Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 4841-4860 of 10866 records
Threat Entry Updated 2024-12-13

CVE-2024-12579 - Minify Html Plugin

The Minify HTML plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 2.1.10. This is due to processing user-supplied input as a regular expression. This makes it possible for unauthenticated attackers to create comments that can cause catastrophic backtracking and break pages.

PLUGIN Minify Html

CVE-2024-12579

MEDIUM CVSS 5.3 2024-12-13
Open Full Technical Breakdown
Threat Entry Updated 2024-12-13

CVE-2024-11767 - Newsmanapp Plugin

The NewsmanApp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'newsman_subscribe_widget' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Newsmanapp

CVE-2024-11767

MEDIUM CVSS 6.4 2024-12-13
Open Full Technical Breakdown
Threat Entry Updated 2024-12-13

CVE-2024-12572 - Hello In All Languages Plugin

The Hello In All Languages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Hello In All Languages

CVE-2024-12572

MEDIUM CVSS 6.1 2024-12-13
Open Full Technical Breakdown
Threat Entry Updated 2024-12-12

CVE-2024-12271 - 360deg Javascript Viewer Plugin

The 360 Javascript Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ref’ parameter in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN 360deg Javascript Viewer

CVE-2024-12271

MEDIUM CVSS 4.4 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2024-12-12

CVE-2024-12333 - Woodmart Theme

The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_instagram_ajax_query AJAX action. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

THEME Woodmart

CVE-2024-12333

MEDIUM CVSS 6.5 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2024-12-12

CVE-2024-11760 - Pro Plugin

The Currency Converter Widget ⚡ PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'currency-converter-widget-pro' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pro

CVE-2024-11760

MEDIUM CVSS 6.4 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2024-12-12

CVE-2024-12160 - Seraphinite Discount For Woocommerce Plugin

The Seraphinite Bulk Discounts for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Seraphinite Discount For Woocommerce

CVE-2024-12160

MEDIUM CVSS 6.1 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-06-05

CVE-2024-12329 - Essential Real Estate Plugin

The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs

PLUGIN Essential Real Estate

CVE-2024-12329

MEDIUM CVSS 4.3 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2024-12-12

CVE-2024-11727 - Floating Notification Top Bar Plugin

The NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content settings for notifications in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has…

PLUGIN Floating Notification Top Bar

CVE-2024-11727

MEDIUM CVSS 4.4 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-27

CVE-2024-12201 - Hash Form Plugin

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check when creating form styles in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create new form styles.

PLUGIN Hash Form

CVE-2024-12201

MEDIUM CVSS 4.3 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-07-14

CVE-2024-11724 - Wp Cookie Consent Plugin

The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts.

PLUGIN Wp Cookie Consent

CVE-2024-11724

MEDIUM CVSS 4.3 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-06-05

CVE-2024-11181 - Greenshift Animation And Page Builder Blocks Plugin

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 9.9.9.3 via the 'wp_reusable_render' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

PLUGIN Greenshift Animation And Page Builder Blocks

CVE-2024-11181

MEDIUM CVSS 4.3 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2024-10784 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Tile Gallery' widget in all versions up to, and including, 1.5.126 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Unlimited Elements For Elementor

CVE-2024-10784

MEDIUM CVSS 6.4 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-04-11

CVE-2024-10583 - Popup Maker Plugin

The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_title’ parameter in all versions up to, and including, 1.20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Popup Maker

CVE-2024-10583

MEDIUM CVSS 5.4 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2024-12-12

CVE-2024-12265 - Web3 Crypto Payments By Depay For Woocommerce Plugin

The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint in all versions up to, and including, 2.12.17. This makes it possible for unauthenticated attackers to retrieve debug infromation.

PLUGIN Web3 Crypto Payments By Depay For Woocommerce

CVE-2024-12265

MEDIUM CVSS 5.3 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-9881 - Before 4 Plugin

The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-9881

MEDIUM CVSS 4.8 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-9641 - Luckywp Table Of Contents Plugin

The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Luckywp Table Of Contents

CVE-2024-9641

MEDIUM CVSS 4.8 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-9428 - Popup Builder Plugin

The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Popup Builder

CVE-2024-9428

MEDIUM CVSS 4.8 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2024-12-12

CVE-2024-12072 - Google Analytics Made Easy Plugin

The Analytics Cat – Google Analytics Made Easy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute if they can successfully trick a user into performing an action, such as clicking on a specially crafted link.

PLUGIN Google Analytics Made Easy

CVE-2024-12072

MEDIUM CVSS 6.1 2024-12-12
Open Full Technical Breakdown
Threat Entry Updated 2025-07-02

CVE-2024-12255 - Accept Stripe Payments Using Contact Form 7 Plugin

The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via the cf7sa-info.php file that returns phpinfo() data. This makes it possible for unauthenticated attackers to extract configuration information that can be leveraged in another attack.

PLUGIN Accept Stripe Payments Using Contact Form 7

CVE-2024-12255

MEDIUM CVSS 5.3 2024-12-12
Open Full Technical Breakdown
Scroll to top