Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,046 records (Critical: 0, High: 3,046, Medium: 0)
Showing 2621-2640 of 3046 records
CVE-2022-3119 - OAuth Client Single Sign On Plugin
Plugin: OAuth Client Single Sign On | Severity: HIGH | CVSS 7.5 (2022-09-26) | Threat entry updated 2025-05-21

The OAuth Client Single Sign On WordPress plugin before 3.0.4 does not have authorisation and CSRF checks when updating its settings, which could allow unauthenticated attackers to update them and change the OAuth endpoints to ones they control, allowing them to then be authenticated as admin if they know the correct email address.
CVE-2022-3076 - CM Download Manager Plugin
Plugin: CM Download Manager | Severity: HIGH | CVSS 7.2 (2022-09-26) | Threat entry updated 2025-05-22

The CM Download Manager WordPress plugin before 2.8.6 allows high privilege users such as admin to upload arbitrary files by allowing any extension via the plugin's settings, which could be used by admins of a multisite blog to upload PHP files, for example.
CVE-2022-2987 - Ldap WP Login / Active Directory Integration Plugin
Plugin: Ldap WP Login / Active Directory Integration | Severity: HIGH | CVSS 7.5 (2022-09-26) | Threat entry updated 2025-05-22

The Ldap WP Login / Active Directory Integration WordPress plugin before 3.0.2 does not have any authorisation and CSRF checks when updating its settings (which are hooked to the init action), allowing unauthenticated attackers to update them. Attackers could set their own LDAP server to be used to authenticate users, therefore bypassing the current authentication.
CVE-2022-2903 - Ninja Forms Contact Form Plugin
Plugin: Ninja Forms Contact Form | Severity: HIGH | CVSS 7.2 (2022-09-26) | Threat entry updated 2025-05-21

The Ninja Forms Contact Form WordPress plugin before 3.6.13 unserialises the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
CVE-2022-2352 - Post SMTP Mailer/Email Log Plugin
Plugin: Post SMTP Mailer/Email Log | Severity: HIGH | CVSS 7.2 (2022-09-26) | Threat entry updated 2025-05-21

The Post SMTP Mailer/Email Log WordPress plugin before 2.1.7 does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations, for example.
CVE-2021-24890 - Scripts Organizer Plugin
Plugin: Scripts Organizer | Severity: HIGH | CVSS 8.8 (2022-09-26) | Threat entry updated 2025-05-21

The Scripts Organizer WordPress plugin before 3.0 does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file.
CVE-2022-3142 - NEX-Forms Plugin
Plugin: NEX-Forms | Severity: HIGH | CVSS 8.8 (2022-09-19) | Threat entry updated 2024-11-21

The NEX-Forms WordPress plugin before 7.9.7 does not properly sanitise and escape user input before using it in SQL statements, leading to SQL injections. The attack can be executed by anyone who is permitted to view the forms statistics chart, by default administrators, though this can be configured otherwise via the plugin settings.
CVE-2022-3141 - Translate Multilingual Sites Plugin
Plugin: Translate Multilingual Sites | Severity: HIGH | CVSS 8.8 (2022-09-19) | Threat entry updated 2024-11-21

The Translate Multilingual Sites WordPress plugin before 2.3.3 is vulnerable to an authenticated SQL injection. By adding a new language (via the settings page) containing specific special characters, the backticks in the SQL query can be bypassed and a time-based blind payload can be injected.
CVE-2022-2958 - BadgeOS Plugin
Plugin: BadgeOS | Severity: HIGH | CVSS 8.8 (2022-09-19) | Threat entry updated 2024-11-21

The BadgeOS WordPress plugin before 3.7.1.3 does not sanitise and escape parameters before using them in SQL statements via AJAX actions available to any authenticated user, leading to SQL injections.
CVE-2022-1194 - Mobile Events Manager Plugin
Plugin: Mobile Events Manager | Severity: HIGH | CVSS 8.8 (2022-09-16) | Threat entry updated 2024-11-21

The Mobile Events Manager WordPress plugin before 1.4.8 does not properly escape the Enquiry source field when exporting events, or the Paid for field when exporting transactions as CSV, leading to a CSV injection vulnerability.
CVE-2022-2798 - Affiliates Manager Plugin
Plugin: Affiliates Manager | Severity: HIGH | CVSS 8.0 (2022-09-16) | Threat entry updated 2024-11-21

The Affiliates Manager WordPress plugin before 2.9.14 does not validate and sanitise the affiliate data, which could allow users registering as affiliates to perform CSV injection attacks against an admin exporting the data.
CVE-2022-2542 - uContext for Clickbank Plugin
Plugin: uContext for Clickbank | Severity: HIGH | CVSS 8.8 (2022-09-06) | Threat entry updated 2025-05-05

The uContext for Clickbank plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including, 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-2541 - uContext for Amazon Plugin
Plugin: uContext for Amazon | Severity: HIGH | CVSS 8.8 (2022-09-06) | Threat entry updated 2025-05-05

The uContext for Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including, 3.9.1. This is due to missing nonce validation in the ~/app/sites/ajax/actions/keyword_save.php file that is called via the doAjax() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-2540 - Link Optimizer Lite Plugin
Plugin: Link Optimizer Lite | Severity: HIGH | CVSS 8.8 (2022-09-06) | Threat entry updated 2024-11-21

The Link Optimizer Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery to Cross-Site Scripting in versions up to, and including, 1.4.5. This is due to missing nonce validation on the admin_page function found in the ~/admin.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-2518 - Stockists Manager Plugin
Plugin: Stockists Manager for Woocommerce | Severity: HIGH | CVSS 8.8 (2022-09-06) | Threat entry updated 2025-05-05

The Stockists Manager for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2.1. This is due to missing nonce validation on the stockist_settings_main() function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.