
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 741-760 of 920 records (920 total, all rated Critical)
Threat Entry Updated 2026-04-08

CVE-2021-4340 - Ulisting Plugin

The uListing plugin for WordPress is vulnerable to generic SQL Injection via the ‘listing_id’ parameter in versions up to, and including, 1.6.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Ulisting

CVE-2021-4340

CRITICAL CVSS 9.8 2023-06-07
Threat Entry Updated 2024-11-21

CVE-2023-2987 - Wordapp Plugin

The Wordapp plugin for WordPress is vulnerable to authorization bypass due to the use of an insufficiently unique cryptographic signature on the 'wa_pdx_op_config_set' function in versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to change the 'validation_token' in the plugin config, providing access to the plugin's remote control functionalities, such as creating an admin access URL, which can be used for privilege escalation.

PLUGIN Wordapp

CVE-2023-2987

CRITICAL CVSS 9.8 2023-05-31
Threat Entry Updated 2024-11-21

CVE-2023-2734 - Mstore Api Plugin

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

PLUGIN Mstore Api

CVE-2023-2734

CRITICAL CVSS 9.8 2023-05-25
Threat Entry Updated 2024-11-21

CVE-2023-2733 - Mstore Api Plugin

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

PLUGIN Mstore Api

CVE-2023-2733

CRITICAL CVSS 9.8 2023-05-25
Threat Entry Updated 2024-11-21

CVE-2023-2732 - Mstore Api Plugin

The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.

PLUGIN Mstore Api

CVE-2023-2732

CRITICAL CVSS 9.8 2023-05-25
Threat Entry Updated 2024-11-21

CVE-2023-2276 - Wcfm Membership Plugin

The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

PLUGIN Wcfm Membership

CVE-2023-2276

CRITICAL CVSS 9.8 2023-05-20
Threat Entry Updated 2024-11-21

CVE-2023-2704 - Bp Social Connect Plugin

The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Bp Social Connect

CVE-2023-2704

CRITICAL CVSS 9.8 2023-05-19
Threat Entry Updated 2024-11-21

CVE-2023-2499 - Registrationmagic Plugin

The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification on the user being supplied during a Google social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Registrationmagic

CVE-2023-2499

CRITICAL CVSS 9.8 2023-05-16
Threat Entry Updated 2026-03-06

CVE-2023-0600 - WP Visitor Statistics (Real Time Traffic) Plugin

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 6.9 does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks.

PLUGIN WP Visitor Statistics (Real Time Traffic)

CVE-2023-0600

CRITICAL CVSS 9.8 2023-05-15
Threat Entry Updated 2025-05-12

CVE-2023-1650 - Ai Chatbot Plugin

The AI ChatBot WordPress plugin before 4.4.7 unserializes user input from cookies via an AJAX action available to unauthenticated users, which could allow them to perform PHP Object Injection when a suitable gadget is present on the blog.

PLUGIN Ai Chatbot

CVE-2023-1650

CRITICAL CVSS 9.8 2023-05-08
Threat Entry Updated 2025-01-30

CVE-2023-1730 - SupportCandy Plugin

The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks.

PLUGIN SupportCandy

CVE-2023-1730

CRITICAL CVSS 9.8 2023-05-02
Threat Entry Updated 2024-11-21

CVE-2023-2297 - Profile Builder Plugin

The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including, 3.9.0. This is due to the plugin using native password reset functionality with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value, which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on…

PLUGIN Profile Builder

CVE-2023-2297

CRITICAL CVSS 9.8 2023-04-27
Threat Entry Updated 2025-02-04

CVE-2023-1020 - Wp Live Chat Shoutbox Plugin

The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Wp Live Chat Shoutbox

CVE-2023-1020

CRITICAL CVSS 9.8 2023-04-24
Threat Entry Updated 2024-11-21

CVE-2023-2027 - Zm Ajax Login Register Plugin

The ZM Ajax Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.2. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

PLUGIN Zm Ajax Login Register

CVE-2023-2027

CRITICAL CVSS 9.8 2023-04-15
Threat Entry Updated 2024-11-21

CVE-2023-28121 - Woocommerce Payments Plugin

An issue in the WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, such as an administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

PLUGIN Woocommerce Payments

CVE-2023-28121

CRITICAL CVSS 9.8 2023-04-12
Threat Entry Updated 2025-02-11

CVE-2023-1478 - Hummingbird Plugin

The Hummingbird WordPress plugin before 3.4.2 does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module.

PLUGIN Hummingbird

CVE-2023-1478

CRITICAL CVSS 9.8 2023-04-10
Threat Entry Updated 2025-02-27

CVE-2023-0037 - 10web Map Builder For Google Maps Plugin

The 10Web Map Builder for Google Maps WordPress plugin before 1.0.73 does not properly sanitise and escape some parameters before using them in an SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN 10web Map Builder For Google Maps

CVE-2023-0037

CRITICAL CVSS 9.8 2023-03-13
Threat Entry Updated 2024-11-21

CVE-2023-26326 - Buddyforms Plugin

The BuddyForms WordPress plugin, in versions prior to 2.7.8, was affected by an unauthenticated insecure deserialization issue. An unauthenticated attacker could leverage this issue to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP objects, which can be used to perform a variety of malicious actions provided a POP chain is also present.

PLUGIN Buddyforms

CVE-2023-26326

CRITICAL CVSS 9.8 2023-02-23