Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 4141-4160 of 10866 records
Threat Entry Updated 2025-02-25

CVE-2024-9601 - Qubely Plugin

The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ and 'UniqueID' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Qubely

CVE-2024-9601

MEDIUM CVSS 6.5 2025-02-14
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13692 - Return Refund And Exchange For Woocommerce Plugin

The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite linked refund image attachments, overwrite refund request message, overwrite order messages, and read order messages of other users.

PLUGIN Return Refund And Exchange For Woocommerce

CVE-2024-13692

MEDIUM CVSS 5.4 2025-02-14
Open Full Technical Breakdown
Threat Entry Updated 2025-05-14

CVE-2024-7052 - Forminator Forms Plugin

The Forminator Forms WordPress plugin before 1.38.3 does not sanitise and escape some of its settings, which could allow high privilege users such as Admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Forminator Forms

CVE-2024-7052

MEDIUM CVSS 4.8 2025-02-14
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13641 - Return Refund And Exchange For Woocommerce Plugin

The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the 'attachment' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/attachment directory which can contain file attachments for order refunds.

PLUGIN Return Refund And Exchange For Woocommerce

CVE-2024-13641

MEDIUM CVSS 5.9 2025-02-14
Open Full Technical Breakdown
Threat Entry Updated 2025-05-14

CVE-2024-13493 - Sensly Online Presence Plugin

The Sensly Online Presence WordPress plugin through 0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Sensly Online Presence

CVE-2024-13493

MEDIUM CVSS 4.8 2025-02-14
Open Full Technical Breakdown
Threat Entry Updated 2025-02-18

CVE-2024-13867 - Listivo Plugin

The Listivo - Classified Ads WordPress Theme theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 2.3.67 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Listivo

CVE-2024-13867

MEDIUM CVSS 6.1 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-18

CVE-2024-13639 - Read More Accordion Plugin

The Read More & Accordion plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the expmDeleteData() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary 'read more' posts.

PLUGIN Read More Accordion

CVE-2024-13639

MEDIUM CVSS 4.3 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2025-0661 - Dethemekit For Elementor

The DethemeKit For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.36 via the duplicate_post() function due to insufficient restrictions on which posts can be duplicated. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, draft, or scheduled posts that they should not have access to by duplicating the post.

THEME Dethemekit For Elementor

CVE-2025-0661

MEDIUM CVSS 4.3 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-05-23

CVE-2024-12586 - Chalet Montagne Com Tools Plugin

The Chalet-Montagne.com Tools WordPress plugin through 2.7.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Chalet Montagne Com Tools

CVE-2024-12586

MEDIUM CVSS 6.1 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-05-21

CVE-2024-13120 - Restrict Content Plugin

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Restrict Content

CVE-2024-13120

MEDIUM CVSS 4.8 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-05-21

CVE-2024-13119 - Restrict Content Plugin

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Restrict Content

CVE-2024-13119

MEDIUM CVSS 4.8 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2025-0837 - Puzzles Plugin

The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Puzzles

CVE-2025-0837

MEDIUM CVSS 6.4 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2024-13227 - Seo Plugin

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Rank Math API in all versions up to, and including, 1.0.235 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Seo

CVE-2024-13227

MEDIUM CVSS 6.4 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2024-13229 - Seo Plugin

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the update_metadata() function in all versions up to, and including, 1.0.235. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete any schema metadata assigned to any post.

PLUGIN Seo

CVE-2024-13229

MEDIUM CVSS 4.3 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13644 - Dethemekit For Elementor

The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's De Gallery widget in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Dethemekit For Elementor

CVE-2024-13644

MEDIUM CVSS 6.4 2025-02-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-20

CVE-2024-10322 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Brizy

CVE-2024-10322

MEDIUM CVSS 6.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2025-0506 - Rise Blocks Plugin

The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the titleTag parameter in all versions up to, and including, 3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Rise Blocks

CVE-2025-0506

MEDIUM CVSS 6.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-18

CVE-2024-13459 - Fusedesk Plugin

The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fusedesk_newcase' shortcode in all versions up to, and including, 6.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Fusedesk

CVE-2024-13459

MEDIUM CVSS 6.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13456 - Easy Quiz Maker Plugin

The Easy Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wqt-question' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Quiz Maker

CVE-2024-13456

MEDIUM CVSS 6.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13437 - Book A Room Plugin

The Book a Room plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9. This is due to missing or incorrect nonce validation on the 'bookaroom_Settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Book A Room

CVE-2024-13437

MEDIUM CVSS 4.3 2025-02-12
Open Full Technical Breakdown
Scroll to top