Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 4161-4180 of 10866 records
Threat Entry Updated 2025-02-18

CVE-2024-13814 - Global Gallery Plugin

The The Global Gallery - WordPress Responsive Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 9.1.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

PLUGIN Global Gallery

CVE-2024-13814

MEDIUM CVSS 5.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13821 - Booking Calendar Plugin

The WP Booking Calendar plugin for WordPress is vulnerable to Unauthenticated Post-Confirmation Booking Manipulation in all versions up to, and including, 10.10. This is due to the plugin not properly requiring re-verification after a booking has been made and a change is being attempted. This makes it possible for unauthenticated attackers to manipulate their confirmed bookings, even after they have been approved.

PLUGIN Booking Calendar

CVE-2024-13821

MEDIUM CVSS 5.3 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13794 - Hide My Wp Ghost Plugin

The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Login Page Dislcosure in all versions up to, and including, 5.3.02. This is due to the plugin not properly restricting the /wp-register.php path. This makes it possible for unauthenticated attackers to discover the hidden login page location.

PLUGIN Hide My Wp Ghost

CVE-2024-13794

MEDIUM CVSS 5.3 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-18

CVE-2024-13601 - Majestic Support Plugin

The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.5 via the 'exportusereraserequest' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export ticket data for any user.

PLUGIN Majestic Support

CVE-2024-13601

MEDIUM CVSS 4.3 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2024-13374 - Wp Table Manager Plugin

The WP Table Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on thewptm_getFolders AJAX action in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary file names and directories.

PLUGIN Wp Table Manager

CVE-2024-13374

MEDIUM CVSS 4.3 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2024-13769 - Puzzles Plugin

The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the 'theme_options_ajax_post_action' AJAX action in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and inject malicious web scripts. The developer opted to remove the software from the repository, so an update is not available and it is recommended to find a replacement software.

PLUGIN Puzzles

CVE-2024-13769

MEDIUM CVSS 6.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2024-13665 - Admire Extra Plugin

The Admire Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'space' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Admire Extra

CVE-2024-13665

MEDIUM CVSS 6.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2024-13658 - Ngg Smart Image Search Plugin

The NGG Smart Image Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'hr_SIS_nextgen_searchbox' shortcode in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ngg Smart Image Search

CVE-2024-13658

MEDIUM CVSS 6.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-11746 - Woocommerce Brands Plugin

The Discover the Best Woocommerce Product Brands Plugin for WordPress – Woocommerce Brands Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'product_brand' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woocommerce Brands

CVE-2024-11746

MEDIUM CVSS 6.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-12164 - Wpsyncsheets Plugin

The WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsslwp_reset_settings() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.

PLUGIN Wpsyncsheets

CVE-2024-12164

MEDIUM CVSS 4.3 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13701 - Liveticker Plugin

The Liveticker (by stklcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'liveticker' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Liveticker

CVE-2024-13701

MEDIUM CVSS 6.4 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13749 - Stafflist Plugin

The StaffList plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing or incorrect nonce validation on the 'stafflist' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Stafflist

CVE-2024-13749

MEDIUM CVSS 6.1 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13554 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reorder_route() function in all versions up to, and including, 3.0.13. This makes it possible for unauthenticated attackers to reorder posts.

PLUGIN Wp Extended

CVE-2024-13554

MEDIUM CVSS 5.3 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13539 - Aforms Eats Plugin

The AForms Eats plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.3.1. This is due the /vendor/aura/payload-interface/phpunit.php file being publicly accessible and displaying error messages. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Aforms Eats

CVE-2024-13539

MEDIUM CVSS 5.3 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2025-0808 - Houzez Property Feed Plugin

The Houzez Property Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.21. This is due to missing or incorrect nonce validation on the "deleteexport" action. This makes it possible for unauthenticated attackers to delete property feed exports via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Houzez Property Feed

CVE-2025-0808

MEDIUM CVSS 4.3 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-13541 - Adirectory Plugin

The aDirectory – WordPress Directory Listing Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the adqs_delete_listing() function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

PLUGIN Adirectory

CVE-2024-13541

MEDIUM CVSS 4.3 2025-02-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-11

CVE-2025-0862 - SuperSaaS – online appointment scheduling Plugin

The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave).

PLUGIN SuperSaaS – online appointment scheduling

CVE-2025-0862

MEDIUM CVSS 4.9 2025-02-11
Open Full Technical Breakdown
Threat Entry Updated 2025-02-11

CVE-2024-13506 - Geodirectory Plugin

The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the display_name profile parameter in all versions up to, and including, 2.8.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Geodirectory

CVE-2024-13506

MEDIUM CVSS 6.4 2025-02-11
Open Full Technical Breakdown
Threat Entry Updated 2025-02-20

CVE-2024-13570 - Stray Random Quotes Plugin

The Stray Random Quotes WordPress plugin through 1.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Stray Random Quotes

CVE-2024-13570

MEDIUM CVSS 6.1 2025-02-11
Open Full Technical Breakdown
Threat Entry Updated 2025-02-20

CVE-2024-13543 - Zarinpal Paid Download Plugin

The Zarinpal Paid Download WordPress plugin through 2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Zarinpal Paid Download

CVE-2024-13543

MEDIUM CVSS 6.1 2025-02-11
Open Full Technical Breakdown
Scroll to top