Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing records 3461-3480 of 10,866 (view filtered to Medium severity; every entry below is a WordPress plugin advisory).
CVE-2023-7230 - illi Link Party! plugin
Threat Entry Updated 2025-05-27

The illi Link Party! WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as admin to perform Cross-Site Scripting attacks.

MEDIUM | CVSS 6.1 | 2025-05-15
CVE-2023-7228 - illi Link Party! plugin
Threat Entry Updated 2025-05-28

The illi Link Party! WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks.

MEDIUM | CVSS 6.1 | 2025-05-15
CVE-2023-7229 - illi Link Party! plugin
Threat Entry Updated 2025-05-27

The illi Link Party! WordPress plugin through 1.0 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

MEDIUM | CVSS 5.5 | 2025-05-15
CVE-2023-7088 - Add SVG Support for Media Uploader | inventivo plugin
Threat Entry Updated 2025-06-12

The Add SVG Support for Media Uploader | inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

MEDIUM | CVSS 5.4 | 2025-05-15
CVE-2023-7168 - Better Follow Button for Jetpack plugin
Threat Entry Updated 2025-06-09

The Better Follow Button for Jetpack WordPress plugin through 8.0 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM | CVSS 4.8 | 2025-05-15
CVE-2023-7196 - Ultimate Noindex Nofollow Tool plugin
Threat Entry Updated 2025-06-11

The Ultimate Noindex Nofollow Tool WordPress plugin through 1.1.2 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

MEDIUM | CVSS 4.3 | 2025-05-15
CVE-2023-7195 - WP-Reply Notify plugin
Threat Entry Updated 2025-06-11

The WP-Reply Notify WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

MEDIUM | CVSS 4.3 | 2025-05-15
CVE-2023-6541 - Allow SVG plugin
Threat Entry Updated 2025-06-11

The Allow SVG WordPress plugin before 1.2.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

MEDIUM | CVSS 6.1 | 2025-05-15
CVE-2023-7086 - SVG Uploads Support plugin
Threat Entry Updated 2025-06-12

The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

MEDIUM | CVSS 5.4 | 2025-05-15
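The three SVG-upload entries above (CVE-2023-7088, CVE-2023-6541 and CVE-2023-7086) share one root cause: the plugin adds `image/svg+xml` to the allowed upload types but stores the file as received, and an SVG opened directly from the uploads URL is a full XML document in which `<script>`, event-handler attributes and `javascript:` links all execute. The sanitizer below is an added example written for this page, not code from any of the three plugins; it uses only the standard library (`xml.etree`, which should be swapped for `defusedxml` in production to also refuse entity-expansion tricks), and the malicious SVG it checks is a constructed sample.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Serialize with SVG as the default namespace and the conventional xlink prefix.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that run script or embed arbitrary (X)HTML when the SVG is opened directly.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes that may carry a URL, including the targets of SMIL animations (<set>/<animate>).
URL_ATTRS = {"href", "src", "values", "from", "to"}


def _local(name):
    """Local part of an ElementTree name such as '{http://www.w3.org/1999/xlink}href'."""
    return name.rsplit("}", 1)[-1]


def _safe_url(value):
    """Allow fragments, scheme-less relative URLs and http(s); refuse javascript:, data:, etc."""
    # Browsers ignore tabs/newlines inside a scheme ('java\tscript:' still runs), so drop them first.
    v = "".join(ch for ch in value.strip() if ch > " ").lower()
    head = v.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True  # '#marker', 'logo.png', '/uploads/x.png'
    return head.split(":", 1)[0] in ("http", "https")


def _scrub(root, remove):
    """Walk the tree; report dangerous elements/attributes and, if remove=True, strip them."""
    findings = []
    for parent in list(root.iter()):  # snapshot, so removals do not disturb the traversal
        if not isinstance(parent.tag, str):
            continue  # comments / processing instructions
        for child in list(parent):
            if isinstance(child.tag, str) and _local(child.tag).lower() in FORBIDDEN_TAGS:
                findings.append(f"element <{_local(child.tag)}>")
                if remove:
                    parent.remove(child)
        for attr in list(parent.attrib):
            name = _local(attr).lower()
            value = parent.attrib[attr]
            if name.startswith("on") or (name in URL_ATTRS and not _safe_url(value)):
                findings.append(f"attribute {name}={value!r} on <{_local(parent.tag)}>")
                if remove:
                    del parent.attrib[attr]
    return findings


def audit_svg(svg_bytes):
    """Return a list of findings describing active content in the SVG (empty if none)."""
    return _scrub(ET.fromstring(svg_bytes), remove=False)


def sanitize_svg(svg_bytes):
    """Return a serialized copy of the SVG with active content removed; raise on non-SVG input."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    _scrub(root, remove=True)
    return ET.tostring(root, encoding="utf-8")


# Constructed sample: what an Author-level user might upload so that anyone opening the
# attachment URL directly runs script in the site's origin.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><text x="10" y="20">click me</text></a>
  <image href="https://example.test/logo.png" width="10" height="10"/>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><script>alert(3)</script></body>
  </foreignObject>
  <rect width="10" height="10" onclick="alert(4)"/>
</svg>"""

if __name__ == "__main__":
    for finding in audit_svg(MALICIOUS_SVG):
        print("found:", finding)
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

`audit_svg()` is the check to run in an upload filter (reject, or log and sanitize); `sanitize_svg()` is the allow-list rewrite. Serving uploaded SVGs with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy` is a useful second layer, since a sanitizer only knows the tricks it was written for.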
CVE-2023-6783 - WolfNet IDX for WordPress plugin
Threat Entry Updated 2025-06-11

The WolfNet IDX for WordPress plugin through 1.19.1 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM | CVSS 4.8 | 2025-05-15
CVE-2023-6030 - LogDash Activity Log plugin
Threat Entry Updated 2025-06-11

The LogDash Activity Log WordPress plugin before 1.1.4 hooks wp_login_failed (in src/Hooks/Users.php) to log failed login attempts to the database, but it does not escape the username when building the SQL query. This leads to a SQL injection that an unauthenticated attacker can exploit using a time-based technique.

MEDIUM | CVSS 5.4 | 2025-05-15
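What makes the LogDash entry reachable without credentials is that wp_login_failed fires for every wrong password, so the attacker's "username" is whatever they typed into the login form. The example below is added for this page and is not the plugin's code: it reproduces the pattern (the username spliced into the SQL text) against a constructed SQLite schema and shows the parameterized form that closes it (`$wpdb->prepare()` in WordPress). SQLite has no `SLEEP()`, so instead of a timing side channel the payload makes the injected subquery's result land in the log row, which is enough to prove the subquery executed.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema standing in for the WordPress tables involved."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        INSERT INTO wp_options VALUES ('demo_api_key', 's3cr3t-api-key');
        CREATE TABLE failed_logins (username TEXT, ip TEXT);
    """)
    return con


def log_failed_login_vulnerable(con, username, ip):
    """The pattern behind the advisory: the attempted username is spliced into the SQL text.
    In a WordPress plugin this is $wpdb->query("... '$username' ...") without $wpdb->prepare()."""
    con.execute(f"INSERT INTO failed_logins (username, ip) VALUES ('{username}', '{ip}')")


def log_failed_login_fixed(con, username, ip):
    """Parameterized statement: the username can only ever be data, never SQL."""
    con.execute("INSERT INTO failed_logins (username, ip) VALUES (?, ?)", (username, ip))


def logged_usernames(con):
    return [row[0] for row in con.execute("SELECT username FROM failed_logins")]


# Constructed payload typed into the login form: closes the quoted string, concatenates a
# subquery result, and reopens the string so the statement stays syntactically valid.
PAYLOAD = "x'||(SELECT option_value FROM wp_options WHERE option_name='demo_api_key')||'"


def demo():
    """Return (usernames stored by the vulnerable logger, usernames stored by the fixed one)."""
    vulnerable, fixed = make_db(), make_db()
    log_failed_login_vulnerable(vulnerable, PAYLOAD, "198.51.100.7")
    log_failed_login_fixed(fixed, PAYLOAD, "198.51.100.7")
    return logged_usernames(vulnerable), logged_usernames(fixed)


if __name__ == "__main__":
    leaked, literal = demo()
    print("vulnerable stored:", leaked)   # the subquery ran: the option value is in the log row
    print("fixed stored:     ", literal)  # the payload is stored verbatim
```

In the real bug the attacker cannot read the log table back, which is why the advisory says time-based: on MySQL the subquery would be wrapped in `IF(SUBSTR(...)='a', SLEEP(5), 0)` and the response delay leaks one character per request. The fix is the same either way, and it is the parameterization, not `esc_sql()` sprinkled on the string, that should be reviewed for in this hook.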
CVE-2023-5932 - Travelpayouts: All Travel Brands in One Place plugin
Threat Entry Updated 2025-06-04

The Travelpayouts: All Travel Brands in One Place WordPress plugin before 1.1.14 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

MEDIUM | CVSS 4.8 | 2025-05-15
CVE-2023-5529 - Advanced Page Visit Counter plugin
Threat Entry Updated 2025-06-04

The Advanced Page Visit Counter WordPress plugin before 8.0.6 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

MEDIUM | CVSS 4.8 | 2025-05-15
CVE-2023-2334 - Easy Digital Downloads Google Sheet Connector plugin
Threat Entry Updated 2025-06-11

The edd-google-sheet-connector-pro WordPress plugin before 1.4 and the Easy Digital Downloads Google Sheet Connector WordPress plugin before 1.6.6 do not have a CSRF check when updating their Access Code, which could allow attackers to make a logged-in admin change the access code to an arbitrary one via a CSRF attack.

MEDIUM | CVSS 5.4 | 2025-05-15
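The four missing-CSRF-check entries on this page (CVE-2023-7229, CVE-2023-7196, CVE-2023-7195 and CVE-2023-2334) all describe a settings handler that verifies only *who* is logged in, which a form auto-submitted from an attacker's page satisfies because the browser attaches the admin's cookies. The example below is added for this page and is not any of these plugins' code: it models a WordPress-style nonce (the secret, lifetime split and truncated digest are modelled on `wp_create_nonce()`/`wp_verify_nonce()`, with a constructed secret and SHA-256 in place of the core's salts and MD5), and puts a vulnerable and a fixed settings handler side by side. The actors, settings and action name are constructed.

```python
import hashlib
import hmac
import math
import time

# Constructed secret; WordPress derives the real one from the NONCE_KEY/NONCE_SALT in wp-config.php.
NONCE_SECRET = b"constructed-demo-nonce-secret"
NONCE_LIFE = 24 * 60 * 60  # WordPress default: a nonce is accepted for at most 24 hours
SAVE_ACTION = "demo_plugin_save_settings"  # constructed action name


def _tick(now):
    """WordPress splits the lifetime into two ticks and accepts the current and the previous one."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _digest(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[-12:]


def create_nonce(action, user_id, now=None):
    """Modelled on wp_create_nonce(): bound to an action, a user and a time window."""
    return _digest(_tick(time.time() if now is None else now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    """Modelled on wp_verify_nonce(): true only for a nonce minted in this tick or the previous one."""
    tick = _tick(time.time() if now is None else now)
    return any(hmac.compare_digest(_digest(t, action, user_id), nonce) for t in (tick, tick - 1))


def save_settings_vulnerable(post, user, settings):
    """Checks only who the browser is logged in as; a cross-site form arrives with the admin's cookies."""
    if not user["can_manage_options"]:
        return False, "forbidden"
    settings["access_code"] = post["access_code"]
    return True, "saved"


def save_settings_fixed(post, user, settings, now=None):
    """Capability check AND nonce check (check_admin_referer() in WordPress). Both are needed:
    the capability proves the victim is an admin, the nonce proves the request came from a form
    the plugin itself rendered for that admin, which an attacker's page cannot obtain."""
    if not user["can_manage_options"]:
        return False, "forbidden"
    if not verify_nonce(post.get("_wpnonce", ""), SAVE_ACTION, user["id"], now):
        return False, "rejected: missing or invalid nonce (possible CSRF)"
    settings["access_code"] = post["access_code"]
    return True, "saved"


# Constructed actors: the logged-in admin, a form auto-submitted from an attacker's page
# (it cannot carry a nonce, the attacker has no way to mint one), and the admin's own form.
ADMIN = {"id": 1, "can_manage_options": True}
FORGED_POST = {"access_code": "attacker-controlled"}
GENUINE_POST = {"access_code": "set-by-admin"}


def demo(now=1_700_000_000):
    """Exercise both handlers; returns a dict of (accepted, resulting access_code) and nonce checks."""
    results = {}
    s = {"access_code": "original"}
    results["vulnerable"] = (save_settings_vulnerable(FORGED_POST, ADMIN, s)[0], s["access_code"])
    s = {"access_code": "original"}
    results["fixed_forged"] = (save_settings_fixed(FORGED_POST, ADMIN, s, now)[0], s["access_code"])
    genuine = dict(GENUINE_POST, _wpnonce=create_nonce(SAVE_ACTION, ADMIN["id"], now))
    s = {"access_code": "original"}
    results["fixed_genuine"] = (save_settings_fixed(genuine, ADMIN, s, now)[0], s["access_code"])
    # A nonce for another user or another action, or one older than the lifetime, is rejected;
    # one minted 12 hours ago (previous tick) still passes.
    results["other_user"] = verify_nonce(create_nonce(SAVE_ACTION, 2, now), SAVE_ACTION, 1, now)
    results["other_action"] = verify_nonce(create_nonce("demo_plugin_delete", 1, now), SAVE_ACTION, 1, now)
    results["expired"] = verify_nonce(create_nonce(SAVE_ACTION, 1, now), SAVE_ACTION, 1, now + NONCE_LIFE + 1)
    results["still_valid_12h"] = verify_nonce(create_nonce(SAVE_ACTION, 1, now), SAVE_ACTION, 1, now + NONCE_LIFE // 2)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

When reviewing a plugin's settings page, the thing to look for is the pair: `wp_nonce_field()` in the form and `check_admin_referer()` (or `wp_verify_nonce()`) in the handler, for the same action string. A capability check on its own, which is what all four of these plugins had, does not stop the attack.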
CVE-2025-3742 - Responsive Lightbox & Gallery plugin
Threat Entry Updated 2025-06-04

The Responsive Lightbox & Gallery WordPress plugin before 2.5.1 does not validate and escape some of its attributes before outputting them back in a page/post, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

MEDIUM | CVSS 6.8 | 2025-05-15
CVE-2025-4591 - Weluka Lite plugin
Threat Entry Updated 2025-05-16

The Weluka Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'weluka-map' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM | CVSS 6.4 | 2025-05-15
CVE-2025-4589 - Bon Toolkit plugin
Threat Entry Updated 2025-05-16

The Bon Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bt-map' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM | CVSS 6.4 | 2025-05-15
CVE-2025-4126 - EG-Series plugin
Threat Entry Updated 2025-05-16

The EG-Series plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [series] shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user-supplied attributes in the shortcode_title function. This makes it possible for authenticated attackers, with contributor-level access and above, on sites with the Classic Editor plugin activated, to inject arbitrary JavaScript code in the titletag attribute that will execute whenever a user accesses an injected page.

MEDIUM | CVSS 6.4 | 2025-05-15
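The four shortcode entries (CVE-2025-3742, CVE-2025-4591, CVE-2025-4589 and CVE-2025-4126) matter at contributor level because a Contributor has no unfiltered_html capability and cannot save a `<script>` tag, but a shortcode attribute is plain text to the editor and is only turned into HTML by the plugin when the page is rendered for every visitor. The example below is added for this page and is not any of these plugins' code: it implements a minimal shortcode parser (quoted values only; WordPress's `shortcode_parse_atts()` also accepts unquoted ones), a handler that interpolates attributes the way the advisories describe, and a hardened handler that escapes for the attribute context (`esc_attr()` in WordPress) and validates the value that lands in CSS, where escaping alone does not help. The shortcode name, post and payloads are constructed; the same output escaping is what fixes the settings-based stored XSS entries above (CVE-2023-7168, CVE-2023-6783, CVE-2023-5529).

```python
import html
import re

# [name attr="value" attr='value'] as these plugins consume it.
SHORTCODE_RE = re.compile(r"\[(?P<name>[a-z0-9_-]+)(?P<attrs>[^\]]*)\]")
ATTR_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)')""")


def parse_atts(text):
    """Attribute string -> dict; single- or double-quoted values, like shortcode_parse_atts()."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ATTR_RE.finditer(text)}


def render_map_vulnerable(atts):
    """Attribute values dropped straight into HTML: the pattern behind the advisories above."""
    address = atts.get("address", "")
    height = atts.get("height", "300px")
    return f'<div class="demo-map" data-address="{address}" style="height:{height}"></div>'


def render_map_fixed(atts):
    """Escape for the HTML-attribute context and allow-list the value used in CSS."""
    address = html.escape(atts.get("address", ""), quote=True)  # '"' -> &quot;, cannot close the attribute
    height = atts.get("height", "300px")
    if not re.fullmatch(r"\d{1,4}px", height):  # escaping would not stop CSS injection; validate instead
        height = "300px"
    return f'<div class="demo-map" data-address="{address}" style="height:{height}"></div>'


def render_post(content, renderer):
    """Expand [demo-map ...] shortcodes in post content with the given handler (other shortcodes untouched)."""
    def expand(m):
        if m.group("name") != "demo-map":
            return m.group(0)
        return renderer(parse_atts(m.group("attrs")))
    return SHORTCODE_RE.sub(expand, content)


# Constructed post saved by a Contributor. Single quotes around the value let the payload carry
# the double quote that closes data-address and starts a new, attacker-chosen attribute.
CONTRIBUTOR_POST = """<p>Find us here:</p>
[demo-map address='1 Main St" onmouseover="alert(document.cookie)' height='300px;background:url(https://evil.test/track.gif)']"""


def demo():
    """Return (HTML produced by the vulnerable handler, HTML produced by the fixed one)."""
    return render_post(CONTRIBUTOR_POST, render_map_vulnerable), render_post(CONTRIBUTOR_POST, render_map_fixed)


if __name__ == "__main__":
    vulnerable_html, fixed_html = demo()
    print("vulnerable:", vulnerable_html)
    print("fixed:     ", fixed_html)
```

Two review points follow from this. Every attribute needs the escaper for the context it is written into (`esc_attr()` for attributes, `esc_url()` for `href`/`src`, `esc_html()` for text), chosen by where the value lands rather than by where it came from; and values that end up inside CSS, a URL scheme or JavaScript need validation against an allow-list, because no HTML escaper makes `background:url(...)` harmless inside a `style` attribute.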
CVE-2025-3769 - LatePoint – Calendar Booking Plugin for Appointments and Events
Threat Entry Updated 2025-05-16

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via 'view_booking_summary_in_lightbox', due to missing validation on a user-controlled key. This makes it possible for unauthenticated attackers to retrieve appointment details such as customer names and email addresses.

MEDIUM | CVSS 5.3 | 2025-05-14
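The LatePoint entry is the one non-XSS, non-CSRF class on this page: a lookup keyed by a value the caller chooses, with nothing tying the caller to the record. The example below is added for this page and is not the plugin's code; the booking store, the customer data and the handler names are constructed. It shows the enumeration an unauthenticated caller can do against the vulnerable pattern, and a fixed handler that demands proof of entitlement: either the authenticated owner, or an unguessable per-booking key issued at booking time and compared in constant time, with "unknown id" and "wrong key" answered identically so the endpoint cannot be used to confirm which ids exist.

```python
import hmac
import secrets

# Constructed bookings: sequential ids (easy to enumerate), an access key minted when the booking
# was created, the owning WordPress user (None for a guest booking), and the personal data at stake.
BOOKINGS = {
    101: {"id": 101, "user_id": 7, "key": secrets.token_urlsafe(24),
          "customer": "Alice Example", "email": "alice@example.test"},
    102: {"id": 102, "user_id": None, "key": secrets.token_urlsafe(24),
          "customer": "Bob Example", "email": "bob@example.test"},
}


def _summary(booking):
    return {"customer": booking["customer"], "email": booking["email"]}


def _lookup(params):
    """Parse the caller-supplied id defensively; None for missing, malformed or unknown ids."""
    try:
        return BOOKINGS.get(int(params.get("booking_id", "")))
    except ValueError:
        return None


def booking_summary_vulnerable(params):
    """The advisory's pattern: whatever id arrives is looked up and its details returned."""
    booking = _lookup(params)
    return None if booking is None else _summary(booking)


def booking_summary_fixed(params, current_user_id=None):
    """Return details only to the booking's owner or to a caller holding the booking's key.
    A wrong key and a nonexistent id produce the same response (None)."""
    booking = _lookup(params)
    if booking is None:
        return None
    is_owner = current_user_id is not None and booking["user_id"] == current_user_id
    key_ok = hmac.compare_digest(params.get("key", ""), booking["key"])
    return _summary(booking) if (is_owner or key_ok) else None


def enumerate_bookings(handler, id_range):
    """What an unauthenticated attacker does to the vulnerable endpoint: walk the id space."""
    found = {}
    for booking_id in id_range:
        result = handler({"booking_id": str(booking_id)})
        if result is not None:
            found[booking_id] = result
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_bookings(booking_summary_vulnerable, range(100, 105)))
    print("fixed:     ", enumerate_bookings(booking_summary_fixed, range(100, 105)))
    print("with key:  ", booking_summary_fixed({"booking_id": "102", "key": BOOKINGS[102]["key"]}))
```

For guest bookings the key must be generated with a CSPRNG and delivered only to the customer (the confirmation e-mail link is the usual place); a short numeric "booking code" is just a second enumerable id. Detection-wise, a burst of requests to the summary action with sequential ids from one client is the signature to alert on.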