Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 5461-5480 of 10866 records
Threat Entry Updated 2024-10-22

CVE-2024-9703 - Arconix Shortcodes Plugin

The Arconix Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Arconix Shortcodes

CVE-2024-9703

MEDIUM CVSS 6.4 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-22

CVE-2024-9206 - Mas Companies For Wp Job Manager Plugin

The MAS Companies For WP Job Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.13. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Mas Companies For Wp Job Manager

CVE-2024-9206

MEDIUM CVSS 6.1 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-22

CVE-2024-9892 - Add Widget After Content Plugin

The Add Widget After Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Add Widget After Content

CVE-2024-9892

MEDIUM CVSS 4.4 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-22

CVE-2024-9848 - Product Customizer Light Plugin

The Product Customizer Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Product Customizer Light

CVE-2024-9848

MEDIUM CVSS 6.4 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-22

CVE-2024-9452 - Branding Plugin

The Branding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Branding

CVE-2024-9452

MEDIUM CVSS 6.4 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-22

CVE-2024-9383 - Parcel Pro Plugin

The Parcel Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'action' parameter in all versions up to, and including, 1.8.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Parcel Pro

CVE-2024-9383

MEDIUM CVSS 6.1 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-22

CVE-2024-9382 - Gantry Plugin

The Gantry 4 Framework plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'override_id' parameter in all versions up to, and including, 4.1.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Gantry

CVE-2024-9382

MEDIUM CVSS 6.1 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-22

CVE-2024-9373 - Elemenda Plugin

The Elemenda plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Elemenda

CVE-2024-9373

MEDIUM CVSS 6.4 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-22

CVE-2024-9366 - Easy Menu Manager Plugin

The Easy Menu Manager | WPZest plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Easy Menu Manager

CVE-2024-9366

MEDIUM CVSS 6.4 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-29

CVE-2024-9350 - Woo Shipping Dpd Baltic Plugin

The DPD Baltic Shipping plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_value' parameter in all versions up to, and including, 1.2.83 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woo Shipping Dpd Baltic

CVE-2024-9350

MEDIUM CVSS 6.1 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-22

CVE-2024-9364 - Sendgrid Plugin

The SendGrid for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_mailplus_clear_logs' function in all versions up to, and including, 1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's log files.

PLUGIN Sendgrid

CVE-2024-9364

MEDIUM CVSS 4.3 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-01

CVE-2024-9361 - Bulk Images Optimizer Plugin

The Bulk images optimizer: Resize, optimize, convert to webp, rename … plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_configuration' function in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options.

PLUGIN Bulk Images Optimizer

CVE-2024-9361

MEDIUM CVSS 4.3 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-29

CVE-2024-8916 - Suki Sites Import Plugin

The Suki Sites Import plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Suki Sites Import

CVE-2024-8916

MEDIUM CVSS 6.4 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-29

CVE-2024-8790 - Social Share With Floating Bar Plugin

The Social Share With Floating Bar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Social Share With Floating Bar

CVE-2024-8790

MEDIUM CVSS 6.1 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-29

CVE-2024-8740 - Getresponse Forms Plugin

The GetResponse Forms by Optin Cat plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.5.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Getresponse Forms

CVE-2024-8740

MEDIUM CVSS 6.1 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-29

CVE-2024-10049 - Woo Edit Templates Plugin

The Edit WooCommerce Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woo Edit Templates

CVE-2024-10049

MEDIUM CVSS 6.1 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-01

CVE-2024-10040 - Infinite Scroll Plugin

The Infinite-Scroll plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation on the process_ajax_edit and process_ajax_delete function. This makes it possible for unauthenticated attackers to make changes to plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Infinite Scroll

CVE-2024-10040

MEDIUM CVSS 5.3 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-29

CVE-2024-10014 - Flat Ui Button Plugin

The Flat UI Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's flatbtn shortcode in version 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Flat Ui Button

CVE-2024-10014

MEDIUM CVSS 6.4 2024-10-18
Open Full Technical Breakdown
Threat Entry Updated 2024-10-18

CVE-2024-49302 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Portfoliohub WordPress Portfolio Builder – Portfolio Gallery allows Stored XSS.This issue affects WordPress Portfolio Builder – Portfolio Gallery: from n/a through 1.1.7.

CORE WordPress Core

CVE-2024-49302

MEDIUM CVSS 6.5 2024-10-17
Open Full Technical Breakdown
Threat Entry Updated 2025-12-12

CVE-2024-9898 - Parallax Image Plugin

The Parallax Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's dd-parallax shortcode in all versions up to, and including, 1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Parallax Image

CVE-2024-9898

MEDIUM CVSS 6.4 2024-10-17
Open Full Technical Breakdown
Scroll to top