Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 3,044 | Critical 0 | High 3,044 | Medium 0

Showing 1861-1880 of 3044 records
Threat Entry Updated 2025-05-13

CVE-2024-5472 - Wp Quicklatex Plugin

The WP QuickLaTeX WordPress plugin before 3.8.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Wp Quicklatex

CVE-2024-5472

HIGH CVSS 7.1 2024-07-13
Threat Entry Updated 2025-05-06

CVE-2024-5080 - Before 10 Plugin

The wp-eMember WordPress plugin before 10.6.6 does not validate files to be uploaded, which could allow admins to upload arbitrary files such as PHP on the server.

PLUGIN Before 10

CVE-2024-5080

HIGH CVSS 8.8 2024-07-13
Threat Entry Updated 2025-05-13

CVE-2024-5167 - Cm Email Registration Blacklist And Whitelist Plugin

The CM Email Registration Blacklist and Whitelist WordPress plugin before 1.4.9 does not have a CSRF check when adding or deleting an item from the blacklist or whitelist, which could allow attackers to make a logged-in admin add or delete settings from the blacklist or whitelist menu via a CSRF attack.

PLUGIN Cm Email Registration Blacklist And Whitelist

CVE-2024-5167

HIGH CVSS 8.1 2024-07-13
Threat Entry Updated 2025-05-19

CVE-2024-5287 - Wp Affiliate Platform Plugin

The wp-affiliate-platform WordPress plugin before 6.5.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in user change them via a CSRF attack.

PLUGIN Wp Affiliate Platform

CVE-2024-5287

HIGH CVSS 7.1 2024-07-13
Threat Entry Updated 2025-05-13

CVE-2024-5151 - Before 4 Plugin

The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-5151

HIGH CVSS 7.1 2024-07-13
Threat Entry Updated 2025-05-06

CVE-2024-5076 - Before 10 Plugin

The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

PLUGIN Before 10

CVE-2024-5076

HIGH CVSS 8.8 2024-07-13
Threat Entry Updated 2025-05-02

CVE-2024-5034 - Before 4 Plugin

The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

PLUGIN Before 4

CVE-2024-5034

HIGH CVSS 8.8 2024-07-13
Threat Entry Updated 2025-07-10

CVE-2024-5902 - Userfeedback Plugin

The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name parameter in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in feedback form responses that will execute whenever a high-privileged user tries to view them.

PLUGIN Userfeedback

CVE-2024-5902

HIGH CVSS 7.2 2024-07-12
Threat Entry Updated 2025-07-10

CVE-2024-5325 - Form Vibes Plugin

The Form Vibes plugin for WordPress is vulnerable to SQL Injection via the ‘fv_export_data’ parameter in all versions up to, and including, 1.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Form Vibes

CVE-2024-5325

HIGH CVSS 8.8 2024-07-12
Threat Entry Updated 2025-07-10

CVE-2024-6353 - Terawallet Plugin

The Wallet for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'search[value]' parameter in all versions up to, and including, 1.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Terawallet

CVE-2024-6353

HIGH CVSS 8.8 2024-07-12
Threat Entry Updated 2025-05-15

CVE-2024-6024 - Contentlock Plugin

The ContentLock WordPress plugin through 1.0.3 does not have a CSRF check in place when deleting groups or emails, which could allow attackers to make a logged-in admin remove them via a CSRF attack.

PLUGIN Contentlock

CVE-2024-6024

HIGH CVSS 8.8 2024-07-12
Threat Entry Updated 2024-11-21

CVE-2024-6023 - Contentlock Plugin

The ContentLock WordPress plugin through 1.0.3 does not have a CSRF check in place when adding emails, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack.

PLUGIN Contentlock

CVE-2024-6023

HIGH CVSS 8.8 2024-07-12
Threat Entry Updated 2024-11-21

CVE-2024-6022 - Contentlock Plugin

The ContentLock WordPress plugin through 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Contentlock

CVE-2024-6022

HIGH CVSS 8.8 2024-07-12
Threat Entry Updated 2024-11-21

CVE-2024-6666 - Wp Erp Plugin

The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’ parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Accounting Manager access (erp_ac_view_sales_summary capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wp Erp

CVE-2024-6666

HIGH CVSS 8.8 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6447 - Full Customer Plugin

The FULL – Cliente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the license plan parameter in all versions up to, and including, 3.1.12 due to insufficient input sanitization and output escaping as well as missing authorization and capability checks on the related functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrative user accesses the wp-admin dashboard.

PLUGIN Full Customer

CVE-2024-6447

HIGH CVSS 7.2 2024-07-11
Threat Entry Updated 2025-02-10

CVE-2024-6411 - Profilegrid Plugin

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.8.9. This is due to a lack of validation on user-supplied data in the 'pm_upload_image' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their user capabilities to Administrator.

PLUGIN Profilegrid

CVE-2024-6411

HIGH CVSS 8.8 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-5792 - Houzez Crm Plugin

The Houzez CRM plugin for WordPress is vulnerable to time-based SQL Injection via the notes ‘belong_to’ parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level (seller) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Houzez Crm

CVE-2024-5792

HIGH CVSS 8.8 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2023-7062 - Advanced File Manager Shortcodes Plugin

The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.4. This makes it possible for attackers with contributor access or higher to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Advanced File Manager Shortcodes

CVE-2023-7062

HIGH CVSS 8.8 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2023-7061 - Advanced File Manager Shortcodes Plugin

The Advanced File Manager Shortcodes plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers with contributor access or above to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Advanced File Manager Shortcodes

CVE-2023-7061

HIGH CVSS 8.8 2024-07-10