"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 196 (Critical: 0, High: 0, Medium: 0)
Showing 121-140 of 196 records
Threat Entry Updated 2025-11-13

CVE-2024-7056 - WPForms Plugin

The WPForms WordPress plugin before 1.9.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN WPForms

CVE-2024-7056

LOW CVSS 3.5 2024-11-25
Threat Entry Updated 2026-01-09

CVE-2024-10710 - Yadisk Files Plugin

The YaDisk Files WordPress plugin through 1.2.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Yadisk Files

CVE-2024-10710

LOW CVSS 3.5 2024-11-25
Threat Entry Updated 2025-03-31

CVE-2024-10515 - SEO Plugin by Squirrly SEO

In the process of testing the SEO Plugin by Squirrly SEO WordPress plugin before 12.3.21, a vulnerability was found that allows Stored XSS on behalf of an editor by embedding a malicious script, which entails an account-takeover backdoor.

PLUGIN SEO Plugin by Squirrly SEO

CVE-2024-10515

LOW CVSS 3.5 2024-11-20
Threat Entry Updated 2025-05-15

CVE-2024-5030 - CM Table Of Contents Plugin

The CM Table Of Contents WordPress plugin before 1.2.3 does not have a CSRF check in place when resetting its settings, which could allow attackers to make a logged-in admin perform such an action via a CSRF attack.

PLUGIN CM Table Of Contents

CVE-2024-5030

LOW CVSS 3.8 2024-11-18
Threat Entry Updated 2024-11-14

CVE-2024-10672 - Multiple Page Generator Plugin

The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server.

PLUGIN Multiple Page Generator

CVE-2024-10672

LOW CVSS 2.7 2024-11-12
Threat Entry Updated 2024-10-02

CVE-2024-8350 - Uncanny Groups For LearnDash Plugin

The Uncanny Groups for LearnDash plugin for WordPress is vulnerable to user group add due to a missing capability check on the /wp-json/ulgm_management/v1/add_user/ REST API endpoint in all versions up to, and including, 6.1.0.1. This makes it possible for authenticated attackers, with group leader-level access and above, to add users to their group which ultimately allows them to leverage CVE-2024-8349 and gain admin access to the site.

PLUGIN Uncanny Groups For LearnDash

CVE-2024-8350

LOW CVSS 2.7 2024-09-25
Threat Entry Updated 2024-09-30

CVE-2023-5359 - W3 Total Cache Plugin

The W3 Total Cache plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.5 via Google OAuth API secrets stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to impersonate W3 Total Cache and gain access to user account information in successful conditions. This would not impact the WordPress user's site in any way.

PLUGIN W3 Total Cache

CVE-2023-5359

LOW CVSS 3.7 2024-09-25
Threat Entry Updated 2025-02-07

CVE-2024-6692 - Easy Digital Downloads Plugin

The Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Agreement Text value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Easy Digital Downloads

CVE-2024-6692

LOW CVSS 3.3 2024-08-12
Threat Entry Updated 2024-11-21

CVE-2024-6694 - WP Mail SMTP Plugin

The WP Mail SMTP plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 4.0.1. This is due to the plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information to an attacker in a limited environment.

PLUGIN WP Mail SMTP

CVE-2024-6694

LOW CVSS 2.7 2024-07-20
Threat Entry Updated 2024-11-21

CVE-2024-6434 - Premium Addons For Elementor Plugin

The Premium Addons for Elementor plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 4.10.35. This is due to processing user-supplied input as a regular expression. This makes it possible for authenticated attackers, with Author-level access and above, to create and query a malicious post title, resulting in a slowdown of server resources.

PLUGIN Premium Addons For Elementor

CVE-2024-6434

LOW CVSS 3.1 2024-07-04
Threat Entry Updated 2024-11-21

CVE-2024-3073 - Easy WP SMTP Plugin

The Easy WP SMTP by SendLayer – WordPress SMTP and Email Log Plugin plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.3.0. This is due to the plugin providing the SMTP password in the SMTP Password field when viewing the settings. This makes it possible for authenticated attackers, with administrative-level access and above, to view the SMTP password for the supplied server. Although this would not be useful for attackers in most cases, if an administrator account becomes compromised this could be useful information…

PLUGIN Easy WP SMTP

CVE-2024-3073

LOW CVSS 2.7 2024-06-13
Threat Entry Updated 2025-05-21

CVE-2024-3920 - Flattr Plugin

The Flattr WordPress plugin through 1.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Flattr

CVE-2024-3920

LOW CVSS 3.5 2024-05-23
Threat Entry Updated 2025-05-15

CVE-2024-2220 - Call Chat Contact Button Plugin

The Button contact VR WordPress plugin through 4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Call Chat Contact Button

CVE-2024-2220

LOW CVSS 3.5 2024-05-23
Threat Entry Updated 2024-11-21

CVE-2024-22139 - WordPress Core

Authentication Bypass by Spoofing vulnerability in Filipe Seabra WordPress Manutenção allows Functionality Bypass. This issue affects WordPress Manutenção: from n/a through 1.0.6.

CORE WordPress Core

CVE-2024-22139

LOW CVSS 3.7 2024-05-17
Threat Entry Updated 2025-05-15

CVE-2024-3823 - Base64 Encoder/Decoder Plugin

The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not have a CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Base64 Encoder/Decoder

CVE-2024-3823

LOW CVSS 2.4 2024-05-15
Threat Entry Updated 2025-05-15

CVE-2024-3629 - HL Twitter Plugin

The HL Twitter WordPress plugin through 2014.1.18 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN HL Twitter

CVE-2024-3629

LOW CVSS 2.4 2024-05-15
Threat Entry Updated 2025-05-09

CVE-2024-3628 - EasyEvent Plugin

The EasyEvent WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

PLUGIN EasyEvent

CVE-2024-3628

LOW CVSS 3.8 2024-05-07
Threat Entry Updated 2025-05-08

CVE-2024-3471 - Button Generator Plugin

The Button Generator WordPress plugin before 3.0 does not have a CSRF check in place when bulk deleting, which could allow attackers to make a logged-in admin delete buttons via a CSRF attack.

PLUGIN Button Generator

CVE-2024-3471

LOW CVSS 3.4 2024-05-02
Threat Entry Updated 2024-11-21

CVE-2024-3034 - BackUpWordPress Plugin

The BackUpWordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.13 via the hmbkp_directory_browse parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to traverse directories outside of the context in which the plugin should allow.

PLUGIN BackUpWordPress

CVE-2024-3034

LOW CVSS 2.7 2024-04-27