
Live Vulnerability Intelligence

Threat Database

Showing 4621-4640 of 10866 records
Threat Entry Updated 2025-01-07

CVE-2024-12541 - Chative Live Chat And Chatbot Plugin

The Chative Live chat and Chatbot plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the add_chative_widget_action() function. This makes it possible for unauthenticated attackers to change the channel ID or organization ID via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This could lead to redirecting the live chat widget to an attacker-controlled channel.

PLUGIN Chative Live Chat And Chatbot

CVE-2024-12541

MEDIUM CVSS 5.4 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12559 - Clickdesigns Plugin

The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesigns_add_api' and the 'clickdesigns_remove_api' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to modify or remove the plugin's API key.

PLUGIN Clickdesigns

CVE-2024-12559

MEDIUM CVSS 5.3 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12419 - Cf7 Styler Plugin

The The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. Version 1.7.0 patched the Reflected XSS issue, however, the arbitrary shortcode execution issue remains.

PLUGIN Cf7 Styler

CVE-2024-12419

MEDIUM CVSS 6.5 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12528 - Wp Survey And Poll Plugin

The WordPress Survey & Poll – Quiz, Survey and Poll Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsurveypoll_results' shortcode in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Survey And Poll

CVE-2024-12528

MEDIUM CVSS 6.4 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12538 - Duplicate Pp Plugin

The Duplicate Post, Page and Any Custom Post plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.3 via the 'dpp_duplicate_as_draft' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract potentially sensitive data from draft, scheduled (future), private, and password protected posts.

PLUGIN Duplicate Pp

CVE-2024-12538

MEDIUM CVSS 4.3 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-11934 - Formaloo Form Builder Plugin

The Formaloo Form Maker & Customer Analytics for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘address’ parameter in all versions up to, and including, 2.1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Formaloo Form Builder

CVE-2024-11934

MEDIUM CVSS 6.4 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-11899 - Slider Pro Lite Plugin

The Slider Pro Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sliderpro' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slider Pro Lite

CVE-2024-11899

MEDIUM CVSS 6.4 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-11777 - Sell Media Plugin

The Sell Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sell_media_search_form_gutenberg' shortcode in all versions up to, and including, 2.5.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sell Media

CVE-2024-11777

MEDIUM CVSS 6.4 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-12098 - Ars Affiliate Page Plugin

The ARS Affiliate Page Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'utm_keyword' parameter in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Ars Affiliate Page

CVE-2024-12098

MEDIUM CVSS 6.1 2025-01-07
Threat Entry Updated 2025-01-07

CVE-2024-11437 - Timeline Designer Plugin

The Timeline Designer plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Timeline Designer

CVE-2024-11437

MEDIUM CVSS 4.9 2025-01-07
Threat Entry Updated 2025-05-14

CVE-2024-12302 - Icegram Engage Plugin

The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its Campaign settings, which could allow authors and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Icegram Engage

CVE-2024-12302

MEDIUM CVSS 6.1 2025-01-06
Threat Entry Updated 2025-05-14

CVE-2024-11849 - Before 3 Plugin

The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 3

CVE-2024-11849

MEDIUM CVSS 6.1 2025-01-06
Threat Entry Updated 2025-06-05

CVE-2024-11356 - Before 5 Plugin

The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

PLUGIN Before 5

CVE-2024-11356

MEDIUM CVSS 6.1 2025-01-06
Threat Entry Updated 2025-02-25

CVE-2024-12475 - Wp Multi Store Locator Plugin

The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Multi Store Locator

CVE-2024-12475

MEDIUM CVSS 6.4 2025-01-04
Threat Entry Updated 2025-08-12

CVE-2024-12279 - Wp Social Autoconnect Plugin

The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Social Autoconnect

CVE-2024-12279

MEDIUM CVSS 6.1 2025-01-04
Threat Entry Updated 2025-02-05

CVE-2024-12195 - Wp Project Manager Plugin

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, who have been granted access to a project, to append additional SQL queries into already existing queries that can be used…

PLUGIN Wp Project Manager

CVE-2024-12195

MEDIUM CVSS 6.5 2025-01-04
Threat Entry Updated 2025-01-04

CVE-2024-12221 - Weaver For Bbpress Plugin

The Turnkey bbPress by WeaverTheme plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘_wpnonce’ parameter in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Weaver For Bbpress

CVE-2024-12221

MEDIUM CVSS 6.1 2025-01-04
Threat Entry Updated 2025-02-25

CVE-2024-11930 - Taskbuilder Plugin

The Taskbuilder – WordPress Project & Task Management plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppm_tasks shortcode in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Taskbuilder

CVE-2024-11930

MEDIUM CVSS 6.4 2025-01-04
Threat Entry Updated 2025-01-04

CVE-2024-12701 - Import Any Xml File To Wordpress Plugin

The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Import Any Xml File To Wordpress

CVE-2024-12701

MEDIUM CVSS 6.1 2025-01-04