
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,046
Critical: 0
High: 3,046
Medium: 0
Showing 2321-2340 of 3046 records
Threat Entry Updated 2024-11-21

CVE-2023-2440 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing nonce validation in the 'admin_page', 'userpro_verify_user' and 'verifyUnverifyAllUsers' functions. This makes it possible for unauthenticated attackers to modify the role of verified users, elevating a verified user's privileges to those of any role such as 'administrator', via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Userpro

CVE-2023-2440

HIGH CVSS 8.8 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-6196 - Audio Merchant Plugin

The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation in the audio_merchant_add_audio_file function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Audio Merchant

CVE-2023-6196

HIGH CVSS 8.8 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-4214 - Apppresser Plugin

The AppPresser plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including, 4.2.5. This is due to the plugin generating a reset code that is too weak, while the code used to reset the password is subject to no attempt limit or time limit.

PLUGIN Apppresser

CVE-2023-4214

HIGH CVSS 8.1 2023-11-18
Threat Entry Updated 2024-11-21

CVE-2023-6187 - Paid Memberships Pro Plugin

The Paid Memberships Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'pmpro_paypalexpress_session_vars_for_user_fields' function in versions up to, and including, 2.12.3. This makes it possible for authenticated attackers with subscriber privileges or above to upload arbitrary files on the affected site's server, which may make remote code execution possible. This can be exploited if 2Checkout (deprecated since version 2.6) or PayPal Express is set as the payment method and a custom user field is added that is only visible at profile, and…

PLUGIN Paid Memberships Pro

CVE-2023-6187

HIGH CVSS 7.5 2023-11-18
Threat Entry Updated 2025-02-19

CVE-2023-41798 - Directorist Plugin

Improper Neutralization of Formula Elements in a CSV File vulnerability in wpWax Directorist – WordPress Business Directory Plugin with Classified Ads Listing. This issue affects Directorist – WordPress Business Directory Plugin with Classified Ads Listings: from n/a through 7.7.1.

PLUGIN Directorist

CVE-2023-41798

HIGH CVSS 8.8 2023-11-07
Threat Entry Updated 2024-11-21

CVE-2023-5709 - Wd Widgettwitter Plugin

The WD WidgetTwitter plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.0.9, due to insufficient escaping of the user-supplied parameter and a lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.

PLUGIN Wd Widgettwitter

CVE-2023-5709

HIGH CVSS 8.8 2023-11-07
Threat Entry Updated 2025-03-24

CVE-2023-5355 - Awesome Support Plugin

The Awesome Support WordPress plugin before 6.1.5 does not sanitize file paths when deleting temporary attachment files, allowing a ticket submitter to delete arbitrary files on the server.

PLUGIN Awesome Support

CVE-2023-5355

HIGH CVSS 8.1 2023-11-06
Threat Entry Updated 2025-02-26

CVE-2023-5454 - Before 2 Plugin

The Templately WordPress plugin before 2.2.6 does not properly authorize the `saved-templates/delete` REST API call, allowing unauthenticated users to delete arbitrary posts.

PLUGIN Before 2

CVE-2023-5454

HIGH CVSS 7.5 2023-11-06
Threat Entry Updated 2025-02-26

CVE-2023-5082 - History Log By Click5 Plugin

The History Log by click5 WordPress plugin before 1.0.13 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin users when the Smash Balloon Social Photo Feed plugin is installed alongside it.

PLUGIN History Log By Click5

CVE-2023-5082

HIGH CVSS 7.2 2023-11-06
Threat Entry Updated 2025-02-26

CVE-2023-46823 - Imagelinks Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Avirtum ImageLinks Interactive Image Builder for WordPress allows SQL Injection. This issue affects ImageLinks Interactive Image Builder for WordPress: from n/a through 1.5.4.

PLUGIN Imagelinks

CVE-2023-46823

HIGH CVSS 7.2 2023-11-06
Threat Entry Updated 2025-02-19

CVE-2023-35910 - Quasar Form Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nucleus_genius Quasar form free – Contact Form Builder for WordPress allows SQL Injection. This issue affects Quasar form free – Contact Form Builder for WordPress: from n/a through 6.0.

PLUGIN Quasar Form

CVE-2023-35910

HIGH CVSS 8.8 2023-11-04
Threat Entry Updated 2025-02-19

CVE-2023-32121 - Zero Spam For Wordpress Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Highfivery LLC Zero Spam for WordPress allows SQL Injection. This issue affects Zero Spam for WordPress: from n/a through 5.4.4.

PLUGIN Zero Spam For Wordpress

CVE-2023-32121

HIGH CVSS 7.2 2023-11-03
Threat Entry Updated 2024-11-21

CVE-2023-5860 - Icons Font Loader Plugin

The Icons Font Loader plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

PLUGIN Icons Font Loader

CVE-2023-5860

HIGH CVSS 7.2 2023-11-02
Threat Entry Updated 2025-04-23

CVE-2023-5098 - Campaign Monitor Forms By Optin Cat Plugin

The Campaign Monitor Forms by Optin Cat WordPress plugin before 2.5.6 does not prevent users with low privileges (such as subscribers) from overwriting any option on a site with the string "true", which could lead to a variety of outcomes, including DoS.

PLUGIN Campaign Monitor Forms By Optin Cat

CVE-2023-5098

HIGH CVSS 8.1 2023-10-31
Threat Entry Updated 2024-11-21

CVE-2023-5099 - Html Filter And Csv File Search Plugin

The HTML filter and csv-file search plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.7, via the 'src' attribute of the 'csvsearch' shortcode. This allows authenticated attackers, with contributor-level permissions and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

PLUGIN Html Filter And Csv File Search

CVE-2023-5099

HIGH CVSS 8.8 2023-10-31
Threat Entry Updated 2024-11-21

CVE-2023-5464 - Jquery Accordion Slideshow Plugin

The Jquery accordion slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 8.1, due to insufficient escaping of the user-supplied parameter and a lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.

PLUGIN Jquery Accordion Slideshow

CVE-2023-5464

HIGH CVSS 8.8 2023-10-31
Threat Entry Updated 2024-11-21

CVE-2023-5439 - Wp Photo Text Slider 50 Plugin

The Wp photo text slider 50 plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 8.0, due to insufficient escaping of the user-supplied parameter and a lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers with subscriber-level and above permissions to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.

PLUGIN Wp Photo Text Slider 50

CVE-2023-5439

HIGH CVSS 8.8 2023-10-31