Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 3,044 records (Critical 0, High 3,044, Medium 0). Showing 1821-1840 of 3044 records.
Threat Entry Updated 2024-08-06

CVE-2024-7485 - Traffic Manager Plugin

The Traffic Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in the 'UserWebStat' AJAX function in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Traffic Manager

CVE-2024-7485

HIGH CVSS 7.2 2024-08-06
Threat Entry Updated 2025-02-07

CVE-2024-7484 - CRM Perks Forms Plugin

The CRM Perks Forms plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'handle_uploaded_files' function in versions up to, and including, 1.1.3. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN CRM Perks Forms

CVE-2024-7484

HIGH CVSS 7.2 2024-08-06
Threat Entry Updated 2025-04-10

CVE-2024-7031 - Filester Plugin

The File Manager Pro – Filester plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'njt_fs_saveSettingRestrictions' function in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with a role that has been granted permissions by an Administrator, to update the plugin settings for user role restrictions, including allowing file types such as .php to be uploaded.

PLUGIN Filester

CVE-2024-7031

HIGH CVSS 7.5 2024-08-03
Threat Entry Updated 2024-08-05

CVE-2024-7291 - JetFormBuilder Plugin

The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites.

PLUGIN JetFormBuilder

CVE-2024-7291

HIGH CVSS 7.2 2024-08-03
Threat Entry Updated 2025-08-22

CVE-2024-6477 - UsersWP Plugin

The UsersWP WordPress plugin before 1.2.12 uses predictable filenames when an admin generates an export, which could allow unauthenticated attackers to download them and retrieve sensitive information such as IP, username, and email address.

PLUGIN UsersWP

CVE-2024-6477

HIGH CVSS 7.5 2024-08-03
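The CVE-2024-6477 entry describes a file whose name can be guessed and whose location is web-reachable. The following is an added example and not UsersWP's exporter; the function, option, directory and capability names are invented. It shows an export written under a date-based name in the uploads tree beside one written under a random name in a directory that denies direct access, handed out only through a nonce-protected, capability-checked download action.

```php
<?php
// Added example (hypothetical plugin code), not code from UsersWP.

// --- Vulnerable: /wp-content/uploads/vuln-exports/users-2024-08-03.csv ---
// The date is the only thing an outsider has to guess, and the uploads
// directory is served directly by the web server.
function vuln_export_users(): string {
    $dir = wp_upload_dir()['basedir'] . '/vuln-exports/';
    wp_mkdir_p( $dir );
    $file = $dir . 'users-' . gmdate( 'Y-m-d' ) . '.csv';
    file_put_contents( $file, example_users_csv() );
    return wp_upload_dir()['baseurl'] . '/vuln-exports/' . basename( $file );  // public URL
}

// --- Hardened: unguessable name, no direct access, authenticated download. ---
function safe_export_users(): string {
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'Forbidden', '', [ 'response' => 403 ] );
    }
    $dir = wp_upload_dir()['basedir'] . '/safe-exports/';
    wp_mkdir_p( $dir );
    // Deny direct web access (Apache; nginx needs an equivalent location rule).
    // Defence in depth only: the random name is the primary control.
    if ( ! file_exists( $dir . '.htaccess' ) ) {
        file_put_contents( $dir . '.htaccess',
            "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n" .
            "<IfModule !mod_authz_core.c>\nDeny from all\n</IfModule>\n" );
    }
    if ( ! file_exists( $dir . 'index.html' ) ) {
        file_put_contents( $dir . 'index.html', '' );          // no directory listing
    }
    $name = bin2hex( random_bytes( 16 ) ) . '.csv';           // 128 bits from the CSPRNG
    file_put_contents( $dir . $name, example_users_csv(), LOCK_EX );
    // Remember which file belongs to this admin; the name never leaves the server.
    set_transient( 'safe_export_' . get_current_user_id(), $name, HOUR_IN_SECONDS );
    return wp_nonce_url( admin_url( 'admin-post.php?action=safe_download_export' ),
                         'safe_download_export' );
}

add_action( 'admin_post_safe_download_export', function () {   // logged-in users only
    check_admin_referer( 'safe_download_export' );
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'Forbidden', '', [ 'response' => 403 ] );
    }
    $name = get_transient( 'safe_export_' . get_current_user_id() );
    $path = wp_upload_dir()['basedir'] . '/safe-exports/' . basename( (string) $name );
    if ( ! $name || ! is_file( $path ) ) {
        wp_die( 'No export available.', '', [ 'response' => 404 ] );
    }
    delete_transient( 'safe_export_' . get_current_user_id() );
    nocache_headers();
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="users.csv"' );
    readfile( $path );
    unlink( $path );                                          // one download, then gone
    exit;
} );

// Shared helper: the data both exporters write (real site users at run time).
function example_users_csv(): string {
    $out = "id,username,email\n";
    foreach ( get_users( [ 'fields' => [ 'ID', 'user_login', 'user_email' ] ] ) as $u ) {
        $out .= "{$u->ID},{$u->user_login},{$u->user_email}\n";
    }
    return $out;
}
```

The random name alone already defeats the guessing attack; the access rule and the authenticated download action are there so that a leaked or logged URL is useless to anyone but the admin who generated the file, and so that the file does not linger.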
Threat Entry Updated 2024-08-02

CVE-2024-3238 - Superfly Responsive Menu Plugin

The WordPress Menu Plugin — Superfly Responsive Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.29. This is due to missing or incorrect nonce validation on the ajax_handle_delete_icons() function. This makes it possible for unauthenticated attackers to delete arbitrary files via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Please note the CSRF was patched in 5.0.28; however, adequate directory traversal protection wasn't introduced until 5.0.30.

PLUGIN Superfly Responsive Menu

CVE-2024-3238

HIGH CVSS 8.8 2024-08-02
Threat Entry Updated 2025-02-05

CVE-2024-7389 - Forminator Plugin

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.

PLUGIN Forminator

CVE-2024-7389

HIGH CVSS 7.5 2024-08-02
Threat Entry Updated 2025-05-29

CVE-2024-3983 - WooCommerce Customers Manager Plugin

The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting customers, via CSRF attacks.

PLUGIN WooCommerce Customers Manager

CVE-2024-3983

HIGH CVSS 8.1 2024-08-01
Threat Entry Updated 2025-04-10

CVE-2024-6529 - Ultimate Classified Listings Plugin

The Ultimate Classified Listings WordPress plugin before 1.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

PLUGIN Ultimate Classified Listings

CVE-2024-6529

HIGH CVSS 7.1 2024-08-01
Threat Entry Updated 2024-11-23

CVE-2024-6698 - FundEngine Plugin

The FundEngine plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying user meta updated through the update_user_meta function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta which can be leveraged to update their capabilities to gain administrator access.

PLUGIN FundEngine

CVE-2024-6698

HIGH CVSS 8.8 2024-08-01
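CVE-2024-7291 and CVE-2024-6698 share one root cause: a handler that passes attacker-chosen keys to update_user_meta(). Roles and the legacy user level live in user meta under prefixed keys (wp_capabilities, wp_user_level, and on multisite wp_2_capabilities and so on for each site), so writing those keys is a role change. The following is an added example, not code from JetFormBuilder or FundEngine; the hook names, field names and the vuln_/safe_ prefixes are invented. It shows the vulnerable loop beside a handler that allowlists keys, sanitises values, and refuses the capability keys outright.

```php
<?php
// Added example (hypothetical plugin code). Two AJAX handlers that save
// profile fields for the logged-in user.

// --- Vulnerable: every key in $_POST['meta'] is written verbatim. ---
// A subscriber posts meta[wp_capabilities][administrator]=1 and becomes an
// administrator, because WordPress trusts whatever is stored under that key.
add_action( 'wp_ajax_vuln_save_profile', function () {
    check_ajax_referer( 'vuln_save_profile' );           // stops CSRF, nothing else
    $user_id = get_current_user_id();
    foreach ( (array) ( $_POST['meta'] ?? [] ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value );      // arbitrary key, arbitrary value
    }
    wp_send_json_success();
} );

// --- Hardened: allowlist of keys, one sanitiser per key, and an explicit
// --- deny of the capability keys as defence in depth.
const SAFE_PROFILE_FIELDS = [
    'safe_phone'   => 'sanitize_text_field',
    'safe_company' => 'sanitize_text_field',
    'safe_website' => 'esc_url_raw',
];

function safe_is_protected_meta_key( string $key ): bool {
    global $wpdb;
    // This site's own keys, e.g. wp_capabilities / wp_user_level ...
    $protected = [ $wpdb->prefix . 'capabilities', $wpdb->prefix . 'user_level' ];
    if ( in_array( $key, $protected, true ) ) {
        return true;
    }
    // ... and, on a network, every other site's prefixed copy (wp_3_capabilities),
    // plus anything core itself marks protected (leading underscore, filters).
    return (bool) preg_match( '/(^|_)(capabilities|user_level)$/', $key )
        || is_protected_meta( $key, 'user' );
}

add_action( 'wp_ajax_safe_save_profile', function () {
    check_ajax_referer( 'safe_save_profile' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $user_id = get_current_user_id();
    $written = [];
    foreach ( (array) ( $_POST['meta'] ?? [] ) as $key => $value ) {
        $key = (string) $key;
        if ( ! isset( SAFE_PROFILE_FIELDS[ $key ] ) || safe_is_protected_meta_key( $key ) ) {
            continue;                                    // silently drop anything else
        }
        $sanitizer = SAFE_PROFILE_FIELDS[ $key ];
        update_user_meta( $user_id, $key, $sanitizer( wp_unslash( (string) $value ) ) );
        $written[] = $key;
    }
    wp_send_json_success( [ 'written' => $written ] );
} );
```

The allowlist is the control that matters; the protected-key check only exists so that a later edit which adds a wildcard to the allowlist does not quietly reopen the hole. Role changes themselves belong to WP_User::set_role() behind an edit_users capability check, never to a generic meta writer.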
Threat Entry Updated 2024-07-31

CVE-2024-6770 - VForm Plugin

The VForm plugin (Lifetime free Drag & Drop Contact Form Builder for WordPress) for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN VForm

CVE-2024-6770

HIGH CVSS 7.2 2024-07-31
Threat Entry Updated 2025-05-28

CVE-2024-5807 - Business Card Plugin

The Business Card WordPress plugin through 1.0.0 does not prevent high privilege users like administrators from uploading malicious PHP files, which could allow them to run arbitrary code on servers hosting their site, even in MultiSite configurations.

PLUGIN Business Card

CVE-2024-5807

HIGH CVSS 7.2 2024-07-30
Threat Entry Updated 2025-04-10

CVE-2024-5882 - Ultimate Classified Listings Plugin

The Ultimate Classified Listings WordPress plugin before 1.3 does not validate the `ucl_page` and `layout` parameters, allowing unauthenticated users to access PHP files on the server from the listings page.

PLUGIN Ultimate Classified Listings

CVE-2024-5882

HIGH CVSS 7.5 2024-07-29
Threat Entry Updated 2024-11-21

CVE-2024-6431 - Media.net Ads Manager Plugin

The Media.net Ads Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and missing capability check in the 'sendMail' function in all versions up to, and including, 2.10.13. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability is only exploitable if anyone has ever logged in through the API.

PLUGIN Media.net Ads Manager

CVE-2024-6431

HIGH CVSS 8.8 2024-07-27
Threat Entry Updated 2024-11-21

CVE-2024-6152 - Flipbox Builder Plugin

The Flipbox Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5 via deserialization of untrusted input in the flipbox_builder_Flipbox_ShortCode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Flipbox Builder

CVE-2024-6152

HIGH CVSS 8.8 2024-07-27
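The CVE-2024-6152 entry makes the usual two points about PHP Object Injection: the bug is unserialize() on attacker data, and impact depends on whether some other installed code supplies a gadget ("POP chain"). The following is an added example, not Flipbox Builder code; the gadget class, shortcode names and attribute name are invented. It pairs a toy gadget with a vulnerable shortcode handler and two fixed versions.

```php
<?php
// Added example (hypothetical code). HypotheticalCacheFile stands in for a
// gadget that some *other* plugin or theme on the site might ship.

class HypotheticalCacheFile {
    public $path;
    public function __destruct() {
        // Runs when the object is garbage-collected, whoever created it.
        if ( $this->path && file_exists( $this->path ) ) {
            unlink( $this->path );
        }
    }
}

// --- Vulnerable: attacker-controlled string reaches unserialize(). ---
// A contributor can place a shortcode in a post, so the attribute is untrusted.
// settings=<base64 of O:21:"HypotheticalCacheFile":1:{s:4:"path";s:15:"/path/to/target";}>
add_shortcode( 'vuln_flip', function ( $atts ) {
    $atts     = shortcode_atts( [ 'settings' => '' ], $atts );
    $settings = unserialize( base64_decode( $atts['settings'] ) );   // object materialised here
    return '<div class="flip">' . esc_html( (string) ( $settings['title'] ?? '' ) ) . '</div>';
    // $settings goes out of scope on return and __destruct() fires: file deleted.
} );

// --- Hardened 1: forbid object instantiation during unserialize(). ---
// Every O:... record becomes __PHP_Incomplete_Class, which has no destructor
// or wakeup hook of its own, so the gadget above is inert. Scalars and arrays
// still round-trip, so legitimate settings keep working.
add_shortcode( 'safe_flip_a', function ( $atts ) {
    $atts     = shortcode_atts( [ 'settings' => '' ], $atts );
    $settings = unserialize( base64_decode( $atts['settings'] ), [ 'allowed_classes' => false ] );
    if ( ! is_array( $settings ) ) {
        return '';
    }
    return '<div class="flip">' . esc_html( (string) ( $settings['title'] ?? '' ) ) . '</div>';
} );

// --- Hardened 2 (preferred): a format that cannot encode objects at all. ---
add_shortcode( 'safe_flip_b', function ( $atts ) {
    $atts     = shortcode_atts( [ 'settings' => '' ], $atts );
    $settings = json_decode( base64_decode( $atts['settings'] ), true );   // arrays only
    if ( ! is_array( $settings ) ) {
        return '';
    }
    return '<div class="flip">' . esc_html( (string) ( $settings['title'] ?? '' ) ) . '</div>';
} );
```

When auditing, grep for unserialize( and check whether the second argument is present; the `allowed_classes` option has been available since PHP 7.0, so there is no compatibility reason to leave it out on a supported WordPress stack.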
Threat Entry Updated 2024-11-21

CVE-2024-6589 - LearnPress Plugin

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.6.8.2 via the 'render_content_block_template' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN LearnPress

CVE-2024-6589

HIGH CVSS 8.8 2024-07-25
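CVE-2024-5882 and CVE-2024-6589 are both a request parameter that ends up in an include path; the LearnPress entry also spells out why "only images can be uploaded" is not a defence, since an image that carries PHP is still executed once included. The following is an added example, not code from either plugin; parameter, directory and function names are invented. It shows the vulnerable include beside a version where the parameter is a key into a fixed table and the resolved path is checked for containment.

```php
<?php
// Added example (hypothetical plugin code): a listings page that picks a
// template file from a request parameter.

// --- Vulnerable: the value is concatenated into the include path. ---
function vuln_render_listing() {
    $layout = $_GET['layout'] ?? 'grid';
    // ?layout=../../../uploads/2024/07/avatar  -> includes avatar.php if it exists,
    // and any "image" under uploads that happens to contain <?php ... ?> is
    // reachable the same way once the suffix or traversal lines up.
    include plugin_dir_path( __FILE__ ) . 'templates/' . $layout . '.php';
}

// --- Hardened: allowlist first, containment check second. ---
function safe_template_path( string $requested ): ?string {
    static $templates = [ 'grid' => 'grid.php', 'list' => 'list.php', 'map' => 'map.php' ];

    // 1. The parameter is a key, never a path fragment.
    if ( ! isset( $templates[ $requested ] ) ) {
        return null;
    }

    // 2. Defence in depth: resolve both sides and confirm the file really sits
    //    inside the plugin's templates directory (catches symlinks, and a future
    //    refactor that loosens step 1).
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $templates[ $requested ] );
    if ( false === $base || false === $path ) {
        return null;
    }
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

function safe_render_listing() {
    // sanitize_key() leaves only [a-z0-9_-], so "../" cannot even reach the lookup.
    $requested = sanitize_key( wp_unslash( $_GET['layout'] ?? 'grid' ) );
    $path      = safe_template_path( $requested );
    if ( null === $path ) {
        status_header( 400 );
        echo esc_html__( 'Unknown layout.', 'hypothetical-plugin' );
        return;
    }
    include $path;
}
```

Step 1 alone closes the bug; step 2 is cheap and survives the kind of maintenance change (a new "custom" layout that reads its file name from an option, say) that reintroduces these issues years later.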
Threat Entry Updated 2024-11-21

CVE-2024-7027 - WooCommerce PDF Vouchers Plugin

The WooCommerce - PDF Vouchers plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.9.3. This is due to insufficient verification on the user being supplied during a QR code login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing Voucher Vendor user on the site, if they have access to the user id.

PLUGIN WooCommerce PDF Vouchers

CVE-2024-7027

HIGH CVSS 7.3 2024-07-24
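The CVE-2024-7027 entry describes a login link where the user id is both the identifier and the credential. The following is an added example, not the WooCommerce PDF Vouchers implementation; the query parameters, role name and function names are invented. It shows that pattern beside a link that carries a short-lived, single-use token bound to the user and signed with a server-side secret.

```php
<?php
// Added example (hypothetical plugin code): logging a vendor in from a link
// that is encoded in a QR code.

// --- Vulnerable: the id is all that is checked. ---
add_action( 'init', function () {
    if ( ! isset( $_GET['vuln_qr_login'] ) ) {
        return;
    }
    $user = get_user_by( 'id', (int) $_GET['vuln_qr_login'] );   // ?vuln_qr_login=7
    if ( $user && in_array( 'vendor', (array) $user->roles, true ) ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID );                         // anyone who knows "7" is in
        wp_safe_redirect( admin_url() );
        exit;
    }
} );

// --- Hardened: HMAC-signed, expiring, single-use token. ---
function safe_qr_make_token( int $user_id, int $ttl = 300 ): string {
    $exp   = time() + $ttl;
    $nonce = bin2hex( random_bytes( 8 ) );
    $data  = "$user_id|$exp|$nonce";
    $sig   = hash_hmac( 'sha256', $data, wp_salt( 'auth' ) );   // site secret from wp-config salts
    set_transient( 'safe_qr_' . $nonce, $user_id, $ttl );       // issued list, for single use
    return rtrim( strtr( base64_encode( "$data|$sig" ), '+/', '-_' ), '=' );   // URL-safe
}

function safe_qr_verify_token( string $token ): ?int {
    $raw = base64_decode( strtr( $token, '-_', '+/' ), true );
    if ( false === $raw ) {
        return null;
    }
    $parts = explode( '|', $raw );
    if ( 4 !== count( $parts ) ) {
        return null;
    }
    [ $user_id, $exp, $nonce, $sig ] = $parts;
    $data = "$user_id|$exp|$nonce";
    if ( ! hash_equals( hash_hmac( 'sha256', $data, wp_salt( 'auth' ) ), $sig ) ) {
        return null;                                   // forged or tampered (constant-time compare)
    }
    if ( (int) $exp < time() ) {
        return null;                                   // expired
    }
    if ( (int) get_transient( 'safe_qr_' . $nonce ) !== (int) $user_id ) {
        return null;                                   // already used, or never issued
    }
    delete_transient( 'safe_qr_' . $nonce );           // burn it
    return (int) $user_id;
}

add_action( 'init', function () {
    if ( ! isset( $_GET['safe_qr_login'] ) ) {
        return;
    }
    $user_id = safe_qr_verify_token( (string) wp_unslash( $_GET['safe_qr_login'] ) );
    $user    = $user_id ? get_user_by( 'id', $user_id ) : false;
    if ( ! $user || ! in_array( 'vendor', (array) $user->roles, true ) ) {
        wp_die( 'Invalid or expired login link.', '', [ 'response' => 403 ] );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_safe_redirect( admin_url() );
    exit;
} );
```

The signature check must come before the expiry and replay checks, so that an attacker cannot learn anything from the order in which a tampered token fails; hash_equals() keeps the comparison itself constant-time.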
Threat Entry Updated 2024-11-21

CVE-2024-6756 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpw_auto_poster_get_image_path' function in all versions up to, and including, 5.3.14. This makes it possible for authenticated attackers, with Contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. Combined with CVE-2024-6754, this can be exploited with subscriber-level access.

PLUGIN Social Auto Poster

CVE-2024-6756

HIGH CVSS 8.8 2024-07-24
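CVE-2024-7484, CVE-2024-6431, CVE-2024-6756 and CVE-2024-5807 are all the same defect at different privilege levels: a handler that writes an uploaded file under the web root without checking what it is. The following is an added example, not code from any of those plugins; hook names, the directory and the allowed-type list are invented. It shows the raw move_uploaded_file() pattern beside a handler that checks capability, validates extension against content with wp_check_filetype_and_ext(), and lets wp_handle_upload() place the file.

```php
<?php
// Added example (hypothetical plugin code): a form handler that accepts an attachment.

// --- Vulnerable: client-supplied name and type, no capability check. ---
add_action( 'wp_ajax_vuln_attach', function () {
    $dir = wp_upload_dir()['basedir'] . '/vuln-attachments/';
    wp_mkdir_p( $dir );
    // "shell.php" lands under the web root and runs on the next request.
    move_uploaded_file( $_FILES['file']['tmp_name'], $dir . $_FILES['file']['name'] );
    wp_send_json_success();
} );

// --- Hardened ---
add_action( 'wp_ajax_safe_attach', function () {
    check_ajax_referer( 'safe_attach' );
    if ( ! current_user_can( 'upload_files' ) ) {          // a real capability, not "logged in"
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // What this feature actually needs, as extension -> MIME. Nothing executable.
    $allowed = [ 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' ];

    $file         = $_FILES['file'];
    $file['name'] = sanitize_file_name( $file['name'] );  // strips separators and odd characters

    // Checks the extension against the bytes (magic / image probing), so a file
    // named "x.jpg" that is really PHP, or "x.php.jpg" with a bogus claim, fails here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'type not allowed', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, [
        'test_form' => false,        // not a wp-admin form post
        'test_type' => true,         // re-run the type check inside core
        'mimes'     => $allowed,     // do not fall back to the site-wide list, which
                                     // may include whatever an admin enabled
    ] );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( [ 'url' => $result['url'] ] );
} );
```

On the administrator cases (CVE-2024-7484, CVE-2024-5807): core's media uploader only lets a user bypass the type allowlist when they hold the unfiltered_upload capability, which is granted only if ALLOW_UNFILTERED_UPLOADS is defined and, on multisite, only to super admins. A plugin that writes files itself with move_uploaded_file() sidesteps that policy entirely, which is why an "admin-only" upload bug is still rated High, particularly on a network where site admins are not meant to be able to run code.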
Threat Entry Updated 2024-11-21

CVE-2024-6753 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mapTypes’ parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX function in all versions up to, and including, 5.3.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Auto Poster

CVE-2024-6753

HIGH CVSS 7.2 2024-07-24
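The stored XSS entries above (CVE-2024-7485, CVE-2024-6770, CVE-2024-6753) share the pattern of a public AJAX endpoint that records a request value and an admin screen that prints it back; CVE-2024-6529 is the reflected variant of the same missing escape. The following is an added example, not code from any of those plugins; the hook, option and parameter names are invented. It shows a tracking endpoint and its admin table, vulnerable and then fixed with sanitisation at the boundary and context-specific escaping at output.

```php
<?php
// Added example (hypothetical plugin code): visitors report the page they are on;
// an admin screen lists the reports.

// --- Vulnerable: raw request value stored, later printed unescaped. ---
add_action( 'wp_ajax_nopriv_vuln_track', 'vuln_track' );
add_action( 'wp_ajax_vuln_track', 'vuln_track' );
function vuln_track() {
    $rows   = get_option( 'vuln_track_rows', [] );
    $rows[] = [ 'page' => $_POST['page'] ?? '', 'when' => time() ];   // "<script>...</script>"
    update_option( 'vuln_track_rows', $rows );
    wp_send_json_success();
}
function vuln_render_stats() {                                         // admin page callback
    foreach ( get_option( 'vuln_track_rows', [] ) as $row ) {
        echo '<tr><td>' . $row['page'] . '</td></tr>';                 // stored XSS fires for the admin
    }
    echo '<p>Filter: ' . ( $_GET['filter'] ?? '' ) . '</p>';           // reflected XSS, same class
}

// --- Hardened: sanitise at the boundary, escape for the output context. ---
add_action( 'wp_ajax_nopriv_safe_track', 'safe_track' );
add_action( 'wp_ajax_safe_track', 'safe_track' );
function safe_track() {
    // A public endpoint cannot rely on a nonce a visitor never received, so the
    // value is treated as hostile and forced into the shape of a URL:
    // esc_url_raw() strips disallowed characters and rejects schemes outside
    // wp_allowed_protocols() (javascript:, data:, ...).
    $page = esc_url_raw( wp_unslash( $_POST['page'] ?? '' ) );
    if ( '' === $page || strlen( $page ) > 2000 ) {
        wp_send_json_error( 'bad page', 400 );
    }
    $rows   = get_option( 'safe_track_rows', [] );
    $rows[] = [ 'page' => $page, 'when' => time() ];
    update_option( 'safe_track_rows', array_slice( $rows, -1000 ), false );  // bound growth
    wp_send_json_success();
}
function safe_render_stats() {
    foreach ( get_option( 'safe_track_rows', [] ) as $row ) {
        // Escape on output even though the value was sanitised on input: the
        // sanitiser may change later, and another code path may write the option.
        printf(
            '<tr><td><a href="%s">%s</a></td><td>%s</td></tr>',
            esc_url( $row['page'] ),                                 // attribute/URL context
            esc_html( $row['page'] ),                                // text context
            esc_html( wp_date( 'Y-m-d H:i', (int) $row['when'] ) )
        );
    }
    $filter = sanitize_text_field( wp_unslash( $_GET['filter'] ?? '' ) );
    printf( '<p>Filter: %s</p>', esc_html( $filter ) );
}
```

The two halves are independent controls: sanitisation limits what gets stored, escaping guarantees how it renders. Dropping either one reproduces the advisories' wording, "insufficient input sanitization and output escaping".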
Threat Entry Updated 2024-11-21

CVE-2024-6750 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.

PLUGIN Social Auto Poster

CVE-2024-6750

HIGH CVSS 7.3 2024-07-24