Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 4201-4220 of 10866 records
Threat Entry Updated 2025-02-05

CVE-2024-12597 - Ht Mega Plugin

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_css' and 'inner_css' parameters in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ht Mega

CVE-2024-12597

MEDIUM CVSS 6.4 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-02-04

CVE-2024-13607 - Js Support Ticket Plugin

The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the 'exportusereraserequest' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level permissions and above, to export ticket data for any user.

PLUGIN Js Support Ticket

CVE-2024-13607

MEDIUM CVSS 4.3 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2025-0368 - Banner Garden Plugin

The Banner Garden Plugin for WordPress plugin through 0.1.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users.

PLUGIN Banner Garden

CVE-2025-0368

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-09-30

CVE-2025-0466 - Before 4 Plugin

The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message Information.

PLUGIN Before 4

CVE-2025-0466

MEDIUM CVSS 5.3 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-26

CVE-2024-13332 - Transfinanz Plugin

The TransFinanz WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Transfinanz

CVE-2024-13332

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-13331 - Wp Dream Carousel Plugin

The WP Dream Carousel WordPress plugin through 1.0.1b does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Wp Dream Carousel

CVE-2024-13331

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-13328 - Giga Messenger Plugin

The Giga Messenger WordPress plugin through 2.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Giga Messenger

CVE-2024-13328

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13327 - Musicbox Plugin

The Musicbox WordPress plugin through 2.0.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Musicbox

CVE-2024-13327

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13326 - Ibuildapp Plugin

The iBuildApp WordPress plugin through 0.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Ibuildapp

CVE-2024-13326

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-07-25

CVE-2024-13325 - Glossy Plugin

The Glossy WordPress plugin through 2.3.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Glossy

CVE-2024-13325

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13115 - Wp Projects Portfolio With Client Testimonials Plugin

The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Wp Projects Portfolio With Client Testimonials

CVE-2024-13115

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13114 - Wp Projects Portfolio With Client Testimonials Plugin

The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Projects Portfolio With Client Testimonials

CVE-2024-13114

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-03-05

CVE-2024-11132 - Eventer Plugin

The Eventer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Eventer

CVE-2024-11132

MEDIUM CVSS 6.4 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-03-04

CVE-2024-11133 - Eventer Plugin

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_pdf_download_request' function in all versions up to, and including, 3.9.9. This makes it possible for unauthenticated attackers to download event tickets.

PLUGIN Eventer

CVE-2024-11133

MEDIUM CVSS 5.3 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-03-04

CVE-2024-11134 - Eventer Plugin

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventer_export_bookings_csv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, to download bookings, which contains customers' personal data.

PLUGIN Eventer

CVE-2024-11134

MEDIUM CVSS 4.3 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-02-03

CVE-2025-22704 - WordPress Signature Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Abinav Thakuri WordPress Signature allows Cross Site Request Forgery. This issue affects WordPress Signature: from n/a through 0.1.

PLUGIN WordPress Signature

CVE-2025-22704

MEDIUM CVSS 5.4 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2024-13775 - Woocommerce Support Ticket System Plugin

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to unauthorized access and loss of data due to missing capability checks on the 'ajax_delete_message', 'ajax_get_customers_partial_list', and 'ajax_get_admins_list' functions in all versions up to, and including, 17.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts, and read names, emails, and capabilities of all users.

PLUGIN Woocommerce Support Ticket System

CVE-2024-13775

MEDIUM CVSS 5.4 2025-02-01
Open Full Technical Breakdown
Threat Entry Updated 2025-02-20

CVE-2024-13612 - Better Messages Plugin

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Better Messages

CVE-2024-13612

MEDIUM CVSS 6.4 2025-02-01
Open Full Technical Breakdown
Threat Entry Updated 2025-02-05

CVE-2024-13429 - Wp Job Portal Plugin

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the 'jobenforcedelete' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with employer-level access and above, to delete arbitrary

PLUGIN Wp Job Portal

CVE-2024-13429

MEDIUM CVSS 4.3 2025-02-01
Open Full Technical Breakdown
Scroll to top