Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 2881-2900 of 3047 records
Threat Entry Updated 2024-11-21

CVE-2021-24575 - WPSchoolPress Plugin

The School Management System – WPSchoolPress WordPress plugin before 2.1.10 does not properly sanitize or use prepared statements before using POST variables in SQL queries, leading to SQL injection in multiple actions available to various authenticated users, from simple subscribers/students to teachers and above.

HIGH CVSS 8.8 2021-11-08
CVE-2021-24647 - Invitation Codes Plugin

The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing an unauthenticated attacker to log in as any user on the site by only knowing their user ID or username.

HIGH CVSS 8.1 2021-11-08
CVE-2021-24629 - Post Content XMLRPC Plugin

The Post Content XMLRPC WordPress plugin through 1.0 does not sanitise or escape multiple GET/POST parameters before using them in SQL statements in the admin dashboard, leading to authenticated SQL injections.

HIGH CVSS 7.2 2021-11-08
CVE-2021-24628 - Wow Forms Plugin

The Wow Forms WordPress plugin through 3.1.3 does not sanitise or escape a 'did' GET parameter before using it in a SQL statement when deleting a form in the admin dashboard, leading to an authenticated SQL injection.

HIGH CVSS 7.2 2021-11-08
CVE-2021-24627 - G Auto-Hyperlink Plugin

The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection.

HIGH CVSS 7.2 2021-11-08
CVE-2021-24625 - SpiderCatalog Plugin

The SpiderCatalog WordPress plugin through 1.7.3 does not sanitise or escape the 'parent' and 'ordering' parameters from the admin dashboard before using them in a SQL statement, leading to a SQL injection when adding a category.

HIGH CVSS 7.2 2021-11-08
CVE-2021-24537 - Similar Posts Plugin

The Similar Posts WordPress plugin through 3.1.5 allows high-privilege users to execute arbitrary PHP code in a hardened environment (i.e. with DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML set to true) via the 'widget_rrm_similar_posts_condition' widget setting of the plugin.

HIGH CVSS 7.2 2021-11-08
CVE-2021-39341 - OptinMonster Plugin

The OptinMonster WordPress plugin is vulnerable to sensitive information disclosure and unauthorized setting updates due to insufficient authorization validation via the logged_in_or_has_api_key function in the ~/OMAPI/RestApi.php file, which can be used to inject malicious web scripts on sites with the plugin installed. This affects versions up to, and including, 2.6.4.

HIGH CVSS 8.2 2021-11-01
CVE-2021-24809 - BP Better Messages Plugin

The BP Better Messages WordPress plugin before 1.9.9.41 does not check for CSRF in several of its AJAX actions: bp_better_messages_leave_chat, bp_better_messages_join_chat, bp_messages_leave_thread, bp_messages_mute_thread, bp_messages_unmute_thread, bp_better_messages_add_user_to_thread, bp_better_messages_exclude_user_from_thread. This could allow attackers to make logged-in users perform unwanted actions.

HIGH CVSS 8.8 2021-11-01
CVE-2021-24717 - AutomatorWP Plugin

The AutomatorWP WordPress plugin before 1.7.6 does not perform capability checks, which allows users with the Subscriber role to enumerate automations, disclose the titles of private posts or user emails, call functions, or perform privilege escalation via Ajax actions.

HIGH CVSS 8.8 2021-11-01
CVE-2021-24487 - St-Daily-Tip Plugin

The St-Daily-Tip WordPress plugin through 4.7 does not have any CSRF check in place when saving its 'Default Text to Display if no tips' setting, and also lacks sanitisation and escaping before outputting it to the page. This could allow an attacker to make logged-in administrators set a malicious payload in it, leading to a Stored Cross-Site Scripting issue.

HIGH CVSS 8.8 2021-10-25
CVE-2021-24774 - Check & Log Email Plugin

The Check & Log Email WordPress plugin before 1.0.3 does not validate and escape the "order" and "orderby" GET parameters before using them in a SQL statement when viewing logs, leading to SQL injection issues.

HIGH CVSS 7.2 2021-10-25
CVE-2021-24769 - Permalink Manager Lite Plugin

The Permalink Manager Lite WordPress plugin before 2.2.13.1 does not validate and escape the orderby parameter before using it in a SQL statement in the Permalink Manager page, leading to a SQL injection.

HIGH CVSS 7.2 2021-10-25
CVE-2021-24662 - Game Server Status Plugin

The Game Server Status WordPress plugin through 1.0 does not validate or escape the server_id parameter before using it in a SQL statement, leading to an authenticated SQL injection in an admin page.

HIGH CVSS 7.2 2021-10-25
CVE-2021-39352 - Catch Themes Demo Import Plugin

The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.

HIGH CVSS 7.2 2021-10-21
CVE-2021-39321 - Sassy Social Share Plugin

Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action due to deserialization of unvalidated user-supplied input in the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by underprivileged authenticated users due to a missing capability check on the import_config function.

HIGH CVSS 8.8 2021-10-21
CVE-2021-24754 - MainWP Child Reports Plugin

The MainWP Child Reports WordPress plugin before 2.0.8 does not validate or sanitise the order parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue.

HIGH CVSS 7.2 2021-10-18
CVE-2021-24684 - WordPress PDF Light Viewer Plugin

The WordPress PDF Light Viewer Plugin WordPress plugin before 1.4.12 allows users with the Author role to execute arbitrary OS commands on the server via OS command injection when invoking Ghostscript.

HIGH CVSS 8.8 2021-10-18
CVE-2021-39317 - AccessPress Demo Importer Plugin

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions is below: WordPress Plugin: AccessPress Demo Importer

HIGH CVSS 8.8 2021-10-11