Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 3821-3840 of 10866 records
Threat Entry Updated 2025-05-26

CVE-2024-13703 - Crm And Lead Management By Vcita Plugin

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vcita_ajax_toggle_ae() function in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable plugin widgets.

PLUGIN Crm And Lead Management By Vcita

CVE-2024-13703

MEDIUM CVSS 4.3 2025-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-24

CVE-2025-1527 - Shoplentor Plugin

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shoplentor

CVE-2025-1527

MEDIUM CVSS 6.4 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2024-13430 - Pagelayer Plugin

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.8 via the 'pagelayer_builder_posts_shortcode' function due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.

PLUGIN Pagelayer

CVE-2024-13430

MEDIUM CVSS 4.3 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2024-13838 - Uncanny Automator Plugin

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.2 via the 'call_webhook' method of the Automator_Send_Webhook class This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Uncanny Automator

CVE-2024-13838

MEDIUM CVSS 5.5 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2024-12589 - Finale Plugin

The Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the countdown timer in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Finale

CVE-2024-12589

MEDIUM CVSS 6.4 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-03-12

CVE-2024-13498 - Contact Forms And Much More Plugin

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.8.1 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form.

PLUGIN Contact Forms And Much More

CVE-2024-13498

MEDIUM CVSS 5.3 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2025-2077 - Simple Amazon Affiliate Plugin

The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Simple Amazon Affiliate

CVE-2025-2077

MEDIUM CVSS 6.1 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-2205 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Gdpr Cookie Compliance

CVE-2025-2205

MEDIUM CVSS 4.4 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2025-2078 - Blogbuzztime For Wp Plugin

The BlogBuzzTime for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Blogbuzztime For Wp

CVE-2025-2078

MEDIUM CVSS 4.4 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-04-07

CVE-2025-2076 - Binlayerpress Plugin

The binlayerpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Binlayerpress

CVE-2025-2076

MEDIUM CVSS 4.4 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-03-20

CVE-2025-1508 - Wp Crowdfunding Plugin

The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed.

PLUGIN Wp Crowdfunding

CVE-2025-1508

MEDIUM CVSS 5.3 2025-03-12
Open Full Technical Breakdown
Threat Entry Updated 2025-03-11

CVE-2025-28914 - wordpress login form to anywhere Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Sharma wordpress login form to anywhere allows Stored XSS. This issue affects wordpress login form to anywhere: from n/a through 0.2.

PLUGIN wordpress login form to anywhere

CVE-2025-28914

MEDIUM CVSS 5.9 2025-03-11
Open Full Technical Breakdown
Threat Entry Updated 2025-05-26

CVE-2024-13228 - Qubely Plugin

The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data.

PLUGIN Qubely

CVE-2024-13228

MEDIUM CVSS 4.3 2025-03-11
Open Full Technical Breakdown
Threat Entry Updated 2025-05-21

CVE-2024-13853 - Seo Tools Plugin

The SEO Tools WordPress plugin through 4.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Seo Tools

CVE-2024-13853

MEDIUM CVSS 6.1 2025-03-11
Open Full Technical Breakdown
Threat Entry Updated 2025-05-21

CVE-2025-0629 - Coronavirus Covid 19 Notice Message Plugin

The Coronavirus (COVID-19) Notice Message WordPress plugin through 1.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Coronavirus Covid 19 Notice Message

CVE-2025-0629

MEDIUM CVSS 4.8 2025-03-11
Open Full Technical Breakdown
Threat Entry Updated 2025-08-29

CVE-2024-13580 - Xv Random Quotes Plugin

The XV Random Quotes WordPress plugin through 1.40 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack

PLUGIN Xv Random Quotes

CVE-2024-13580

MEDIUM CVSS 4.3 2025-03-11
Open Full Technical Breakdown
Threat Entry Updated 2025-03-11

CVE-2024-13413 - Productdyno Plugin

The ProductDyno plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘res’ parameter in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This vulnerability is potentially a duplicate of CVE-2025-22320.

PLUGIN Productdyno

CVE-2024-13413

MEDIUM CVSS 6.1 2025-03-11
Open Full Technical Breakdown
Threat Entry Updated 2025-03-11

CVE-2024-13436 - Appsero Helper Plugin

The Appsero Helper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'appsero_helper' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Appsero Helper

CVE-2024-13436

MEDIUM CVSS 6.1 2025-03-11
Open Full Technical Breakdown
Threat Entry Updated 2025-05-26

CVE-2025-1926 - Pagelayer Plugin

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.8. This is due to missing or incorrect nonce validation on the pagelayer_save_post function. This makes it possible for unauthenticated attackers to modify post contents via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Pagelayer

CVE-2025-1926

MEDIUM CVSS 4.3 2025-03-10
Open Full Technical Breakdown
Threat Entry Updated 2026-01-09

CVE-2025-1382 - Contact Us Plugin

The Contact Us By Lord Linus WordPress plugin through 2.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Contact Us

CVE-2025-1382

MEDIUM CVSS 6.1 2025-03-09
Open Full Technical Breakdown
Scroll to top