Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 3641-3660 of 10866 records
Threat Entry Updated 2025-04-11

CVE-2024-13909 - Accredible Certificates Plugin

The Accredible Certificates & Open Badges plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Accredible Certificates

CVE-2024-13909

MEDIUM CVSS 4.9 2025-04-10
Open Full Technical Breakdown
Threat Entry Updated 2025-04-11

CVE-2024-10894 - Payment Forms For Paystack Plugin

The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'datepicker', 'textarea', and 'text' in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Payment Forms For Paystack

CVE-2024-10894

MEDIUM CVSS 6.4 2025-04-10
Open Full Technical Breakdown
Threat Entry Updated 2025-04-09

CVE-2025-31035 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Chris WP Editor.md – The Perfect WordPress Markdown Editor allows Stored XSS. This issue affects WP Editor.md – The Perfect WordPress Markdown Editor: from n/a through 10.2.1.

CORE WordPress Core

CVE-2025-31035

MEDIUM CVSS 5.9 2025-04-09
Open Full Technical Breakdown
Threat Entry Updated 2025-04-22

CVE-2024-8243 - Wordpress Plugin Upgrade Time Out

The WordPress/Plugin Upgrade Time Out Plugin WordPress plugin through 1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Wordpress Plugin Upgrade Time Out

CVE-2024-8243

MEDIUM CVSS 6.3 2025-04-09
Open Full Technical Breakdown
Threat Entry Updated 2025-04-22

CVE-2024-6860 - Wp Multitasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its permalink suffix settings, which could allow attackers to make logged admins perform such action via a CSRF attack

PLUGIN Wp Multitasking

CVE-2024-6860

MEDIUM CVSS 4.3 2025-04-09
Open Full Technical Breakdown
Threat Entry Updated 2025-04-22

CVE-2024-6857 - Wp Multitasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its Header, Footer and Body Script Settings, which could allow attackers to make logged admins perform such action via a CSRF attack

PLUGIN Wp Multitasking

CVE-2024-6857

MEDIUM CVSS 4.3 2025-04-09
Open Full Technical Breakdown
Threat Entry Updated 2025-07-14

CVE-2025-3100 - Wp Project Manager Plugin

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping in tasks discussion. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Wp Project Manager

CVE-2025-3100

MEDIUM CVSS 6.4 2025-04-09
Open Full Technical Breakdown
Threat Entry Updated 2025-07-17

CVE-2025-2876 - Melapress Login Security Plugin

The MelaPress Login Security and MelaPress Login Security Premium plugins for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'monitor_admin_actions' function in version 2.1.0. This makes it possible for unauthenticated attackers to delete any user.

PLUGIN Melapress Login Security

CVE-2025-2876

MEDIUM CVSS 5.3 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-04-08

CVE-2025-2568 - Vayu Blocks Plugin

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' function in versions 1.0.4 to 1.2.1. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in '_value'.

PLUGIN Vayu Blocks

CVE-2025-2568

MEDIUM CVSS 5.3 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-04-08

CVE-2025-2883 - Accept Sagepay Payments Using Contact Form 7 Plugin

The Accept SagePay Payments Using Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.

PLUGIN Accept Sagepay Payments Using Contact Form 7

CVE-2025-2883

MEDIUM CVSS 5.3 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-08-08

CVE-2025-3437 - Motors Car Dealer Classifieds Listing Plugin

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in the ajax_actions.php file in all versions up to, and including, 1.4.66. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute several initial set-up actions.

PLUGIN Motors Car Dealer Classifieds Listing

CVE-2025-3437

MEDIUM CVSS 4.3 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-08-08

CVE-2025-2808 - Motors Car Dealer Classifieds Listing Plugin

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Phone Number parameter in all versions up to, and including, 1.4.63 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Motors Car Dealer Classifieds Listing

CVE-2025-2808

MEDIUM CVSS 5.4 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-04-08

CVE-2025-3436 - Activity Logging For Wordpress Plugin

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Activity Logging For Wordpress

CVE-2025-3436

MEDIUM CVSS 6.5 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-04-08

CVE-2025-3432 - Aawp Obfuscator Plugin

The AAWP Obfuscator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-aawp-web' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Aawp Obfuscator

CVE-2025-3432

MEDIUM CVSS 6.4 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-04-08

CVE-2025-3433 - Advanced Advertising System Plugin

The Advanced Advertising System plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.3.1. This is due to insufficient validation on the redirect url supplied via the 'redir' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Advanced Advertising System

CVE-2025-3433

MEDIUM CVSS 6.1 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-04-08

CVE-2025-2882 - Green Money Payment Gateway Plugin

The GreenPay(tm) by Green.Money plugin for WordPress is vulnerable to Sensitive Information Exposure in versions between 3.0.0 and 3.0.9 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.

PLUGIN Green Money Payment Gateway

CVE-2025-2882

MEDIUM CVSS 5.3 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-3430 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'printer_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3430

MEDIUM CVSS 4.9 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-3429 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'material_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3429

MEDIUM CVSS 4.9 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-3428 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'coating_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3428

MEDIUM CVSS 4.9 2025-04-08
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-3427 - 3dprint Lite Plugin

The 3DPrint Lite plugin for WordPress is vulnerable to SQL Injection via the 'infill_text' parameter in all versions up to, and including, 2.1.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN 3dprint Lite

CVE-2025-3427

MEDIUM CVSS 4.9 2025-04-08
Open Full Technical Breakdown
Scroll to top