Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Filter counts: Total 3,045 | Critical 0 | High 3,045 | Medium 0
Showing 2061-2080 of 3045 records

CVE-2024-3067 - Woocommerce Google Feed Manager Plugin
Plugin: Woocommerce Google Feed Manager | Severity: HIGH | CVSS 7.2 | 2024-04-16 | Threat entry updated 2025-03-12

The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 2.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can also be used by unauthenticated attackers to inject malicious web scripts.

CVE-2024-32149 - Jobs For Wordpress Plugin
Plugin: Jobs For Wordpress | Severity: HIGH | CVSS 7.1 | 2024-04-15 | Threat entry updated 2025-02-28

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Jobs for WordPress allows Reflected XSS. This issue affects Jobs for WordPress: from n/a through 2.7.5.

CVE-2024-1755 - Nps Computy Plugin
Plugin: Nps Computy | Severity: HIGH | CVSS 8.8 | 2024-04-15 | Threat entry updated 2025-05-08

The NPS computy WordPress plugin through 2.7.5 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

CVE-2024-2739 - Advanced Search Plugin
Plugin: Advanced Search | Severity: HIGH | CVSS 8.7 | 2024-04-15 | Threat entry updated 2025-05-08

The Advanced Search WordPress plugin through 1.1.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

CVE-2024-0399 - Woocommerce Customers Manager Plugin
Plugin: Woocommerce Customers Manager | Severity: HIGH | CVSS 8.1 | 2024-04-15 | Threat entry updated 2025-04-07

The WooCommerce Customers Manager WordPress plugin before 29.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.

CVE-2024-3211 - shopping_cart_and_ecommerce_store Plugin
Plugin: shopping_cart_and_ecommerce_store | Severity: HIGH | CVSS 8.8 | 2024-04-12 | Threat entry updated 2024-11-21

The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to SQL Injection via the 'productid' attribute of the ec_addtocart shortcode in all versions up to, and including, 5.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-3054 - Migration Backup Staging Plugin
Plugin: Migration Backup Staging | Severity: HIGH | CVSS 7.2 | 2024-04-12 | Threat entry updated 2025-02-27

WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the wpvividstg_get_custom_exclude_path_free action. This is due to the plugin not providing sufficient path validation on the tree_node[node][id] parameter. This makes it possible for authenticated attackers, with admin-level access and above, to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects. No POP chain is present in the vulnerable plugin. If a POP chain is present via an…

CVE-2023-6811 - language_translate_widget_for_word_press_conveythis Plugin
Plugin: language_translate_widget_for_word_press_conveythis | Severity: HIGH | CVSS 7.2 | 2024-04-11 | Threat entry updated 2024-11-21

The Language Translate Widget for WordPress – ConveyThis plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_key' parameter in all versions up to, and including, 223 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-2693 - Link Whisper Free Plugin
Plugin: Link Whisper Free | Severity: HIGH | CVSS 8.8 | 2024-04-09 | Threat entry updated 2024-11-21

The Link Whisper Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.7.1 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute…

CVE-2024-2501 - Hubbub Lite – Fast, Reliable Social Sharing Buttons Plugin
Plugin: Hubbub Lite – Fast, Reliable Social Sharing Buttons | Severity: HIGH | CVSS 7.5 | 2024-04-09 | Threat entry updated 2024-11-21

The Hubbub Lite – Fast, Reliable Social Sharing Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.33.1 via deserialization of untrusted input via the 'dpsp_maybe_unserialize' function. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data,…

CVE-2024-2344 - Avada Plugin
Plugin: Avada | Severity: HIGH | CVSS 7.2 | 2024-04-09 | Threat entry updated 2025-02-05

The Avada theme for WordPress is vulnerable to SQL Injection via the 'entry' parameter in all versions up to, and including, 7.11.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-2342 - Simply Schedule Appointments Plugin
Plugin: Simply Schedule Appointments | Severity: HIGH | CVSS 8.8 | 2024-04-09 | Threat entry updated 2025-01-31

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the customer_id parameter in all versions up to, and including, 1.6.7.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-2341 - Simply Schedule Appointments Plugin
Plugin: Simply Schedule Appointments | Severity: HIGH | CVSS 8.8 | 2024-04-09 | Threat entry updated 2025-01-31

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the keys parameter in all versions up to, and including, 1.6.7.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-2125 - Envialosimple Plugin
Plugin: Envialosimple | Severity: HIGH | CVSS 8.8 | 2024-04-09 | Threat entry updated 2025-09-30

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to upload malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2024-2018 - Wp Activity Log Plugin
Plugin: Wp Activity Log | Severity: HIGH | CVSS 8.8 | 2024-04-09 | Threat entry updated 2025-05-06

The WP Activity Log Premium plugin for WordPress is vulnerable to SQL Injection via the entry->roles parameter in all versions up to, and including, 4.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with subscriber privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. One demonstrated attack included the injection of a PHP Object.

CVE-2024-1991 - Registrationmagic Plugin
Plugin: Registrationmagic | Severity: HIGH | CVSS 8.8 | 2024-04-09 | Threat entry updated 2025-01-31

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator.

CVE-2024-1990 - Registrationmagic Plugin
Plugin: Registrationmagic | Severity: HIGH | CVSS 8.8 | 2024-04-09 | Threat entry updated 2025-01-17

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to blind SQL Injection via the 'id' parameter of the RM_Form shortcode in all versions up to, and including, 5.3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-1974 - Ht Mega Plugin
Plugin: Ht Mega | Severity: HIGH | CVSS 8.8 | 2024-04-09 | Threat entry updated 2025-01-22

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4.6 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to read the contents of arbitrary files on the server, which can contain sensitive information.