Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Filter: High severity (3,046 of 3,046 records). Showing 2381-2400 of 3,046 records.
Threat Entry Updated 2025-04-22

CVE-2023-4238 - Prevent Files / Folders Access Plugin

The Prevent files / folders access WordPress plugin before 2.5.2 does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server.

PLUGIN Prevent Files / Folders Access

CVE-2023-4238

HIGH CVSS 7.2 2023-09-25
Threat Entry Updated 2024-11-21

CVE-2023-3664 - Fileorganizer Plugin

The FileOrganizer WordPress plugin through 1.0.2 does not restrict functionality on multisite instances, allowing site admins to gain full control over the server.

PLUGIN Fileorganizer

CVE-2023-3664

HIGH CVSS 7.2 2023-09-25
Threat Entry Updated 2024-11-21

CVE-2023-3025 - Dropbox Folder Share Plugin

The Dropbox Folder Share plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.9.7 via the 'link' parameter. This can allow unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Dropbox Folder Share

CVE-2023-3025

HIGH CVSS 7.2 2023-09-16
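The SSRF described above comes down to fetching whatever URL arrives in the 'link' parameter. The following is an added example, not code from the Dropbox Folder Share plugin, of the validation a plugin should perform before any server-side fetch: scheme allow-list, no userinfo, no unusual ports, and every address the host resolves to must be public. The function name validate_outbound_url() and the constructed test URLs are assumptions.

```php
<?php
// Added example; not code from the Dropbox Folder Share plugin. Validates a
// user-supplied URL (the advisory's 'link' parameter) before the server fetches
// it. Plain PHP throughout; validate_outbound_url() is a hypothetical helper name.

function is_public_ip(string $ip): bool {
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16, fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::ffff:0:0/96, fe80::/10.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the URL if it is safe to fetch, null otherwise.
function validate_outbound_url(string $url): ?string {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                     // file://, gopher://, php:// and friends
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                     // http://trusted.example@127.0.0.1/ style confusion
    }
    if (isset($p['port']) && !in_array((int) $p['port'], [80, 443], true)) {
        return null;                     // keep the fetcher off internal service ports
    }
    $host = strtolower(trim($p['host'], '[]'));

    // Literal IPs are checked directly; names are resolved and *every* answer must
    // be public, because the attacker controls DNS for names they own.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses = [$host];
    } else {
        $addresses = [];
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
            $addresses[] = $rr['ip'] ?? $rr['ipv6'] ?? '';
        }
    }
    if ($addresses === []) {
        return null;                     // unresolvable: refuse rather than let the client decide
    }
    foreach ($addresses as $ip) {
        if (!is_public_ip($ip)) {
            return null;
        }
    }
    return $url;
}

// Constructed inputs; the literal-IP cases need no network.
if (PHP_SAPI === 'cli') {
    foreach ([
        'http://127.0.0.1:8080/admin',              // loopback, internal port
        'http://169.254.169.254/latest/meta-data/', // cloud metadata endpoint
        'http://[::1]/',                            // IPv6 loopback
        'file:///etc/passwd',                       // wrong scheme
        'http://10.0.0.5@1.1.1.1/',                 // userinfo trick
        'http://1.1.1.1/share/abc',                 // public address: allowed
    ] as $u) {
        printf("%-45s %s\n", $u, validate_outbound_url($u) === null ? 'blocked' : 'allowed');
    }
}
```

Inside WordPress, pass the validated URL to wp_safe_remote_get(), which additionally runs wp_http_validate_url() and refuses redirects to unsafe targets. One caveat the check above cannot close on its own: the HTTP client resolves the name a second time, so a host whose DNS answer changes between the check and the fetch (DNS rebinding) still needs a resolver or egress proxy that pins the checked address.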
Threat Entry Updated 2024-11-21

CVE-2023-4916 - Login With Phone Number Plugin

The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.6. This is due to missing nonce validation on the 'lwp_update_password_action' function. This makes it possible for unauthenticated attackers to change a user's password via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Login With Phone Number

CVE-2023-4916

HIGH CVSS 8.8 2023-09-13
Threat Entry Updated 2024-11-21

CVE-2023-4213 - Simplr Registration Form Plus Plugin

The Simplr Registration Form Plus+ plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.4.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber-level permissions or above to change user passwords and potentially take over administrator accounts.

PLUGIN Simplr Registration Form Plus

CVE-2023-4213

HIGH CVSS 8.8 2023-09-13
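The two entries above fail in complementary ways: CVE-2023-4916 accepts a password change without a nonce, so a forged cross-site request succeeds, and CVE-2023-4213 lets a low-privileged user pick whose password is changed. The following is an added example, not code from either plugin, of one password-change handler that closes both gaps. The hook name, the 'example_' prefix and the form field names are assumptions; the WordPress functions called (check_ajax_referer, current_user_can, wp_check_password, wp_set_password, wp_nonce_field) are the real ones.

```php
<?php
// Added example; not code from Login with phone number or Simplr Registration Form Plus+.
// Hook and function names prefixed 'example_' are assumptions.

// Vulnerable shape: user id and password are taken straight from the request.
function example_update_password_vulnerable() {
    $user_id = (int) $_POST['user_id'];
    wp_set_password($_POST['new_password'], $user_id);   // no nonce, no ownership check
}

// Hardened handler. Registered on wp_ajax_ only, so anonymous requests never reach it.
function example_update_password_secure() {
    // 1. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_ajax_referer() ends the request on failure.
    check_ajax_referer('example_update_password', '_wpnonce');

    // 2. Authentication, stated explicitly even though only wp_ajax_ is hooked.
    if (!is_user_logged_in()) {
        wp_send_json_error('not logged in', 401);
    }

    // 3. Authorization (the IDOR half): default to the caller's own account and accept
    //    another user_id only when the caller may edit that user.
    $target = isset($_POST['user_id']) ? absint($_POST['user_id']) : get_current_user_id();
    if ($target !== get_current_user_id() && !current_user_can('edit_user', $target)) {
        wp_send_json_error('forbidden', 403);
    }

    // 4. Self-service changes must prove knowledge of the current password, so a
    //    forgotten logged-in browser cannot be used to silently rotate it.
    $new = (string) ($_POST['new_password'] ?? '');
    if ($target === get_current_user_id()) {
        $user = wp_get_current_user();
        $current = (string) ($_POST['current_password'] ?? '');
        if (!wp_check_password($current, $user->user_pass, $user->ID)) {
            wp_send_json_error('wrong current password', 403);
        }
    }
    if (strlen($new) < 12) {
        wp_send_json_error('password too short', 400);
    }

    wp_set_password($new, $target);
    wp_send_json_success();
}
add_action('wp_ajax_example_update_password', 'example_update_password_secure');
// Deliberately no wp_ajax_nopriv_ registration.

// The form must embed the matching nonce; wp_nonce_field() writes the hidden _wpnonce input.
function example_render_password_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-ajax.php')) . '">';
    echo '<input type="hidden" name="action" value="example_update_password">';
    wp_nonce_field('example_update_password', '_wpnonce');
    echo '<input type="password" name="current_password" autocomplete="current-password">';
    echo '<input type="password" name="new_password" autocomplete="new-password">';
    echo '<button type="submit">Change password</button>';
    echo '</form>';
}
```

A nonce alone is not an authorization check: it proves the request came from a page WordPress rendered for this user, not that this user may act on the chosen object. That is why step 3 is separate from step 1, and why a plugin that passes the first check can still have the second bug.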
Threat Entry Updated 2024-11-21

CVE-2023-4153 - Ban Users Plugin

The BAN Users plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.5.3 due to a missing capability check on the 'w3dev_save_ban_user_settings_callback' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify the plugin settings to access the ban and unban functionality and set the role of the unbanned user.

PLUGIN Ban Users

CVE-2023-4153

HIGH CVSS 8.8 2023-09-13
Threat Entry Updated 2025-04-23

CVE-2023-4314 - wpDataTables Plugin

The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deserializing the data. This allows admins to deserialize arbitrary data which may lead to remote code execution if a suitable gadget chain is present on the server. This is impactful in environments where admin users should not be allowed to execute arbitrary code, such as multisite.

PLUGIN wpDataTables

CVE-2023-4314

HIGH CVSS 7.2 2023-09-11
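The entry above describes the classic PHP deserialization problem: unserialize() instantiates whatever class the input names and runs its magic methods, so an admin-facing "Serialized PHP array" field becomes code execution as soon as a usable gadget class is loaded. The following is an added example, not wpDataTables code, that runs stand-alone with the PHP CLI. ExampleGadget is a constructed stand-in for a gadget; the serialized payload is constructed to match it.

```php
<?php
// Added example; not code from wpDataTables. ExampleGadget and the payload are constructed.

// A "gadget": any loaded class whose magic method acts on its own properties.
// Real chains live in vendored libraries (loggers, cache drivers, template engines),
// not in the plugin that calls unserialize().
class ExampleGadget {
    public $cmd;
    public function __wakeup() {
        // Stand-in for the dangerous side effect (file write, eval, shell).
        echo "gadget executed with: {$this->cmd}\n";
    }
}

// What an attacker pastes into the field: an object of the gadget class with chosen properties.
$payload = 'O:13:"ExampleGadget":1:{s:3:"cmd";s:2:"id";}';

// Vulnerable: the named class is instantiated and __wakeup() runs with attacker data.
function deserialize_vulnerable(string $data) {
    return unserialize($data);
}

// Hardened: allowed_classes => false (PHP >= 7.0) instantiates no class at all. Object
// payloads come back as __PHP_Incomplete_Class, whose magic methods never run; arrays
// and scalars are returned as usual.
function deserialize_safe(string $data) {
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    return $value;
}

// Preferred when the format is yours to choose: JSON cannot name a class.
function parse_array_config(string $data): array {
    $value = json_decode($data, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('expected an array');
    }
    return $value;
}

deserialize_vulnerable($payload);                          // prints "gadget executed with: id"
$obj = deserialize_safe($payload);
var_dump($obj instanceof __PHP_Incomplete_Class);          // bool(true); __wakeup() did not run
var_dump(deserialize_safe('a:1:{s:1:"k";s:1:"v";}'));      // array(1) { ["k"]=> string(1) "v" }
var_dump(parse_array_config('{"k":"v"}'));                 // array(1) { ["k"]=> string(1) "v" }
```

Note the multisite point the entry makes: a site administrator is not a super admin and is not supposed to be able to run code on the host, so "only admins can reach it" does not make an unserialize() call on request data acceptable.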
Threat Entry Updated 2025-04-23

CVE-2023-4278 - Masterstudy Lms Plugin

The MasterStudy LMS WordPress plugin before 3.0.18 does not have proper checks in place during registration, allowing anyone to register on the site as an instructor. They can then add courses and/or posts.

PLUGIN Masterstudy Lms

CVE-2023-4278

HIGH CVSS 7.5 2023-09-11
Threat Entry Updated 2024-11-21

CVE-2023-4719 - Simple Membership Plugin

The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `list_type` parameter in versions up to, and including, 4.3.5 due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary web scripts into pages that execute in a victim's browser, provided they can trick the user into taking an action such as clicking a malicious link.

PLUGIN Simple Membership

CVE-2023-4719

HIGH CVSS 7.2 2023-09-06
Threat Entry Updated 2025-04-23

CVE-2023-4019 - Media From Ftp Plugin

The Media from FTP WordPress plugin before 11.17 does not properly limit who can use the plugin, allowing users with author or higher privileges to move files such as wp-config.php, which may lead to RCE in some cases.

PLUGIN Media From Ftp

CVE-2023-4019

HIGH CVSS 8.8 2023-09-04
Threat Entry Updated 2025-04-23

CVE-2023-4279 - User Activity Log Plugin

The User Activity Log WordPress plugin before 1.6.7 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value. This may be used to hide the source of malicious traffic.

PLUGIN User Activity Log

CVE-2023-4279

HIGH CVSS 7.5 2023-09-04
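The entry above is the logging counterpart of a very common mistake: reading X-Forwarded-For (or X-Real-IP, CF-Connecting-IP, Client-IP) as if it were authoritative. Only REMOTE_ADDR comes from the TCP connection; a request header is whatever the client typed. The following is an added example, not code from the User Activity Log plugin, of resolving the client address so that a proxy header is honoured only when the connection really came from one of your own proxies. It runs stand-alone with the PHP CLI; the trusted proxy ranges and the two constructed requests are assumptions.

```php
<?php
// Added example; not code from the User Activity Log plugin. The trusted-proxy
// list and the sample requests are constructed placeholders.

// Prefix match for IPv4 and IPv6 CIDRs (a bare address means a full-length prefix).
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipB  = inet_pton($ip);
    $netB = inet_pton($net);
    if ($ipB === false || $netB === false || strlen($ipB) !== strlen($netB)) {
        return false;                       // invalid, or mixing v4 and v6
    }
    $bits = $bits === null ? strlen($ipB) * 8 : (int) $bits;
    $full = intdiv($bits, 8);
    if ($full > 0 && substr($ipB, 0, $full) !== substr($netB, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipB[$full]) & $mask) === (ord($netB[$full]) & $mask);
}

function is_trusted_proxy(string $ip, array $trusted): bool {
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Returns the address to log. $server is $_SERVER, passed in so the logic is testable.
function client_ip(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    // The pattern the advisory describes would be:  return $server['HTTP_X_FORWARDED_FOR'] ?? $remote;
    if (!is_trusted_proxy($remote, $trusted_proxies) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;                     // direct connection: the header is attacker-controlled
    }
    // Walk the chain right to left, dropping addresses that belong to our proxies.
    // The first remaining one is what connected to our outermost proxy; anything
    // to its left was supplied by the client and is not evidence.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $candidate = $chain[$i];
        if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
            return $remote;                 // garbage in the header: fall back, do not trust
        }
        if (!is_trusted_proxy($candidate, $trusted_proxies)) {
            return $candidate;
        }
    }
    return $remote;                         // every hop was ours; nothing untrusted to report
}

$trusted = ['10.0.0.0/8', '2001:db8::/32'];   // placeholder: your load balancer ranges

// 1. Attacker connects directly and spoofs the header: REMOTE_ADDR wins.
echo client_ip(['REMOTE_ADDR' => '203.0.113.7',
                'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], $trusted), "\n";              // 203.0.113.7
// 2. Two proxy layers in front of us; the client prepended a fake first hop.
echo client_ip(['REMOTE_ADDR' => '10.1.2.3',
                'HTTP_X_FORWARDED_FOR' => '1.1.1.1, 198.51.100.9, 10.0.0.5'], $trusted), "\n"; // 198.51.100.9
```

The same rule applies to any feature that makes decisions on the address, not just logging: rate limits, IP allow-lists and "ban this IP" actions all become bypassable when the header is trusted unconditionally.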
Threat Entry Updated 2024-11-21

CVE-2023-3677 - Woocommerce Pdf Invoice Builder Plugin

The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to SQL Injection via the pageId parameter in versions up to, and including, 1.2.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for subscribers or higher to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Woocommerce Pdf Invoice Builder

CVE-2023-3677

HIGH CVSS 8.8 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-3636 - Wp Project Manager Plugin

The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the 'save_users_map_name' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'usernames' parameter.

PLUGIN Wp Project Manager

CVE-2023-3636

HIGH CVSS 8.8 2023-08-31
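CVE-2023-4153 and CVE-2023-3636 above are the same bug in two plugins: a wp_ajax_ callback that changes settings or roles without asking whether the caller is allowed to. Every wp_ajax_{action} callback is reachable by any logged-in user, subscribers included, so the authorization decision has to be made inside the callback. The following is an added example, not code from BAN Users or WP Project Manager, of a settings-and-role handler done both ways. Hook, option and function names prefixed 'example_' are assumptions; check_ajax_referer, current_user_can, get_editable_roles and WP_User::set_role are the real WordPress APIs.

```php
<?php
// Added example; not code from BAN Users or WP Project Manager.
// Names prefixed 'example_' are assumptions.

// Vulnerable shape: any authenticated user can reach this, and it writes settings and roles blindly.
function example_save_settings_vulnerable() {
    update_option('example_settings', $_POST['settings']);
    $u = get_user_by('login', $_POST['username']);
    $u->set_role($_POST['role']);            // a subscriber promotes themselves to administrator
    wp_die();
}

// Hardened version.
function example_save_settings_secure() {
    check_ajax_referer('example_save_settings');                // CSRF: dies on a bad/missing nonce

    if (!current_user_can('manage_options')) {                  // capability, not role name
        wp_send_json_error('forbidden', 403);
    }

    $settings = isset($_POST['settings']) && is_array($_POST['settings'])
        ? array_map('sanitize_text_field', wp_unslash($_POST['settings']))
        : [];
    update_option('example_settings', $settings);

    // Role changes: a separate capability, the target must not be the caller, and the role
    // must be one the caller may grant. get_editable_roles() already excludes administrator
    // for non-super-admins on multisite, which is the case the BAN Users entry cares about.
    if (isset($_POST['username'], $_POST['role'])) {
        if (!current_user_can('promote_users')) {
            wp_send_json_error('forbidden', 403);
        }
        $user = get_user_by('login', sanitize_user(wp_unslash($_POST['username'])));
        $role = sanitize_key($_POST['role']);
        if (!$user || $user->ID === get_current_user_id()
            || !array_key_exists($role, get_editable_roles())) {
            wp_send_json_error('invalid user or role', 400);
        }
        if (!current_user_can('promote_user', $user->ID)) {     // per-user meta capability
            wp_send_json_error('forbidden', 403);
        }
        $user->set_role($role);
    }
    wp_send_json_success();
}
add_action('wp_ajax_example_save_settings', 'example_save_settings_secure');
// No wp_ajax_nopriv_ registration: anonymous users have no business here.
```

Two details matter in practice. The check is current_user_can('manage_options'), not a comparison against the literal role name 'administrator', so custom roles and multisite behave correctly. And the nonce check is not the authorization check: a subscriber can obtain a valid nonce for their own session, so check_ajax_referer() alone would still let them in.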
Threat Entry Updated 2024-11-21

CVE-2023-2229 - Rduplicator Plugin

The Quick Post Duplicator plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in versions up to, and including, 2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Rduplicator

CVE-2023-2229

HIGH CVSS 8.8 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-2188 - Colibri Page Builder Plugin

The Colibri Page Builder plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in versions up to, and including, 1.0.227 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator-level privileges to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Colibri Page Builder

CVE-2023-2188

HIGH CVSS 7.2 2023-08-31
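CVE-2023-3677, CVE-2023-2229 and CVE-2023-2188 above share one root cause: an ID parameter ('pageId', 'post_id') concatenated into a query instead of bound with $wpdb->prepare(). The following is an added example, not code from WooCommerce PDF Invoice Builder, Quick Post Duplicator or Colibri Page Builder, showing the vulnerable shape, the half-fix that does not work, and the prepared forms for integers, strings, LIKE patterns and identifiers. Table, hook and function names prefixed 'example_' are assumptions; $wpdb->prepare, $wpdb->esc_like, esc_sql and absint are the real WordPress APIs.

```php
<?php
// Added example; not code from any of the three plugins. Names prefixed 'example_' are assumptions.

// Vulnerable: the parameter lands in the SQL text. With post_id set to
//   1 UNION SELECT user_login, user_pass, NULL FROM wp_users
// the query returns password hashes instead of an invoice row.
function example_get_invoice_vulnerable($post_id) {
    global $wpdb;
    return $wpdb->get_row("SELECT * FROM {$wpdb->prefix}example_invoices WHERE post_id = " . $post_id);
}

// Still vulnerable, and a common half-fix: esc_sql() escapes quote characters, but the
// value above is unquoted and the payload contains no quotes, so it passes through unchanged.
function example_get_invoice_half_fixed($post_id) {
    global $wpdb;
    return $wpdb->get_row("SELECT * FROM {$wpdb->prefix}example_invoices WHERE post_id = " . esc_sql($post_id));
}

// Fixed: prepare() binds the value. %d casts to an integer, so the payload above becomes 1.
function example_get_invoice($post_id) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare("SELECT * FROM {$wpdb->prefix}example_invoices WHERE post_id = %d", $post_id)
    );
}

// Strings use %s. LIKE patterns additionally need $wpdb->esc_like(), because prepare()
// escapes quotes but not the % and _ wildcards.
function example_find_invoices_by_customer($needle) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like($needle) . '%';
    return $wpdb->get_results(
        $wpdb->prepare("SELECT id, post_id FROM {$wpdb->prefix}example_invoices WHERE customer LIKE %s", $like)
    );
}

// Identifiers (column and table names) cannot be bound as values; allow-list them instead.
function example_sorted_invoices($orderby) {
    global $wpdb;
    $allowed = ['id', 'post_id', 'created'];
    $col = in_array($orderby, $allowed, true) ? $orderby : 'id';
    return $wpdb->get_results("SELECT id, post_id FROM {$wpdb->prefix}example_invoices ORDER BY {$col} ASC");
}

// The request handler. A prepared query stops the injection; it does not stop a subscriber
// from reading someone else's invoice, so nonce and authorization checks stay in place.
function example_ajax_invoice() {
    check_ajax_referer('example_invoice');
    $post_id = absint($_GET['pageId'] ?? 0);
    if (!$post_id || !current_user_can('read_post', $post_id)) {
        wp_send_json_error('forbidden', 403);
    }
    wp_send_json_success(example_get_invoice($post_id));
}
add_action('wp_ajax_example_invoice', 'example_ajax_invoice');
```

The three advisories differ only in the privilege needed to reach the query (subscriber, contributor, administrator), which is what moves the CVSS score; the fix is identical in each case.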