Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 4641-4660 of 10866 records
Threat Entry Updated 2025-08-11

CVE-2024-12047 - Wp Compress Plugin

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘custom_server’ parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Compress

CVE-2024-12047

MEDIUM CVSS 6.1 2025-01-04
Threat Entry Updated 2025-06-05

CVE-2024-12545 - Scratch Win Plugin

The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin’s installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Scratch Win

CVE-2024-12545

MEDIUM CVSS 5.4 2025-01-04
Threat Entry Updated 2025-03-31

CVE-2024-11974 - Media Library Assistant Plugin

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'smc_settings_tab', 'unattachfixit-action', and 'woofixit-action' parameters in all versions up to, and including, 3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Media Library Assistant

CVE-2024-11974

MEDIUM CVSS 6.1 2025-01-04
Threat Entry Updated 2025-01-03

CVE-2024-12237 - Wp Responsive Photo Gallery Plugin

The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.15 via the rjg_get_youtube_info_justified_gallery_callback function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to retrieve limited information from internal services.

PLUGIN Wp Responsive Photo Gallery

CVE-2024-12237

MEDIUM CVSS 4.3 2025-01-03
Threat Entry Updated 2025-02-05

CVE-2024-12132 - Wp Job Portal Plugin

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker.

PLUGIN Wp Job Portal

CVE-2024-12132

MEDIUM CVSS 4.3 2025-01-03
Threat Entry Updated 2025-01-02

CVE-2024-56302 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ConvertCalculator ConvertCalculator for WordPress allows Stored XSS. This issue affects ConvertCalculator for WordPress: from n/a through 1.1.1.

CORE WordPress Core

CVE-2024-56302

MEDIUM CVSS 6.5 2025-01-02
Threat Entry Updated 2025-01-02

CVE-2024-56245 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS. This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.42.

CORE WordPress Core

CVE-2024-56245

MEDIUM CVSS 6.5 2025-01-02
Threat Entry Updated 2025-01-02

CVE-2023-46644 - WordPress CTA Plugin

Missing Authorization vulnerability in WP CTA PRO WordPress CTA allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress CTA: from n/a through 1.5.8.

PLUGIN WordPress CTA

CVE-2023-46644

MEDIUM CVSS 6.5 2025-01-02
Threat Entry Updated 2025-01-02

CVE-2023-45636 - WordPress Backup & Migration Plugin

Missing Authorization vulnerability in WebToffee WordPress Backup & Migration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Backup & Migration: from n/a through 1.4.1.

PLUGIN WordPress Backup & Migration

CVE-2023-45636

MEDIUM CVSS 5.4 2025-01-02
Threat Entry Updated 2025-06-05

CVE-2024-11357 - Goodlayers Core Plugin

The goodlayers-core WordPress plugin before 2.0.10 does not sanitise and escape some of its settings, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Goodlayers Core

CVE-2024-11357

MEDIUM CVSS 5.9 2025-01-02
Threat Entry Updated 2025-06-12

CVE-2024-12595 - Ahathat Plugin

The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

PLUGIN Ahathat

CVE-2024-12595

MEDIUM CVSS 4.7 2025-01-02
Threat Entry Updated 2025-06-24

CVE-2024-11184 - Wp Enable Svg Plugin

The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing authors and above to upload SVGs containing malicious scripts.

PLUGIN Wp Enable Svg

CVE-2024-11184

MEDIUM CVSS 4.8 2025-01-02
Threat Entry Updated 2025-04-18

CVE-2024-12238 - Ninja Forms Plugin

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.22. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

PLUGIN Ninja Forms

CVE-2024-12238

MEDIUM CVSS 6.3 2024-12-29
Threat Entry Updated 2025-05-14

CVE-2024-11644 - Wp Svg Plugin

The WP-SVG WordPress plugin through 0.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Wp Svg

CVE-2024-11644

MEDIUM CVSS 5.9 2024-12-27
Threat Entry Updated 2025-05-14

CVE-2024-11921 - Before 3 Plugin

The GiveWP WordPress plugin before 3.19.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 3

CVE-2024-11921

MEDIUM CVSS 4.8 2024-12-27
Threat Entry Updated 2025-06-12

CVE-2024-11645 - Float Block Plugin

The float block WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Float Block

CVE-2024-11645

MEDIUM CVSS 4.8 2024-12-27
Threat Entry Updated 2025-06-12

CVE-2024-11605 - Wp Publications Plugin

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Wp Publications

CVE-2024-11605

MEDIUM CVSS 4.8 2024-12-27
Threat Entry Updated 2025-05-08

CVE-2024-11223 - Before 1 Plugin

The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2024-11223

MEDIUM CVSS 4.7 2024-12-26
Threat Entry Updated 2025-05-14

CVE-2024-10903 - Broken Link Checker Plugin

The Broken Link Checker WordPress plugin before 2.4.2 does not validate the link URLs before making a request to them, which could allow admin users to perform SSRF attacks, for example on a multisite installation.

PLUGIN Broken Link Checker

CVE-2024-10903

MEDIUM CVSS 4.7 2024-12-26