Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 4421-4440 of 10866 records
Threat Entry Updated 2025-02-11

CVE-2024-12370 - Wp Hotel Booking Plugin

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.

PLUGIN Wp Hotel Booking

CVE-2024-12370

MEDIUM CVSS 5.3 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13367 - Sandbox Plugin

The Sandbox plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the export_download action in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download an entire copy of a sandbox environment which can contain sensitive information like the wp-config.php file.

PLUGIN Sandbox

CVE-2024-13367

MEDIUM CVSS 6.5 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13386 - Quote Post Type Plugin

The quote-posttype-plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Author field in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Quote Post Type

CVE-2024-13386

MEDIUM CVSS 6.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12598 - Mybookprogress Plugin

The MyBookProgress by Stormhill Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘book’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mybookprogress

CVE-2024-12598

MEDIUM CVSS 6.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12508 - Glofox Shortcodes Plugin

The Glofox Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'glofox' and 'glofox_lead_capture ' shortcodes in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Glofox Shortcodes

CVE-2024-12508

MEDIUM CVSS 6.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13366 - Sandbox Plugin

The Sandbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'debug' parameter in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Sandbox

CVE-2024-13366

MEDIUM CVSS 6.1 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12466 - Proofreading Plugin

The Proofreading plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Proofreading

CVE-2024-12466

MEDIUM CVSS 6.1 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12637 - Moving Users Plugin

The Moving Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.05 via the export functionality. The JSON files are stored in predictable locations with guessable file names when exporting user data. This could allow unauthenticated attackers to extract sensitive user data, for instance, email addresses, hashed passwords, and IP addresses.

PLUGIN Moving Users

CVE-2024-12637

MEDIUM CVSS 5.3 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12203 - Rss Icon Widget Plugin

The RSS Icon Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_color’ parameter in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Rss Icon Widget

CVE-2024-12203

MEDIUM CVSS 4.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-06-05

CVE-2024-10799 - Eventer Plugin

The Eventer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.9.7 via the eventer_woo_download_tickets() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Eventer

CVE-2024-10799

MEDIUM CVSS 6.5 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13401 - Wp Paypal Plugin

The Payment Button for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_paypal_checkout' shortcode in all versions up to, and including, 1.2.3.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Paypal

CVE-2024-13401

MEDIUM CVSS 6.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13434 - Wp Inventory Manager Plugin

The WP Inventory Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Inventory Manager

CVE-2024-13434

MEDIUM CVSS 6.1 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13398 - Checkout For Paypal Plugin

The Checkout for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'checkout_for_paypal' shortcode in all versions up to, and including, 1.0.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Checkout For Paypal

CVE-2024-13398

MEDIUM CVSS 6.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-16

CVE-2025-23961 - WordPress Graphs & Charts Plugin

Missing Authorization vulnerability in WP Tasker WordPress Graphs & Charts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Graphs & Charts: from n/a through 2.0.8.

PLUGIN WordPress Graphs & Charts

CVE-2025-23961

MEDIUM CVSS 5.4 2025-01-16
Open Full Technical Breakdown
Threat Entry Updated 2025-01-16

CVE-2025-23423 - SendGrid for WordPress Plugin

Missing Authorization vulnerability in Smackcoders SendGrid for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SendGrid for WordPress: from n/a through 1.4.

PLUGIN SendGrid for WordPress

CVE-2025-23423

MEDIUM CVSS 4.3 2025-01-16
Open Full Technical Breakdown
Threat Entry Updated 2025-01-16

CVE-2024-13387 - Wp Responsive Tabs Plugin

The WP Responsive Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wprtabs' shortcode in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Responsive Tabs

CVE-2024-13387

MEDIUM CVSS 6.4 2025-01-16
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12615 - Passwords Manager Plugin

The Passwords Manager plugin for WordPress is vulnerable to SQL Injection via the $wpdb->prefix value in several AJAX actions in all versions up to, and including, 1.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Passwords Manager

CVE-2024-12615

MEDIUM CVSS 6.5 2025-01-16
Open Full Technical Breakdown
Threat Entry Updated 2025-01-16

CVE-2024-13355 - Orderconvo Plugin

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.

PLUGIN Orderconvo

CVE-2024-13355

MEDIUM CVSS 5.4 2025-01-16
Open Full Technical Breakdown
Threat Entry Updated 2025-03-04

CVE-2024-12427 - Multi Step Form Plugin

The Multi Step Form plugin for WordPress is vulnerable to unauthorized limited file upload due to a missing capability check on the fw_upload_file AJAX action in all versions up to, and including, 1.7.23. This makes it possible for unauthenticated attackers to upload limited file types such as images.

PLUGIN Multi Step Form

CVE-2024-12427

MEDIUM CVSS 5.3 2025-01-16
Open Full Technical Breakdown
Threat Entry Updated 2025-01-16

CVE-2024-11452 - Chamber Dashboard Business Directory Plugin

The Chamber Dashboard Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'business_categories' shortcode in all versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Chamber Dashboard Business Directory

CVE-2024-11452

MEDIUM CVSS 6.4 2025-01-16
Open Full Technical Breakdown
Scroll to top