Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 5481-5500 of 10866 records

Threat Entry Updated 2024-10-18

CVE-2024-8920 - Custom Web Fonts Manager Plugin

The Fonto – Custom Web Fonts Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Custom Web Fonts Manager

CVE-2024-8920

MEDIUM CVSS 6.4 2024-10-17

Threat Entry Updated 2024-10-18

CVE-2024-9951 - Wp Photo Album Plus Plugin

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wppa-tab' parameter in all versions up to, and including, 8.8.05.003 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Photo Album Plus

CVE-2024-9951

MEDIUM CVSS 6.1 2024-10-17

Threat Entry Updated 2024-11-21

CVE-2024-9213 - Persian Woocommerce Sms Plugin

The افزونه پیامک ووکامرس Persian WooCommerce SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.0.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Persian Woocommerce Sms

CVE-2024-9213

MEDIUM CVSS 6.1 2024-10-17

Threat Entry Updated 2025-01-29

CVE-2024-9352 - Forminator Forms Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the custom form 'create_module' function. This makes it possible for unauthenticated attackers to create draft forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Forminator Forms

CVE-2024-9352

MEDIUM CVSS 4.3 2024-10-17

Threat Entry Updated 2025-01-29

CVE-2024-9351 - Forminator Forms Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.35.1. This is due to missing or incorrect nonce validation on the quiz 'create_module' function. This makes it possible for unauthenticated attackers to create draft quizzes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Forminator Forms

CVE-2024-9351

MEDIUM CVSS 4.3 2024-10-17

Threat Entry Updated 2025-12-12

CVE-2024-9347 - Wp Extended Plugin

The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpext-export' parameter in all versions up to, and including, 3.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Extended

CVE-2024-9347

MEDIUM CVSS 6.1 2024-10-17

Threat Entry Updated 2024-10-18

CVE-2024-8719 - Idx Plugin

The Flexmls® IDX Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via several parameters like 'MaxBeds' and 'MinBeds' in all versions up to, and including, 3.14.22 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Idx

CVE-2024-8719

MEDIUM CVSS 6.1 2024-10-17

Threat Entry Updated 2025-01-10

CVE-2024-7417 - Royal Elementor Addons Plugin

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.986 via the data_fetch. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract data from password protected posts.

PLUGIN Royal Elementor Addons

CVE-2024-7417

MEDIUM CVSS 4.3 2024-10-17

Threat Entry Updated 2024-11-18

CVE-2024-49593 - Advanced Custom Fields Plugin

In Advanced Custom Fields (ACF) before 6.3.9 and Secure Custom Fields before 6.3.6.3 (plugins for WordPress), using the Field Group editor to edit one of the plugin's fields can result in execution of a stored XSS payload. NOTE: if you wish to use the WP Engine alternative update mechanism for the free version of ACF, then you can follow the process shown at the advancedcustomfields.com blog URL within the References section below.

PLUGIN Advanced Custom Fields

CVE-2024-49593

MEDIUM CVSS 5.3 2024-10-17

Threat Entry Updated 2025-06-05

CVE-2024-9940 - Calculated Fields Form Plugin

The Calculated Fields Form plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 5.2.45. This is due to the plugin not properly neutralizing HTML elements from submitted forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views form submissions in their email.

PLUGIN Calculated Fields Form

CVE-2024-9940

MEDIUM CVSS 5.3 2024-10-17

Threat Entry Updated 2024-10-18

CVE-2024-9240 - Redi Restaurant Reservation Plugin

The ReDi Restaurant Reservation plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 24.0902. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Redi Restaurant Reservation

CVE-2024-9240

MEDIUM CVSS 6.1 2024-10-17

Threat Entry Updated 2024-10-16

CVE-2024-49258 - WordPress Core

Path Traversal: '.../...//' vulnerability in Limb WordPress Gallery Plugin – Limb Image Gallery. This issue affects WordPress Gallery Plugin – Limb Image Gallery: from n/a through 1.5.7.

CORE WordPress Core

CVE-2024-49258

MEDIUM CVSS 6.5 2024-10-16

Threat Entry Updated 2024-10-16

CVE-2024-8921 - Zita Elementor Site Library Plugin

The Zita Elementor Site Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Zita Elementor Site Library

CVE-2024-8921

MEDIUM CVSS 6.4 2024-10-16

Threat Entry Updated 2025-11-07

CVE-2024-9444 - Elementsready Plugin

The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Elementsready

CVE-2024-9444

MEDIUM CVSS 6.4 2024-10-16

Threat Entry Updated 2024-10-30

CVE-2024-9540 - Sina Extension For Elementor Plugin

The Sina Extension for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.7 via the render function in widgets/advanced/sina-modal-box.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.

PLUGIN Sina Extension For Elementor

CVE-2024-9540

MEDIUM CVSS 4.3 2024-10-16

Threat Entry Updated 2024-10-16

CVE-2023-7296 - Bigbluebutton Plugin

The BigBlueButton plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the moderator code and viewer code fields in versions up to, and including, 3.0.0-beta.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with author privileges or higher to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Bigbluebutton

CVE-2023-7296

MEDIUM CVSS 6.4 2024-10-16

Threat Entry Updated 2024-10-16

CVE-2023-7295 - Video Grid Plugin

The Video Grid plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the search_term parameter in versions up to, and including, 1.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Video Grid

CVE-2023-7295

MEDIUM CVSS 6.1 2024-10-16

Threat Entry Updated 2025-12-31

CVE-2024-9582 - Accordion Slider Plugin

The Accordion Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ attribute of an accordion slider in all versions up to, and including, 1.9.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Successful exploitation by Contributor-level users requires an Administrator-level user to provide access to the plugin's admin area via the `Access` plugin setting, which is…

PLUGIN Accordion Slider

CVE-2024-9582

MEDIUM CVSS 6.4 2024-10-16

Threat Entry Updated 2024-10-17

CVE-2023-7289 - Donations Plugin

The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized API key update due to a missing capability check on the paytium_sw_save_api_keys function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to change plugin API keys.

PLUGIN Donations

CVE-2023-7289

MEDIUM CVSS 5.4 2024-10-16

Threat Entry Updated 2024-10-17

CVE-2023-7293 - Donations Plugin

The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the check_mollie_account_details function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to verify the existence of a Mollie account.

PLUGIN Donations

CVE-2023-7293

MEDIUM CVSS 4.3 2024-10-16