Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 2221-2240 of 3045 records
Threat Entry Updated 2025-06-02

CVE-2023-2655 - Contact Form Maker Plugin

The Contact Form by WD WordPress plugin through 1.13.23 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN Contact Form Maker

CVE-2023-2655

HIGH CVSS 7.2 2024-01-16
Threat Entry Updated 2025-06-02

CVE-2021-24869 - Wp Fastest Cache Plugin

The WP Fastest Cache WordPress plugin before 0.9.5 does not escape user input in the set_urls_with_terms method before using it in a SQL statement, leading to an SQL injection exploitable by low privilege users such as subscriber.

PLUGIN Wp Fastest Cache

CVE-2021-24869

HIGH CVSS 8.8 2024-01-16
Threat Entry Updated 2025-06-20

CVE-2021-24151 - Before 1 Plugin

The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings.

PLUGIN Before 1

CVE-2021-24151

HIGH CVSS 7.2 2024-01-16
Threat Entry Updated 2025-06-11

CVE-2023-6991 - Before 2 Plugin

The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks.

PLUGIN Before 2

CVE-2023-6991

HIGH CVSS 8.8 2024-01-15
Threat Entry Updated 2025-06-20

CVE-2023-5905 - Export Posts With Images Plugin

The DeMomentSomTres WordPress Export Posts With Images WordPress plugin through 20220825 does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers, to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts.

PLUGIN Export Posts With Images

CVE-2023-5905

HIGH CVSS 8.1 2024-01-15
Threat Entry Updated 2025-06-11

CVE-2023-6029 - Before 2 Plugin

The EazyDocs WordPress plugin before 2.3.6 does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing unauthenticated users to delete arbitrary posts, as well as add and delete documents/sections.

PLUGIN Before 2

CVE-2023-6029

HIGH CVSS 7.5 2024-01-15
Threat Entry Updated 2025-06-20

CVE-2023-6620 - Post Smtp Mailer Plugin

The POST SMTP Mailer WordPress plugin before 2.8.7 does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN Post Smtp Mailer

CVE-2023-6620

HIGH CVSS 7.2 2024-01-15
Threat Entry Updated 2024-11-21

CVE-2023-6878 - Slick Social Share Buttons Plugin

The Slick Social Share Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dcssb_ajax_update' function in versions up to, and including, 2.4.11. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily.

PLUGIN Slick Social Share Buttons

CVE-2023-6878

HIGH CVSS 8.8 2024-01-11
Threat Entry Updated 2024-11-21

CVE-2023-6828 - Arforms Form Builder Plugin

The Contact Form, Survey & Popup Form Plugin for WordPress – ARForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'arf_http_referrer_url' parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Arforms Form Builder

CVE-2023-6828

HIGH CVSS 7.2 2024-01-11
Threat Entry Updated 2024-11-21

CVE-2023-6751 - Hostinger Plugin

The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the function publish_website in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable maintenance mode.

PLUGIN Hostinger

CVE-2023-6751

HIGH CVSS 7.3 2024-01-11
Threat Entry Updated 2025-06-03

CVE-2023-6634 - Learnpress Plugin

The LearnPress plugin for WordPress is vulnerable to Command Injection in all versions up to, and including, 4.2.5.7 via the get_content function. This is due to the plugin making use of the call_user_func function with user input. This makes it possible for unauthenticated attackers to execute any public function with one parameter, which could result in remote code execution.

PLUGIN Learnpress

CVE-2023-6634

HIGH CVSS 8.1 2024-01-11
Threat Entry Updated 2025-06-10

CVE-2023-6636 - Greenshift Plugin

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation on the 'gspb_save_files' function in versions up to, and including, 7.6.2. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, which may make remote code execution possible.

PLUGIN Greenshift

CVE-2023-6636

HIGH CVSS 7.2 2024-01-11
Threat Entry Updated 2025-06-03

CVE-2023-6558 - Import Export Wordpress Users Plugin

The Export and Import Users and Customers plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'upload_import_file' function in versions up to, and including, 2.4.8. This makes it possible for authenticated attackers with shop manager-level capabilities or above to upload arbitrary files on the affected site's server, which may make remote code execution possible.

PLUGIN Import Export Wordpress Users

CVE-2023-6558

HIGH CVSS 7.2 2024-01-11
Threat Entry Updated 2024-11-21

CVE-2023-6266 - Backup Migration Plugin

The Backup Migration plugin for WordPress is vulnerable to unauthorized access of data due to insufficient path and file validation on the BMI_BACKUP case of the handle_downloading function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to download back-up files which can contain sensitive information such as user passwords, PII, database credentials, and much more.

PLUGIN Backup Migration

CVE-2023-6266

HIGH CVSS 7.5 2024-01-11
Threat Entry Updated 2024-11-21

CVE-2023-5504 - Backwpup Plugin

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the Log File Folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to…

PLUGIN Backwpup

CVE-2023-5504

HIGH CVSS 8.7 2024-01-11
Threat Entry Updated 2025-06-03

CVE-2023-6220 - Piotnet Forms Plugin

The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'piotnetforms_ajax_form_builder' function in versions up to, and including, 1.0.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Piotnet Forms

CVE-2023-6220

HIGH CVSS 8.1 2024-01-11
Threat Entry Updated 2024-11-21

CVE-2023-5448 - Wp Register Profile With Shortcode Plugin

The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.9. This is due to missing or incorrect nonce validation on the update_password_validate function. This makes it possible for unauthenticated attackers to reset a user's password via a forged request granted they can trick the user into performing an action such as clicking on a link.

PLUGIN Wp Register Profile With Shortcode

CVE-2023-5448

HIGH CVSS 8.8 2024-01-11
Threat Entry Updated 2025-05-16

CVE-2023-6845 - Commenttweets Plugin

The CommentTweets WordPress plugin through 0.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

PLUGIN Commenttweets

CVE-2023-6845

HIGH CVSS 8.8 2024-01-08
Threat Entry Updated 2025-06-18

CVE-2023-6532 - Wp Blogs Planetarium Plugin

The WP Blogs' Planetarium WordPress plugin through 1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

PLUGIN Wp Blogs Planetarium

CVE-2023-6532

HIGH CVSS 8.8 2024-01-08