
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2022-0769 - Users Ultra Plugin

The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the data_target parameter before it is interpolated into an SQL statement and executed via the rating_vote AJAX action (available to both unauthenticated and authenticated users), leading to an SQL Injection.

PLUGIN Users Ultra

CVE-2022-0769

CRITICAL CVSS 9.8 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2022-0693 - Master Elements Plugin

The Master Elements WordPress plugin through 8.0 does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJAX action (available to both unauthenticated and authenticated users) before using it in a SQL statement, leading to an unauthenticated SQL Injection.

PLUGIN Master Elements

CVE-2022-0693

CRITICAL CVSS 9.8 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2022-0657 - Before 1 Plugin

The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead ids before using them in a SQL statement via the rrtngg_delete_leads AJAX action, available to unauthenticated users, leading to an unauthenticated SQL injection issue. There is an attempt to sanitise the input using sanitize_text_field(); however, that function is not intended to prevent SQL injection.

PLUGIN Before 1

CVE-2022-0657

CRITICAL CVSS 9.8 2022-04-25
Threat Entry Updated 2024-11-21

CVE-2022-0541 - Before 2 Plugin

The flo-launch WordPress plugin before 2.4.1 injects code into wp-config.php when creating a cloned site, allowing any attacker to initiate a new site install by setting the flo_custom_table_prefix cookie to an arbitrary value.

PLUGIN Before 2

CVE-2022-0541

CRITICAL CVSS 9.8 2022-04-25
Threat Entry Updated 2025-05-05

CVE-2022-0992 - Security Optimizer Plugin

The SiteGround Security plugin for WordPress is vulnerable to an authentication bypass that allows unauthenticated users to log in as administrative users. The initial 2FA set-up performs no identity verification, so unauthenticated and unauthorized users can configure 2FA for accounts whose set-up is still pending. Upon successful configuration, the attacker is logged in as that user without ever supplying a username/password pair, which is the expected first form of authentication. This affects versions up to, and including, 1.2.5.

PLUGIN Security Optimizer

CVE-2022-0992

CRITICAL CVSS 9.8 2022-04-19
Threat Entry Updated 2024-11-21

CVE-2022-1020 - Before 3 Plugin

The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 has no authorisation or CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users) and does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either no argument or one user-controlled argument.

PLUGIN Before 3

CVE-2022-1020

CRITICAL CVSS 9.8 2022-04-18
Threat Entry Updated 2024-11-21

CVE-2022-0785 - Daily Prayer Time Plugin

The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.

PLUGIN Daily Prayer Time

CVE-2022-0785

CRITICAL CVSS 9.8 2022-04-18
Threat Entry Updated 2024-11-21

CVE-2022-0142 - Visual Form Builder Plugin

The Visual Form Builder WordPress plugin before 3.0.8 is vulnerable to CSV injection allowing a user with low level or no privileges to inject a command that will be included in the exported CSV file, leading to possible code execution.

PLUGIN Visual Form Builder

CVE-2022-0142

CRITICAL CVSS 9.8 2022-04-12
Threat Entry Updated 2024-11-21

CVE-2022-0949 - Block Bad Bots And Stop Bad Bots Crawlers And Spiders And Anti Spam Protection Plugin

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 6.930 does not properly sanitise and escape the fingerprint parameter before using it in a SQL statement via the stopbadbots_grava_fingerprint AJAX action, available to unauthenticated users, leading to a SQL injection.

PLUGIN Block Bad Bots And Stop Bad Bots Crawlers And Spiders And Anti Spam Protection

CVE-2022-0949

CRITICAL CVSS 9.8 2022-04-11
Threat Entry Updated 2024-11-21

CVE-2022-1165 - Blackhole For Bad Bots Plugin

The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP, etc. to determine the IP address of requests hitting the blackhole URL, which allows the address to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers / bots. It could also be abused by competitors to damage a site's visibility in search engines, to bypass blocks imposed by this plugin, to block any visitor or even the administrator, and more.

PLUGIN Blackhole For Bad Bots

CVE-2022-1165

CRITICAL CVSS 9.1 2022-04-04
Threat Entry Updated 2024-11-21

CVE-2022-0846 - Email Petitions Plugin

The SpeakOut! Email Petitions WordPress plugin before 2.14.15.1 does not sanitise and escape the id parameter before using it in a SQL statement via the dk_speakout_sendmail AJAX action, leading to an SQL Injection exploitable by unauthenticated users.

PLUGIN Email Petitions

CVE-2022-0846

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0787 - Before 5 Plugin

The Limit Login Attempts (Spam Protection) WordPress plugin before 5.1 does not sanitise and escape some parameters before using them in SQL statements via AJAX actions (available to unauthenticated users), leading to SQL Injections.

PLUGIN Before 5

CVE-2022-0787

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0784 - Title Experiments Free Plugin

The Title Experiments Free WordPress plugin before 9.0.1 does not sanitise and escape the id parameter before using it in a SQL statement via the wpex_titles AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.

PLUGIN Title Experiments Free

CVE-2022-0784

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0679 - Narnoo Distributor Plugin

The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users). This results in the disclosure of arbitrary files, as the content of the file is displayed in the response as JSON data. It could also lead to RCE with various tricks, but that depends on the underlying system and its configuration.

PLUGIN Narnoo Distributor

CVE-2022-0679

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0479 - Before 4 Plugin

The Popup Builder WordPress plugin before 4.1.1 does not sanitise and escape the sgpb-subscription-popup-id parameter before using it in a SQL statement in the All Subscribers admin dashboard, leading to a SQL injection, which could also be used to perform a Reflected Cross-Site Scripting attack against a logged-in admin who opens a malicious link.

PLUGIN Before 4

CVE-2022-0479

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2021-25070 - Block Bad Bots Plugin

The Block Bad Bots WordPress plugin before 6.88 does not properly sanitise and escape the User Agent before using it in a SQL statement to record logs, leading to an SQL Injection issue.

PLUGIN Block Bad Bots

CVE-2021-25070

CRITICAL CVSS 9.8 2022-03-28
Threat Entry Updated 2024-11-21

CVE-2022-0888 - Ninja Forms File Uploads Extension Plugin

The Ninja Forms - File Uploads Extension WordPress plugin, in versions up to and including 3.3.0, is vulnerable to arbitrary file uploads due to insufficient input file type validation in the ~/includes/ajax/controllers/uploads.php file. The validation can be bypassed, making it possible for unauthenticated attackers to upload malicious files that can be used to obtain remote code execution.

PLUGIN Ninja Forms File Uploads Extension

CVE-2022-0888

CRITICAL CVSS 9.8 2022-03-23
Threat Entry Updated 2024-11-21

CVE-2022-0760 - Before 7 Plugin

The Simple Link Directory WordPress plugin before 7.7.2 does not validate and escape the post_id parameter before using it in a SQL statement via the qcopd_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection.

PLUGIN Before 7

CVE-2022-0760

CRITICAL CVSS 9.8 2022-03-21
Threat Entry Updated 2024-11-21

CVE-2022-0747 - Before 4 Plugin

The Infographic Maker WordPress plugin before 4.3.8 does not validate and escape the post_id parameter before using it in a SQL statement via the qcld_upvote_action AJAX action (available to unauthenticated and authenticated users), leading to an unauthenticated SQL Injection.

PLUGIN Before 4

CVE-2022-0747

CRITICAL CVSS 9.8 2022-03-21