Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity filter: Total 10,866 | Critical 0 | High 0 | Medium 10,866
Showing 4181-4200 of 10866 records
CVE-2024-13544 - Zarinpal Paid Download Plugin
PLUGIN Zarinpal Paid Download | MEDIUM CVSS 4.8 2025-02-11 | Threat Entry Updated 2025-02-20

The Zarinpal Paid Download WordPress plugin through 2.3 does not properly validate uploaded files, allowing high-privilege users such as admins to upload arbitrary files to the server even when they should not be allowed to (for example, in a multisite setup).

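The failure described in this entry is an upload handler that trusts the client-supplied filename and content and never consults WordPress's own allowed-type list, which is exactly what restricts a site administrator on a multisite network. The PHP below is an added example written for this page, not code from the Zarinpal Paid Download plugin: it assumes it runs inside WordPress, and the form field name, nonce action, function names and the plugin-level allowlist are assumptions.

```php
<?php
// Added example (not the Zarinpal Paid Download plugin's code). Assumes it runs
// inside WordPress; field name 'paid_file', the nonce action and the function
// names are assumptions.

// VULNERABLE pattern: trusts the client-supplied name and content. On a
// multisite network the network's "upload_filetypes" policy is never consulted,
// so a site admin can drop a .php file under the web root.
function zpd_insecure_upload() {
    $uploads = wp_upload_dir();
    $dest    = $uploads['basedir'] . '/paid/' . $_FILES['paid_file']['name'];
    move_uploaded_file( $_FILES['paid_file']['tmp_name'], $dest );
    return $dest;
}

// HARDENED pattern.
function zpd_secure_upload() {
    // 1. Capability and CSRF checks before the file is touched.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    check_admin_referer( 'zpd_upload_file', 'zpd_nonce' );

    if ( empty( $_FILES['paid_file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['paid_file']['tmp_name'] ) ) {
        wp_die( 'No file uploaded.', 400 );
    }

    // 2. Plugin-level allowlist, intersected with get_allowed_mime_types().
    //    That function applies the 'upload_mimes' filter, which on multisite
    //    narrows the list to the network's upload_filetypes option, so the
    //    plugin cannot be used to bypass network policy. Passing a hand-written
    //    'mimes' array straight to wp_handle_upload() would skip that filter.
    $allowed = array_intersect_key(
        get_allowed_mime_types(),
        array( 'pdf' => true, 'zip' => true )
    );
    if ( empty( $allowed ) ) {
        wp_die( 'No permitted file types.', 403 );
    }

    // 3. wp_handle_upload() checks the extension against the sniffed content
    //    (wp_check_filetype_and_ext), refuses anything outside $allowed unless
    //    the user holds 'unfiltered_upload' (which multisite grants only to
    //    super admins), and writes a sanitized, unique filename instead of
    //    reusing the client's.
    $result = wp_handle_upload(
        $_FILES['paid_file'],
        array(
            'test_form' => false,
            'test_type' => true,
            'mimes'     => $allowed,
        )
    );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), 400 );
    }
    return $result['file']; // validated path inside the uploads directory
}
```

The check to run against a suspect plugin is simple: grep its upload code for `move_uploaded_file` or `file_put_contents` on `$_FILES` data that never passes through `wp_handle_upload()` or `wp_check_filetype_and_ext()`.
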
CVE-2024-13010 - Wp Foodbakery Plugin
PLUGIN Wp Foodbakery | MEDIUM CVSS 6.1 2025-02-10 | Threat Entry Updated 2025-02-10

The WP Foodbakery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.7 due to insufficient input sanitization and output escaping on the 'search_type' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2025-0169 - Dwt Listing Theme
THEME Dwt Listing | MEDIUM CVSS 6.4 2025-02-08 | Threat Entry Updated 2025-02-11

The DWT - Directory & Listing WordPress Theme is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-13850 - Simple Add Pages Or Posts Plugin
PLUGIN Simple Add Pages Or Posts | MEDIUM CVSS 5.5 2025-02-08 | Threat Entry Updated 2025-02-24

The Simple add pages or posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2024-7425 - Wp All Export Plugin
PLUGIN Wp All Export | MEDIUM CVSS 6.8 2025-02-07 | Threat Entry Updated 2025-02-11

The WP ALL Export Pro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to improper user input validation and sanitization in all versions up to, and including, 1.9.1. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVE-2024-9661 - Wp All Import Pro Plugin
PLUGIN Wp All Import Pro | MEDIUM CVSS 4.3 2025-02-07 | Threat Entry Updated 2025-02-18

The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-25077 - Easy Chart Builder for WordPress Plugin
PLUGIN Easy Chart Builder for WordPress | MEDIUM CVSS 6.5 2025-02-07 | Threat Entry Updated 2025-02-07

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugbug Easy Chart Builder for WordPress allows Stored XSS. This issue affects Easy Chart Builder for WordPress: from n/a through 1.3.

CVE-2024-13841 - Builder Shortcode Extras Plugin
PLUGIN Builder Shortcode Extras | MEDIUM CVSS 4.3 2025-02-07 | Threat Entry Updated 2025-02-07

The Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via the 'bse-elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created with Elementor that they should not have access to.

CVE-2024-13492 - Guten Free Options Plugin
PLUGIN Guten Free Options | MEDIUM CVSS 6.1 2025-02-07 | Threat Entry Updated 2025-05-23

The Guten Free Options WordPress plugin through 0.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2025-0859 - Post And Page Builder Plugin
PLUGIN Post And Page Builder | MEDIUM CVSS 6.5 2025-02-06 | Threat Entry Updated 2025-03-19

The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.27.6 via the template_via_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

CVE-2025-0522 - Likebot Plugin
PLUGIN Likebot | MEDIUM CVSS 4.7 2025-02-06 | Threat Entry Updated 2025-05-23

The LikeBot WordPress plugin through 0.85 does not have CSRF checks in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

CVE-2024-13829 - Tripetto Plugin
PLUGIN Tripetto | MEDIUM CVSS 5.3 2025-02-05 | Threat Entry Updated 2025-02-05

The WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.0.8 via the 'attachments.php' file. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via forms.

CVE-2024-13699 - Qi Addons For Elementor Plugin
PLUGIN Qi Addons For Elementor | MEDIUM CVSS 6.4 2025-02-04 | Threat Entry Updated 2025-02-05

The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cursor' parameter in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.8.5, 1.8.6, and 1.8.7.

CVE-2024-13529 - Socialv Social Network And Community Buddypress Theme
THEME Socialv Social Network And Community Buddypress Theme | MEDIUM CVSS 6.5 2025-02-04 | Threat Entry Updated 2025-02-04

The SocialV - Social Network and Community BuddyPress Theme theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'socialv_send_download_file' function in all versions up to, and including, 2.0.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download arbitrary files from the target system.

CVE-2024-13733 - Skt Blocks Plugin
PLUGIN Skt Blocks | MEDIUM CVSS 6.4 2025-02-04 | Threat Entry Updated 2025-05-23

The SKT Blocks – Gutenberg based Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's skt-blocks/post-carousel block in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-13510 - Shopsite Plugin
PLUGIN Shopsite | MEDIUM CVSS 6.1 2025-02-04 | Threat Entry Updated 2025-02-04

The ShopSite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.10. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2024-13356 - Dsgvo All In One For Wp Plugin
PLUGIN Dsgvo All In One For Wp | MEDIUM CVSS 6.5 2025-02-04 | Threat Entry Updated 2025-05-23

The DSGVO All in one for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6. This is due to missing or incorrect nonce validation in the user_remove_form.php file. This makes it possible for unauthenticated attackers to delete admin user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

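The CSRF entries on this page (CVE-2024-9661 on delete_and_edit, CVE-2025-0522, CVE-2024-13510, and CVE-2024-13356 on user_remove_form.php) and the arbitrary-option-update entry CVE-2024-7425 are two failures of the same control on state-changing requests: nothing proves the request came from the plugin's own page, and nothing limits which option or record the request may touch. CVE-2024-7425 spells out why the second matters: with any option writable, an attacker sets the registration default role to administrator and turns registration on. The PHP below is an added example for this page, not code from WP All Export/Import, LikeBot, ShopSite or DSGVO All in one; it assumes WordPress's admin-post API, and every hook name, option name, field name and nonce action is an assumption.

```php
<?php
// Added example (not WP All Export/Import, ShopSite, DSGVO or LikeBot code).
// Assumes WordPress. Hook names, option names, field names and nonce actions
// are assumptions.

// VULNERABLE pattern (CVE-2024-7425 class): no nonce, a capability that is too
// broad, and no allowlist of option names. A shop manager posts
// option_name=users_can_register&option_value=1, then
// option_name=default_role&option_value=administrator, and registers.
function demo_insecure_save_settings() {
    update_option( $_POST['option_name'], wp_unslash( $_POST['option_value'] ) );
}

// HARDENED settings handler.
function demo_secure_save_settings() {
    // 1. Capability: the one that actually governs options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // 2. CSRF: dies with 403 unless a fresh nonce for this action is present,
    //    which a form on an attacker's site cannot supply.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    // 3. Allowlist of option names, each bound to a sanitizer for its type.
    $schema = array(
        'demo_api_key'        => 'sanitize_text_field',
        'demo_items_per_page' => 'absint',
        'demo_enable_cache'   => 'rest_sanitize_boolean',
    );
    $name = sanitize_key( wp_unslash( $_POST['option_name'] ?? '' ) );
    if ( ! isset( $schema[ $name ] ) ) {
        wp_die( 'Unknown option.', 400 );   // default_role and users_can_register never get here
    }
    $value = call_user_func( $schema[ $name ], wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_demo_save_settings', 'demo_secure_save_settings' );

// The form the handler expects; wp_nonce_field() emits the token it verifies.
function demo_settings_form_html() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <label>Option <input type="text" name="option_name" value="demo_items_per_page"></label>
        <label>Value <input type="text" name="option_value" value="20"></label>
        <button type="submit">Save</button>
    </form>
    <?php
    return ob_get_clean();
}

// Link-triggered actions (the delete_and_edit / user_remove_form class) need
// the same treatment: build the link with wp_nonce_url() and bind the nonce
// to the target id, so a forged <a href> or <img src> fails the check.
function demo_delete_record_link( $record_id ) {
    $record_id = absint( $record_id );
    $url       = add_query_arg(
        array( 'action' => 'demo_delete_record', 'id' => $record_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'demo_delete_record_' . $record_id, 'demo_nonce' );
}
function demo_secure_delete_record() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    $record_id = absint( $_GET['id'] ?? 0 );
    check_admin_referer( 'demo_delete_record_' . $record_id, 'demo_nonce' );
    wp_delete_post( $record_id, true );   // assumes the record is stored as a post
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_demo_delete_record', 'demo_secure_delete_record' );
```

Two details are easy to get wrong: `check_admin_referer()` only helps if the nonce action string is unique to the operation (a site-wide shared action lets one leaked nonce authorize everything), and a nonce is not a substitute for the capability check, since WordPress issues nonces to every logged-in user.
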
CVE-2024-13403 - Wpforms Plugin
PLUGIN Wpforms | MEDIUM CVSS 6.4 2025-02-04 | Threat Entry Updated 2025-08-12

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fieldHTML' parameter in all versions up to, and including, 1.9.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

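Most entries on this page are cross-site scripting of two kinds: reflected (CVE-2024-13010 on 'search_type', CVE-2024-13492), where a request parameter is echoed back unescaped, and stored through shortcode or block attributes (CVE-2025-0169, CVE-2025-25077, CVE-2024-13699 on 'cursor', CVE-2024-13733, CVE-2024-13403 on 'fieldHTML'), where a contributor saves a payload that executes for every later visitor. CVE-2024-13850 adds the caveat that even an administrator is a low-privilege author once unfiltered_html is disabled (multisite, or DISALLOW_UNFILTERED_HTML). The PHP below is an added example for this page, not code from any of those plugins or themes; it assumes WordPress, the parameter and attribute names follow the advisories, and the shortcode name and allowed values are assumptions.

```php
<?php
// Added example (not the WP Foodbakery, DWT, Easy Chart Builder, Qi Addons,
// SKT Blocks or WPForms code). Assumes WordPress. Shortcode name and the
// allowed-value lists are assumptions.

// Reflected XSS (the 'search_type' class): a request parameter printed raw
// inside an attribute. ?search_type=x"%20onmouseover=alert(1)%20a=" breaks out.
function demo_insecure_results_heading() {
    return '<h2 class="results ' . $_GET['search_type'] . '">Results</h2>';
}

// Fixed: constrain to known values, then still escape for the attribute context.
function demo_secure_results_heading() {
    $allowed = array( 'restaurant', 'dish', 'city' );
    $type    = isset( $_GET['search_type'] ) ? sanitize_key( wp_unslash( $_GET['search_type'] ) ) : 'restaurant';
    if ( ! in_array( $type, $allowed, true ) ) {
        $type = 'restaurant';
    }
    return '<h2 class="results ' . esc_attr( $type ) . '">Results</h2>';
}

// Stored XSS through shortcode/block attributes. A contributor may save
// [demo_card link="javascript:alert(1)"] or cursor='pointer" onclick="alert(1)':
// KSES on save strips disallowed HTML *tags* from post content, but it cannot
// know that a plain-text attribute value will later be printed inside an HTML
// attribute, so quote-breaking and javascript: payloads survive to the database.
function demo_insecure_card_shortcode( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'link' => '#', 'cursor' => 'pointer', 'html' => '' ), $atts, 'demo_card' );
    return '<a href="' . $a['link'] . '" style="cursor:' . $a['cursor'] . '">'
         . '<h3>' . $a['title'] . '</h3>' . $a['html'] . '</a>';
}

// Fixed: one escaper per output context, applied at the sink.
function demo_secure_card_shortcode( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'link' => '#', 'cursor' => 'pointer', 'html' => '' ), $atts, 'demo_card' );

    $link  = esc_url( $a['link'] );    // URL context: rejects javascript: and data: schemes
    $title = esc_html( $a['title'] );  // text node

    // CSS value: escaping is the wrong tool (expression(), url(), quote tricks);
    // allowlist the few values the feature needs.
    $cursor = in_array( $a['cursor'], array( 'pointer', 'default', 'grab', 'not-allowed' ), true )
        ? $a['cursor']
        : 'pointer';

    // Author-supplied markup (the 'fieldHTML' class): reduce to the post-safe
    // tag set unconditionally. Testing current_user_can('unfiltered_html') here
    // would test the *viewer*, not the author, and the author may be a
    // contributor, or an admin on a site where unfiltered_html is disabled.
    $html = wp_kses_post( $a['html'] );

    return '<a href="' . $link . '" style="cursor:' . esc_attr( $cursor ) . '">'
         . '<h3>' . $title . '</h3>' . $html . '</a>';
}
add_shortcode( 'demo_card', 'demo_secure_card_shortcode' );
```

The "partially patched" note on CVE-2024-13699 is the usual outcome of fixing one sink at a time; the reliable review is to list every place an attribute value is concatenated into output and confirm each has the escaper for its context (esc_attr, esc_html, esc_url, wp_kses_post, or an allowlist for CSS and JavaScript contexts).
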
CVE-2024-13514 - B Slider Gutenberg Slider Block For Wp Plugin
PLUGIN B Slider Gutenberg Slider Block For Wp | MEDIUM CVSS 4.3 2025-02-04 | Threat Entry Updated 2025-02-04

The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.9.5 via the 'bsb-slider' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private posts that they should not have access to.

CVE-2024-12046 - Medical Addon For Elementor Plugin
PLUGIN Medical Addon For Elementor | MEDIUM CVSS 4.3 2025-02-04 | Threat Entry Updated 2025-02-04

The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts.

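CVE-2024-13841 ('bse-elementor-template'), CVE-2024-13514 ('bsb-slider') and CVE-2024-12046 ('namedical_elementor_template') are one bug: a shortcode takes a post ID from its attributes and renders that post's content without asking whether the viewer may read it, so a contributor who can only create drafts embeds someone else's draft, pending or private post and reads it through the preview. The PHP below is an added example for this page, not code from Builder Shortcode Extras, B Slider or Medical Addon for Elementor; it assumes WordPress, and the shortcode name and post type are assumptions.

```php
<?php
// Added example (not the Builder Shortcode Extras, B Slider or Medical Addon
// code). Assumes WordPress. Shortcode name and post type are assumptions.

// VULNERABLE pattern: any ID in the attribute is rendered, so a contributor
// embeds [demo_template id="123"] and reads a draft or private post they
// could never open in the editor.
function demo_insecure_template_shortcode( $atts ) {
    $a    = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_template' );
    $post = get_post( (int) $a['id'] );
    return $post ? apply_filters( 'the_content', $post->post_content ) : '';
}

// May the *current viewer* see this post? Evaluated at render time, because
// the page carrying the shortcode is rendered for whoever requests it, and the
// contributor previewing their own page is one of those viewers.
function demo_can_embed_post( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return false;
    }
    // Only the post type the shortcode is meant for: no wandering into private
    // pages, form entries or other plugins' post types.
    if ( 'demo_template' !== $post->post_type ) {
        return false;
    }
    // Published and not password-protected: public.
    if ( 'publish' === $post->post_status && ! post_password_required( $post ) ) {
        return true;
    }
    // draft / pending / private / future / trash: defer to the read_post meta
    // capability, which WordPress maps to the author's own right to read it,
    // to read_private_posts for private posts, and to edit_post otherwise.
    return current_user_can( 'read_post', $post->ID );
}

function demo_secure_template_shortcode( $atts ) {
    $a  = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_template' );
    $id = absint( $a['id'] );
    if ( ! $id || ! demo_can_embed_post( $id ) ) {
        return '';
    }
    return apply_filters( 'the_content', get_post( $id )->post_content );
}
add_shortcode( 'demo_template', 'demo_secure_template_shortcode' );
```

The point that distinguishes this from a simple `post_status === 'publish'` test is the meta capability: `current_user_can( 'read_post', $id )` lets an author embed their own draft and an editor embed a private post, while refusing a contributor access to anyone else's unpublished content, which is exactly the boundary these three advisories describe.
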