Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
CVE-2021-25108 - IP2Location Country Blocker Plugin

The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have a CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged-in admin block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.

PLUGIN IP2Location Country Blocker | HIGH | CVSS 7.1 | 2022-02-07 | Threat Entry Updated 2024-11-21
CVE-2021-25095 - IP2Location Country Blocker Plugin

The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated user, such as a subscriber, to call it and block an arbitrary country, or block all of them at once, preventing users from accessing the frontend.

PLUGIN IP2Location Country Blocker | HIGH | CVSS 7.1 | 2022-02-07 | Threat Entry Updated 2024-11-21
CVE-2021-24879 - SupportCandy Plugin

The SupportCandy WordPress plugin before 2.2.7 does not have a CSRF check in the wpsc_tickets AJAX action, nor any sanitisation or escaping of some of the filter fields, which could allow attackers to make a logged-in user with access to the ticket list dashboard set an arbitrary filter (stored in their cookies) containing an XSS payload.

PLUGIN SupportCandy | HIGH | CVSS 8.8 | 2022-02-07 | Threat Entry Updated 2024-11-21
CVE-2021-24839 - SupportCandy Plugin

The SupportCandy WordPress plugin before 2.2.5 does not have authorisation and CSRF checks in its wpsc_tickets AJAX action, which could allow unauthenticated users to call it and delete arbitrary tickets via the set_delete_permanently_bulk_ticket setting_action. Other actions may be affected as well.

PLUGIN SupportCandy | HIGH | CVSS 7.5 | 2022-02-07 | Threat Entry Updated 2024-11-21
CVE-2022-0218 - WP HTML Mail Plugin

The WP HTML Mail WordPress plugin is vulnerable to unauthorized access which allows unauthenticated attackers to retrieve and modify theme settings due to a missing capability check on the /themesettings REST-API endpoint found in the ~/includes/class-template-designer.php file, in versions up to and including 3.0.9. This makes it possible for attackers with no privileges to execute the endpoint and add malicious JavaScript to a vulnerable WordPress site.

PLUGIN WP HTML Mail | HIGH | CVSS 8.3 | 2022-02-04 | Threat Entry Updated 2024-11-21
CVE-2021-25093 - Link Library Plugin

The Link Library WordPress plugin before 7.2.8 does not have authorisation in place when deleting links, allowing unauthenticated users to delete arbitrary links via a crafted request.

PLUGIN Link Library | HIGH | CVSS 7.5 | 2022-02-01 | Threat Entry Updated 2024-11-21
CVE-2021-24919 - Wicked Folders Plugin

The Wicked Folders WordPress plugin before 2.8.10 does not sanitise and escape the folder_id parameter before using it in a SQL statement in the wicked_folders_save_sort_order AJAX action, which is available to any authenticated user, leading to an SQL injection.

PLUGIN Wicked Folders | HIGH | CVSS 8.8 | 2022-02-01 | Threat Entry Updated 2024-11-21
CVE-2021-24763 - Perfect Survey Plugin

The Perfect Survey WordPress plugin before 1.5.2 does not have proper authorisation nor CSRF checks in the save_global_setting AJAX action, allowing unauthenticated users to edit surveys and modify settings. Given the lack of sanitisation and escaping in the settings, this could also lead to a Stored Cross-Site Scripting issue which will be executed in the context of a user viewing any survey.

PLUGIN Perfect Survey | HIGH | CVSS 8.8 | 2022-02-01 | Threat Entry Updated 2024-11-21
CVE-2021-25076 - WP User Frontend Plugin

The WP User Frontend WordPress plugin before 3.5.26 does not validate and escape the status parameter before using it in a SQL statement in the Subscribers dashboard, leading to an SQL injection. Due to the lack of sanitisation and escaping, this could also lead to Reflected Cross-Site Scripting.

PLUGIN WP User Frontend | HIGH | CVSS 8.8 | 2022-01-24 | Threat Entry Updated 2024-11-21
CVE-2021-25073 - WP125 Plugin

The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in various actions, for example when deleting an ad, allowing attackers to make a logged-in admin delete ads via a CSRF attack.

PLUGIN WP125 | HIGH | CVSS 8.8 | 2022-01-24 | Threat Entry Updated 2024-11-21
CVE-2021-25045 - Asgaros Forum Plugin

The Asgaros Forum WordPress plugin before 1.15.15 does not validate or escape the forum_id parameter before using it in a SQL statement when editing a forum, leading to an SQL injection issue.

PLUGIN Asgaros Forum | HIGH | CVSS 7.2 | 2022-01-24 | Threat Entry Updated 2024-11-21
CVE-2021-24696 - Simple Download Monitor Plugin

The Simple Download Monitor WordPress plugin before 3.9.9 does not enforce nonce checks, which could allow attackers to perform CSRF attacks to 1) make admins export logs to exploit a separate log disclosure vulnerability (fixed in 3.9.6), 2) delete logs (fixed in 3.9.9), 3) remove the thumbnail image from downloads.

PLUGIN Simple Download Monitor | HIGH | CVSS 8.8 | 2022-01-24 | Threat Entry Updated 2024-11-21
CVE-2021-24936 - WP Extra File Types Plugin

The WP Extra File Types WordPress plugin before 0.5.1 does not have a CSRF check when saving its settings, nor sanitise and escape some of them, which could allow attackers to make a logged-in admin change them and perform Cross-Site Scripting attacks.

PLUGIN WP Extra File Types | HIGH | CVSS 8.0 | 2022-01-24 | Threat Entry Updated 2024-11-21
CVE-2021-24906 - Protect WP Admin Plugin

The Protect WP Admin WordPress plugin before 3.6.2 does not check for authorisation in the lib/pwa-deactivate.php file, which could allow unauthenticated users to disable the plugin (and therefore the protection offered) via a crafted request.

PLUGIN Protect WP Admin | HIGH | CVSS 7.5 | 2022-01-24 | Threat Entry Updated 2024-11-21
CVE-2021-24865 - Advanced Custom Fields: Extended Plugin

The Advanced Custom Fields: Extended WordPress plugin before 0.8.8.7 does not validate the order and orderby parameters before using them in a SQL statement, leading to a SQL Injection issue.

PLUGIN Advanced Custom Fields: Extended | HIGH | CVSS 7.2 | 2022-01-24 | Threat Entry Updated 2024-11-21
CVE-2021-24858 - Cookie Notification Plugin

The Cookie Notification Plugin for WordPress plugin before 1.0.9 does not sanitise or escape the id GET parameter before using it in a SQL statement, when retrieving the setting to edit in the admin dashboard, leading to an authenticated SQL Injection.

PLUGIN Cookie Notification | HIGH | CVSS 7.2 | 2022-01-24 | Threat Entry Updated 2024-11-21
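The SQL injection entries above (Wicked Folders, WP User Frontend, Asgaros Forum, Advanced Custom Fields: Extended, Cookie Notification) share one shape: a request parameter is used either as a value (an id, a status) or as an ORDER BY identifier without validation, and in one case the same parameter is reflected back unescaped. The following is an added illustration of that pattern and its fix; it is not code from this page or from any of the plugins listed. The function names, the `vuln_`/`hardened_` prefixes and the table names are hypothetical, and the block assumes the WordPress runtime (`$wpdb`, `absint`, `sanitize_key`, `esc_html`).

```php
<?php
/*
 * Added illustration, not taken from any plugin listed on this page.
 * Hypothetical plugin code; assumes the WordPress runtime (global $wpdb,
 * absint(), sanitize_key(), esc_html()).
 */

/* ---- Vulnerable shape ----------------------------------------------------- */

// id, status, orderby and order are interpolated straight into the statement.
// ?id=1 OR 1=1 widens the WHERE clause; ?orderby=(SELECT ...) runs a subquery.
// Echoing $status back unescaped adds the reflected XSS that sits next to the
// injection in one of the entries above.
function vuln_list_items( $id, $orderby, $order, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'vuln_items';   // hypothetical table
    $rows  = $wpdb->get_results(
        "SELECT * FROM {$table} WHERE id = {$id} AND status = '{$status}' ORDER BY {$orderby} {$order}"
    );
    echo '<p>Status: ' . $status . '</p>';    // reflected XSS
    return $rows;
}

/* ---- Hardened shape -------------------------------------------------------- */

function hardened_list_items( $id, $orderby, $order, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hardened_items';   // hypothetical table

    // Values: bind through $wpdb->prepare(). %d coerces to an integer, %s is quoted
    // and escaped. prepare() treats the SQL as a format string, so a literal % in
    // the query (e.g. in a LIKE pattern) has to be written as %%.
    $id     = absint( $id );
    $status = sanitize_key( $status );

    // Identifiers and keywords cannot be bound as values; map them through an
    // allow-list instead and fall back to a safe default. (WordPress 6.2+ also has
    // the %i placeholder for identifiers, which does the quoting for you.)
    $columns = array( 'id' => 'id', 'created' => 'created_at', 'title' => 'title' );
    $orderby = isset( $columns[ $orderby ] ) ? $columns[ $orderby ] : 'id';
    $order   = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';

    $sql  = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id = %d AND status = %s ORDER BY {$orderby} {$order}",
        $id,
        $status
    );
    $rows = $wpdb->get_results( $sql );

    // Escape at the point of output; sanitising on input is not a substitute.
    echo '<p>Status: ' . esc_html( $status ) . '</p>';
    return $rows;
}
```

The split between the two halves of the hardened function is the point to remember when auditing `orderby`/`order` handling: `prepare()` only protects value positions, so an `ORDER BY` column that arrives from the request is still an injection unless it is matched against a fixed list (or, on WordPress 6.2 and later, bound with `%i`).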
CVE-2022-0215 - Side Cart Woocommerce Plugin

The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions

PLUGIN Side Cart Woocommerce | HIGH | CVSS 8.8 | 2022-01-18 | Threat Entry Updated 2024-11-21
CVE-2022-0236 - WP Import Export Plugin

The WP Import Export WordPress plugin (both free and premium versions) is vulnerable to unauthenticated sensitive data disclosure due to a missing capability check on the download function wpie_process_file_download found in the ~/includes/classes/class-wpie-general.php file. This made it possible for unauthenticated attackers to download any imported or exported information from a vulnerable site which can contain sensitive information like user data. This affects versions up to, and including, 3.9.15.

PLUGIN WP Import Export | HIGH | CVSS 7.5 | 2022-01-18 | Threat Entry Updated 2024-11-21
CVE-2021-43353 - Crisp Live Chat Plugin

The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the crisp_plugin_settings_page function found in the ~/crisp.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 0.31.

PLUGIN Crisp Live Chat | HIGH | CVSS 8.8 | 2022-01-18 | Threat Entry Updated 2025-02-14
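Most of the remaining entries on this page are one defect seen from different angles: an admin-ajax.php action (or a REST route) that performs a privileged write with no nonce check, no capability check, or neither, and in the worst cases is also hooked for unauthenticated callers. The block below is an added illustration of that pattern and its fix, written for this page; it is not code from any of the plugins listed above. The action names, option names, script handle and REST namespace (`vuln_save_rules`, `hardened_save_rules`, `hardened/v1`, ...) are hypothetical, and the block assumes the WordPress runtime (`add_action`, `check_ajax_referer`, `current_user_can`, `register_rest_route`, ...).

```php
<?php
/*
 * Added illustration, not taken from any plugin listed on this page.
 * Hypothetical plugin code; assumes the WordPress runtime.
 */

/* ---- Vulnerable shape ----------------------------------------------------- */

// Registered on both hooks, so admin-ajax.php?action=vuln_save_rules is reachable
// with no session at all (the "unauthenticated users can call it" entries).
// No nonce check: a logged-in admin can be made to fire it from a third-party
// page (the CSRF entries). No capability check: a subscriber can call it directly
// (the "any authenticated user, such as a subscriber" entries).
function vuln_save_rules() {
    $rules = isset( $_POST['rules'] ) ? (array) wp_unslash( $_POST['rules'] ) : array();
    update_option( 'vuln_blocked_countries', $rules );   // attacker-controlled value stored as-is
    wp_send_json_success();
}
add_action( 'wp_ajax_vuln_save_rules', 'vuln_save_rules' );
add_action( 'wp_ajax_nopriv_vuln_save_rules', 'vuln_save_rules' );

/* ---- Hardened shape -------------------------------------------------------- */

function hardened_save_rules() {
    // 1. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'hardened_save_rules', '_ajax_nonce' );

    // 2. Authorisation: a nonce shows the request came from our own page, not that the
    //    caller may perform the action; a subscriber can obtain a nonce too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input: accept only what the feature needs (here ISO 3166-1 alpha-2 codes).
    $raw   = isset( $_POST['rules'] ) ? (array) wp_unslash( $_POST['rules'] ) : array();
    $rules = array_values( array_filter(
        array_map( 'sanitize_text_field', $raw ),
        function ( $code ) { return 1 === preg_match( '/^[A-Z]{2}$/', $code ); }
    ) );

    update_option( 'hardened_blocked_countries', $rules );
    wp_send_json_success( $rules );
}
// Authenticated hook only. With no nopriv variant registered, anonymous callers of
// this action receive WordPress' default "0" reply instead of reaching the handler.
add_action( 'wp_ajax_hardened_save_rules', 'hardened_save_rules' );

// The nonce is generated server-side and handed to the admin script, which posts it
// back as _ajax_nonce. Assumes a script with handle 'hardened-admin' is registered.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'hardened-admin', 'hardenedAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hardened_save_rules' ),
    ) );
} );

/* ---- Same defect on a REST route ------------------------------------------- */

// permission_callback is the REST layer's authorisation hook. Passing '__return_true'
// makes the route public, which is the shape behind the "missing capability check on
// a REST endpoint" entries; the closure below is the fix. Cookie-authenticated callers
// must also send the core 'wp_rest' nonce in the X-WP-Nonce header, otherwise
// WordPress treats them as logged out and the permission check fails as intended.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hardened/v1', '/themesettings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            $settings = (array) $req->get_json_params();
            // Sanitise on the way in; anything later rendered into HTML still has to
            // go through esc_html()/esc_attr()/wp_kses() at the point of output.
            update_option( 'hardened_theme_settings', array_map( 'sanitize_text_field', $settings ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this class of bug, check the three things in the order the hardened handler does: which hooks the action is registered on (`wp_ajax_nopriv_*` means the handler runs for anonymous requests), whether a nonce is verified before any side effect, and whether a capability is checked independently of the nonce. Any one of them missing corresponds to one of the entries above.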