Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 4501-4520 of 10866 records
Threat Entry Updated 2025-01-09

CVE-2024-12493 - Files Download Delay Plugin

The Files Download Delay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fddwrap' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Files Download Delay

CVE-2024-12493

MEDIUM CVSS 6.4 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-12491 - Simply Rets Plugin

The SimplyRETS Real Estate IDX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sr_search_form' shortcode in all versions up to, and including, 2.11.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simply Rets

CVE-2024-12491

MEDIUM CVSS 6.4 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-12394 - Wp Action Network Plugin

The Action Network plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Action Network

CVE-2024-12394

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-12285 - Sema Api Plugin

The SEMA API plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘catid’ parameter in all versions up to, and including, 5.27 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Sema Api

CVE-2024-12285

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-12222 - Wc Shipos Delivery Plugin

The Deliver via Shipos for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘dvsfw_bulk_label_url’ parameter in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wc Shipos Delivery

CVE-2024-12222

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-12218 - Woocommerce Check Pincode Zipcode For Shipping Plugin

The Woocommerce check pincode/zipcode for shipping plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Woocommerce Check Pincode Zipcode For Shipping

CVE-2024-12218

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-12249 - Gs Instagram Portfolio Plugin

The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's CSS settings.

PLUGIN Gs Instagram Portfolio

CVE-2024-12249

MEDIUM CVSS 4.3 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-12206 - Pearl Plugin

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing or incorrect nonce validation on the stm_header_builder page. This makes it possible for unauthenticated attackers to delete arbitrary headers via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Pearl

CVE-2024-12206

MEDIUM CVSS 4.3 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-12067 - Wp Travel Plugin

The WP Travel – Ultimate Travel Booking System, Tour Management Engine plugin for WordPress is vulnerable to SQL Injection via the 'booking_itinerary' parameter of the 'wptravel_get_booking_data' function in all versions up to, and including, 10.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wp Travel

CVE-2024-12067

MEDIUM CVSS 6.5 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-11929 - Responsive Flipbook Plugin Wordpress

The Responsive FlipBook Plugin Wordpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the rfbwp_save_settings() functionin all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Responsive Flipbook Plugin Wordpress

CVE-2024-11929

MEDIUM CVSS 6.4 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-11907 - Skyword Plugin

The Skyword API Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skyword_iframe' shortcode in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Skyword

CVE-2024-11907

MEDIUM CVSS 6.4 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-12122 - Resads Plugin

The ResAds plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Resads

CVE-2024-12122

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-11815 - Posturinn Plugin

The Pósturinn\'s Shipping with WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the printed_marked and nonprinted_marked parameters in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Posturinn

CVE-2024-11815

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-11686 - Manycontacts Bar Plugin

The WhatsApp 🚀 click to chat plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'manycontacts_code' parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Manycontacts Bar

CVE-2024-11686

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-01-09

CVE-2024-11328 - Cluevo Lms Plugin

The CLUEVO LMS, E-Learning Platform plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.13.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Cluevo Lms

CVE-2024-11328

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-03-03

CVE-2024-13153 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.5.135 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: Since the widget code isn't part of the code, to apply the patch, the affected widgets: Image Tooltip, Notification, Simple Popup, Video Play…

PLUGIN Unlimited Elements For Elementor

CVE-2024-13153

MEDIUM CVSS 6.4 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-06-12

CVE-2024-12736 - Bu Section Editing Plugin

The BU Section Editing WordPress plugin through 0.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Bu Section Editing

CVE-2024-12736

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-04-21

CVE-2024-12731 - Infeed Plugin

The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Infeed

CVE-2024-12731

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-04-21

CVE-2024-12717 - Infeed Plugin

The Aklamator INfeed WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Infeed

CVE-2024-12717

MEDIUM CVSS 4.8 2025-01-09
Open Full Technical Breakdown
Threat Entry Updated 2025-05-17

CVE-2024-12715 - Asgard Security Scanner Plugin

The Asgard Security Scanner WordPress plugin through 0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Asgard Security Scanner

CVE-2024-12715

MEDIUM CVSS 6.1 2025-01-09
Open Full Technical Breakdown
Scroll to top