
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 5201-5220 of 10866 records
Threat Entry Updated 2025-01-23

CVE-2024-11069 - Wordpress Gdpr Plugin

The WordPress GDPR plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'WordPress_GDPR_Data_Delete::check_action' function in all versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to delete arbitrary users.

PLUGIN Wordpress Gdpr

CVE-2024-11069

MEDIUM CVSS 6.5 2024-11-19
Threat Entry Updated 2024-11-19

CVE-2024-11098 - Svg Block Plugin

The SVG Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Svg Block

CVE-2024-11098

MEDIUM CVSS 5.5 2024-11-19
Threat Entry Updated 2025-01-17

CVE-2024-10268 - Mp3 Audio Player For Music Radio Podcast Plugin

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sonaar_audioplayer shortcode in all versions up to, and including, 5.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mp3 Audio Player For Music Radio Podcast

CVE-2024-10268

MEDIUM CVSS 6.4 2024-11-19
Threat Entry Updated 2025-06-12

CVE-2024-10103 - Mailpoet Plugin

The MailPoet plugin for WordPress before 5.3.2 is vulnerable to Stored Cross-Site Scripting. A user with Editor-level access can embed a malicious script that executes in the browsers of other users who view the affected content, which can be used for account takeover and to plant a backdoor.

PLUGIN Mailpoet

CVE-2024-10103

MEDIUM CVSS 6.1 2024-11-19
Threat Entry Updated 2024-11-19

CVE-2024-10486 - Google Listings And Ads Plugin

The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PHP configuration, which can be used to aid other attacks.

PLUGIN Google Listings And Ads

CVE-2024-10486

MEDIUM CVSS 5.3 2024-11-18
Threat Entry Updated 2024-11-19

CVE-2024-10390 - Elfsight Telegram Chat Cc Plugin

The Elfsight Telegram Chat CC plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updatePreferences' function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elfsight Telegram Chat Cc

CVE-2024-10390

MEDIUM CVSS 6.4 2024-11-18
Threat Entry Updated 2024-11-18

CVE-2024-10592 - Mapster Wp Maps Plugin

The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup class parameter in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mapster Wp Maps

CVE-2024-10592

MEDIUM CVSS 6.4 2024-11-16
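The two shortcode and attribute entries above (CVE-2024-10268 and CVE-2024-10592) follow one pattern: attribute values a Contributor controls are concatenated into HTML without escaping, so a role that cannot post raw HTML still ends up with script on a published page. The block below is an added illustration of the pattern and of the fix, not code from either plugin; the shortcode name, attribute names and the hypothetical_* functions are assumed for the example.

```php
<?php
// Added example: a shortcode callback that echoes its attributes into HTML
// without escaping, next to a hardened version. The shortcode and attribute
// names (hypothetical_*) are assumptions for this illustration, not code from
// the plugins listed above.

// Stand-ins so the file also runs outside WordPress (`php this_file.php`).
// They are NOT WordPress's implementations; inside WordPress they are skipped.
if ( ! function_exists( 'add_shortcode' ) ) {
    function add_shortcode( $tag, $cb ) {}
    function shortcode_atts( $pairs, $atts, $shortcode = '' ) {
        return array_merge( $pairs, array_intersect_key( (array) $atts, $pairs ) );
    }
    function esc_attr( $s ) { return htmlspecialchars( (string) $s, ENT_QUOTES, 'UTF-8' ); }
    function sanitize_html_class( $s ) { return preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $s ); }
    function esc_url( $u ) { return preg_match( '#^https?://#i', $u ) ? htmlspecialchars( $u, ENT_QUOTES, 'UTF-8' ) : ''; }
}

/* ---------- Vulnerable pattern ---------- */

// A Contributor can put this into a draft and wait for it to be published:
//   [hypothetical_player class='x" onmouseover="alert(document.cookie)' title="hi"]
// Contributors lack unfiltered_html, so <script> in the post body is stripped,
// but a shortcode attribute is opaque text to WordPress and only becomes HTML
// when this callback concatenates it into markup.
function hypothetical_player_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'src' => '', 'class' => '', 'title' => '' ), $atts, 'hypothetical_player' );
    return '<div class="player ' . $atts['class'] . '" title="' . $atts['title'] . '">'
         . '<audio src="' . $atts['src'] . '" controls></audio></div>';
}
add_shortcode( 'hypothetical_player', 'hypothetical_player_vulnerable' );

/* ---------- Hardened pattern ---------- */

// Escape each value for the context it lands in (attribute, URL) and validate
// where the value has a known shape: a class list is a set of tokens, so
// anything that is not a token is simply dropped.
function hypothetical_player_safe( $atts ) {
    $atts = shortcode_atts( array( 'src' => '', 'class' => '', 'title' => '' ), $atts, 'hypothetical_player_safe' );

    $classes = array_filter( array_map( 'sanitize_html_class', preg_split( '/\s+/', (string) $atts['class'] ) ) );
    $src     = esc_url( $atts['src'] );   // '' for javascript:, data: and other disallowed schemes

    return '<div class="player ' . esc_attr( implode( ' ', $classes ) ) . '"'
         . ' title="' . esc_attr( $atts['title'] ) . '">'
         . ( '' !== $src ? '<audio src="' . $src . '" controls></audio>' : '' )
         . '</div>';
}
add_shortcode( 'hypothetical_player_safe', 'hypothetical_player_safe' );

/* ---------- Self-check (outside WordPress) ---------- */
if ( ! defined( 'ABSPATH' ) ) {
    // Constructed payload: breaks out of the class attribute, the title
    // attribute, and supplies a javascript: URL.
    $payload = array(
        'class' => 'x" onmouseover="alert(document.cookie)',
        'title' => '"><img src=x onerror=alert(1)>',
        'src'   => 'javascript:alert(1)',
    );
    echo hypothetical_player_vulnerable( $payload ), PHP_EOL;
    // -> <div class="player x" onmouseover="alert(document.cookie)" title=""><img src=x onerror=alert(1)>">...
    echo hypothetical_player_safe( $payload ), PHP_EOL;
    // -> <div class="player x onmouseoveralertdocumentcookie" title="&quot;&gt;&lt;img src=x onerror=alert(1)&gt;"></div>
}
```

The Contributor-level detail in both entries is what makes this a Medium rather than a curiosity: shortcodes are evaluated at render time, so the payload survives the post-content filtering WordPress applies to low-privilege roles and fires in the browser of whoever views the page, including the administrator who reviews the draft.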
Threat Entry Updated 2024-11-18

CVE-2024-11094 - 404 Solution Plugin

The 404 Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.35.17 via the export feature. This makes it possible for unauthenticated attackers to extract sensitive data such as redirects including GET parameters which may reveal sensitive information.

PLUGIN 404 Solution

CVE-2024-11094

MEDIUM CVSS 5.3 2024-11-16
Threat Entry Updated 2025-02-05

CVE-2024-10614 - Customer Reviews For Woocommerce Plugin

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cancel_import() function in all versions up to, and including, 5.61.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel an import or check on its status.

PLUGIN Customer Reviews For Woocommerce

CVE-2024-10614

MEDIUM CVSS 4.3 2024-11-16
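The three missing-capability-check entries above (CVE-2024-11069, CVE-2024-10390 and CVE-2024-10614) share a root cause: an action handler reachable by every logged-in user, or by anyone when it is also hooked on the nopriv action, performs a privileged operation without asking WordPress whether the caller may. The block below is an added illustration of that pattern and of the fix, not code from any of the listed plugins; the hook names, function names, option key and nonce action (hypothetical_*) are assumed for the example.

```php
<?php
// Added example: a WordPress admin-ajax handler with a missing capability
// check, next to a hardened version. The hook names, function names and the
// nonce action (hypothetical_*) are assumptions for this illustration and do
// not come from any plugin listed on this page.

/* ---------- Vulnerable pattern ---------- */

// Hooking the same callback on the "nopriv" action lets unauthenticated
// visitors reach it; even without nopriv, every Subscriber-level account can
// hit admin-ajax.php, which is the CVE-2024-10390 / CVE-2024-10614 situation.
add_action( 'wp_ajax_hypothetical_delete_user',        'hypothetical_delete_user_vulnerable' );
add_action( 'wp_ajax_nopriv_hypothetical_delete_user', 'hypothetical_delete_user_vulnerable' );

function hypothetical_delete_user_vulnerable() {
    // No capability check and no nonce: whoever can send
    //   POST /wp-admin/admin-ajax.php  action=hypothetical_delete_user&user_id=1
    // deletes that user. Only the input's type is enforced.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_send_json_success();
}

/* ---------- Hardened pattern ---------- */

// Authenticated hook only: a destructive action has no anonymous callers.
add_action( 'wp_ajax_hypothetical_delete_user_safe', 'hypothetical_delete_user_safe' );

function hypothetical_delete_user_safe() {
    // 1. Authorization: ask WordPress whether THIS user may delete users.
    //    This is the check all three entries above lack.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Anti-CSRF: a capability check alone still lets an attacker ride a
    //    logged-in administrator's browser; the nonce ties the request to a
    //    page that administrator actually loaded.
    check_ajax_referer( 'hypothetical_delete_user_nonce', 'nonce' );

    // 3. Validate the target and refuse self-deletion.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( 0 === $user_id || get_current_user_id() === $user_id ) {
        wp_send_json_error( 'invalid user', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    if ( ! wp_delete_user( $user_id ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}

// The page's JavaScript has to send the nonce as the `nonce` POST field.
// A registered script handle 'hypothetical-admin' is assumed here.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'hypothetical-admin', 'hypotheticalAjax', array(
        'nonce' => wp_create_nonce( 'hypothetical_delete_user_nonce' ),
    ) );
} );
```

The REST equivalent is the permission_callback argument of register_rest_route(); passing __return_true there is the same omission. For CVE-2024-10390, where the missing check ends in stored XSS, the capability check fixes the authorization bug, but the value the handler saves still needs escaping wherever it is output.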
Threat Entry Updated 2024-11-18

CVE-2024-9938 - Bounce Handler Mailpoet Plugin

The Bounce Handler MailPoet 3 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.3.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Bounce Handler Mailpoet

CVE-2024-9938

MEDIUM CVSS 6.1 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-9850 - Case Study Plugin

The SVG Case Study plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Case Study

CVE-2024-9850

MEDIUM CVSS 6.4 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-9386 - Exclusive Divi Plugin

The Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Exclusive Divi

CVE-2024-9386

MEDIUM CVSS 6.4 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-9615 - Bulkpress Plugin

The BulkPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.3.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Bulkpress

CVE-2024-9615

MEDIUM CVSS 6.1 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-8873 - Pepro Bacs Receipt Upload For Woocommerce Plugin

The PeproDev WooCommerce Receipt Uploader plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Pepro Bacs Receipt Upload For Woocommerce

CVE-2024-8873

MEDIUM CVSS 6.1 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-11118 - 404 Error Monitor Plugin

The 404 Error Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the updatePluginSettings() function. This makes it possible for unauthenticated attackers to make changes to plugin settings and clear all the error logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN 404 Error Monitor

CVE-2024-11118

MEDIUM CVSS 5.3 2024-11-16
Threat Entry Updated 2025-03-31

CVE-2024-6628 - Eleforms Plugin

The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.9.9.9. This is due to missing or incorrect nonce validation when deleting form submissions. This makes it possible for unauthenticated attackers to delete form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Eleforms

CVE-2024-6628

MEDIUM CVSS 4.3 2024-11-16
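The two CSRF entries above (CVE-2024-11118 and CVE-2024-6628) are the complement of the missing-capability-check class: the handler does check who the user is, but not whether that user meant to send the request. The block below is an added illustration of the pattern, the forged link, and the fix; it is not code from either plugin, and the option names, page slug and nonce action (hypothetical_*) are assumed for the example.

```php
<?php
// Added example: a settings handler with no nonce check, the link an attacker
// would send, and the hardened handler. Option names, the page slug and the
// nonce action (hypothetical_*) are assumptions for this illustration, not
// code from the plugins listed above.

/* ---------- Vulnerable pattern ---------- */

// The capability check is present and correct, and the handler is still
// exploitable: current_user_can() answers WHO the browser belongs to, not
// whether that person intended this request. Reading $_REQUEST means a plain
// GET link is enough.
function hypothetical_settings_page_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden' );
    }
    if ( isset( $_REQUEST['clear_logs'] ) ) {
        delete_option( 'hypothetical_error_log' );              // destructive
    }
    if ( isset( $_REQUEST['notify_email'] ) ) {
        update_option( 'hypothetical_notify_email', sanitize_email( wp_unslash( $_REQUEST['notify_email'] ) ) );
    }
    echo '<form method="post"><input name="notify_email"><button name="clear_logs" value="1">Clear logs</button></form>';
}

// What the attacker needs: one click by a logged-in administrator on
//   https://victim.example/wp-admin/admin.php?page=hypothetical-settings&clear_logs=1&notify_email=attacker%40evil.example
// The browser sends the administrator's auth cookies with that top-level
// navigation, so the handler above runs with full privileges.

/* ---------- Hardened pattern ---------- */

function hypothetical_settings_page_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden' );
    }
    // State changes only on POST, and only with a nonce our own form issued.
    // check_admin_referer() dies ("The link you followed has expired.") when
    // the nonce is absent, expired, or was issued to another user; an attacker
    // cannot read the value cross-origin, so cannot forge it.
    if ( 'POST' === ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        check_admin_referer( 'hypothetical_settings_save', 'hypothetical_nonce' );
        if ( isset( $_POST['clear_logs'] ) ) {
            delete_option( 'hypothetical_error_log' );
        }
        if ( isset( $_POST['notify_email'] ) ) {
            update_option( 'hypothetical_notify_email', sanitize_email( wp_unslash( $_POST['notify_email'] ) ) );
        }
    }
    echo '<form method="post">';
    wp_nonce_field( 'hypothetical_settings_save', 'hypothetical_nonce' );   // hidden nonce + referer fields
    echo '<input name="notify_email" value="' . esc_attr( get_option( 'hypothetical_notify_email', '' ) ) . '">';
    echo '<button name="clear_logs" value="1">Clear logs</button></form>';
}

add_action( 'admin_menu', function () {
    add_options_page( 'Hypothetical', 'Hypothetical', 'manage_options',
                      'hypothetical-settings', 'hypothetical_settings_page_safe' );
} );
```

Nonce and capability check are not alternatives: the first proves the request came from a page WordPress served to this user, the second proves the user is allowed to do the thing. A handler needs both, and the two entries above are what one without the first looks like.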
Threat Entry Updated 2024-11-18

CVE-2024-11092 - Svgplus Plugin

The SVGPlus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Svgplus

CVE-2024-11092

MEDIUM CVSS 6.4 2024-11-16
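Four entries above (CVE-2024-11098, CVE-2024-9850, CVE-2024-9386, CVE-2024-11092) are the same bug: the plugin lets SVG files into the media library, through the upload form or the REST media endpoint, and stores them as received. The block below is an added illustration of an upload-time sanitizer and a role gate, not code from any of the listed plugins; the sanitizer, its function name and the error strings (hypothetical_*) are assumed for the example, while the hook it uses is WordPress's own.

```php
<?php
// Added example: a minimal SVG sanitizer hooked into WordPress's upload path,
// plus a role gate for the SVG type. The hook is WordPress's; the sanitizer,
// its name and the messages are assumptions for this illustration and are not
// code from any plugin listed above.

// Why an SVG upload is a stored-XSS sink: the browser renders an SVG file as
// a full document, same-origin with the site, so each of these runs when the
// file is opened directly:
//   <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)">
//   <script>fetch('/wp-json/wp/v2/users/me')</script>
//   <a xlink:href="javascript:alert(1)"><text>click</text></a>
//   <foreignObject><body xmlns="http://www.w3.org/1999/xhtml" onload="..."/></foreignObject>

if ( ! function_exists( 'add_filter' ) ) {   // running outside WordPress: no-op stub
    function add_filter( $hook, $cb ) {}
}

function hypothetical_sanitize_svg( string $svg ): ?string {
    $prev = libxml_use_internal_errors( true );
    $dom  = new DOMDocument();
    $ok   = $dom->loadXML( $svg, LIBXML_NONET );   // NONET: no network fetches while parsing
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );

    if ( ! $ok || null === $dom->documentElement || 'svg' !== strtolower( $dom->documentElement->localName ) ) {
        return null;   // malformed, or root element is not <svg>: reject the upload
    }
    if ( null !== $dom->doctype ) {
        $dom->removeChild( $dom->doctype );       // a DOCTYPE can declare entities; drop it
    }

    $xpath  = new DOMXPath( $dom );
    $banned = array( 'script', 'foreignobject', 'iframe', 'embed', 'object' );
    $remove = array();
    foreach ( $xpath->query( '//*' ) as $el ) {
        if ( in_array( strtolower( $el->localName ), $banned, true ) ) {
            $remove[] = $el;       // collect first; removing during XPath iteration is unsafe
            continue;
        }
        // Copy the live attribute map before mutating it.
        foreach ( iterator_to_array( $el->attributes, false ) as $attr ) {
            $name  = strtolower( $attr->localName );
            $value = trim( $attr->value );
            if ( 0 === strpos( $name, 'on' ) ) {
                $el->removeAttributeNode( $attr );                 // onload, onclick, ...
            } elseif ( 'href' === $name && ! preg_match( '#^(\#|https?://)#i', $value ) ) {
                $el->removeAttributeNode( $attr );                 // javascript:, data:, vbscript: ...
            }
        }
    }
    foreach ( $remove as $el ) {
        $el->parentNode->removeChild( $el );
    }
    return $dom->saveXML();
}

// wp_handle_upload_prefilter fires inside wp_handle_upload(), which both the
// media library form and the REST media endpoint (POST /wp-json/wp/v2/media)
// go through, before the file is moved into uploads/.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    if ( 'svg' !== strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) ) {
        return $file;
    }
    // Gate by role: SVG stays Administrator-only even if another plugin added
    // it to upload_mimes for everyone (the Author-level entries above).
    if ( ! current_user_can( 'manage_options' ) ) {
        $file['error'] = 'SVG uploads are limited to administrators.';   // a string error aborts the upload
        return $file;
    }
    // ...and still sanitize: CVE-2024-11098 above is an Administrator-only
    // upload that nevertheless served live script to every visitor.
    $clean = hypothetical_sanitize_svg( (string) file_get_contents( $file['tmp_name'] ) );
    if ( null === $clean ) {
        $file['error'] = 'SVG could not be parsed safely.';
        return $file;
    }
    file_put_contents( $file['tmp_name'], $clean );
    return $file;
} );

// Self-check outside WordPress: php this_file.php  (constructed sample)
if ( ! defined( 'ABSPATH' ) ) {
    $sample = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
            . '<script>alert(2)</script><a xlink:href="javascript:alert(3)"><text y="20">hi</text></a><circle r="5"/></svg>';
    echo hypothetical_sanitize_svg( $sample );
    // prints the XML declaration, then the <svg> with onload, <script> and
    // the javascript: href gone: <svg ...><a><text y="20">hi</text></a><circle r="5"/></svg>
}
```

The sanitizer is deliberately minimal and is meant to show where the fix has to sit; it does not cover, for example, <animate> or <set> elements that retarget an href, or CSS in <style>. For production use a maintained SVG sanitizer (enshrined/svg-sanitize is the one the Safe SVG plugin builds on) in the same hook, and keep the role gate regardless.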
Threat Entry Updated 2024-11-18

CVE-2024-10884 - Simpleform Contact Form Submissions Plugin

The SimpleForm Contact Form Submissions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Simpleform Contact Form Submissions

CVE-2024-10884

MEDIUM CVSS 6.1 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-10883 - Contact Form Made Simple Plugin

The SimpleForm – Contact form made simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Contact Form Made Simple

CVE-2024-10883

MEDIUM CVSS 6.1 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-10875 - Fancy Gallery Plugin

The Gallery Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.6.58. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Fancy Gallery

CVE-2024-10875

MEDIUM CVSS 6.1 2024-11-16
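Six entries above (CVE-2024-9938, CVE-2024-9615, CVE-2024-8873, CVE-2024-10884, CVE-2024-10883 and CVE-2024-10875) are one bug with two spellings: add_query_arg() or remove_query_arg() called without a URL, or a request parameter such as 'page', printed into an attribute unescaped. The block below is an added illustration of the pattern and the fix, not code from any of the listed plugins; the page slug and the hypothetical_* functions are assumed for the example, and the stand-in functions at the bottom only mimic the behaviour that matters here.

```php
<?php
// Added example: the add_query_arg()/remove_query_arg() reflected-XSS pattern
// behind six of the entries above, next to the fix. Page and function names
// (hypothetical_*) are assumptions for this illustration, not code from the
// plugins listed.

/* ---------- Vulnerable pattern ---------- */

// With no URL argument, add_query_arg() and remove_query_arg() build on
// $_SERVER['REQUEST_URI'], i.e. on whatever the visitor requested, and return
// it unescaped. So a link to
//   /wp-admin/admin.php?page=hypothetical-settings&x="><svg/onload=alert(1)>
// is reflected straight into the href attributes below. Echoing $_GET['page']
// (the 'page' parameter entry above) is the same bug without the detour.
function hypothetical_tabs_vulnerable() {
    echo '<a href="' . add_query_arg( 'tab', 'general' ) . '">General</a>';
    echo '<a href="' . remove_query_arg( 'tab' ) . '">All</a>';
    echo '<input type="hidden" name="page" value="' . $_GET['page'] . '">';
}

/* ---------- Hardened pattern ---------- */

function hypothetical_tabs_safe() {
    // esc_url() removes characters that cannot appear in a URL (", <, >,
    // whitespace) and rejects disallowed schemes; the add_query_arg()
    // documentation states the return value must be escaped this way.
    echo '<a href="' . esc_url( add_query_arg( 'tab', 'general' ) ) . '">General</a>';
    echo '<a href="' . esc_url( remove_query_arg( 'tab' ) ) . '">All</a>';
    // A reflected request value is reduced to its known shape (a slug) and
    // then escaped for the attribute context it lands in.
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    echo '<input type="hidden" name="page" value="' . esc_attr( $page ) . '">';
}

/* ---------- Self-check outside WordPress: php this_file.php ---------- */
if ( ! function_exists( 'add_query_arg' ) ) {
    // Stand-ins reproducing the behaviour that matters here (build on
    // REQUEST_URI, return unescaped). They are NOT WordPress's implementations.
    function add_query_arg( $key, $value ) {
        $uri = $_SERVER['REQUEST_URI'];
        return $uri . ( false === strpos( $uri, '?' ) ? '?' : '&' ) . $key . '=' . $value;
    }
    function remove_query_arg( $key ) {
        return preg_replace( '/[?&]' . preg_quote( $key, '/' ) . '=[^&]*/', '', $_SERVER['REQUEST_URI'] );
    }
    function esc_url( $u )      { return preg_replace( '/["<>\s]/', '', $u ); }
    function esc_attr( $s )     { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
    function sanitize_key( $s ) { return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( $s ) ); }
    function wp_unslash( $s )   { return stripslashes( $s ); }

    // Constructed attacker-controlled request.
    $_SERVER['REQUEST_URI'] = '/wp-admin/admin.php?page=hypothetical-settings&x="><svg/onload=alert(1)>';
    $_GET['page']           = 'hypothetical-settings" autofocus onfocus="alert(2)';
    hypothetical_tabs_vulnerable();  echo PHP_EOL;   // href attribute broken out of, <svg onload> injected
    hypothetical_tabs_safe();        echo PHP_EOL;   // quotes and brackets gone; page="hypothetical-settingsautofocusonfocusalert2"
}
```

The reason this class is unauthenticated and still only Medium is in the entries' own wording: the script runs only in the browser of a user who follows the attacker's link, so the realistic target is an administrator on a wp-admin page, which is exactly where add_query_arg()-built tab and pagination links tend to live.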