
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 5381-5400 of 10866 records
Threat Entry Updated 2024-10-29

CVE-2024-9376 - Kata Plus Plugin

The Kata Plus – Addons for Elementor – Widgets, Extensions and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Kata Plus

CVE-2024-9376

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-10437 - Wpc Smart Messages Plugin

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to unauthorized Smart Message activation/deactivation due to a missing capability check on the ajax_enable function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate smart messages.

PLUGIN Wpc Smart Messages

CVE-2024-10437

MEDIUM CVSS 4.3 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-10227 - Affiliate Toolkit Starter Plugin

The affiliate-toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's atkp_product shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Affiliate Toolkit Starter

CVE-2024-10227

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-9438 - Seur Oficial Plugin

The SEUR Oficial plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'change_service' parameter in all versions up to, and including, 2.2.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Seur Oficial

CVE-2024-9438

MEDIUM CVSS 6.1 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-50415 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Pagup Ads.Txt & App-ads.Txt Manager for WordPress allows Stored XSS. This issue affects Ads.Txt & App-ads.Txt Manager for WordPress: from n/a through 1.1.7.1.

CORE WordPress Core

CVE-2024-50415

MEDIUM CVSS 5.9 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-10048 - Changeset Plugin

The Post Status Notifier Lite and Premium plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.11.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Changeset

CVE-2024-10048

MEDIUM CVSS 6.1 2024-10-29
Threat Entry Updated 2025-01-24

CVE-2024-10312 - Exclusive Addons For Elementor Plugin

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.4 via the render function in elements/tabs/tabs.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Exclusive Addons For Elementor

CVE-2024-10312

MEDIUM CVSS 4.3 2024-10-29
Threat Entry Updated 2025-05-17

CVE-2024-10000 - Masteriyo Plugin

The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the question's content parameter in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with student-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Masteriyo

CVE-2024-10000

MEDIUM CVSS 6.4 2024-10-29
Threat Entry Updated 2024-10-29

CVE-2024-9629 - Cf7 Telegram Plugin

The Contact Form 7 + Telegram plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wpcf7_Telegram::ajax' function in versions up to, and including, 0.8.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve, pause and refuse subscriptions.

PLUGIN Cf7 Telegram

CVE-2024-9629

MEDIUM CVSS 5.4 2024-10-28
Threat Entry Updated 2024-11-13

CVE-2024-50451 - Meta Data And Taxonomies Filter Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Stored XSS. This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4.

PLUGIN Meta Data And Taxonomies Filter

CVE-2024-50451

MEDIUM CVSS 6.5 2024-10-28
Threat Entry Updated 2025-02-11

CVE-2024-10117 - Wp Crowdfunding Plugin

The WP Crowdfunding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpcf_donate shortcode in all versions up to, and including, 2.1.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Crowdfunding

CVE-2024-10117

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9116 - Monkee Boy Wp Essentials Plugin

The Monkee-Boy Essentials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Monkee Boy Wp Essentials

CVE-2024-9116

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-10357 - Cafe Lite Plugin

The Clever Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.1 via the getTemplateContent function in src/widgets/class-clever-widget-base.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Cafe Lite

CVE-2024-10357

MEDIUM CVSS 4.3 2024-10-26
Threat Entry Updated 2024-11-22

CVE-2024-9967 - Wp Show More Plugin

The WP show more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's show_more shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Show More

CVE-2024-9967

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9853 - Idsk Toolkit Plugin

The ID-SK Toolkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Idsk Toolkit

CVE-2024-9853

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9642 - Editor Custom Color Palette Plugin

The Editor Custom Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Editor Custom Color Palette

CVE-2024-9642

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-10092 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handle_api_key_actions function in all versions up to, and including, 5.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revoke existing API keys and generate new ones.

PLUGIN Download Monitor

CVE-2024-10092

MEDIUM CVSS 4.3 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9456 - Wp Awesome Login Plugin

The WP Awesome Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Wp Awesome Login

CVE-2024-9456

MEDIUM CVSS 6.4 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-8870 - Mailchimp Wp Plugin

The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.5.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Mailchimp Wp

CVE-2024-8870

MEDIUM CVSS 6.1 2024-10-26
Threat Entry Updated 2024-10-28

CVE-2024-9626 - Editorial Assistant By Sovrn Plugin

The Editorial Assistant by Sovrn plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_zemanta_set_featured_image' function in versions up to, and including, 1.3.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload attachment files (such as jpg, png, txt, zip), and set the post featured image.

PLUGIN Editorial Assistant By Sovrn

CVE-2024-9626

MEDIUM CVSS 4.3 2024-10-26