
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-13

CVE-2024-10269 - Easy Svg Support Plugin

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Easy Svg Support

CVE-2024-10269

MEDIUM CVSS 6.4 2024-11-08
Threat Entry Updated 2024-11-08

CVE-2024-10621 - Simple Shortcode For Google Maps Plugin

The Simple Shortcode for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pw_map shortcode in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Shortcode For Google Maps

CVE-2024-10621

MEDIUM CVSS 6.4 2024-11-08
Threat Entry Updated 2025-05-17

CVE-2024-8378 - Before 2 Plugin

In the Safe SVG WordPress plugin before 2.2.6, the sanitisation code only runs for paths that call wp_handle_upload, but not, for example, for code that uses wp_handle_sideload, which is often used to upload attachments via raw POST data.

PLUGIN Before 2

CVE-2024-8378

MEDIUM CVSS 4.8 2024-11-07
Threat Entry Updated 2025-05-28

CVE-2024-9926 - Jetpack Plugin

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoints, allowing any authenticated user, such as a subscriber, to read arbitrary feedback data sent via the Jetpack Contact Form.

PLUGIN Jetpack

CVE-2024-9926

MEDIUM CVSS 4.3 2024-11-07
Threat Entry Updated 2025-02-05

CVE-2024-8442 - Prime Slider Plugin

The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Blog widget in all versions up to, and including, 3.15.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Prime Slider

CVE-2024-8442

MEDIUM CVSS 6.4 2024-11-07
Threat Entry Updated 2025-05-15

CVE-2024-10027 - Wp Booking Calendar Plugin

The WP Booking Calendar WordPress plugin before 10.6.3 does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Wp Booking Calendar

CVE-2024-10027

MEDIUM CVSS 4.8 2024-11-07
Threat Entry Updated 2024-11-08

CVE-2024-10186 - Event Post Plugin

The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's events_cal shortcode in all versions up to, and including, 5.9.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Event Post

CVE-2024-10186

MEDIUM CVSS 6.4 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10168 - Woot Plugin

The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's woot_button shortcode in all versions up to, and including, 1.0.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woot

CVE-2024-10168

MEDIUM CVSS 6.4 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-8323 - Easy Pricing Tables Plugin

The Pricing Tables WordPress Plugin – Easy Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fontFamily' attribute in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Pricing Tables

CVE-2024-8323

MEDIUM CVSS 6.4 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10715 - Mappress Plugin

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Map block in all versions up to, and including, 2.94.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mappress

CVE-2024-10715

MEDIUM CVSS 6.4 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-6626 - Eleforms Plugin

The EleForms – All In One Form Integration including DB for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several functions in all versions up to, and including, 2.9.9.9. This makes it possible for unauthenticated attackers to view form submissions.

PLUGIN Eleforms

CVE-2024-6626

MEDIUM CVSS 5.3 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10543 - Tumult Hype Animations Plugin

The Tumult Hype Animations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hypeanimations_getcontent function in all versions up to, and including, 1.9.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve animation information.

PLUGIN Tumult Hype Animations

CVE-2024-10543

MEDIUM CVSS 4.3 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10535 - Video Gallery For Woocommerce Plugin

The Video Gallery for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the remove_unused_thumbnails() function in all versions up to, and including, 1.31. This makes it possible for unauthenticated attackers to delete thumbnails in the video-wc-gallery-thumb directory.

PLUGIN Video Gallery For Woocommerce

CVE-2024-10535

MEDIUM CVSS 5.3 2024-11-06
Threat Entry Updated 2025-05-17

CVE-2024-9934 - Wp Imagezoom Plugin

The Wp-ImageZoom WordPress plugin through 1.1.0 does not sanitise and escape some parameters before outputting them back in a page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Imagezoom

CVE-2024-9934

MEDIUM CVSS 6.1 2024-11-06
Threat Entry Updated 2025-04-11

CVE-2024-7879 - Before 4 Plugin

The WP ULike WordPress plugin before 4.7.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 4

CVE-2024-7879

MEDIUM CVSS 4.8 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10647 - Ws Form Plugin

The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.244. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Ws Form

CVE-2024-10647

MEDIUM CVSS 6.1 2024-11-06
Threat Entry Updated 2025-07-11

CVE-2024-10084 - Contact Form 7 Dynamic Text Extension Plugin

The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Basic Information Disclosure in all versions up to, and including, 4.5 via the CF7_get_post_var shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract the titles and text contents of private and password-protected posts they do not own.

PLUGIN Contact Form 7 Dynamic Text Extension

CVE-2024-10084

MEDIUM CVSS 4.3 2024-11-05
Threat Entry Updated 2024-11-08

CVE-2024-10329 - Ultimate Bootstrap Elements For Elementor Plugin

The Ultimate Bootstrap Elements for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.6 via the 'ube_get_page_templates' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the contents of templates that are private.

PLUGIN Ultimate Bootstrap Elements For Elementor

CVE-2024-10329

MEDIUM CVSS 4.3 2024-11-05
Threat Entry Updated 2024-11-08

CVE-2024-9657 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tooltip' parameter in all versions up to, and including, 5.10.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-9657

MEDIUM CVSS 6.5 2024-11-05
Threat Entry Updated 2024-11-08

CVE-2024-9867 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Open Map Widget' marker_content parameter in all versions up to, and including, 5.10.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-9867

MEDIUM CVSS 5.4 2024-11-05