Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,044 (Critical 0, High 3,044, Medium 0)

Showing 1521-1540 of 3044 records
Threat Entry Updated 2025-01-08

CVE-2024-12854 - Garden Gnome Package Plugin

The Garden Gnome Package plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the functionality that automatically extracts 'ggpkg' files that have been uploaded in all versions up to, and including, 2.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Garden Gnome Package

CVE-2024-12854

HIGH CVSS 8.8 2025-01-08
Threat Entry Updated 2025-12-15

CVE-2024-12853 - Modula Image Gallery Plugin

The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Modula Image Gallery

CVE-2024-12853

HIGH CVSS 8.8 2025-01-08
Threat Entry Updated 2025-03-13

CVE-2024-9939 - Wordpress File Upload Plugin

The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.13 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read files outside of the originally intended directory.

PLUGIN Wordpress File Upload

CVE-2024-9939

HIGH CVSS 7.5 2025-01-08
Threat Entry Updated 2025-01-08

CVE-2024-11939 - Cost Calculator Builder Pro Plugin

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to blind time-based SQL Injection via the ‘data’ parameter in all versions up to, and including, 3.2.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Cost Calculator Builder Pro

CVE-2024-11939

HIGH CVSS 7.5 2025-01-08
Threat Entry Updated 2025-01-17

CVE-2024-11271 - Webinarpress Plugin

The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to modification of data due to a missing capability check on several functions in all versions up to, and including, 1.33.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify webinars.

PLUGIN Webinarpress

CVE-2024-11271

HIGH CVSS 8.8 2025-01-08
Threat Entry Updated 2025-01-17

CVE-2024-11270 - Webinarpress Plugin

The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the 'sync-import-imgs' function and missing file type validation in all versions up to, and including, 1.33.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files that can lead to remote code execution.

PLUGIN Webinarpress

CVE-2024-11270

HIGH CVSS 8.8 2025-01-08
Threat Entry Updated 2025-01-17

CVE-2024-11816 - Ultimate Wordpress Toolkit Plugin

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Remote Code Execution in version 3.0.11. This is due to a missing capability check on the 'wpext_handle_snippet_update' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server, provided an admin has created at least one code snippet.

PLUGIN Ultimate Wordpress Toolkit

CVE-2024-11816

HIGH CVSS 8.8 2025-01-08
Threat Entry Updated 2025-04-14

CVE-2024-11916 - Wp Extended Plugin

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification and retrieval of data due to a missing capability check on several functions in all versions up to, and including, 3.0.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to import and activate arbitrary code snippets along with

PLUGIN Wp Extended

CVE-2024-11916

HIGH CVSS 7.4 2025-01-08
Threat Entry Updated 2025-01-07

CVE-2025-22349 - WordPress Auction Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows SQL Injection. This issue affects WordPress Auction Plugin: from n/a through 3.7.

PLUGIN WordPress Auction Plugin

CVE-2025-22349

HIGH CVSS 7.6 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12152 - Mipl Wc Multisite Sync Plugin

The MIPL WC Multisite Sync plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.5 via the 'mipl_wc_sync_download_log' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Mipl Wc Multisite Sync

CVE-2024-12152

HIGH CVSS 7.5 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12202 - Croma Music Plugin

The Croma Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'ironMusic_ajax' function in all versions up to, and including, 3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Croma Music

CVE-2024-12202

HIGH CVSS 8.8 2025-01-07
Threat Entry Updated 2025-06-05

CVE-2024-11725 - Sms Alert Order Notifications Plugin

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Please…

PLUGIN Sms Alert Order Notifications

CVE-2024-11725

HIGH CVSS 8.8 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12471 - Post Saint Plugin

The Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation on the add_image_to_library AJAX action function in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files that make remote code execution possible.

PLUGIN Post Saint

CVE-2024-12471

HIGH CVSS 8.8 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12535 - Host Php Info Plugin

The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.

PLUGIN Host Php Info

CVE-2024-12535

HIGH CVSS 8.6 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12849 - Error Log Viewer Wp Plugin

The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Error Log Viewer Wp

CVE-2024-12849

HIGH CVSS 7.5 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12633 - More Plugin

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 5.6.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN More

CVE-2024-12633

HIGH CVSS 7.1 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12322 - Theperfectweddingnl Widget Plugin

The ThePerfectWedding.nl Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8. This is due to missing or incorrect nonce validation on the 'update_option' function. This makes it possible for unauthenticated attackers to update the 'tpwKey' option with stored cross-site scripting via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Theperfectweddingnl Widget

CVE-2024-12322

HIGH CVSS 8.8 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12313 - Woocommerce Compare Products Plugin

The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Woocommerce Compare Products

CVE-2024-12313

HIGH CVSS 8.1 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12157 - Ultimate Popup Creator Plugin

The Popup – MailChimp, GetResponse and ActiveCampaign Intergrations plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'upc_delete_db_record' AJAX action in all versions up to, and including, 3.2.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Ultimate Popup Creator

CVE-2024-12157

HIGH CVSS 7.5 2025-01-07