Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 2921-2940 of 3047 records
Threat Entry Updated 2024-11-21

CVE-2021-24728 - Paid Member Subscriptions Plugin

The Membership & Content Restriction – Paid Member Subscriptions WordPress plugin before 2.4.2 did not sanitise, validate or escape its order and orderby parameters before using them in SQL statements, leading to authenticated SQL injections in the Members and Payments pages.

PLUGIN Paid Member Subscriptions

CVE-2021-24728

HIGH CVSS 8.8 2021-09-13
Threat Entry Updated 2026-01-16

CVE-2021-24727 - StopBadBots Plugin

The StopBadBots WordPress plugin before 6.60 did not validate or escape the order and orderby GET parameters in some of its admin dashboard pages, leading to authenticated SQL injections.

PLUGIN StopBadBots

CVE-2021-24727

HIGH CVSS 8.8 2021-09-13
Threat Entry Updated 2024-11-21

CVE-2021-24726 - Wp Simple Booking Calendar Plugin

The WP Simple Booking Calendar WordPress plugin before 2.0.6 did not escape, validate or sanitise the orderby parameter in its Search Calendars action before using it in a SQL statement, leading to an authenticated SQL injection issue.

PLUGIN Wp Simple Booking Calendar

CVE-2021-24726

HIGH CVSS 8.8 2021-09-13
Threat Entry Updated 2024-11-21

CVE-2021-24620 - Simple E Commerce Shopping Cart Plugin

The WordPress Simple Ecommerce Shopping Cart Plugin - Sell products through Paypal plugin through 2.2.5 does not check the uploaded Downloadable Digital product file, allowing any file type, such as PHP, to be uploaded by an administrator. Furthermore, as there is no CSRF check in place, attackers could also make a logged-in admin upload a malicious PHP file, which would lead to RCE.

PLUGIN Simple E Commerce Shopping Cart

CVE-2021-24620

HIGH CVSS 8.8 2021-09-13
Threat Entry Updated 2024-11-21

CVE-2021-24491 - Fileviewer Plugin

The Fileviewer WordPress plugin through 2.2 does not have CSRF checks in place when performing actions such as uploading and deleting files. As a result, attackers could make a logged-in administrator delete and upload arbitrary files via a CSRF attack.

PLUGIN Fileviewer

CVE-2021-24491

HIGH CVSS 8.8 2021-09-13
Threat Entry Updated 2024-11-21

CVE-2021-38360 - Wp Publications Plugin

The wp-publications WordPress plugin is vulnerable to restrictive local file inclusion via the Q_FILE parameter found in the ~/bibtexbrowser.php file which allows attackers to include local zip files and achieve remote code execution, in versions up to and including 0.0.

PLUGIN Wp Publications

CVE-2021-38360

HIGH CVSS 8.3 2021-09-10
Threat Entry Updated 2024-11-21

CVE-2021-39202 - WordPress Core

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8.

CORE WordPress Core

CVE-2021-39202

HIGH CVSS 7.6 2021-09-09
Threat Entry Updated 2024-11-21

CVE-2021-39201 - WordPress Core

WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database.

Impact: The issue allows an authenticated but low-privileged user (like contributor/author) to execute XSS in the editor. This bypasses the restrictions imposed on users who do not have the permission to post `unfiltered_html`.

Patches: This has been patched in WordPress 5.8, and will be pushed to older versions via minor releases (automatic updates). It's strongly recommended that you keep auto-updates enabled to receive the fix.

References: https://wordpress.org/news/category/releases/…

CORE WordPress Core

CVE-2021-39201

HIGH CVSS 7.6 2021-09-09
Threat Entry Updated 2024-11-21

CVE-2021-38324 - Sp Rental Manager Plugin

The SP Rental Manager WordPress plugin is vulnerable to SQL Injection via the orderby parameter found in the ~/user/shortcodes.php file which allows attackers to retrieve information contained in a site's database, in versions up to and including 1.5.3.

PLUGIN Sp Rental Manager

CVE-2021-38324

HIGH CVSS 8.2 2021-09-09
Threat Entry Updated 2024-11-21

CVE-2021-24395 - Embed Youtube Video Plugin

The editid GET parameter of the Embed Youtube Video WordPress plugin through 1.0 is not sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN Embed Youtube Video

CVE-2021-24395

HIGH CVSS 7.2 2021-09-06
Threat Entry Updated 2024-11-21

CVE-2021-24391 - Cashtomer Plugin

The editid GET parameter of the Cashtomer WordPress plugin through 1.0.0 is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN Cashtomer

CVE-2021-24391

HIGH CVSS 8.8 2021-09-06
Threat Entry Updated 2024-11-21

CVE-2021-24393 - Comment Highlighter Plugin

The c GET parameter of the Comment Highlighter WordPress plugin through 0.13 is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN Comment Highlighter

CVE-2021-24393

HIGH CVSS 7.2 2021-09-06
Threat Entry Updated 2024-11-21

CVE-2021-24392 - Club Management Software Plugin

The id GET parameter of the WordPress Membership SwiftCloud.io WordPress plugin through 1.0 is not properly sanitised, escaped or validated before being inserted into a SQL statement, leading to SQL injection.

PLUGIN Club Management Software

CVE-2021-24392

HIGH CVSS 7.2 2021-09-06
Threat Entry Updated 2024-11-21

CVE-2021-24390 - Alipay Plugin

The proid GET parameter of the WordPress支付宝Alipay|财付通Tenpay|贝宝PayPal集成插件 WordPress plugin through 3.7.2 is not sanitised, properly escaped or validated before being inserted into a SQL statement that is not delimited by quotes, leading to SQL injection.

PLUGIN Alipay

CVE-2021-24390

HIGH CVSS 7.2 2021-09-06
Threat Entry Updated 2024-11-21

CVE-2021-24581 - Blue Admin Plugin

The Blue Admin WordPress plugin through 21.06.01 does not sanitise or escape its "Logo Title" setting before outputting it in a page, leading to a Stored Cross-Site Scripting issue. Furthermore, the plugin does not have a CSRF check in place when saving its settings, allowing the issue to be exploited via a CSRF attack.

PLUGIN Blue Admin

CVE-2021-24581

HIGH CVSS 8.8 2021-08-30
Threat Entry Updated 2024-11-21

CVE-2021-24580 - Side Menu Lite Plugin

The Side Menu Lite WordPress plugin before 2.2.6 does not sanitise user input from the List page in the admin dashboard before using it in a SQL statement, leading to a SQL Injection issue.

PLUGIN Side Menu Lite

CVE-2021-24580

HIGH CVSS 8.8 2021-08-30