Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing records 2841-2860 of 3,047 (filtered to High severity).

CVE-2021-24750 - WP Visitor Statistics (Real Time Traffic) Plugin
Plugin | HIGH | CVSS 8.8 | 2021-12-21 | Threat entry updated 2026-03-06

The WP Visitor Statistics (Real Time Traffic) WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks.

CVE-2021-24739 - Logo Carousel Plugin
Plugin | HIGH | CVSS 8.1 | 2021-12-21 | Threat entry updated 2024-11-21

The Logo Carousel WordPress plugin before 3.4.2 allows users with a role as low as Contributor to duplicate and view arbitrary private posts made by other users via the Carousel Duplication feature.

CVE-2021-24848 - Mediamatic Plugin
Plugin | HIGH | CVSS 8.8 | 2021-12-13 | Threat entry updated 2024-11-21

The mediamaticAjaxRenameCategory AJAX action of the Mediamatic WordPress plugin before 2.8.1, available to any authenticated user, does not sanitise the categoryID parameter before using it in a SQL statement, leading to an SQL injection.

CVE-2021-24945 - Like Button Rating ♥ LikeBtn Plugin
Plugin | HIGH | CVSS 8.0 | 2021-12-13 | Threat entry updated 2024-11-21

The Like Button Rating ♥ LikeBtn WordPress plugin before 2.6.38 does not have any authorisation and CSRF checks in the likebtn_export_votes AJAX action, which could allow any authenticated user, such as subscriber, to get a list of email and IP addresses of people who liked content from the blog.

CVE-2021-24970 - All-in-One Video Gallery Plugin
Plugin | HIGH | CVSS 7.2 | 2021-12-13 | Threat entry updated 2024-11-21

The All-in-One Video Gallery WordPress plugin before 2.5.0 does not sanitise and validate the tab parameter before using it in a require statement in the admin dashboard, leading to a Local File Inclusion issue.

CVE-2021-24861 - Quotes Collection Plugin
Plugin | HIGH | CVSS 7.2 | 2021-12-13 | Threat entry updated 2024-11-21

The Quotes Collection WordPress plugin through 2.5.2 does not validate and escape the bulkcheck parameter before using it in a SQL statement, leading to a SQL injection.

CVE-2021-24747 - SEO Booster Plugin
Plugin | HIGH | CVSS 7.2 | 2021-12-13 | Threat entry updated 2024-11-21

The SEO Booster WordPress plugin before 3.8 allows for authenticated SQL injection via the "fn_my_ajaxified_dataloader_ajax" AJAX request, as the $_REQUEST['order'][0]['dir'] parameter is not properly escaped, leading to blind and error-based SQL injections.

CVE-2021-24914 - Tawk.To Live Chat Plugin
Plugin | HIGH | CVSS 8.0 | 2021-12-06 | Threat entry updated 2024-11-21

The Tawk.To Live Chat WordPress plugin before 0.6.0 does not have capability and CSRF checks in the tawkto_setwidget and tawkto_removewidget AJAX actions, available to any authenticated user. The first one allows low-privileged users (including simple subscribers) to change the 'tawkto-embed-widget-page-id' and 'tawkto-embed-widget-widget-id' parameters. Any authenticated user can thus link the vulnerable website to their own Tawk.to instance. Consequently, they will be able to monitor the vulnerable website and interact with its visitors (receive contact messages, answer, ...). They will also be able to display an arbitrary Knowledge Base. The second…

CVE-2021-24917 - WPS Hide Login Plugin
Plugin | HIGH | CVSS 7.5 | 2021-12-06 | Threat entry updated 2024-11-21

The WPS Hide Login WordPress plugin before 1.9.1 has a bug which allows an unauthenticated user to obtain the secret login page by setting a random referer string and making a request to /wp-admin/options.php.

CVE-2021-42364 - Stetic Plugin
Plugin | HIGH | CVSS 8.8 | 2021-11-29 | Threat entry updated 2024-11-21

The Stetic WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the stats_page function found in the ~/stetic.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including, 1.0.6.

CVE-2021-42358 - Contact Form With Captcha Plugin
Plugin | HIGH | CVSS 8.8 | 2021-11-29 | Threat entry updated 2024-11-21

The Contact Form With Captcha WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ~/cfwc-form.php file during contact form submission, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including, 1.6.2.

CVE-2021-24755 - myCred Plugin
Plugin | HIGH | CVSS 8.8 | 2021-11-29 | Threat entry updated 2025-10-17

The myCred WordPress plugin before 2.3 does not validate or escape the fields parameter before using it in a SQL statement, leading to an SQL injection exploitable by any authenticated user.

CVE-2021-24748 - Email Before Download Plugin
Plugin | HIGH | CVSS 8.8 | 2021-11-29 | Threat entry updated 2024-11-21

The Email Before Download WordPress plugin before 6.8 does not properly validate and escape the order and orderby GET parameters before using them in SQL statements, leading to authenticated SQL injection issues.

CVE-2021-24860 - BSK PDF Manager Plugin
Plugin | HIGH | CVSS 7.2 | 2021-11-29 | Threat entry updated 2024-11-21

The BSK PDF Manager WordPress plugin before 3.1.2 does not validate and escape the orderby and order parameters before using them in a SQL statement, leading to a SQL injection issue.

CVE-2021-44223 - WordPress Core
Core | HIGH | CVSS 8.1 | 2021-11-25 | Threat entry updated 2024-11-21

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

CVE-2021-20846 - Push Notifications for WordPress (Lite) Plugin
Plugin | HIGH | CVSS 8.8 | 2021-11-24 | Threat entry updated 2024-11-21

Cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite) versions prior to 6.0.1 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page.

CVE-2021-24892 - Advanced Forms Plugin
Plugin | HIGH | CVSS 8.8 | 2021-11-23 | Threat entry updated 2024-11-21

An Insecure Direct Object Reference in the edit function of Advanced Forms (Free & Pro) before 1.6.9 allows an authenticated remote attacker to change an arbitrary user's email address and request a password reset, which could lead to takeover of the WordPress administrator account. To exploit this vulnerability, an attacker must register to obtain a valid WordPress user and use that user to authenticate with WordPress in order to reach the vulnerable edit function.