Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 2821-2840 of 3046 records
Threat Entry Updated 2024-11-21

CVE-2021-25036 - All In One Seo Plugin

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

PLUGIN All In One Seo

CVE-2021-25036

HIGH CVSS 8.8 2022-01-17
Threat Entry Updated 2024-11-21

CVE-2021-25054 - Wpcalc Plugin

The WPcalc WordPress plugin through 2.1 does not sanitize user input into the 'did' parameter and uses it in a SQL statement, leading to an authenticated SQL Injection vulnerability.

PLUGIN Wpcalc

CVE-2021-25054

HIGH CVSS 8.8 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-25053 - Before 2 Plugin

The WP Coder WordPress plugin before 2.5.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF-to-RCE.

PLUGIN Before 2

CVE-2021-25053

HIGH CVSS 8.8 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-25052 - Button Generator Plugin

The Button Generator WordPress plugin before 2.3.3, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF-to-RCE.

PLUGIN Button Generator

CVE-2021-25052

HIGH CVSS 8.8 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-25051 - Before 5 Plugin

The Modal Window WordPress plugin before 5.2.2, within the wow-company admin menu page, allows include() of an arbitrary file with a PHP extension (as well as via the data:// or http:// protocols), thus leading to CSRF-to-RCE.

PLUGIN Before 5

CVE-2021-25051

HIGH CVSS 8.8 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-24948 - Plus Addons For Elementor Pro Plugin

The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not validate the qvquery parameter of the tp_get_dl_post_info_ajax AJAX action, which could allow unauthenticated users to retrieve sensitive information, such as private and draft posts.

PLUGIN Plus Addons For Elementor Pro

CVE-2021-24948

HIGH CVSS 7.5 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2021-24862 - Before 5 Plugin

The RegistrationMagic WordPress plugin before 5.0.1.6 does not escape user input in its rm_chronos_ajax AJAX action before using it in a SQL statement when duplicating tasks in batches, which could lead to a SQL injection issue.

PLUGIN Before 5

CVE-2021-24862

HIGH CVSS 7.2 2022-01-10
Threat Entry Updated 2024-11-21

CVE-2022-21662 - WordPress Core

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (such as authors) in WordPress core are able to execute JavaScript / perform a stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

CORE WordPress Core

CVE-2022-21662

HIGH CVSS 8.0 2022-01-06
Threat Entry Updated 2024-11-21

CVE-2022-21664 - WordPress Core

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to a lack of proper sanitization in one of the classes, there is potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 4.1.34. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

CORE WordPress Core

CVE-2022-21664

HIGH CVSS 7.4 2022-01-06
Threat Entry Updated 2025-08-19

CVE-2022-21661 - WordPress Core

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security releases going back to 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

CORE WordPress Core

CVE-2022-21661

HIGH CVSS 8.0 2022-01-06
Threat Entry Updated 2024-11-21

CVE-2021-25030 - Events Made Easy Plugin

The Events Made Easy WordPress plugin before 2.2.36 does not sanitise and escape the search_text parameter before using it in a SQL statement via the eme_searchmail AJAX action, which is available to any authenticated user. As a result, users with a role as low as subscriber can call it and perform SQL injection attacks.

PLUGIN Events Made Easy

CVE-2021-25030

HIGH CVSS 8.8 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-25023 - Pagespeed Optimization Suite Plugin

The Speed Booster Pack ⚡ PageSpeed Optimization Suite WordPress plugin before 4.3.3.1 does not escape the sbp_convert_table_name parameter before using it in a SQL statement to convert the related table, leading to an SQL injection.

PLUGIN Pagespeed Optimization Suite

CVE-2021-25023

HIGH CVSS 7.2 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24893 - Stars Rating Plugin

The Stars Rating WordPress plugin before 3.5.1 does not validate the submitted rating, allowing submission of a long integer, which causes a Denial of Service in the comments section or in the pending-comments dashboard, depending on whether the user submitted it unauthenticated or authenticated.

PLUGIN Stars Rating

CVE-2021-24893

HIGH CVSS 7.5 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24831 - All Ajax Actions Of The Tab Plugin

All AJAX actions of the Tab WordPress plugin before 1.3.2 are available to both unauthenticated and authenticated users, allowing unauthenticated attackers to modify various data in the plugin, such as add/edit/delete arbitrary tabs.

PLUGIN All Ajax Actions Of The Tab

CVE-2021-24831

HIGH CVSS 7.5 2022-01-03
Threat Entry Updated 2025-05-22

CVE-2021-24786 - Download Monitor Plugin

The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue.

PLUGIN Download Monitor

CVE-2021-24786

HIGH CVSS 7.2 2022-01-03
Threat Entry Updated 2024-11-21

CVE-2021-24998 - Before 3 Plugin

The Simple JWT Login WordPress plugin before 3.3.0 can be used to create new WordPress user accounts with a randomly generated password. The password is generated using the str_shuffle PHP function that "does not generate cryptographically secure values, and should not be used for cryptographic purposes" according to PHP's documentation.

PLUGIN Before 3

CVE-2021-24998

HIGH CVSS 7.5 2021-12-27
Threat Entry Updated 2024-11-21

CVE-2021-24753 - Before 1 Plugin

The Rich Reviews by Starfish WordPress plugin before 1.9.6 does not properly validate the orderby GET parameter of the pending reviews page before using it in a SQL statement, leading to an authenticated SQL injection issue.

PLUGIN Before 1

CVE-2021-24753

HIGH CVSS 7.2 2021-12-27
Threat Entry Updated 2024-11-21

CVE-2021-24846 - Function Of The Ni Woocommerce Custom Order Status Plugin

The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action (available to all authenticated users), does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user, such as a subscriber.

PLUGIN Function Of The Ni Woocommerce Custom Order Status

CVE-2021-24846

HIGH CVSS 8.8 2021-12-21
Threat Entry Updated 2024-11-21

CVE-2021-24981 - Before 7 Plugin

The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cross-Site Request Forgery to Remote File Upload leading to arbitrary PHP shell uploads in the wp-content/plugins directory.

PLUGIN Before 7

CVE-2021-24981

HIGH CVSS 7.5 2021-12-21
Threat Entry Updated 2026-03-06

CVE-2021-24750 - Before 4 Plugin

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl parameter in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.

PLUGIN Before 4

CVE-2021-24750

HIGH CVSS 8.8 2021-12-21