Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 5501-5520 of 10866 records
Threat Entry Updated 2024-10-17

CVE-2023-7292 - Donations Plugin

The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized notification dismissal due to a missing capability check on the paytium_notice_dismiss function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to dismiss admin notices.

PLUGIN Donations

CVE-2023-7292

MEDIUM CVSS 4.3 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-17

CVE-2023-7290 - Donations Plugin

The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the check_for_verified_profiles function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to check profile statuses.

PLUGIN Donations

CVE-2023-7290

MEDIUM CVSS 4.3 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-16

CVE-2023-7286 - ACF Quick Edit Fields Plugin

The plugin ACF Quick Edit Fields for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.2.2. This makes it possible for attackers without the edit_users capability to access metadata of other users, this includes contributor-level users and above.

PLUGIN ACF Quick Edit Fields

CVE-2023-7286

MEDIUM CVSS 6.5 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-17

CVE-2023-7288 - Donations Plugin

The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the update_profile_preference function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to change plugin settings.

PLUGIN Donations

CVE-2023-7288

MEDIUM CVSS 5.4 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-17

CVE-2023-7287 - Donations Plugin

The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized subscription cancellation due to a missing capability check on the pt_cancel_subscription function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-level access to cancel a subscription to the plugin.

PLUGIN Donations

CVE-2023-7287

MEDIUM CVSS 5.4 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-30

CVE-2021-4451 - Ninjafirewall Plugin

The NinjaFirewall plugin for WordPress is vulnerable to Authenticated PHAR Deserialization in versions up to, and including, 4.3.3. This allows authenticated attackers to perform phar deserialization on the server. This deserialization can allow other plugin or theme exploits if vulnerable software is present (WordPress, and NinjaFirewall).

PLUGIN Ninjafirewall

CVE-2021-4451

MEDIUM CVSS 6.6 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2025-03-06

CVE-2021-4445 - Premium Addons For Elementor Plugin

The Premium Addons for Elementor plugin for WordPress is vulnerable to Arbitrary Option Updates in versions up to, and including, 4.5.1. This is due to missing capability and nonce checks in the pa_dismiss_admin_notice AJAX action. This makes it possible for authenticated subscriber+ attackers to change arbitrary options with a restricted value of 1 on vulnerable WordPress sites.

PLUGIN Premium Addons For Elementor

CVE-2021-4445

MEDIUM CVSS 6.5 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2025-01-10

CVE-2021-4446 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor plugin for WordPress is vulnerable to authorization bypass in versions up to and including 4.6.4 due to missing capability checks and nonce disclosure. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to perform many unauthorized actions such as changing settings and installing arbitrary plugins.

PLUGIN Essential Addons For Elementor

CVE-2021-4446

MEDIUM CVSS 6.3 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-16

CVE-2024-9937 - Woo Manage Fraud Orders Plugin

The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 6.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woo Manage Fraud Orders

CVE-2024-9937

MEDIUM CVSS 6.1 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2025-03-06

CVE-2024-9888 - Elementinvader Addons For Elementor Plugin

The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget redirect URL in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementinvader Addons For Elementor

CVE-2024-9888

MEDIUM CVSS 5.4 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-16

CVE-2024-9873 - Mobile App Plugin

The Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in posts, comments, and profiles when Markdown support is enabled in all versions up to, and including, 6.4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mobile App

CVE-2024-9873

MEDIUM CVSS 5.4 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-16

CVE-2024-9652 - Locatoraid Store Locator Plugin

The Locatoraid Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST keys in all versions up to, and including, 3.9.47 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Locatoraid Store Locator

CVE-2024-9652

MEDIUM CVSS 6.1 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-16

CVE-2024-9891 - Multiline Files Upload For Contact Form 7 Plugin

The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site.

PLUGIN Multiline Files Upload For Contact Form 7

CVE-2024-9891

MEDIUM CVSS 4.3 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-16

CVE-2024-9521 - Seo Manager Plugin

The SEO Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Seo Manager

CVE-2024-9521

MEDIUM CVSS 6.4 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-16

CVE-2024-9647 - Kama Spamblock Plugin

The Kama SpamBlock plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST values in all versions up to, and including, 1.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Kama Spamblock

CVE-2024-9647

MEDIUM CVSS 6.1 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2025-02-27

CVE-2024-9649 - Wp Ulike Plugin

The WP ULike – The Ultimate Engagement Toolkit for Websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7.4. This is due to missing or incorrect nonce validation on the wp_ulike_delete_history_api() function. This makes it possible for unauthenticated attackers to delete engagements via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Ulike

CVE-2024-9649

MEDIUM CVSS 4.3 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2025-02-11

CVE-2024-8787 - Smart Online Order For Clover Plugin

The Smart Online Order for Clover plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.5.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Smart Online Order For Clover

CVE-2024-8787

MEDIUM CVSS 6.1 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-16

CVE-2024-9104 - Ultimateai Plugin

The UltimateAI plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.3. This is due to the improper empty value check and a missing default activated value check in the 'ultimate_ai_change_pass' function. This makes it possible for unauthenticated attackers to reset the password of the first user, whose account is not yet activated or the first user who activated their account, who are subscribers.

PLUGIN Ultimateai

CVE-2024-9104

MEDIUM CVSS 5.6 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-08

CVE-2024-8541 - Discount Rules For Woocommerce Plugin

The Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link. Please note that this is only exploitable when the 'Leave a…

PLUGIN Discount Rules For Woocommerce

CVE-2024-8541

MEDIUM CVSS 4.7 2024-10-16
Open Full Technical Breakdown
Threat Entry Updated 2024-10-17

CVE-2024-9895 - Smart Online Order For Clover Plugin

The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's moo_receipt_link shortcode in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smart Online Order For Clover

CVE-2024-9895

MEDIUM CVSS 6.4 2024-10-15
Open Full Technical Breakdown
Scroll to top