
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 4261-4280 of 10866 records
Threat Entry Updated 2025-05-11

CVE-2024-13112 - Wp Mediatagger Plugin

The WP MediaTagger WordPress plugin through 4.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Mediatagger

CVE-2024-13112

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-11

CVE-2024-13101 - Wp Mediatagger Plugin

The WP MediaTagger WordPress plugin through 4.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Wp Mediatagger

CVE-2024-13101

MEDIUM CVSS 5.4 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13216 - Ht Event Plugin

The HT Event – WordPress Event Manager Plugin for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.7 via the 'render' function in /includes/widgets/htevent_sponsor.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, and draft template data.

PLUGIN Ht Event

CVE-2024-13216

MEDIUM CVSS 4.3 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-11886 - Lead Capturing Call To Actions By Vcita Plugin

The Contact Form and Calls To Action by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vCitaMeetingScheduler' shortcode in all versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Lead Capturing Call To Actions By Vcita

CVE-2024-11886

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-05-23

CVE-2024-13100 - Opsi Israel Domestic Shipments Plugin

The OPSI Israel Domestic Shipments WordPress plugin through 2.6.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Opsi Israel Domestic Shipments

CVE-2024-13100

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-05-13

CVE-2024-12275 - Canvasflow Plugin

The Canvasflow for WordPress plugin through 1.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Canvasflow

CVE-2024-12275

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-03-28

CVE-2024-12772 - Ninja Tables Plugin

The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it back in the page when importing a CSV, leading to a Cross Site Scripting vulnerability.

PLUGIN Ninja Tables

CVE-2024-12772

MEDIUM CVSS 5.4 2025-01-31
Threat Entry Updated 2025-05-23

CVE-2024-12872 - Zalomeni Plugin

The Zalomení WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Zalomeni

CVE-2024-12872

MEDIUM CVSS 4.8 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2025-0507 - Ticketmeo – Sell Tickets – Event Ticketing Plugin

The Ticketmeo – Sell Tickets – Event Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ticketmeo – Sell Tickets – Event Ticketing

CVE-2025-0507

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-03-25

CVE-2024-10867 - Borderless Plugin

The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Borderless

CVE-2024-10867

MEDIUM CVSS 5.4 2025-01-31
Threat Entry Updated 2025-05-23

CVE-2025-0470 - Forminator Forms Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the title parameter in all versions up to, and including, 1.38.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Forminator Forms

CVE-2025-0470

MEDIUM CVSS 6.1 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13463 - Seatreg Plugin

The SeatReg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'seatreg' shortcode in all versions up to, and including, 1.56.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Seatreg

CVE-2024-13463

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13399 - Gosign Posts Slider Block Plugin

The Gosign – Posts Slider Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'posts-slider-block' block in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gosign Posts Slider Block

CVE-2024-13399

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13397 - Wordpress Radio Streaming Plugin

The WPRadio – WordPress Radio Streaming Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpradio_player' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wordpress Radio Streaming

CVE-2024-13397

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13396 - Frictionless Plugin

The Frictionless plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'frictionless_form' shortcode[s] in all versions up to, and including, 0.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Frictionless

CVE-2024-13396

MEDIUM CVSS 6.4 2025-01-31
Threat Entry Updated 2025-01-31

CVE-2024-13705 - Stageshow Plugin

The StageShow plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 9.8.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Stageshow

CVE-2024-13705

MEDIUM CVSS 6.1 2025-01-30
Threat Entry Updated 2025-01-30

CVE-2024-13715 - Zstore Manager Basic Plugin

The zStore Manager Basic plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the zstore_clear_cache() function in all versions up to, and including, 3.311. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's cache.

PLUGIN Zstore Manager Basic

CVE-2024-13715

MEDIUM CVSS 4.3 2025-01-30
Threat Entry Updated 2025-01-30

CVE-2024-8494 - Website Builder Plugin

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.25.10 via the 'elementor-template' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the content of Private, Pending, and Draft Templates. The vulnerability was partially patched in version 3.24.4.

PLUGIN Website Builder

CVE-2024-8494

MEDIUM CVSS 4.3 2025-01-30
Threat Entry Updated 2025-01-31

CVE-2024-13700 - Embed Swagger Ui Plugin

The Embed Swagger UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsgui' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embed Swagger Ui

CVE-2024-13700

MEDIUM CVSS 6.4 2025-01-30
Threat Entry Updated 2025-01-31

CVE-2024-13670 - Music Sheet Viewer Plugin

The Music Sheet Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pn_msv' shortcode in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Music Sheet Viewer

CVE-2024-13670

MEDIUM CVSS 6.4 2025-01-30