Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,046 | Critical: 0 | High: 3,046 | Medium: 0
Showing 2561-2580 of 3046 records
Threat Entry Updated 2024-11-21

CVE-2023-1372 - Wh Testimonials Plugin

The WH Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters such as wh_homepage, wh_text_short and wh_text_full, in versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wh Testimonials

CVE-2023-1372

HIGH CVSS 7.2 2023-03-13
Threat Entry Updated 2026-04-08

CVE-2021-4331 - Plus Addons For Elementor Plugin

The Plus Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 4.1.9 (pro) and 2.0.6 (free). The plugin adds a registration form to the Elementor page builder's functionality. As part of the registration form, users can choose which role to set as the default for users upon registration. This field is not hidden for lower-level users, so any user with access to the Elementor page builder, such as contributors, can set the default role to administrator. Since contributors cannot publish posts,…

PLUGIN Plus Addons For Elementor

CVE-2021-4331

HIGH CVSS 8.8 2023-03-07
Threat Entry Updated 2026-04-08

CVE-2021-4330 - Envato Elements Plugin

The Envato Elements & Download and Template Kit – Import plugins for WordPress are vulnerable to arbitrary file uploads due to insufficient validation of file type upon extracting uploaded Zip files in the installFreeTemplateKit and uploadTemplateKitZipFile functions. This makes it possible for attackers with contributor-level permissions and above to upload arbitrary files and potentially gain remote code execution in versions up to and including 1.0.13 of Template Kit – Import and versions up to and including 2.0.10 of Envato Elements & Download.

PLUGIN Envato Elements

CVE-2021-4330

HIGH CVSS 8.8 2023-03-07
Threat Entry Updated 2024-11-21

CVE-2023-0084 - Metform Elementor Contact Form Builder Plugin

The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page.

PLUGIN Metform Elementor Contact Form Builder

CVE-2023-0084

HIGH CVSS 7.2 2023-03-02
Threat Entry Updated 2025-03-18

CVE-2023-0381 - Gigpress Plugin

The GigPress WordPress plugin through 2.3.28 does not validate and escape some of its shortcode attributes before using them in SQL statements, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks.

PLUGIN Gigpress

CVE-2023-0381

HIGH CVSS 8.8 2023-02-27
Threat Entry Updated 2025-03-10

CVE-2023-0487 - My Sticky Elements Plugin

The My Sticky Elements WordPress plugin before 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement when deleting messages, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN My Sticky Elements

CVE-2023-0487

HIGH CVSS 7.2 2023-02-27
Threat Entry Updated 2025-03-10

CVE-2023-0331 - Correos Oficial Plugin

The Correos Oficial WordPress plugin through 1.2.0.2 does not have an authorization check or user input validation when generating a file path, allowing unauthenticated attackers to download arbitrary files from the server.

PLUGIN Correos Oficial

CVE-2023-0331

HIGH CVSS 7.5 2023-02-27
Threat Entry Updated 2025-03-10

CVE-2023-0279 - Media Library Assistant Plugin

The Media Library Assistant WordPress plugin before 3.06 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN Media Library Assistant

CVE-2023-0279

HIGH CVSS 7.2 2023-02-27
Threat Entry Updated 2025-03-10

CVE-2023-0278 - GeoDirectory Plugin

The GeoDirectory WordPress plugin before 2.2.24 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN GeoDirectory

CVE-2023-0278

HIGH CVSS 7.2 2023-02-27
Threat Entry Updated 2024-11-21

CVE-2023-26325 - Reviewx Plugin

The 'rx_export_review' action in the ReviewX WordPress plugin is affected by an authenticated SQL injection vulnerability in the 'filterValue' and 'selectedColumns' parameters.

PLUGIN Reviewx

CVE-2023-26325

HIGH CVSS 8.8 2023-02-23
Threat Entry Updated 2024-11-21

CVE-2023-0895 - Wp Coder Plugin

The WP Coder – add custom html, css and js code plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in versions up to, and including, 2.5.3 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrative privileges to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.

PLUGIN Wp Coder

CVE-2023-0895

HIGH CVSS 7.2 2023-02-17
Threat Entry Updated 2024-11-21

CVE-2023-0263 - Wp Yelp Review Slider Plugin

The WP Yelp Review Slider WordPress plugin before 7.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

PLUGIN Wp Yelp Review Slider

CVE-2023-0263

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0262 - Wp Airbnb Review Slider Plugin

The WP Airbnb Review Slider WordPress plugin before 3.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

PLUGIN Wp Airbnb Review Slider

CVE-2023-0262

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0261 - Wp Tripadvisor Review Slider Plugin

The WP TripAdvisor Review Slider WordPress plugin before 10.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

PLUGIN Wp Tripadvisor Review Slider

CVE-2023-0261

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0260 - Wp Review Slider Plugin

The WP Review Slider WordPress plugin before 12.2 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

PLUGIN Wp Review Slider

CVE-2023-0260

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0259 - Wp Google Review Slider Plugin

The WP Google Review Slider WordPress plugin before 11.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as subscriber.

PLUGIN Wp Google Review Slider

CVE-2023-0259

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0255 - Enable Media Replace Plugin

The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.

PLUGIN Enable Media Replace

CVE-2023-0255

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0220 - Pinpoint Booking System Plugin

The Pinpoint Booking System WordPress plugin before 2.9.9.2.9 does not validate and escape one of its shortcode attributes before using it in a SQL statement, which could allow any authenticated user, such as a subscriber, to perform SQL Injection attacks.

PLUGIN Pinpoint Booking System

CVE-2023-0220

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0098 - Simple URLs Plugin

The Simple URLs WordPress plugin before 115 does not escape some parameters before using them in various SQL statements used by AJAX actions available to any authenticated user, leading to a SQL injection exploitable by low privilege users such as subscriber.

PLUGIN Simple URLs

CVE-2023-0098

HIGH CVSS 8.8 2023-02-13
Threat Entry Updated 2025-03-21

CVE-2023-0080 - Customer Reviews For Woocommerce Plugin

The Customer Reviews for WooCommerce WordPress plugin before 5.16.0 does not validate one of its shortcode attributes, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non-PHP files and retrieve their content. RCE could also be achieved if the attacker manages to upload a malicious image containing PHP code and then include it via the affected attribute; on a default WP install, authors could easily achieve that given that they have the upload_file…

PLUGIN Customer Reviews For Woocommerce

CVE-2023-0080

HIGH CVSS 8.8 2023-02-13