
Threat Database

Showing 1901-1920 of 3044 records
Threat Entry Updated 2024-11-21

CVE-2024-2376 - Wpqa Builder Plugin

The WPQA Builder WordPress plugin before 6.1.1 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

PLUGIN Wpqa Builder

CVE-2024-2376

HIGH CVSS 8.8 2024-07-03
Threat Entry Updated 2024-11-21

CVE-2024-5767 - Sitetweet Plugin

The sitetweet WordPress plugin through 0.2 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Sitetweet

CVE-2024-5767

HIGH CVSS 8.8 2024-07-02
Threat Entry Updated 2024-11-21

CVE-2024-5606 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.0.2 does not validate and escape the question_id parameter in the qsm_bulk_delete_question_from_database AJAX action, leading to a SQL injection exploitable by users with the Contributor role and above.

PLUGIN Before 9

CVE-2024-5606

HIGH CVSS 8.8 2024-07-02
Threat Entry Updated 2024-11-21

CVE-2024-5349 - Element Kit For Elementor Plugin

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.8.1 via the 'map_style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Element Kit For Elementor

CVE-2024-5349

HIGH CVSS 8.8 2024-07-02
Threat Entry Updated 2024-11-21

CVE-2024-2386 - Wp Maps Plugin

The WordPress Plugin for Google Maps – WP MAPS plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'put_wpgm' shortcode in all versions up to, and including, 4.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wp Maps

CVE-2024-2386

HIGH CVSS 8.8 2024-06-29
Threat Entry Updated 2024-11-21

CVE-2024-5598 - Advanced File Manager Plugin

The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder.

PLUGIN Advanced File Manager

CVE-2024-5598

HIGH CVSS 7.5 2024-06-29
Threat Entry Updated 2024-11-21

CVE-2024-6054 - Auto Featured Image Plugin

The Auto Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'create_post_attachment_from_url' function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Auto Featured Image

CVE-2024-6054

HIGH CVSS 8.8 2024-06-27
Threat Entry Updated 2025-05-19

CVE-2024-4758 - Muslim Prayer Time Bd Plugin

The Muslim Prayer Time BD WordPress plugin through 2.4 does not have a CSRF check in place when resetting its settings, which could allow attackers to make a logged-in admin reset them via a CSRF attack.

PLUGIN Muslim Prayer Time Bd

CVE-2024-4758

HIGH CVSS 7.6 2024-06-26
Threat Entry Updated 2025-07-09

CVE-2024-4869 - Wp Cookie Consent Plugin

The WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Client-IP’ header in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Cookie Consent

CVE-2024-4869

HIGH CVSS 7.2 2024-06-26
Threat Entry Updated 2025-03-06

CVE-2024-5431 - Wpcafe Plugin

The WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.25 via the reservation_extra_field shortcode parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include remote files on the server, potentially resulting in code execution.

PLUGIN Wpcafe

CVE-2024-5431

HIGH CVSS 8.8 2024-06-25
Threat Entry Updated 2025-05-19

CVE-2024-4757 - Logo Manager For Enamad Plugin

The Logo Manager For Enamad WordPress plugin through 0.7.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Logo Manager For Enamad

CVE-2024-4757

HIGH CVSS 8.1 2024-06-25
Threat Entry Updated 2024-11-21

CVE-2024-3593 - Ubermenu Plugin

The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible for unauthenticated attackers to delete and reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Ubermenu

CVE-2024-3593

HIGH CVSS 7.2 2024-06-22
Threat Entry Updated 2025-06-10

CVE-2024-5791 - Online Booking Scheduling Calendar Plugin

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_id' parameter in all versions up to, and including, 4.4.2 due to missing authorization checks on processAction function, as well as insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a wp-admin dashboard.

PLUGIN Online Booking Scheduling Calendar

CVE-2024-5791

HIGH CVSS 7.2 2024-06-22
Threat Entry Updated 2024-11-21

CVE-2024-5455 - Plus Addons For Elementor Plugin

The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can…

PLUGIN Plus Addons For Elementor

CVE-2024-5455

HIGH CVSS 8.8 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-5503 - Wp Blog Post Layouts Plugin

The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Wp Blog Post Layouts

CVE-2024-5503

HIGH CVSS 8.8 2024-06-21
Threat Entry Updated 2024-11-21

CVE-2024-5605 - Media Library Assistant Plugin

The Media Library Assistant plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter within the mla_tag_cloud Shortcode in all versions up to, and including, 3.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Media Library Assistant

CVE-2024-5605

HIGH CVSS 8.8 2024-06-20
Threat Entry Updated 2024-11-21

CVE-2024-3562 - Custom Field Suite Plugin

The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. This is due to insufficient sanitization of input prior to being used in a call to the eval() function. This makes it possible for authenticated attackers, with contributor-level access and above, to execute arbitrary PHP code on the server.

PLUGIN Custom Field Suite

CVE-2024-3562

HIGH CVSS 8.8 2024-06-20
Threat Entry Updated 2024-11-21

CVE-2024-3597 - Export Wp Page To Static Html Css Plugin

The Export WP Page to Static HTML/CSS plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.2.2. This is due to insufficient validation on the redirect url supplied via the rc_exported_zip_file parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Export Wp Page To Static Html Css

CVE-2024-3597

HIGH CVSS 7.1 2024-06-20
Threat Entry Updated 2024-11-21

CVE-2024-3561 - Custom Field Suite Plugin

The Custom Field Suite plugin for WordPress is vulnerable to SQL Injection via the 'Term' custom field in all versions up to, and including, 2.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Custom Field Suite

CVE-2024-3561

HIGH CVSS 8.8 2024-06-20
Threat Entry Updated 2024-11-21

CVE-2024-6132 - Wp Pexels Free Stock Photos Plugin

The Pexels: Free Stock Photos plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'pexels_fsp_images_options_validate' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wp Pexels Free Stock Photos

CVE-2024-6132

HIGH CVSS 8.8 2024-06-19