Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 3,046 entries (Critical 0, High 3,046, Medium 0). Showing 2521-2540 of 3046 records.
CVE-2023-0812 - Ldap Integration Plugin
Plugin: Ldap Integration | Severity: HIGH | CVSS 7.5 | 2023-05-15 | Entry updated 2025-01-24

The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.1 does not have proper authorization or nonce values for some POST requests, leading to unauthenticated data disclosure.
CVE-2023-1549 - Ad Inserter Plugin
Plugin: Ad Inserter | Severity: HIGH | CVSS 7.2 | 2023-05-15 | Entry updated 2025-01-24

The Ad Inserter WordPress plugin before 2.7.27 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2023-2114 - NEX-Forms Plugin
Plugin: NEX-Forms | Severity: HIGH | CVSS 7.2 | 2023-05-08 | Entry updated 2025-02-04

The NEX-Forms WordPress plugin before 8.4 does not properly escape the `table` parameter, which is populated with user input, before concatenating it to an SQL query.
CVE-2023-0768 - Hotels Online Booking Engine Plugin
Plugin: Hotels Online Booking Engine | Severity: HIGH | CVSS 8.8 | 2023-05-08 | Entry updated 2025-01-29

The Avirato hotels online booking engine WordPress plugin through 5.0.5 does not validate and escape some of its shortcode attributes before using them in SQL statements, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks.
CVE-2023-1408 - Video List Manager Plugin
Plugin: Video List Manager | Severity: HIGH | CVSS 7.2 | 2023-05-08 | Entry updated 2025-01-29

The Video List Manager WordPress plugin through 1.7 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
CVE-2023-1347 - Customizer Export/Import Plugin
Plugin: Customizer Export/Import | Severity: HIGH | CVSS 7.2 | 2023-05-08 | Entry updated 2025-02-04

The Customizer Export/Import WordPress plugin before 0.9.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2023-0603 - Sloth Logo Customizer Plugin
Plugin: Sloth Logo Customizer | Severity: HIGH | CVSS 8.8 | 2023-05-08 | Entry updated 2025-04-23

The Sloth Logo Customizer WordPress plugin through 2.0.2 does not have a CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
CVE-2023-1196 - Advanced Custom Fields Plugin
Plugin: Advanced Custom Fields | Severity: HIGH | CVSS 8.8 | 2023-05-02 | Entry updated 2025-01-30

The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above to perform PHP Object Injection when a suitable gadget is present.
CVE-2023-1809 - Download Manager Plugin
Plugin: Download Manager | Severity: HIGH | CVSS 7.5 | 2023-05-02 | Entry updated 2025-03-21

The Download Manager WordPress plugin before 6.3.0 leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files.
CVE-2023-1669 - SEOPress Plugin
Plugin: SEOPress | Severity: HIGH | CVSS 7.2 | 2023-05-02 | Entry updated 2025-01-30

The SEOPress WordPress plugin before 6.5.0.3 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
CVE-2023-0924 - Popup Plugin
Plugin: Popup | Severity: HIGH | CVSS 7.2 | 2023-05-02 | Entry updated 2025-01-30

The ZYREX POPUP WordPress plugin through 1.0 does not validate the type of files uploaded when creating a popup, allowing a high privileged user (such as an Administrator) to upload arbitrary files, even when modifying the file system is disallowed, such as in a multisite install.
CVE-2023-0388 - Random Text Plugin
Plugin: Random Text | Severity: HIGH | CVSS 8.8 | 2023-04-24 | Entry updated 2025-02-04

The Random Text WordPress plugin through 0.3.0 does not properly sanitize and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers.
CVE-2023-0765 - Gallery By Bestwebsoft Plugin
Plugin: Gallery By Bestwebsoft | Severity: HIGH | CVSS 8.8 | 2023-04-17 | Entry updated 2025-03-05

The Gallery by BestWebSoft WordPress plugin before 4.7.0 does not properly escape values used in SQL queries, leading to a Blind SQL Injection vulnerability. The attacker must have at least the privileges of an Author, and the vendor's Slider plugin (https://wordpress.org/plugins/slider-bws/) must also be installed for this vulnerability to be exploitable.
CVE-2023-0277 - Wc Fields Factory Plugin
Plugin: Wc Fields Factory | Severity: HIGH | CVSS 7.2 | 2023-04-17 | Entry updated 2025-02-06

The WC Fields Factory WordPress plugin through 4.1.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.
CVE-2023-1874 - Wp Data Access Plugin
Plugin: Wp Data Access | Severity: HIGH | CVSS 7.5 | 2023-04-12 | Entry updated 2024-11-21

The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wpda_role[]' parameter during a profile update. This requires the 'Enable role management' setting to be enabled for the site.
CVE-2023-1381 - WP Meta SEO Plugin
Plugin: WP Meta SEO | Severity: HIGH | CVSS 8.8 | 2023-04-10 | Entry updated 2025-02-11

The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading to a PHAR deserialization vulnerability. Furthermore, the plugin contains a gadget chain which may be used in certain configurations to achieve remote code execution.
CVE-2023-1406 - JetEngine Plugin
Plugin: JetEngine | Severity: HIGH | CVSS 8.8 | 2023-04-10 | Entry updated 2025-02-11

The JetEngine WordPress plugin before 3.1.3.1 includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability.
CVE-2023-1425 - Groundhogg Plugin
Plugin: Groundhogg | Severity: HIGH | CVSS 7.2 | 2023-04-10 | Entry updated 2025-02-11

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins.