Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 3,045 | Critical 0 | High 3,045 | Medium 0
Showing 2261-2280 of 3045 records
Threat Entry Updated 2024-11-21

CVE-2023-50856 - Funnel Builder Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits. This issue affects Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits: from n/a through 2.14.3.

PLUGIN Funnel Builder

CVE-2023-50856

HIGH CVSS 7.6 2023-12-28
Threat Entry Updated 2024-11-21

CVE-2023-51501 - Uncode Theme

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Undsgn Uncode - Creative & WooCommerce WordPress Theme allows Reflected XSS. This issue affects Uncode - Creative & WooCommerce WordPress Theme: from n/a through 2.8.6.

THEME Uncode

CVE-2023-51501

HIGH CVSS 7.1 2023-12-28
Threat Entry Updated 2024-11-21

CVE-2023-5931 - rtMedia Plugin

The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 does not validate files to be uploaded, which could allow attackers with a low-privilege account (e.g. subscribers) to upload arbitrary files such as PHP to the server.

PLUGIN rtMedia

CVE-2023-5931

HIGH CVSS 8.8 2023-12-26
Threat Entry Updated 2024-11-21

CVE-2023-5674 - WP Mail Log Plugin

The WP Mail Log WordPress plugin before 1.1.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

PLUGIN WP Mail Log

CVE-2023-5674

HIGH CVSS 8.8 2023-12-26
Threat Entry Updated 2024-11-21

CVE-2023-6250 - Like & Share Plugin

The BestWebSoft Like & Share WordPress plugin before 2.74 discloses the content of password-protected posts to unauthenticated users via a meta tag.

PLUGIN Like & Share

CVE-2023-6250

HIGH CVSS 7.5 2023-12-26
Threat Entry Updated 2024-11-21

CVE-2023-6114 - Duplicator / Duplicator Pro Plugin

The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data. When directory listing is enabled in the web server, this allows unauthenticated attackers to discover and access these sensitive files, which include a full database dump and a zip archive of the site.

PLUGIN Duplicator / Duplicator Pro

CVE-2023-6114

HIGH CVSS 7.5 2023-12-26
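A quick way to test a site for the exposure described in this entry is to request the two temporary directories and see whether the web server answers with an auto-generated index. The script below is an added example and is not Duplicator's own code: it derives the Lite and Pro `tmp` URLs from a site URL (assuming the default `wp-content/` location), classifies a response as an Apache or nginx directory listing, and flags listings that link to `.sql` or `.zip` files, the dump and archive types the advisory says are stored there. The fetcher is injectable, so the sample bodies embedded here (constructed, not captured from a real site) exercise it offline.

```python
"""Check whether Duplicator's temporary backup directory is browsable.

Added example; not Duplicator's own code. It derives the two scratch-directory
URLs named in the advisory (Lite and Pro) from a site URL, assuming the default
wp-content location, and classifies an HTTP response as an auto-generated
directory index of the kind Apache mod_autoindex and nginx autoindex emit.
The fetcher is injectable so the check can be exercised offline.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths from the advisory; "wp-content/" as the content directory is assumed.
TMP_DIRS = (
    "wp-content/backups-dup-lite/tmp/",
    "wp-content/backups-dup-pro/tmp/",
)

# Markers common to Apache and nginx auto-generated listings.
_INDEX_MARK = re.compile(r"<(?:title|h1)>\s*Index of\s*/", re.IGNORECASE)
# File types the advisory says land in tmp: a database dump and a site archive.
_DUMP_LINK = re.compile(r'href="[^"]*\.(?:sql|zip)"', re.IGNORECASE)


def candidate_urls(site_url: str) -> list[str]:
    base = site_url if site_url.endswith("/") else site_url + "/"
    return [urljoin(base, path) for path in TMP_DIRS]


def classify(status: int, body: str) -> str:
    """Map one response to: closed, listing, listing-with-dumps, unknown."""
    if status in (401, 403, 404):
        return "closed"
    if status == 200 and _INDEX_MARK.search(body):
        return "listing-with-dumps" if _DUMP_LINK.search(body) else "listing"
    # A 200 with other content usually means an index.php/index.html stub,
    # which blocks listing but not direct download of a guessable filename.
    return "unknown"


def fetch(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """Network fetcher: returns (status, first 64 KiB of body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dup-tmp-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # 403/404 etc. carry a code
        return err.code, ""
    except urllib.error.URLError:           # DNS/TLS/connection failure
        return 0, ""


def check_site(site_url: str, fetcher=fetch) -> dict[str, str]:
    """Classify both candidate directories; returns {url: verdict}."""
    return {url: classify(*fetcher(url)) for url in candidate_urls(site_url)}


# Constructed sample bodies (not captured from any real site).
APACHE_LISTING = """<html><head><title>Index of /wp-content/backups-dup-lite/tmp</title></head>
<body><h1>Index of /wp-content/backups-dup-lite/tmp</h1>
<a href="/wp-content/backups-dup-lite/">Parent Directory</a>
<a href="20231226_example_database.sql">20231226_example_database.sql</a>
<a href="20231226_example_archive.zip">20231226_example_archive.zip</a>
</body></html>"""

NGINX_EMPTY_LISTING = """<html><head><title>Index of /wp-content/backups-dup-pro/tmp/</title></head>
<body><h1>Index of /wp-content/backups-dup-pro/tmp/</h1><hr><pre><a href="../">../</a>
</pre><hr></body></html>"""


def _offline_fetcher(url: str) -> tuple[int, str]:
    # Stands in for the network: Lite dir listed with dumps, Pro dir absent.
    return (200, APACHE_LISTING) if "dup-lite" in url else (404, "")


if __name__ == "__main__":
    for url, verdict in check_site("https://example.test", _offline_fetcher).items():
        print(f"{verdict:20s} {url}")
```

Disabling listing (`Options -Indexes` in Apache, `autoindex off;` in nginx) removes the discovery step but still leaves a dump downloadable by anyone who knows or guesses its name, so the durable fix is to update and to deny web access to the backup directories altogether.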
Threat Entry Updated 2024-11-21

CVE-2023-5939 - rtMedia Plugin

The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 loads the contents of the import file in an unsafe manner, leading to remote code execution by privileged users.

PLUGIN rtMedia

CVE-2023-5939

HIGH CVSS 7.2 2023-12-26
Threat Entry Updated 2024-11-21

CVE-2023-5673 - WP Mail Log Plugin

The WP Mail Log WordPress plugin before 1.1.3 does not properly validate the file extensions of files uploaded to be attached to emails, allowing attackers to upload PHP files, leading to remote code execution.

PLUGIN WP Mail Log

CVE-2023-5673

HIGH CVSS 8.8 2023-12-26
Threat Entry Updated 2024-11-21

CVE-2023-5645 - WP Mail Log Plugin

The WP Mail Log WordPress plugin before 1.1.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

PLUGIN WP Mail Log

CVE-2023-5645

HIGH CVSS 8.8 2023-12-26
Threat Entry Updated 2024-11-21

CVE-2023-5644 - WP Mail Log Plugin

The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users.

PLUGIN WP Mail Log

CVE-2023-5644

HIGH CVSS 7.6 2023-12-26
Threat Entry Updated 2024-11-21

CVE-2023-5203 - Wp Sessions Time Monitoring Full Automatic Plugin

The WP Sessions Time Monitoring Full Automatic WordPress plugin before 1.0.9 does not sanitize the request URL or query parameters before using them in an SQL query, allowing unauthenticated attackers to extract sensitive data from the database via blind time based SQL injection techniques, or in some cases an error/union based technique.

PLUGIN Wp Sessions Time Monitoring Full Automatic

CVE-2023-5203

HIGH CVSS 7.5 2023-12-26
Threat Entry Updated 2024-11-21

CVE-2023-6971 - Backup Migration Plugin

The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. NOTE: Successful exploitation of this vulnerability requires that the target server's php.ini is configured with 'allow_url_include' set to 'on'. This feature is deprecated as of PHP 7.4 and is disabled by default, but can still be explicitly enabled in later versions of PHP.

PLUGIN Backup Migration

CVE-2023-6971

HIGH CVSS 8.1 2023-12-23
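The NOTE in this entry makes exploitability hinge on a php.ini setting, so the check worth running is whether `allow_url_include` has been switched back on. The script below is an added example, not code from the Backup Migration plugin or from PHP. It parses php.ini text using PHP's own ini-boolean rules (`on`, `yes`, `true` in any case, or a leading non-zero integer, count as on; `off`, `no`, `false`, `none`, `0` and an empty value are off), applies PHP's built-in defaults when a directive is absent (`allow_url_fopen` on, `allow_url_include` off), and treats only `[HOST=...]` and `[PATH=...]` sections as scoped, since other section headers in php.ini are cosmetic. Both directives must be on for `include` of a URL wrapper to succeed, which is why the verdict checks both. The sample ini texts are constructed for the example.

```python
"""Report whether a php.ini enables the precondition for the RFI above.

Added example; not code from the Backup Migration plugin or from PHP.
It resolves allow_url_include and allow_url_fopen with PHP's ini-boolean
rules and built-in defaults, and reports [HOST=]/[PATH=] overrides that
apply only under CGI/FPM for a given host or path.
"""
import re

# key = value, with an optional trailing ";comment".
_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*(?:;.*)?$")

# PHP's built-in defaults when the directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0"}


def ini_bool(raw: str) -> bool:
    """PHP's truthiness for ini values: on/yes/true or a non-zero leading int."""
    value = raw.strip().strip("\"'").lower()
    if value in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", value)   # atoi-style: leading digits only
    return bool(m and int(m.group()) != 0)


def parse_ini(text: str) -> tuple[dict[str, str], dict[str, dict[str, str]]]:
    """Return (global directives, {scoped section: directives}).

    Only [HOST=...] and [PATH=...] sections narrow scope; [PHP], [Date],
    [mail function] and similar headers are labels and their directives
    apply globally. Later assignments override earlier ones, as in PHP.
    """
    global_vals: dict[str, str] = {}
    scoped: dict[str, dict[str, str]] = {}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            name = s[1:-1].strip()
            section = name if name.upper().startswith(("HOST=", "PATH=")) else None
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if section is None:
            global_vals[key] = val
        else:
            scoped.setdefault(section, {})[key] = val
    return global_vals, scoped


def rfi_precondition(ini_text: str) -> dict:
    """Verdict on the setting the advisory's NOTE depends on."""
    g, scoped = parse_ini(ini_text)
    fopen = ini_bool(g.get("allow_url_fopen", DEFAULTS["allow_url_fopen"]))
    include = ini_bool(g.get("allow_url_include", DEFAULTS["allow_url_include"]))
    overrides = sorted(sec for sec, vals in scoped.items()
                       if "allow_url_include" in vals or "allow_url_fopen" in vals)
    return {
        "allow_url_fopen": fopen,
        "allow_url_include": include,
        "remote_include_possible": fopen and include,  # both required
        "scoped_overrides": overrides,  # [HOST=]/[PATH=] sections to review
    }


# Constructed sample configurations (not shipped php.ini files).
SAFE_INI = """; constructed sample: deprecated directive left off
[PHP]
allow_url_fopen = On
allow_url_include = Off
[Date]
date.timezone = UTC
"""

WEAK_INI = """; constructed sample: directive re-enabled despite the 7.4 deprecation
allow_url_fopen = On
allow_url_include = 1   ; "1", "On", "Yes", "True" all count as enabled
[HOST=legacy.example.test]
allow_url_include = Off
"""

if __name__ == "__main__":
    for label, text in (("safe", SAFE_INI), ("weak", WEAK_INI)):
        print(label, rfi_precondition(text))
```

Run it against the php.ini the web SAPI actually loads, not the CLI one (`php --ini` shows the CLI's files; `phpinfo()` under the web server shows the FPM or mod_php view). A value set with `php_admin_flag` in the Apache config or in a pool file will not appear in php.ini at all, so confirm with `phpinfo()` when the file looks clean.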
Threat Entry Updated 2024-11-21

CVE-2023-6972 - Backup Migration Plugin

The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

PLUGIN Backup Migration

CVE-2023-6972

HIGH CVSS 7.5 2023-12-23
Threat Entry Updated 2024-11-21

CVE-2023-7002 - Backup Migration Plugin

The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on the host operating system.

PLUGIN Backup Migration

CVE-2023-7002

HIGH CVSS 7.2 2023-12-23
Threat Entry Updated 2024-11-21

CVE-2023-48288 - Jobwp Plugin

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP. This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.1.

PLUGIN Jobwp

CVE-2023-48288

HIGH CVSS 7.5 2023-12-21
Threat Entry Updated 2024-11-21

CVE-2023-49826 - Soledad Theme

Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme. This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.

THEME Soledad

CVE-2023-49826

HIGH CVSS 8.1 2023-12-21
Threat Entry Updated 2024-11-21

CVE-2023-29096 - Contact Form to DB Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress. This issue affects Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress: from n/a through 1.7.0.

PLUGIN Contact Form to DB

CVE-2023-29096

HIGH CVSS 8.5 2023-12-20
Threat Entry Updated 2024-11-21

CVE-2023-29432 - Houzez Theme

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme. This issue affects Houzez - Real Estate WordPress Theme: from n/a before 2.8.3.

THEME Houzez

CVE-2023-29432

HIGH CVSS 8.2 2023-12-20
Threat Entry Updated 2024-11-21

CVE-2023-28788 - Advanced Page Visit Counter Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress. This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 6.4.2.

PLUGIN Advanced Page Visit Counter

CVE-2023-28788

HIGH CVSS 7.1 2023-12-20
Threat Entry Updated 2024-11-21

CVE-2023-30750 - Cm Popup Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CreativeMindsSolutions CM Popup Plugin for WordPress. This issue affects CM Popup Plugin for WordPress: from n/a through 1.5.10.

PLUGIN Cm Popup

CVE-2023-30750

HIGH CVSS 8.5 2023-12-20
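The entries on this page state their affected ranges in three forms: "before X" (exclusive upper bound), "through X" (inclusive) and, for the Backup Migration RFI, "from 1.0.8 to 1.3.9" (closed interval). Getting those boundaries right, and comparing four-component versions such as 1.5.7.1 correctly, is where hand triage usually slips. The script below is an added example, not part of this database or of any listed plugin: it takes JSON in the shape that `wp plugin list --format=json` and `wp theme list --format=json` produce (`name`, `status`, `update`, `version`) and reports every installed component inside a range from this page. The slugs used as keys are assumptions for illustration and were not taken from the advisories; the bounds are the ones stated in the entries above, and the inventory is constructed.

```python
"""Triage a WordPress plugin/theme inventory against the ranges on this page.

Added example; not part of this database or of any listed plugin. Keys in
AFFECTED are assumed slugs, not taken from the advisories; the version bounds
are the ones stated in the entries above. "before X" is exclusive, "through X"
inclusive, and "from A to B" is a closed interval.
"""
import json
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Dotted release numbers as int tuples: '1.5.7' < '1.5.7.1', and a
    pre-release suffix ('1.3.9-beta') sorts below the final '1.3.9'."""
    core, _, suffix = text.strip().partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    parts += [0] * (4 - len(parts))          # pad so short and long forms compare
    return tuple(parts) + ((0,) if suffix else (1,))


@dataclass(frozen=True)
class Affected:
    cve: str
    high: str                  # upper bound as stated in the advisory
    high_inclusive: bool       # True for "through", False for "before"
    low: Optional[str] = None  # inclusive lower bound; None = any earlier version

    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if self.low is not None and v < parse_version(self.low):
            return False
        h = parse_version(self.high)
        return v <= h if self.high_inclusive else v < h


# Keys are assumed slugs (illustrative); bounds come from the entries above.
AFFECTED = {
    "funnel-builder": [Affected("CVE-2023-50856", "2.14.3", True)],
    "buddypress-media": [Affected("CVE-2023-5931", "4.6.16", False),
                         Affected("CVE-2023-5939", "4.6.16", False)],
    "wp-mail-log": [Affected(c, "1.1.3", False) for c in
                    ("CVE-2023-5674", "CVE-2023-5673", "CVE-2023-5645", "CVE-2023-5644")],
    "duplicator": [Affected("CVE-2023-6114", "1.5.7.1", False)],
    "duplicator-pro": [Affected("CVE-2023-6114", "4.5.14.2", False)],
    "backup-backup": [Affected("CVE-2023-6971", "1.3.9", True, low="1.0.8"),
                      Affected("CVE-2023-6972", "1.3.9", True),
                      Affected("CVE-2023-7002", "1.3.9", True)],
    "jobwp": [Affected("CVE-2023-48288", "2.1", True)],
    "advanced-page-visit-counter": [Affected("CVE-2023-28788", "6.4.2", True)],
    "uncode": [Affected("CVE-2023-51501", "2.8.6", True)],
    "soledad": [Affected("CVE-2023-49826", "8.4.1", True)],
    "houzez": [Affected("CVE-2023-29432", "2.8.3", False)],
}


def triage(inventory_json: str) -> list[tuple[str, str, str, str]]:
    """Return (slug, installed version, status, cve) for every match.
    Inactive entries are reported too: their files stay on disk."""
    hits = []
    for item in json.loads(inventory_json):
        for rule in AFFECTED.get(item["name"], ()):
            if rule.matches(item["version"]):
                hits.append((item["name"], item["version"], item["status"], rule.cve))
    return hits


# Constructed inventory in wp-cli's JSON shape (not from a real site).
SAMPLE_INVENTORY = json.dumps([
    {"name": "wp-mail-log", "status": "active", "update": "available", "version": "1.1.2"},
    {"name": "duplicator", "status": "inactive", "update": "none", "version": "1.5.7.1"},
    {"name": "backup-backup", "status": "active", "update": "available", "version": "1.0.7"},
    {"name": "houzez", "status": "active", "update": "none", "version": "2.8.3"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for slug, ver, status, cve in triage(SAMPLE_INVENTORY):
        print(f"{cve:16s} {slug} {ver} ({status})")
```

On the sample, WP Mail Log 1.1.2 trips all four of its entries, Backup Migration 1.0.7 is outside the RFI interval but inside both "through 1.3.9" ranges, and Duplicator 1.5.7.1 and Houzez 2.8.3 are exactly at their fixed versions and are reported clean.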