Threat Database

Threat Entry Updated 2024-10-04

CVE-2024-8288 - Guten Post Layout Plugin

The Guten Post Layout – An Advanced Post Grid Collection for WordPress Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' attribute within the 'wp:guten-post-layout/post-grid' Gutenberg block in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Guten Post Layout

CVE-2024-8288

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-9304 - LocateAndFilter Plugin

The LocateAndFilter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN LocateAndFilter

CVE-2024-9304

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-9274 - Elastik Page Builder Plugin

The Elastik Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.27.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Elastik Page Builder

CVE-2024-9274

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-9272 - R Animated Icon Plugin

The R Animated Icon Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN R Animated Icon

CVE-2024-9272

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-9269 - Relogo Plugin

The Relogo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Relogo

CVE-2024-9269

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-9267 - Opt In Hound Plugin

The Easy WordPress Subscribe – Optin Hound plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Opt In Hound

CVE-2024-9267

MEDIUM CVSS 6.1 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-9119 - SVG Complete Plugin

The SVG Complete plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN SVG Complete

CVE-2024-9119

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8990 - Geo Mashup Plugin

The Geo Mashup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's geo_mashup_visible_posts_list shortcode in all versions up to, and including, 1.13.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Geo Mashup

CVE-2024-8990

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8989 - Stars Testimonials Plugin

The Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stars_testimonials shortcode in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Stars Testimonials

CVE-2024-8989

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8720 - Rumbletalk Chat A Chat With Themes Plugin

The RumbleTalk Live Group Chat – HTML5 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'rumbletalk-admin-button' shortcode in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Rumbletalk Chat A Chat With Themes

CVE-2024-8720

MEDIUM CVSS 6.4 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8728 - Easy Load More Plugin

The Easy Load More plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Easy Load More

CVE-2024-8728

MEDIUM CVSS 6.1 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8727 - DK PDF Plugin

The DK PDF plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN DK PDF

CVE-2024-8727

MEDIUM CVSS 6.1 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8718 - Gravity Forms Toolbar Plugin

The Gravity Forms Toolbar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Gravity Forms Toolbar

CVE-2024-8718

MEDIUM CVSS 6.1 2024-10-01
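Four entries on this page are the same reflected XSS shape: CVE-2024-9267, CVE-2024-8728 and CVE-2024-8727 call add_query_arg() without a base URL, and CVE-2024-8718 echoes a 'tab' request parameter. When add_query_arg() is given no URL it builds one from $_SERVER['REQUEST_URI'], so whatever an attacker puts in the path or query string comes straight back in the page; printing that string into an href without esc_url() is the bug. The block below is an added example written for this page, not code from any of the listed plugins: a hypothetical admin page with two tabs, first in the vulnerable form and then hardened. The menu slug 'demo' and the function names are assumptions; add_query_arg(), admin_url(), esc_url(), esc_attr(), esc_html(), sanitize_key() and wp_unslash() are the real WordPress functions.

```php
<?php
/**
 * Added example (not from the plugins listed on this page): reflected XSS
 * through add_query_arg() and a raw request parameter, then the fixed form.
 * 'demo' page slug and function names are hypothetical.
 */

// VULNERABLE. With no base URL, add_query_arg() starts from
// $_SERVER['REQUEST_URI'], so a victim who opens
//   /wp-admin/admin.php?page=demo&x="><script>alert(1)</script>
// gets that payload echoed back inside the href of every tab link.
// The raw $_GET['tab'] echo at the end is the CVE-2024-8718 shape.
function demo_tabs_vulnerable() {
    $current = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    foreach ( array( 'general', 'advanced' ) as $tab ) {
        $url = add_query_arg( 'tab', $tab );                 // reflects REQUEST_URI
        echo '<a class="nav-tab' . ( $current === $tab ? ' nav-tab-active' : '' ) . '"'
           . ' href="' . $url . '">' . $tab . '</a>';       // no esc_url()
    }
    echo '<p>Showing tab: ' . $current . '</p>';            // raw request parameter
}

// HARDENED.
//  1. an explicit base URL, so nothing from REQUEST_URI is reused;
//  2. esc_url() on every URL that lands in an attribute (it also strips
//     javascript:/data: schemes and encodes quotes and angle brackets);
//  3. the untrusted 'tab' value is reduced to a known key and only the
//     known label is printed, never the value as received.
function demo_tabs_hardened() {
    $tabs    = array( 'general' => 'General', 'advanced' => 'Advanced' );
    $current = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! isset( $tabs[ $current ] ) ) {
        $current = 'general';                                // allow-list, no reflection
    }
    $base = admin_url( 'admin.php?page=demo' );              // assumed menu slug
    foreach ( $tabs as $slug => $label ) {
        $url   = add_query_arg( 'tab', $slug, $base );       // explicit base URL
        $class = 'nav-tab' . ( $current === $slug ? ' nav-tab-active' : '' );
        printf(
            '<a class="%s" href="%s">%s</a>',
            esc_attr( $class ),
            esc_url( $url ),
            esc_html( $label )
        );
    }
    printf( '<p>Showing tab: %s</p>', esc_html( $tabs[ $current ] ) );
}
```

Wrapping the existing call in esc_url() is the minimal fix and is what the advisories describe; supplying the base URL as well removes the reflection entirely, which matters for the same value being reused in a redirect or a form action, where esc_url() alone is not always the right escaper.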
Threat Entry Updated 2025-02-10

CVE-2024-8632 - Kb Support Plugin

The KB Support – WordPress Help Desk and Knowledge Base plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'kbs_ajax_load_front_end_replies' and 'kbs_ajax_mark_reply_as_read' functions in all versions up to, and including, 1.6.6. This makes it possible for unauthenticated attackers to read replies of any ticket, and mark any reply as read.

PLUGIN Kb Support

CVE-2024-8632

MEDIUM CVSS 6.5 2024-10-01
Threat Entry Updated 2024-10-04

CVE-2024-8675 - Soumettre Fr Plugin

The Soumettre.fr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the soumettre_disconnect_gateway function in all versions up to, and including, 2.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the gateway and delete the API key.

PLUGIN Soumettre Fr

CVE-2024-8675

MEDIUM CVSS 4.3 2024-10-01
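CVE-2024-8632 and CVE-2024-8675 are the two usual ways an admin-ajax.php handler ends up without authorization: the first registers the action for logged-out users (wp_ajax_nopriv_) and never checks who may read a given ticket, the second is logged-in only, which any Subscriber satisfies, and then performs an administrative action. The block below is an added example written for this page, not code from KB Support or Soumettre.fr: both failure modes in a hypothetical helpdesk plugin, followed by hardened handlers. The action names, the 'demo_ticket' post type, the option name and the nonce actions are assumptions; wp_ajax_*, check_ajax_referer(), current_user_can(), wp_send_json_error() and absint() are the real WordPress APIs.

```php
<?php
/**
 * Added example (not from the plugins listed on this page): missing
 * capability checks on AJAX handlers and the hardened equivalents.
 * Action names, 'demo_ticket' post type and nonce actions are hypothetical.
 */

// VULNERABLE (CVE-2024-8632 shape): reachable while logged out and no
// ownership check, so anyone can read any ticket's replies by guessing ids.
add_action( 'wp_ajax_nopriv_demo_load_replies', 'demo_load_replies_vulnerable' );
add_action( 'wp_ajax_demo_load_replies',        'demo_load_replies_vulnerable' );
function demo_load_replies_vulnerable() {
    $ticket_id = (int) $_POST['ticket_id'];
    wp_send_json_success( get_comments( array( 'post_id' => $ticket_id ) ) );
}

// VULNERABLE (CVE-2024-8675 shape): logged-in only, but any Subscriber is
// logged in, and nothing asks whether the caller may disconnect the gateway.
add_action( 'wp_ajax_demo_disconnect_gateway', function () {
    delete_option( 'demo_gateway_api_key' );
    wp_send_json_success();
} );

// HARDENED: nonce (CSRF), capability check (authorization) and, for
// per-object data, an ownership check. No wp_ajax_nopriv_ registration,
// so logged-out requests never reach the handler at all.
add_action( 'wp_ajax_demo_load_replies_v2', function () {
    check_ajax_referer( 'demo_ticket_nonce', 'nonce' );   // dies on bad/missing nonce

    $ticket_id = isset( $_POST['ticket_id'] ) ? absint( $_POST['ticket_id'] ) : 0;
    $ticket    = $ticket_id ? get_post( $ticket_id ) : null;
    if ( ! $ticket || 'demo_ticket' !== $ticket->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Agents may read any ticket (manage_options stands in for a real
    // helpdesk capability); everyone else only tickets they authored.
    $is_owner = (int) $ticket->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( get_comments( array( 'post_id' => $ticket_id ) ) );
} );

add_action( 'wp_ajax_demo_disconnect_gateway_v2', function () {
    check_ajax_referer( 'demo_gateway_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {     // administrative action
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'demo_gateway_api_key' );
    wp_send_json_success();
} );

// The client has to send the nonce; it is handed to the script like this:
//   wp_localize_script( 'demo-js', 'demoAjax', array(
//       'nonce' => wp_create_nonce( 'demo_ticket_nonce' ),
//   ) );
```

The nonce and the capability check answer different questions and neither replaces the other: a nonce only proves the request came from a page WordPress served to this user, so a Subscriber with a valid nonce still gets through unless current_user_can() (or the ownership test) says no. Both advisories describe the authorization half being absent.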
Threat Entry Updated 2024-11-13

CVE-2024-8107 - Slider Revolution Plugin

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.7.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. By default, this can only be exploited by administrators, but the ability to use and configure Slider Revolution can be extended to authors.

PLUGIN Slider Revolution

CVE-2024-8107

MEDIUM CVSS 6.4 2024-10-01
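Six entries on this page are the same SVG-upload issue: CVE-2024-9304, CVE-2024-9274, CVE-2024-9272, CVE-2024-9269, CVE-2024-9119 and CVE-2024-8107. SVG is an XML document, so a file that the media library serves as an image can carry <script>, on* event handlers, javascript: hrefs and foreignObject HTML, all of which run in the site's origin when a victim opens the file directly; the plugins add image/svg+xml to the allowed upload types and anyone with upload_files (Author and above by default) can store such a file. The block below is an added example written for this page, not code from any of the listed plugins: a must-use plugin that removes SVG from the allowed types for users the site does not already trust with raw HTML, and parses any SVG that is still allowed, refusing active content. The upload_mimes and wp_handle_upload_prefilter hooks, wp_check_filetype() and current_user_can() are real; gating on unfiltered_html is an assumed site policy, and the element and attribute checks are illustrative rather than a complete sanitizer.

```php
<?php
/**
 * Added example (not from the plugins listed on this page): refuse
 * script-bearing SVG uploads. Place in wp-content/mu-plugins/ to activate.
 */

// 1. WordPress core does not allow image/svg+xml; plugins add it through
//    upload_mimes. Run after them and take it away again for anyone without
//    unfiltered_html: a user who may post raw HTML gains nothing from SVG,
//    everyone else (Authors with upload_files) must not upload it.
//    On multisite only super admins have unfiltered_html, so SVG is then
//    blocked for site administrators as well, matching how core treats them.
add_filter( 'upload_mimes', function ( array $mimes ) {
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        unset( $mimes['svg'], $mimes['svgz'] );
    }
    return $mimes;
}, PHP_INT_MAX );

// 2. For uploaders who are still allowed SVG, inspect the file before it is
//    moved into the uploads directory. Setting $file['error'] to a string
//    makes wp_handle_upload() abort with that message.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $type = wp_check_filetype( $file['name'] );          // by extension
    if ( 'svg' !== $type['ext'] ) {
        return $file;
    }
    $reason = svg_active_content_reason( (string) file_get_contents( $file['tmp_name'] ) );
    if ( null !== $reason ) {
        $file['error'] = 'SVG rejected: ' . $reason;
    }
    return $file;
} );

/**
 * Return null if the SVG looks inert, otherwise a short reason for rejecting it.
 * Illustrative checks only: entity declarations (entity expansion / XXE),
 * active elements, event-handler attributes and script-scheme URLs in any
 * attribute (covers href, xlink:href and <set to="javascript:...">).
 */
function svg_active_content_reason( string $xml ): ?string {
    if ( preg_match( '/<!ENTITY/i', $xml ) ) {
        return 'entity declaration';
    }
    libxml_use_internal_errors( true );
    $dom = new DOMDocument();
    $ok  = $dom->loadXML( $xml, LIBXML_NONET );           // never fetch external DTDs
    libxml_clear_errors();
    if ( ! $ok ) {
        return 'not well-formed XML';
    }
    $active_elements = array( 'script', 'foreignobject', 'iframe', 'embed', 'object' );
    foreach ( $dom->getElementsByTagName( '*' ) as $el ) {
        $name = strtolower( $el->localName );
        if ( in_array( $name, $active_elements, true ) ) {
            return "<$name> element";
        }
        foreach ( $el->attributes as $attr ) {
            $aname = strtolower( $attr->localName );      // 'href' for xlink:href too
            if ( 0 === strpos( $aname, 'on' ) ) {
                return "$aname event handler";
            }
            // Drop whitespace and control characters browsers ignore in schemes.
            $value = preg_replace( '/[\s\x00-\x1f]+/', '', strtolower( $attr->value ) );
            foreach ( array( 'javascript:', 'vbscript:', 'data:text/html' ) as $scheme ) {
                if ( 0 === strpos( $value, $scheme ) ) {
                    return "$scheme URL in $aname";
                }
            }
        }
    }
    return null;
}
```

Step 1 alone resolves every entry in this cluster, because each advisory's attacker is an Author and an Author does not have unfiltered_html. Step 2 is defence in depth for the remaining uploaders and is deliberately a reject-not-rewrite check; a site that needs to accept SVG from untrusted users should run a maintained SVG sanitizer rather than extend this list by hand.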
Threat Entry Updated 2024-10-03

CVE-2024-8536 - Ultimate Blocks Plugin

The Ultimate Blocks WordPress plugin before 3.2.2 does not validate and escape some of its block attributes before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Ultimate Blocks

CVE-2024-8536

MEDIUM CVSS 5.4 2024-09-30
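CVE-2024-8288, CVE-2024-8990, CVE-2024-8989, CVE-2024-8720 and CVE-2024-8536 are all Contributor-level stored XSS through shortcode or block attributes. A Contributor does not have unfiltered_html, so the post content they save goes through wp_kses and loses any <script>; but a shortcode such as [stars_testimonials ...] or a block comment such as <!-- wp:guten-post-layout/post-grid {"align":"..."} /--> survives kses as plain text, and it is the plugin that turns those attribute strings into HTML at render time, after kses has run. Every attribute therefore has to be escaped by the plugin for the context it lands in. The block below is an added example written for this page, not code from any of the listed plugins: a hypothetical [demo_grid] shortcode in vulnerable and hardened form, and a dynamic block sharing the hardened renderer. The shortcode and block names are assumptions; shortcode_atts(), add_shortcode(), register_block_type() and the esc_* functions are the real WordPress APIs.

```php
<?php
/**
 * Added example (not from the plugins listed on this page): stored XSS via
 * shortcode/block attributes that bypass wp_kses, and the escaped renderer.
 * [demo_grid] and demo/post-grid are hypothetical names.
 */

// VULNERABLE: attribute strings concatenated straight into class, href and
// text context. A Contributor can save
//   [demo_grid align='" onmouseover="alert(1)' title="x"]
// or link="javascript:alert(1)"; kses never sees the rendered markup.
function demo_grid_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'align' => 'left', 'title' => '', 'link' => '' ), $atts, 'demo_grid' );
    return '<div class="demo-grid align-' . $atts['align'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a></div>';
}

// HARDENED: one escaper per context.
//   - enumerated value  -> allow-list (sanitize_html_class() if it must be free-form)
//   - attribute value   -> esc_attr()
//   - URL in href       -> esc_url()  (drops javascript:, data:, vbscript:)
//   - text node         -> esc_html()
function demo_grid_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'align' => 'left', 'title' => '', 'link' => '' ), $atts, 'demo_grid' );
    $align = in_array( $atts['align'], array( 'left', 'center', 'right' ), true ) ? $atts['align'] : 'left';
    return sprintf(
        '<div class="%s"><a href="%s">%s</a></div>',
        esc_attr( 'demo-grid align-' . $align ),
        esc_url( $atts['link'] ),
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'demo_grid', 'demo_grid_hardened' );

// A dynamic Gutenberg block is the same problem with a different transport:
// $attributes is decoded from the block comment's JSON and is exactly as
// untrusted as shortcode attributes, so it goes through the same renderer.
add_action( 'init', function () {
    register_block_type( 'demo/post-grid', array(
        'attributes'      => array(
            'align' => array( 'type' => 'string', 'default' => 'left' ),
            'title' => array( 'type' => 'string', 'default' => '' ),
            'link'  => array( 'type' => 'string', 'default' => '' ),
        ),
        'render_callback' => function ( $attributes ) {
            return demo_grid_hardened( $attributes );
        },
    ) );
} );
```

The 'align' attribute is the interesting one because it looks harmless: the values a theme expects are three known words, so an allow-list is both safer and simpler than escaping, and it is exactly this kind of attribute that CVE-2024-8288 names. Declaring 'type' => 'string' in the block's attribute schema does not help here; the block editor validates type, not content, and a Contributor can edit the block comment directly in the code editor anyway.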
Threat Entry Updated 2024-10-07

CVE-2024-8239 - Starbox Plugin

The Starbox WordPress plugin before 3.5.3 does not properly render social media profile URLs in certain contexts, like the malicious user's profile or pages where the starbox shortcode is used, which may be abused by users with at least the contributor role to conduct Stored XSS attacks.

PLUGIN Starbox

CVE-2024-8239

MEDIUM CVSS 5.4 2024-09-30
Threat Entry Updated 2024-10-07

CVE-2024-8283 - Slider by 10Web Plugin

The Slider by 10Web WordPress plugin before 1.2.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Slider by 10Web

CVE-2024-8283

MEDIUM CVSS 4.8 2024-09-30
Threat Entry Updated 2024-10-02

CVE-2024-3635 - Post Grid Plugin

The Post Grid WordPress plugin before 7.5.0 does not sanitise and escape some of its Grid settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Post Grid

CVE-2024-3635

MEDIUM CVSS 4.8 2024-09-30
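CVE-2024-8283 and CVE-2024-3635 carry the qualifier "even when the unfiltered_html capability is disallowed", which is why they are scored lower (4.8) than the Contributor-level entries above. On a single site an administrator has unfiltered_html and may post raw HTML anywhere, so script in a plugin setting is not a boundary crossing; on multisite, or with DISALLOW_UNFILTERED_HTML set, that trust is withdrawn and the plugin is expected to sanitize its settings on save and escape them on output like any other untrusted input. The block below is an added example written for this page, not code from Slider by 10Web or Post Grid: a hypothetical slider caption option registered without and then with a sanitize_callback. The option and settings-group names are assumptions; register_setting(), wp_kses_post() and the sanitize_*/esc_* functions are the real WordPress APIs.

```php
<?php
/**
 * Added example (not from the plugins listed on this page): a plugin setting
 * stored and printed verbatim, then the same setting with sanitization on
 * save and escaping on output. Option and group names are hypothetical.
 */

// VULNERABLE: no sanitize_callback, and the value is echoed as stored.
// Single-site admins have unfiltered_html anyway; on multisite (or with
// DISALLOW_UNFILTERED_HTML) they do not, and this is Stored XSS by a
// site admin against every visitor, including the network's super admin.
add_action( 'admin_init', function () {
    register_setting( 'demo_slider_group', 'demo_slider_caption' );
} );
function demo_caption_vulnerable() {
    echo get_option( 'demo_slider_caption' );
}

// HARDENED: sanitize on save with the same HTML policy core applies to post
// content of users who lack unfiltered_html, then escape again on output.
add_action( 'admin_init', function () {
    register_setting( 'demo_slider_group', 'demo_slider_caption_v2', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_caption',
        'default'           => '',
    ) );
} );
function demo_sanitize_caption( $value ) {
    // wp_kses_post() keeps the post-content allow-list (<b>, <a href>, ...)
    // and strips <script>, on* handlers and javascript: URLs. Unlike the
    // post-save path it does not consult capabilities, so the result is the
    // same for an admin whose unfiltered_html has been disallowed.
    return wp_kses_post( (string) $value );
}
function demo_caption_hardened() {
    // The stored value is a kses-filtered HTML fragment, so filter it again
    // on output (idempotent, and covers values written by other code paths)
    // rather than esc_html(), which would show the tags literally.
    echo wp_kses_post( get_option( 'demo_slider_caption_v2', '' ) );
}

// For settings that are not meant to hold HTML at all, use the narrow
// sanitizer on save and the matching escaper on output instead:
//   plain text  sanitize_text_field()  ->  esc_html() / esc_attr()
//   CSS class   sanitize_html_class()  ->  esc_attr()
//   URL         esc_url_raw()          ->  esc_url()
```

Adding a sanitize_callback only covers values that arrive through the Settings API; a settings page that calls update_option() itself from a POST handler has to apply the same sanitizer in that handler, and the output escaping is needed regardless of how the value got into the database.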