
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2021-24877 - Mainwp Child Plugin

The MainWP Child WordPress plugin before 4.1.8 does not validate the orderby and order parameters before using them in a SQL statement, leading to an SQL injection exploitable by high privilege users such as admin when the Backup and Staging by WP Time Capsule plugin is installed.

PLUGIN Mainwp Child

CVE-2021-24877

HIGH CVSS 7.2 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-24641 - Images To Webp Plugin

The Images to WebP WordPress plugin before 1.9 does not have CSRF checks in place when performing some administrative actions, which could result in modification of plugin settings, Denial-of-Service, as well as arbitrary image conversion.

PLUGIN Images To Webp

CVE-2021-24641

HIGH CVSS 8.1 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-24644 - Images To Webp Plugin

The Images to WebP WordPress plugin before 1.9 does not validate or sanitise the tab parameter before passing it to the include() function, which could lead to a Local File Inclusion issue.

PLUGIN Images To Webp

CVE-2021-24644

HIGH CVSS 7.5 2021-11-23
Threat Entry Updated 2024-11-21

CVE-2021-39353 - Easy Registration Forms Plugin

The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajax_add_form function found in the ~/includes/class-form.php file which made it possible for attackers to inject arbitrary web scripts in versions up to, and including 2.1.1.

PLUGIN Easy Registration Forms

CVE-2021-39353

HIGH CVSS 8.8 2021-11-19
Threat Entry Updated 2024-11-21

CVE-2021-42362 - Wordpress Popular Posts Plugin

The WordPress Popular Posts WordPress plugin is vulnerable to arbitrary file uploads due to insufficient input file type validation found in the ~/src/Image.php file which makes it possible for attackers with contributor level access and above to upload malicious files that can be used to obtain remote code execution, in versions up to and including 5.3.2.

PLUGIN Wordpress Popular Posts

CVE-2021-42362

HIGH CVSS 8.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-42360 - Starter Templates Plugin

On sites that also had the Elementor plugin for WordPress installed, it was possible for users with the edit_posts capability, which includes Contributor-level users, to import blocks onto any page using the astra-page-elementor-batch-process AJAX action. An attacker could craft and host a block containing malicious JavaScript on a server they controlled, and then use it to overwrite any post or page by sending an AJAX request with the action set to astra-page-elementor-batch-process and the url parameter pointed to their remotely-hosted malicious block, as well as an id parameter containing the…

PLUGIN Starter Templates

CVE-2021-42360

HIGH CVSS 7.6 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24847 - 301 Redirect Manager Plugin

The importFromRedirection AJAX action of the SEO Redirection Plugin – 301 Redirect Manager WordPress plugin before 8.2, available to any authenticated user, does not properly sanitise the offset parameter before using it in a SQL statement, leading to an SQL injection when the redirection plugin is also installed.

PLUGIN 301 Redirect Manager

CVE-2021-24847

HIGH CVSS 8.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24804 - Simple Jwt Login Plugin

The Simple JWT Login WordPress plugin before 3.2.1 does not have nonce checks when saving its settings, allowing attackers to make a logged-in admin change them. Settings such as the HMAC verification secret, account registration and default user roles can be updated, which could result in site takeover.

PLUGIN Simple Jwt Login

CVE-2021-24804

HIGH CVSS 8.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24772 - Before 3 Plugin

The Stream WordPress plugin before 3.8.2 does not sanitise and validate the order GET parameter from the Stream Records admin dashboard before using it in a SQL statement, leading to an SQL injection issue.

PLUGIN Before 3

CVE-2021-24772

HIGH CVSS 8.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24758 - Before 2 Plugin

The Email Log WordPress plugin before 2.4.7 does not properly validate, sanitise and escape the "orderby" and "order" GET parameters before using them in a SQL statement in the admin dashboard, leading to SQL injections.

PLUGIN Before 2

CVE-2021-24758

HIGH CVSS 8.8 2021-11-17
Threat Entry Updated 2024-11-21

CVE-2021-24835 - Tend Manager For Woocommerce Along With Bookings Subscription Listings Compatible Plugin

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible WordPress plugin before 6.5.12, when used in combination with another WCFM - WooCommerce Multivendor plugin such as WCFM - WooCommerce Multivendor Marketplace, does not escape the withdrawal_vendor parameter before using it in a SQL statement, allowing low privilege users such as Subscribers to perform SQL injection attacks.

PLUGIN Tend Manager For Woocommerce Along With Bookings Subscription Listings Compatible

CVE-2021-24835

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24829 - Visitor Traffic Real Time Statistics Plugin

The Visitor Traffic Real Time Statistics WordPress plugin before 3.9 does not validate and escape user input passed to the today_traffic_index AJAX action (available to any authenticated user) before using it in a SQL statement, leading to an SQL injection issue.

PLUGIN Visitor Traffic Real Time Statistics

CVE-2021-24829

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24844 - Affiliates Manager Plugin

The Affiliates Manager WordPress plugin before 2.8.7 does not validate the orderby parameter before using it in an SQL statement in the admin dashboard, leading to an SQL Injection issue.

PLUGIN Affiliates Manager

CVE-2021-24844

HIGH CVSS 7.2 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24695 - Simple Download Monitor Plugin

The Simple Download Monitor WordPress plugin before 3.9.6 saves logs in a predictable location, and does not have any authentication or authorisation in place to prevent unauthenticated users from downloading and reading the logs, which contain Sensitive Information such as IP Addresses and Usernames.

PLUGIN Simple Download Monitor

CVE-2021-24695

HIGH CVSS 7.5 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24791 - Header Footer Code Manager Plugin

The Header Footer Code Manager WordPress plugin before 1.1.14 does not validate and escape the "orderby" and "order" request parameters before using them in a SQL statement when viewing the Snippets admin dashboard, leading to SQL injections.

PLUGIN Header Footer Code Manager

CVE-2021-24791

HIGH CVSS 7.2 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24669 - Preloader Builder For Plugin

The MAZ Loader – Preloader Builder for WordPress plugin before 1.3.3 does not validate or escape the loader_id parameter of the mzldr shortcode, which allows users with a role as low as Contributor to perform SQL injection.

PLUGIN Preloader Builder For

CVE-2021-24669

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24631 - Unlimited Popups Plugin

The Unlimited PopUps WordPress plugin through 4.5.3 does not sanitise or escape the did GET parameter before using it in a SQL statement, available to users as low as editor, leading to an authenticated SQL Injection.

PLUGIN Unlimited Popups

CVE-2021-24631

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24630 - Schreikasten Plugin

The Schreikasten WordPress plugin through 0.14.18 does not sanitise or escape the id GET parameter before using it in SQL statements in the comments dashboard from various actions, leading to authenticated SQL Injections which can be exploited by users as low as author.

PLUGIN Schreikasten

CVE-2021-24630

HIGH CVSS 8.8 2021-11-08
Threat Entry Updated 2024-11-21

CVE-2021-24626 - Chameleon Css Plugin

The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as a subscriber, to call them and perform unauthorised actions. One of the AJAX calls, remove_css, also does not sanitise or escape the css_id POST parameter before using it in a SQL statement, leading to a SQL Injection.

PLUGIN Chameleon Css

CVE-2021-24626

HIGH CVSS 8.8 2021-11-08