Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 4561-4580 of 10866 records
Threat Entry Updated 2025-01-07

CVE-2024-11764 - Solar Wizard Lite Plugin

The Solar Wizard Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'solar_wizard' shortcode in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Solar Wizard Lite

CVE-2024-11764

MEDIUM CVSS 6.4 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-06-05

CVE-2024-11282 - Passster Plugin

The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

PLUGIN Passster

CVE-2024-11282

MEDIUM CVSS 5.3 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-9702 - Social Rocket Plugin

The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'socialrocket-floating' shortcode in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Rocket

CVE-2024-9702

MEDIUM CVSS 6.4 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-9697 - Social Rocket Plugin

The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tweet_settings_save() and tweet_settings_update() functions in all versions up to, and including, 1.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.

PLUGIN Social Rocket

CVE-2024-9697

MEDIUM CVSS 5.3 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-05-14

CVE-2024-9638 - Category Posts Widget Plugin

The Category Posts Widget WordPress plugin before 4.9.18 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Category Posts Widget

CVE-2024-9638

MEDIUM CVSS 4.8 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-05-14

CVE-2024-8857 - Wordpress Auction Plugin

The WordPress Auction Plugin WordPress plugin through 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Stored Cross-Site Scripting attacks.

PLUGIN Wordpress Auction

CVE-2024-8857

MEDIUM CVSS 4.8 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-12464 - Chatroll Live Chat Plugin

The Chatroll Live Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'chatroll' shortcode in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Chatroll Live Chat

CVE-2024-12464

MEDIUM CVSS 6.4 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-12440 - Candifly Plugin

The Candifly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'candifly' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Candifly

CVE-2024-12440

MEDIUM CVSS 6.4 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-12439 - Marketplace Items Plugin

The Marketplace Items plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'marketplace' shortcode in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Marketplace Items

CVE-2024-12439

MEDIUM CVSS 6.4 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-12438 - Woocommerce Digital Content Delivery With Drm Flickrocket Plugin

The WooCommerce Digital Content Delivery (incl. DRM) – FlickRocket plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'start_date’ and 'end_date' parameters in all versions up to, and including, 4.74 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woocommerce Digital Content Delivery With Drm Flickrocket

CVE-2024-12438

MEDIUM CVSS 6.1 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-06-05

CVE-2024-12073 - Meteor Slides Plugin

The Meteor Slides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slide_url_value' parameter in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Meteor Slides

CVE-2024-12073

MEDIUM CVSS 6.4 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-11887 - Geo Targetly Geo Content Plugin

The Geo Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'geotargetlygeocontent' shortcode in all versions up to, and including, 6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Geo Targetly Geo Content

CVE-2024-11887

MEDIUM CVSS 6.4 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-12384 - Woo Binary Mlm Plugin

The Binary MLM Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page’ parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woo Binary Mlm

CVE-2024-12384

MEDIUM CVSS 6.1 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-12383 - Woo Binary Mlm Plugin

The Binary MLM Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'bmw_display_pv_set_page' function and insufficient input sanitization and output escaping of the 'product_points' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Woo Binary Mlm

CVE-2024-12383

MEDIUM CVSS 6.1 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-12261 - Smartemailing Plugin

The SmartEmailing.cz plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'se-lists-updated' parameter in all versions up to, and including, 2.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Smartemailing

CVE-2024-12261

MEDIUM CVSS 6.1 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-11756 - Sweepwidget Plugin

The SweepWidget Contests, Giveaways, Photo Contests, Competitions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sweepwidget' shortcode in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sweepwidget

CVE-2024-11756

MEDIUM CVSS 6.4 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-11749 - App Embed Plugin

The App Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appizy' shortcode in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN App Embed

CVE-2024-11749

MEDIUM CVSS 6.4 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-11369 - Gift Cards For Woocommerce Plugin

The Store credit / Gift cards for woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'coupon', 'start_date', and 'end_date' parameters in all versions up to, and including, 1.0.49.46 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Gift Cards For Woocommerce

CVE-2024-11369

MEDIUM CVSS 6.1 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-06-12

CVE-2024-11606 - Tabs Shortcode Plugin

The Tabs Shortcode WordPress plugin through 2.0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Tabs Shortcode

CVE-2024-11606

MEDIUM CVSS 5.3 2025-01-07
Open Full Technical Breakdown
Threat Entry Updated 2025-01-07

CVE-2024-10536 - Post Block Plugin

The FancyPost – Best Ultimate Post Block, Post Grid, Layouts, Carousel, Slider For Gutenberg & Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the handle_block_shortcode_export() function in all versions up to, and including, 6.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export shortcodes.

PLUGIN Post Block

CVE-2024-10536

MEDIUM CVSS 4.3 2025-01-07
Open Full Technical Breakdown
Scroll to top