Threat Database

Showing 5061-5080 of 10866 records
Threat Entry Updated 2025-05-15

CVE-2024-10896 - Logo Slider Plugin

The Logo Slider WordPress plugin before 4.5.0 does not sanitise and escape some of its Logo and Slider settings, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Logo Slider

CVE-2024-10896

MEDIUM CVSS 5.4 2024-11-28
Threat Entry Updated 2025-05-15

CVE-2024-10493 - Element Pack Elementor Addons Plugin

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) WordPress plugin before 5.10.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Element Pack Elementor Addons

CVE-2024-10493

MEDIUM CVSS 5.4 2024-11-28
Threat Entry Updated 2025-06-09

CVE-2024-10510 - Adbuddy Adblocker Detection Plugin

The adBuddy+ (AdBlocker Detection) by NetfunkDesign WordPress plugin through 1.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Adbuddy Adblocker Detection

CVE-2024-10510

MEDIUM CVSS 4.8 2024-11-28
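
The two "settings" entries above (Logo Slider, adBuddy+) share one root cause: an option is saved from the settings screen and later echoed without sanitisation or escaping, so the unfiltered_html restriction that normally protects multisite and non-superadmin users does not apply. The following is an added example, not code from either plugin, showing the vulnerable pattern and a hardened one built on register_setting() with a sanitize_callback plus context-specific escaping on output. All hypo_* names and the option layout are hypothetical.

```php
<?php
// Added example (not adBuddy+ or Logo Slider code). Option name, fields and
// function names (hypo_*) are hypothetical.

// Vulnerable pattern: the option is stored as submitted and echoed as-is.
// A site admin without unfiltered_html (e.g. on multisite) can still store
// <script> in the message and it runs for every visitor.
function hypo_vuln_render_banner() {
    $opts = get_option( 'hypo_banner' );
    echo '<div class="banner" style="color:' . $opts['color'] . '">'
       . '<a href="' . $opts['url'] . '">' . $opts['message'] . '</a></div>';
}

// Hardened: clean on save, escape on output.
function hypo_sanitize_banner( $input ) {
    $clean = array();
    // Message: only the HTML that WordPress allows in post content.
    $clean['message'] = wp_kses_post( $input['message'] ?? '' );
    // Colour: must be a hex colour, otherwise fall back to a default.
    $clean['color'] = sanitize_hex_color( $input['color'] ?? '' ) ?: '#000000';
    // Link: only http/https survive (javascript: and data: are dropped).
    $clean['url'] = esc_url_raw( $input['url'] ?? '', array( 'http', 'https' ) );
    return $clean;
}

function hypo_register_settings() {
    register_setting(
        'hypo_options_group',
        'hypo_banner',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'hypo_sanitize_banner', // runs on every update_option()
            'default'           => array( 'message' => '', 'color' => '#000000', 'url' => '' ),
        )
    );
}
add_action( 'admin_init', 'hypo_register_settings' );

function hypo_render_banner() {
    $opts = get_option( 'hypo_banner' );
    // Escape for the context the value lands in: CSS/attribute, URL, HTML body.
    printf(
        '<div class="banner" style="color:%s"><a href="%s">%s</a></div>',
        esc_attr( $opts['color'] ),
        esc_url( $opts['url'] ),
        wp_kses_post( $opts['message'] )
    );
}
```

The sanitize_callback is the part that removes the dependency on unfiltered_html: it runs inside update_option() regardless of who submitted the form, so a compromised or restricted administrator account cannot persist script through the settings page.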
Threat Entry Updated 2024-11-28

CVE-2024-11918 - Image Alt Text Plugin

The Image Alt Text plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the iat_add_alt_txt_action and iat_update_alt_txt_action AJAX actions in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the alt text on arbitrary images.

PLUGIN Image Alt Text

CVE-2024-11918

MEDIUM CVSS 4.3 2024-11-28
Threat Entry Updated 2025-05-15

CVE-2024-10473 - Logo Slider Plugin

The Logo Slider WordPress plugin before 4.5.0 does not sanitise and escape some of its Logo Settings when outputting them in pages where the Logo Slider shortcode is embedded, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks.

PLUGIN Logo Slider

CVE-2024-10473

MEDIUM CVSS 5.4 2024-11-28
Threat Entry Updated 2024-11-27

CVE-2024-11009 - Automatic Internal Links For Seo Plugin

The Internal Linking for SEO traffic & Ranking – Auto internal links (100% automatic) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘post_id’ parameter in all versions up to, and including, 1.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Automatic Internal Links For Seo

CVE-2024-11009

MEDIUM CVSS 4.9 2024-11-27
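
The description above names the two ingredients of a time-based injection: a user-supplied post_id that is interpolated into an existing query without escaping, and no use of prepared statements. The following is an added example, not the plugin's own code, showing that query shape and its prepared form with $wpdb->prepare(). The table name and hypo_* functions are hypothetical.

```php
<?php
// Added example, not the Internal Linking for SEO plugin's code. Table and
// function names (hypo_*) are hypothetical.

// Vulnerable: post_id is interpolated into the SQL. A value such as
// "1 AND SLEEP(5)" is valid MySQL, and the response delay lets an attacker
// extract data one boolean condition at a time without any visible output.
function hypo_vuln_get_links( $post_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypo_links';
    return $wpdb->get_results(
        "SELECT keyword, target FROM {$table} WHERE post_id = {$post_id}"
    );
}

// Hardened: validate the type, then bind through $wpdb->prepare().
// %d forces an integer, %s a quoted and escaped string. The table name is
// built from $wpdb->prefix, never from request data.
function hypo_get_links( $post_id ) {
    global $wpdb;
    $post_id = absint( $post_id );
    if ( 0 === $post_id ) {
        return array();
    }
    $table = $wpdb->prefix . 'hypo_links';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT keyword, target FROM {$table} WHERE post_id = %d", $post_id )
    );
}

// Strings used in LIKE need two steps: esc_like() neutralises % and _ as
// wildcards, prepare() then quotes and escapes the whole value.
function hypo_search_keywords( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'hypo_links';
    $like  = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT keyword, target FROM {$table} WHERE keyword LIKE %s", $like )
    );
}
```

The Administrator-only reachability is why this scores 4.9 rather than higher, but it does not make the query safe: an integer cast or %d placeholder costs nothing and removes the class of bug entirely.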
Threat Entry Updated 2025-03-19

CVE-2024-10521 - Wordpress Contact Forms Plugin

The WordPress Contact Forms by Cimatti plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on the process_bulk_action function. This makes it possible for unauthenticated attackers to delete forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wordpress Contact Forms

CVE-2024-10521

MEDIUM CVSS 4.3 2024-11-27
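
The entry above describes the standard WordPress CSRF shape: a state-changing admin handler (here a bulk delete) that does not verify a nonce, so an attacker only needs an administrator to load a page that submits the request. The following is an added example, not the Cimatti plugin's code, showing a bulk-action handler without and with nonce verification. The hypo_* names and the storage model are hypothetical.

```php
<?php
// Added example, not WordPress Contact Forms by Cimatti code. Function names
// (hypo_*) and the form storage (a custom post type) are hypothetical.

// Vulnerable: any request carrying action=delete&ids[]=... deletes forms.
// A logged-in administrator who visits an attacker's page can be made to
// send exactly that request (auto-submitted form or image/link).
function hypo_vuln_process_bulk_action() {
    if ( isset( $_REQUEST['action'] ) && 'delete' === $_REQUEST['action'] ) {
        foreach ( (array) $_REQUEST['ids'] as $id ) {
            hypo_delete_form( (int) $id );
        }
    }
}

// Hardened: the form carries a nonce tied to the user and action, the handler
// verifies it, and the capability is checked as well. A nonce proves the
// request came from a page we rendered; it is not an authorization check.
function hypo_render_bulk_form() {
    echo '<form method="post">';
    wp_nonce_field( 'hypo_bulk_forms', 'hypo_nonce' );
    echo '<input type="hidden" name="action" value="delete">';
    echo '<label><input type="checkbox" name="ids[]" value="12"> Form 12</label>';
    submit_button( 'Delete selected' );
    echo '</form>';
}

function hypo_process_bulk_action() {
    if ( ! isset( $_POST['action'] ) || 'delete' !== $_POST['action'] ) {
        return;
    }
    // Dies with "The link you followed has expired." when the nonce is
    // missing, expired, or was issued for a different user or action.
    check_admin_referer( 'hypo_bulk_forms', 'hypo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    $ids = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );
    foreach ( array_filter( $ids ) as $id ) {
        hypo_delete_form( $id );
    }
}

function hypo_delete_form( $id ) {
    wp_delete_post( $id, true ); // hypothetical: forms stored as posts
}
```

For row-level links (a single "Delete" action in a list table) the equivalent is wp_nonce_url() on the link and the same check_admin_referer() in the handler; GET handlers without a nonce are forgeable with a plain image tag.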
Threat Entry Updated 2024-11-27

CVE-2024-10895 - Wp Counter Up Plugin

The Counter Up – Animated Number Counter & Milestone Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lgx-counter' shortcode in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Counter Up

CVE-2024-10895

MEDIUM CVSS 6.4 2024-11-27
Threat Entry Updated 2024-11-27

CVE-2024-10175 - Pricing Tables For Visual Composer Plugin

The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wdo_pricing_tables shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pricing Tables For Visual Composer

CVE-2024-10175

MEDIUM CVSS 6.4 2024-11-27
Threat Entry Updated 2024-11-27

CVE-2024-10580 - Wordpress Popup Plugin

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms.

PLUGIN Wordpress Popup

CVE-2024-10580

MEDIUM CVSS 5.3 2024-11-27
Threat Entry Updated 2025-07-14

CVE-2024-11219 - Otter Blocks Plugin

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.0.6 via the get_image function. This makes it possible for unauthenticated attackers to view arbitrary images on the server, which can contain sensitive information.

PLUGIN Otter Blocks

CVE-2024-11219

MEDIUM CVSS 5.3 2024-11-27
Threat Entry Updated 2025-06-05

CVE-2024-11083 - Profilepress Plugin

The ProfilePress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.15.18 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.

PLUGIN Profilepress

CVE-2024-11083

MEDIUM CVSS 5.3 2024-11-27
Threat Entry Updated 2025-07-09

CVE-2024-10878 - Sugar Calendar Plugin

The Sugar Calendar – Simple Event Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.3.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Sugar Calendar

CVE-2024-10878

MEDIUM CVSS 6.1 2024-11-26
Threat Entry Updated 2025-04-21

CVE-2024-8236 - Website Builder Plugin

The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter of the Icon widget in all versions up to, and including, 3.25.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Website Builder

CVE-2024-8236

MEDIUM CVSS 6.4 2024-11-26
Threat Entry Updated 2025-01-09

CVE-2024-8899 - Jeg Elementor Kit Plugin

The Jeg Elementor Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the render_content function in class/elements/views/class-tabs-view.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Jeg Elementor Kit

CVE-2024-8899

MEDIUM CVSS 4.3 2024-11-26
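
Both ProfilePress (restricted posts leaking through core search) and Jeg Elementor Kit (private, pending and draft templates rendered for contributors) are information exposure through a missing status or read-capability check. The following is an added example, not code from either plugin, showing a template renderer that honours post status and current_user_can('read_post'), plus a pre_get_posts filter that keeps restricted content out of search results. The post type, meta key and hypo_* names are hypothetical.

```php
<?php
// Added example, not Jeg Elementor Kit or ProfilePress code. Post type
// 'hypo_template', meta key '_hypo_restricted' and hypo_* names are hypothetical.

// Vulnerable: any ID is loaded and rendered, so a contributor can read another
// user's draft or private template by guessing its ID.
function hypo_vuln_render_template( $template_id ) {
    $post = get_post( (int) $template_id );
    return $post ? $post->post_content : '';
}

// Hardened.
function hypo_render_template( $template_id ) {
    $post = get_post( absint( $template_id ) );
    if ( ! $post || 'hypo_template' !== $post->post_type ) {
        return '';
    }
    // Anything not published is visible only to a user who may read that
    // post: its author, or a role with read_private_posts / edit_others_posts.
    // map_meta_cap() resolves 'read_post' per post status, so one call covers
    // private, pending and draft.
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        return '';
    }
    if ( post_password_required( $post ) ) {
        return '';
    }
    return apply_filters( 'the_content', $post->post_content );
}

// Content a plugin restricts by role must also be excluded from core search,
// otherwise the excerpt and title leak through the search results page.
add_action( 'pre_get_posts', function ( $query ) {
    if ( is_admin() || ! $query->is_main_query() || ! $query->is_search() ) {
        return;
    }
    if ( current_user_can( 'read_private_posts' ) ) {
        return;
    }
    $meta   = (array) $query->get( 'meta_query' );
    $meta[] = array(
        'key'     => '_hypo_restricted', // hypothetical marker on restricted posts
        'compare' => 'NOT EXISTS',
    );
    $query->set( 'meta_query', $meta );
} );
```

The search filter is the part plugins most often forget: a capability check on the single-post template does nothing for the excerpt that WP_Query already returned for the search page.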
Threat Entry Updated 2024-11-26

CVE-2024-10579 - Wordpress Popup Plugin

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the preview_module() function in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view unpublished forms.

PLUGIN Wordpress Popup

CVE-2024-10579

MEDIUM CVSS 4.3 2024-11-26
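
Three entries on this page (Image Alt Text, and the two Hustle submit_form/preview_module issues) are missing capability checks on admin-ajax.php actions: registered under wp_ajax_ (any logged-in user) or wp_ajax_nopriv_ (anyone), with no check that the caller may act on the object. The following is an added example, not code from either plugin, showing an alt-text update handler without and with a nonce, a per-object capability check, and a status check for a deliberately public endpoint. The hypo_* names are hypothetical.

```php
<?php
// Added example, not Image Alt Text or Hustle code. Action and function
// names (hypo_*) are hypothetical.

// Vulnerable: every logged-in user (subscriber and above) can reach
// admin-ajax.php, so any of them can change the alt text of any attachment.
function hypo_vuln_update_alt() {
    $id  = (int) $_POST['attachment_id'];
    $alt = $_POST['alt'];
    update_post_meta( $id, '_wp_attachment_image_alt', $alt );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypo_vuln_update_alt', 'hypo_vuln_update_alt' );

// Hardened.
function hypo_update_alt() {
    // 1. CSRF: the request must carry a nonce issued to this user
    //    (check_ajax_referer() dies on failure).
    check_ajax_referer( 'hypo_alt_nonce', 'nonce' );

    $id  = absint( $_POST['attachment_id'] ?? 0 );
    $alt = sanitize_text_field( wp_unslash( $_POST['alt'] ?? '' ) );

    // 2. The object exists and is the type we expect.
    if ( ! $id || 'attachment' !== get_post_type( $id ) ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }
    // 3. Authorization on this object, not a bare role check: edit_post
    //    resolves to edit_others_posts when the caller is not the author.
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_post_meta( $id, '_wp_attachment_image_alt', $alt );
    wp_send_json_success( array( 'id' => $id, 'alt' => $alt ) );
}
add_action( 'wp_ajax_hypo_update_alt', 'hypo_update_alt' );
// No wp_ajax_nopriv_ registration: unauthenticated callers get no handler.

// An endpoint that is intentionally public (form submissions from visitors)
// still needs an object-state check: only published forms may be submitted
// or previewed by anonymous callers.
function hypo_public_submit() {
    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( 'publish' !== get_post_status( $form_id ) ) {
        wp_send_json_error( 'form not available', 404 );
    }
    // ... validate fields and store the submission (hypothetical) ...
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_hypo_submit', 'hypo_public_submit' );
add_action( 'wp_ajax_hypo_submit', 'hypo_public_submit' );
```

The nonce and the capability check answer different questions (did this request come from our page, and may this user touch this object); a handler needs both, and the second must be scoped to the specific object ID rather than to "is logged in".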
Threat Entry Updated 2025-01-09

CVE-2024-10308 - Jeg Elementor Kit Plugin

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's JKit - Countdown widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jeg Elementor Kit

CVE-2024-10308

MEDIUM CVSS 6.4 2024-11-26
Threat Entry Updated 2024-11-26

CVE-2024-11032 - Wp Parsidate Plugin

The Parsi Date plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.1.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Parsidate

CVE-2024-11032

MEDIUM CVSS 6.1 2024-11-26
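
Sugar Calendar and Parsi Date above are the same reflected XSS pattern: add_query_arg() (and remove_query_arg()) called without a base URL builds on $_SERVER['REQUEST_URI'], and the result is printed into an attribute without esc_url(). Because WordPress rebuilds the query string without URL-encoding it, characters such as " and > that the attacker puts in the request come back out intact. The following is an added example, not code from either plugin, showing the unescaped and escaped forms. The hypo_* names are hypothetical.

```php
<?php
// Added example, not Sugar Calendar or Parsi Date code. Function names
// (hypo_*) are hypothetical.

// Vulnerable: the current request URI, including anything the attacker
// appended to it, is echoed into an href unescaped. A constructed request
//   GET /calendar/?a=1"><script>alert(1)</script>
// yields an href that closes the attribute and injects the script.
function hypo_vuln_month_nav( $month ) {
    $url = add_query_arg( 'month', $month );
    echo '<a href="' . $url . '">Next month</a>';
}

// Hardened: escape at the point of output. esc_url() percent-encodes quotes
// and angle brackets and rejects javascript:/data: schemes.
function hypo_month_nav( $month ) {
    $month = absint( $month );
    $url   = add_query_arg( 'month', $month );
    echo '<a href="' . esc_url( $url ) . '">Next month</a>';
}

// When the URL goes into a header or database rather than HTML, use
// esc_url_raw(); for redirects, wp_safe_redirect() also pins the host.
function hypo_redirect_to_month( $month ) {
    $url = add_query_arg( 'month', absint( $month ), home_url( '/calendar/' ) );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}
```

Passing an explicit base URL (home_url(), admin_url(), or a known page) removes the REQUEST_URI dependency, but esc_url() on output is still required because the value can carry other user input.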
Threat Entry Updated 2025-02-05

CVE-2024-9170 - Booster For Woocommerce Plugin

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wcj_product_meta shortcode in all versions up to, and including, 7.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Booster For Woocommerce

CVE-2024-9170

MEDIUM CVSS 5.5 2024-11-26
Threat Entry Updated 2024-11-26

CVE-2024-11192 - Spotify Play Button For Wordpress Plugin

The Spotify Play Button for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's spotifyplaybutton shortcode in all versions up to, and including, 2.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Spotify Play Button For Wordpress

CVE-2024-11192

MEDIUM CVSS 6.4 2024-11-26
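
Most of the stored XSS entries on this page (Counter Up, Pricing Tables, Jeg Elementor Kit Countdown, Booster for WooCommerce, Spotify Play Button, and the Logo Slider and Element Pack block/shortcode cases) are one bug: shortcode or block attributes written into HTML without escaping. A contributor cannot post raw script because of unfiltered_html, but the plugin renders the attribute values itself, so that restriction never applies. The same holds for a URL-type widget setting such as the Elementor Icon widget's url parameter. The following is an added example, not code from any plugin listed here, showing a raw shortcode handler and a hardened one that whitelists attributes with shortcode_atts() and escapes each value for the context it lands in. The hypo_* names and attribute set are hypothetical.

```php
<?php
// Added example, not code from any plugin on this page. Shortcode name,
// attributes and function names (hypo_*) are hypothetical.

// Vulnerable: [hypo_vuln_counter end="100" title="..." link="..."] with
//   title='"><script>alert(1)</script>'  or  link='javascript:alert(1)'
// is written to the page exactly as the contributor typed it.
function hypo_vuln_counter( $atts ) {
    return '<div class="counter" data-end="' . $atts['end'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a></div>';
}
add_shortcode( 'hypo_vuln_counter', 'hypo_vuln_counter' );

// Hardened.
function hypo_counter( $atts ) {
    // shortcode_atts() drops attributes we did not declare and fills defaults.
    $atts = shortcode_atts(
        array(
            'end'   => 0,
            'title' => '',
            'link'  => '',
            'align' => 'left',
            'color' => '',
        ),
        $atts,
        'hypo_counter'
    );

    // Validate or escape each value for where it is used.
    $end   = absint( $atts['end'] );                               // numeric only
    $title = esc_html( $atts['title'] );                           // text node
    $link  = esc_url( $atts['link'], array( 'http', 'https' ) );  // href, safe schemes only
    $align = in_array( $atts['align'], array( 'left', 'center', 'right' ), true )
        ? $atts['align'] : 'left';                                 // enum, becomes a class
    $color = sanitize_hex_color( $atts['color'] );                 // CSS value
    $style = $color ? ' style="color:' . esc_attr( $color ) . '"' : '';

    $html  = '<div class="counter align-' . esc_attr( $align ) . '"'
           . ' data-end="' . esc_attr( $end ) . '"' . $style . '>';
    $html .= $link ? '<a href="' . $link . '">' . $title . '</a>' : $title;
    $html .= '</div>';
    return $html;
}
add_shortcode( 'hypo_counter', 'hypo_counter' );
```

The rule a reviewer applies to each attribute is "which context does this string land in": esc_html() for text, esc_attr() for attributes, esc_url() for href/src, wp_kses_post() only where HTML is genuinely required, and an allow-list or absint() where the value is really an enum or a number. Attribute values in a shortcode are untrusted even when the author role is trusted, because any user who can edit a post can set them.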