-10-20
Threat Entry Updated 2025-05-12

CVE-2023-5241 - Wpbot Plugin

The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcld_openai_upload_pagetraining_file function. This allows subscriber-level attackers to append "

PLUGIN Wpbot

CVE-2023-5241

CRITICAL CVSS 9.6 2023-10-19
Threat Entry Updated 2025-05-12

CVE-2023-5212 - Wpbot Plugin

The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 4.8.9 as well as version 4.9.2. This makes it possible for authenticated attackers with subscriber privileges to delete arbitrary files on the server, which makes it possible to take over affected sites as well as others sharing the same hosting account. Version 4.9.1 originally addressed the issue, but it was reintroduced in 4.9.2 and fixed again in 4.9.3.

PLUGIN Wpbot

CVE-2023-5212

CRITICAL CVSS 9.6 2023-10-19