Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-04-08

CVE-2021-4334 - Fancy Product Designer Plugin

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9. This makes it possible for authenticated attackers with subscriber-level permissions to modify site options, including setting the default role to administrator which can allow privilege escalation.

PLUGIN Fancy Product Designer

CVE-2021-4334

HIGH CVSS 8.8 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5576 - Migration Backup Staging Plugin

The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source. This could allow unauthenticated attackers to impersonate the WPVivid Google Drive account via the API if they can trick a user into reauthenticating via another vulnerability or social engineering.

PLUGIN Migration Backup Staging

CVE-2023-5576

HIGH CVSS 8.0 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4598 - Slimstat Analytics Plugin

The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Slimstat Analytics

CVE-2023-4598

HIGH CVSS 8.8 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4274 - Migration Backup Staging Plugin

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 0.9.89. This allows authenticated attackers with administrative privileges to delete the contents of arbitrary directories on the server, which can be a critical issue in shared environments.

PLUGIN Migration Backup Staging

CVE-2023-4274

HIGH CVSS 8.7 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-4402 - Essential Blocks Plugin

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Essential Blocks

CVE-2023-4402

HIGH CVSS 8.1 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5336 - iPanorama 360 WordPress Virtual Tour Builder Plugin

The iPanorama 360 – WordPress Virtual Tour Builder plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN iPanorama 360 WordPress Virtual Tour Builder

CVE-2023-5336

HIGH CVSS 8.8 2023-10-19
Threat Entry Updated 2024-11-21

CVE-2023-5538 - MpOperationLogs Plugin

The MpOperationLogs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the IP Request Headers in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN MpOperationLogs

CVE-2023-5538

HIGH CVSS 7.2 2023-10-18
Threat Entry Updated 2025-04-23

CVE-2023-5133 - User Activity Log Pro Plugin

The user-activity-log-pro WordPress plugin before 2.3.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

PLUGIN User Activity Log Pro

CVE-2023-5133

HIGH CVSS 7.5 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-5003 - LDAP Integration Plugin

The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs. Unfortunately, this log file is never removed, and remains accessible to any users knowing the URL to do so.

PLUGIN LDAP Integration

CVE-2023-5003

HIGH CVSS 7.5 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4971 - Weaver Xtreme Theme Support Plugin

The Weaver Xtreme Theme Support WordPress plugin before 6.3.1 unserialises the content of an imported file, which could lead to PHP object injection issues when a high-privilege user imports a malicious file and a suitable gadget chain is present on the blog.

PLUGIN Weaver Xtreme Theme Support

CVE-2023-4971

HIGH CVSS 7.2 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4861 - File Manager Pro Plugin

The File Manager Pro WordPress plugin before 1.8.1 allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution.

PLUGIN File Manager Pro

CVE-2023-4861

HIGH CVSS 7.2 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4776 - School Management System Plugin

The School Management System WordPress plugin before 2.2.5 uses the WordPress esc_sql() function on a field not delimited by quotes and does not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users such as Teachers.

PLUGIN School Management System

CVE-2023-4776

HIGH CVSS 8.8 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4691 - WordPress Online Booking and Scheduling Plugin

The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admin.

PLUGIN WordPress Online Booking and Scheduling

CVE-2023-4691

HIGH CVSS 7.2 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4643 - Enable Media Replace Plugin

The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog.

PLUGIN Enable Media Replace

CVE-2023-4643

HIGH CVSS 8.8 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-3154 - WordPress Gallery Plugin

The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.

PLUGIN WordPress Gallery

CVE-2023-3154

HIGH CVSS 7.5 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-3155 - WordPress Gallery Plugin

The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.

PLUGIN WordPress Gallery

CVE-2023-3155

HIGH CVSS 7.2 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4827 - File Manager Pro Plugin

The File Manager Pro WordPress plugin before 1.8 does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell.

PLUGIN File Manager Pro

CVE-2023-4827

HIGH CVSS 8.8 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-3392 - Read More & Accordion Plugin

The Read More & Accordion WordPress plugin before 3.2.7 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

PLUGIN Read More & Accordion

CVE-2023-3392

HIGH CVSS 7.2 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-4300 - Import XML and RSS Feeds Plugin

The Import XML and RSS Feeds WordPress plugin before 2.1.4 does not filter file extensions for uploaded files, allowing an attacker to upload a malicious PHP file, leading to Remote Code Execution.

PLUGIN Import XML and RSS Feeds

CVE-2023-4300

HIGH CVSS 7.2 2023-09-25