
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2022-2240 - Request A Quote Plugin

The Request a Quote WordPress plugin through 2.3.7 does not validate uploaded CSV files, allowing unauthenticated users to attach a malicious CSV file to a quote, which could lead to a CSV injection once an admin downloads and opens it.

PLUGIN Request A Quote

CVE-2022-2240

HIGH CVSS 8.8 2022-07-25
Threat Entry Updated 2024-11-21

CVE-2022-1539 - Exports And Reports Plugin

The Exports and Reports WordPress plugin before 0.9.2 does not sanitize and validate data when generating the CSV to export, which could lead to a CSV injection, by the use of Microsoft Excel DDE function, or to leak data via maliciously injected hyperlinks.

PLUGIN Exports And Reports

CVE-2022-1539

HIGH CVSS 8.8 2022-07-25
Threat Entry Updated 2024-11-21

CVE-2022-2219 - Before 2 Plugin

The Unyson WordPress plugin before 2.7.27 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting.

PLUGIN Before 2

CVE-2022-2219

HIGH CVSS 7.2 2022-07-25
Threat Entry Updated 2025-05-05

CVE-2022-2444 - Visualizer Plugin

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to deserialization of untrusted input via the 'remote_data' parameter in versions up to, and including 3.7.9. This makes it possible for authenticated attackers with contributor privileges and above to call files using a PHAR wrapper that will deserialize the data and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the…

PLUGIN Visualizer

CVE-2022-2444

HIGH CVSS 8.8 2022-07-18
Threat Entry Updated 2024-11-21

CVE-2022-2443 - Freemind Wp Browser Plugin

The FreeMind WP Browser plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.2. This is due to missing nonce protection on the FreemindOptions() function found in the ~/freemind-wp-browser.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.

PLUGIN Freemind Wp Browser

CVE-2022-2443

HIGH CVSS 8.8 2022-07-18
Threat Entry Updated 2025-05-05

CVE-2022-2435 - Anymind Widget Plugin

The AnyMind Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.1. This is due to missing nonce protection on the createDOMStructure() function found in the ~/anymind-widget-id.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site’s administrator into performing an action such as clicking on a link.

PLUGIN Anymind Widget

CVE-2022-2435

HIGH CVSS 8.8 2022-07-18
Threat Entry Updated 2024-11-21

CVE-2022-2039 - Free Live Chat Support Plugin

The Free Live Chat Support plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.0.11. This is due to missing nonce protection on the livesupporti_settings() function found in the ~/livesupporti.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.

PLUGIN Free Live Chat Support

CVE-2022-2039

HIGH CVSS 8.8 2022-07-18
Threat Entry Updated 2025-05-05

CVE-2022-2001 - Dx Share Selection Plugin

The DX Share Selection plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.4. This is due to missing nonce protection on the dxss_admin_page() function found in the ~/dx-share-selection.php file. This makes it possible for unauthenticated attackers to inject malicious web scripts into the page, granted they can trick a site's administrator into performing an action such as clicking on a link.

PLUGIN Dx Share Selection

CVE-2022-2001

HIGH CVSS 8.8 2022-07-18
Threat Entry Updated 2025-05-05

CVE-2022-1912 - Button Widget Smartsoft Plugin

The Button Widget Smartsoft plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.1. This is due to missing nonce validation on the smartsoftbutton_settings page. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Button Widget Smartsoft

CVE-2022-1912

HIGH CVSS 8.8 2022-07-18
Threat Entry Updated 2024-11-21

CVE-2022-1672 - Insights From Google Pagespeed Plugin

The Insights from Google PageSpeed WordPress plugin before 4.0.7 does not check for CSRF before performing various actions such as deleting Custom URLs, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks.

PLUGIN Insights From Google Pagespeed

CVE-2022-1672

HIGH CVSS 8.8 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2021-24655 - Wp User Manager Plugin

The WP User Manager WordPress plugin before 2.6.3 does not ensure that the user ID to reset the password of is related to the reset key given. As a result, any authenticated user can reset the password (to an arbitrary value) of any user knowing only their ID, and gain access to their account.

PLUGIN Wp User Manager

CVE-2021-24655

HIGH CVSS 7.5 2022-07-17
Threat Entry Updated 2024-11-21

CVE-2022-2268 - Import Any Xml Or Csv File To Plugin

The Import any XML or CSV File to WordPress plugin before 3.6.8 accepts all zip files and automatically extracts the zip file without validating the extracted file type, allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE.

PLUGIN Import Any Xml Or Csv File To

CVE-2022-2268

HIGH CVSS 7.2 2022-07-04
Threat Entry Updated 2024-11-21

CVE-2022-1903 - Before 3 Plugin

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover (even of the administrator) due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username.

PLUGIN Before 3

CVE-2022-1903

HIGH CVSS 8.1 2022-06-27
Threat Entry Updated 2024-11-21

CVE-2022-1977 - Before 6 Plugin

The Import Export All WordPress Images, Users & Post Types WordPress plugin before 6.5.3 does not fully validate the file to be imported via a URL before making an HTTP request to it, which could allow high privilege users such as admin to perform Blind SSRF attacks.

PLUGIN Before 6

CVE-2022-1977

HIGH CVSS 7.2 2022-06-27
Threat Entry Updated 2024-11-21

CVE-2022-1572 - Html2wp Plugin

The HTML2WP WordPress plugin through 1.0.0 does not have authorisation and CSRF checks in an AJAX action, available to any authenticated user such as a subscriber, which could allow them to delete arbitrary files.

PLUGIN Html2wp

CVE-2022-1572

HIGH CVSS 8.1 2022-06-27
Threat Entry Updated 2024-11-21

CVE-2022-1939 - Allow Svg Files Plugin

The Allow svg files WordPress plugin before 1.1 does not properly validate uploaded files, which could allow high privilege users such as admin to upload PHP files even when they are not allowed to.

PLUGIN Allow Svg Files

CVE-2022-1939

HIGH CVSS 7.2 2022-06-20