Live Vulnerability Intelligence

Threat Database

Threat Entry Updated 2025-05-20

CVE-2024-13630 - Newsticker Plugin

The NewsTicker WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Newsticker

CVE-2024-13630

MEDIUM CVSS 6.1 2025-02-26
Threat Entry Updated 2025-05-20

CVE-2024-13629 - Pushbiz Plugin

The pushBIZ WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Pushbiz

CVE-2024-13629

MEDIUM CVSS 6.1 2025-02-26
Threat Entry Updated 2025-05-15

CVE-2024-13628 - Wp Pricing Table Plugin

The WP Pricing Table WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Pricing Table

CVE-2024-13628

MEDIUM CVSS 6.1 2025-02-26
Threat Entry Updated 2025-05-20

CVE-2024-12737 - Services And Events Plugin

The WP BASE Booking of Appointments, Services and Events WordPress plugin before 5.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Services And Events

CVE-2024-12737

MEDIUM CVSS 6.1 2025-02-26
Threat Entry Updated 2025-05-15

CVE-2024-13113 - Countdown Timer For Elementor Plugin

The Countdown Timer for Elementor WordPress plugin before 1.3.7 does not sanitise and escape some parameters when outputting them on the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

PLUGIN Countdown Timer For Elementor

CVE-2024-13113

MEDIUM CVSS 5.9 2025-02-26
Threat Entry Updated 2025-02-26

CVE-2024-12434 - Suremembers Plugin

The SureMembers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.10.6 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive data including restricted content.

PLUGIN Suremembers

CVE-2024-12434

MEDIUM CVSS 5.3 2025-02-26
Threat Entry Updated 2025-02-26

CVE-2024-13560 - Subscriptions Memberships For Paypal Plugin

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Subscriptions Memberships For Paypal

CVE-2024-13560

MEDIUM CVSS 4.3 2025-02-26
Threat Entry Updated 2025-05-20

CVE-2024-10563 - Woocommerce Cart Count Shortcode Plugin

The WooCommerce Cart Count Shortcode WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Woocommerce Cart Count Shortcode

CVE-2024-10563

MEDIUM CVSS 5.4 2025-02-26
Threat Entry Updated 2025-02-25

CVE-2025-26913 - AR For WordPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webandprint AR For WordPress allows DOM-Based XSS. This issue affects AR For WordPress: from n/a through 7.7.

PLUGIN AR For WordPress

CVE-2025-26913

MEDIUM CVSS 6.5 2025-02-25
Threat Entry Updated 2025-02-28

CVE-2025-1262 - Advanced Google Recaptcha Plugin

The Advanced Google reCaptcha plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 1.27. This makes it possible for unauthenticated attackers to bypass the Built-in Math Captcha Verification.

PLUGIN Advanced Google Recaptcha

CVE-2025-1262

MEDIUM CVSS 5.3 2025-02-25
Threat Entry Updated 2025-02-28

CVE-2024-13695 - Enfold Plugin

The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachment_id' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Enfold

CVE-2024-13695

MEDIUM CVSS 6.4 2025-02-25
Threat Entry Updated 2025-02-28

CVE-2024-13693 - Enfold Plugin

The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings, which may include sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.

PLUGIN Enfold

CVE-2024-13693

MEDIUM CVSS 5.3 2025-02-25
Threat Entry Updated 2025-02-28

CVE-2024-13494 - Wordpress File Upload Plugin

The WordPress File Upload plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.25.2. This is due to missing or incorrect nonce validation on the 'wfu_file_details' function. This makes it possible for unauthenticated attackers to modify user data details associated with uploaded files via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wordpress File Upload

CVE-2024-13494

MEDIUM CVSS 4.3 2025-02-25
Threat Entry Updated 2025-02-28

CVE-2025-1063 - Classified Listing Plugin

The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens.

PLUGIN Classified Listing

CVE-2025-1063

MEDIUM CVSS 5.3 2025-02-25
Threat Entry Updated 2025-02-24

CVE-2025-27265 - Google Maps for WordPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aaron D. Campbell Google Maps for WordPress allows DOM-Based XSS. This issue affects Google Maps for WordPress: from n/a through 1.0.3.

PLUGIN Google Maps for WordPress

CVE-2025-27265

MEDIUM CVSS 6.5 2025-02-24
Threat Entry Updated 2025-03-27

CVE-2025-1488 - Wpo365 Msgraphmailer Plugin

The WPO365 | MICROSOFT 365 GRAPH MAILER plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.2. This is due to insufficient validation of the redirect URL supplied via the 'redirect_to' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if 1. they can successfully trick them into performing an action and 2. the plugin is activated but not configured.

PLUGIN Wpo365 Msgraphmailer

CVE-2025-1488

MEDIUM CVSS 4.7 2025-02-24
Threat Entry Updated 2025-05-07

CVE-2024-13822 - Totalcontest Plugin

The Photo Contest | Competition | Video Contest WordPress plugin through 2.8.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Totalcontest

CVE-2024-13822

MEDIUM CVSS 6.1 2025-02-24
Threat Entry Updated 2025-05-07

CVE-2024-13605 - Form Maker By 10web Plugin

The Form Maker by 10Web WordPress plugin before 1.15.33 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Form Maker By 10web

CVE-2024-13605

MEDIUM CVSS 4.8 2025-02-24
Threat Entry Updated 2025-05-07

CVE-2024-12308 - Before 4 Plugin

The Logo Slider WordPress plugin before 4.6.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2024-12308

MEDIUM CVSS 5.4 2025-02-24
Threat Entry Updated 2025-02-23

CVE-2024-13728 - Easy Paypal Donation Plugin

The Accept Donations with PayPal & Stripe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the rf parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Easy Paypal Donation

CVE-2024-13728

MEDIUM CVSS 6.1 2025-02-23