Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-18

CVE-2024-11085 - Wp Log Viewer Plugin

The WP Log Viewer plugin for WordPress is vulnerable to unauthorized use of functionality due to a missing capability check on several AJAX actions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access logs, update plugin-related user settings and general plugin settings.

PLUGIN Wp Log Viewer

CVE-2024-11085

MEDIUM CVSS 5.4 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-10147 - Steel Plugin

The Steel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's btn shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Steel

CVE-2024-10147

MEDIUM CVSS 6.4 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-10017 - Pjw Mime Config Plugin

The PJW Mime Config plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Pjw Mime Config

CVE-2024-10017

MEDIUM CVSS 6.4 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-10262 - The Drop Shadow Boxes Plugin

The Drop Shadow Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

PLUGIN The Drop Shadow Boxes

CVE-2024-10262

MEDIUM CVSS 6.3 2024-11-16
Threat Entry Updated 2025-02-27

CVE-2024-10533 - Wp Chat App Plugin

The WP Chat App plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the ajax_install_plugin() function in all versions up to, and including, 3.6.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the filebird plugin.

PLUGIN Wp Chat App

CVE-2024-10533

MEDIUM CVSS 4.3 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-10015 - Convertcalculator Plugin

The ConvertCalculator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'type' parameters in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Convertcalculator

CVE-2024-10015

MEDIUM CVSS 6.4 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-10861 - Ays Popup Box Plugin

The Popup Box – Create Countdown, Coupon, Video, Contact Form Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_plugin_option() function in all versions up to, and including, 4.9.7. This makes it possible for unauthenticated attackers to update the 'ays_pb_upgrade_plugin' option with arbitrary data.

PLUGIN Ays Popup Box

CVE-2024-10861

MEDIUM CVSS 5.3 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-10795 - Popularis Extra Plugin

The Popularis Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.7 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

PLUGIN Popularis Extra

CVE-2024-10795

MEDIUM CVSS 4.3 2024-11-16
Threat Entry Updated 2024-11-18

CVE-2024-10786 - Simple Local Avatars Plugin

The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sla_clear_user_cache function in all versions up to, and including, 2.7.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear user caches.

PLUGIN Simple Local Avatars

CVE-2024-10786

MEDIUM CVSS 4.3 2024-11-16
Threat Entry Updated 2024-11-19

CVE-2024-8978 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_content_register_user_email_controls' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including usernames and passwords of any users who register via the Login | Register Form widget, as long as that user opens the email notification for successful registration.

PLUGIN Essential Addons For Elementor

CVE-2024-8978

MEDIUM CVSS 5.7 2024-11-15
Threat Entry Updated 2025-06-11

CVE-2024-9529 - Advanced Custom Fields Pro Plugin

The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from running arbitrary functions through its setting import functionalities, which could allow high privilege users such as admin to run arbitrary PHP functions.

PLUGIN Advanced Custom Fields Pro

CVE-2024-9529

MEDIUM CVSS 6.6 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-8961 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nomore_items_text’ parameter in all versions up to, and including, 6.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor

CVE-2024-8961

MEDIUM CVSS 6.4 2024-11-15
Threat Entry Updated 2024-11-20

CVE-2024-10825 - Hide My Wp Ghost Plugin

The Hide My WP Ghost – Security & Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL in all versions up to, and including, 5.3.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.

PLUGIN Hide My Wp Ghost

CVE-2024-10825

MEDIUM CVSS 6.1 2024-11-15
Threat Entry Updated 2025-04-11

CVE-2024-10104 - Before 2 Plugin

The Jobs for WordPress plugin before 2.7.8 does not sanitise and escape some of its Job settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2024-10104

MEDIUM CVSS 5.9 2024-11-15
Threat Entry Updated 2024-11-20

CVE-2024-9356 - Yotpo Plugin

The Yotpo: Product & Photo Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'yotpo_user_email' and 'yotpo_user_name' parameters in all versions up to, and including, 1.7.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Yotpo

CVE-2024-9356

MEDIUM CVSS 6.1 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-10582 - Music Player For Elementor Plugin

The Music Player for Elementor – Audio Player & Podcast Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_mpfe_template() function in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import templates.

PLUGIN Music Player For Elementor

CVE-2024-10582

MEDIUM CVSS 4.3 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-10113 - Wp Adcenter Plugin

The WP AdCenter – Ad Manager & Adsense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpadcenter_ad shortcode in all versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Adcenter

CVE-2024-10113

MEDIUM CVSS 6.4 2024-11-15
Threat Entry Updated 2024-11-19

CVE-2024-9609 - Learnpress Export Import Plugin

The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'learnpress_import_form_server' parameter in all versions up to, and including, 4.0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Learnpress Export Import

CVE-2024-9609

MEDIUM CVSS 6.1 2024-11-15
Threat Entry Updated 2024-11-20

CVE-2024-10897 - Tutor Lms Elementor Addons Plugin

The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_etlms_dependency_plugin() function in all versions up to, and including, 2.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install Elementor or Tutor LMS. Please note the impact of this issue is incredibly limited due to the fact that these two plugins will likely already be installed as a dependency of the plugin.

PLUGIN Tutor Lms Elementor Addons

CVE-2024-10897

MEDIUM CVSS 4.3 2024-11-15
Threat Entry Updated 2025-05-15

CVE-2024-10146 - Simple File List Plugin

The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins.

PLUGIN Simple File List

CVE-2024-10146

MEDIUM CVSS 5.4 2024-11-14