Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 5681-5700 of 10866 records
Threat Entry Updated 2024-10-01

CVE-2024-8872 - Store Hours For Woocommerce Plugin

The Store Hours for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.3.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Store Hours For Woocommerce

CVE-2024-8872

MEDIUM CVSS 6.1 2024-09-26
Open Full Technical Breakdown
Threat Entry Updated 2024-10-01

CVE-2024-9025 - Sight Plugin

The Sight – Professional Image Gallery and Portfolio plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handler_post_title' function in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to expose private, pending, trashed, and draft post titles. Successful exploitation requires the Elementor plugin to be installed and activated.

PLUGIN Sight

CVE-2024-9025

MEDIUM CVSS 5.3 2024-09-26
Open Full Technical Breakdown
Threat Entry Updated 2024-10-01

CVE-2024-8861 - Profilegrid Plugin

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.9.3.2 due to incorrect use of the wp_kses_allowed_html function, which allows the 'onclick' attribute for certain HTML elements without sufficient restriction or context validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Profilegrid

CVE-2024-8861

MEDIUM CVSS 6.4 2024-09-26
Open Full Technical Breakdown
Threat Entry Updated 2025-03-14

CVE-2024-6517 - Contact Form 7 Math Captcha Plugin

The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users.

PLUGIN Contact Form 7 Math Captcha

CVE-2024-6517

MEDIUM CVSS 6.1 2024-09-26
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-8723 - 012 Ps Multi Languages Plugin

The 012 Ps Multi Languages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via translated titles in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN 012 Ps Multi Languages

CVE-2024-8723

MEDIUM CVSS 6.4 2024-09-26
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-8803 - Bulk Noindex Nofollow Toolkit Plugin

The Bulk NoIndex & NoFollow Toolkit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.15. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Bulk Noindex Nofollow Toolkit

CVE-2024-8803

MEDIUM CVSS 6.1 2024-09-26
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-8552 - Download Monitor Plugin

The Download Monitor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the enable_shop() function in all versions up to, and including, 5.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable shop functionality.

PLUGIN Download Monitor

CVE-2024-8552

MEDIUM CVSS 4.3 2024-09-26
Open Full Technical Breakdown
Threat Entry Updated 2024-09-26

CVE-2024-43237 - WordPress Core

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in TaxoPress WordPress Tag Cloud Plugin – Tag Groups.This issue affects WordPress Tag Cloud Plugin – Tag Groups: from n/a through 2.0.3.

CORE WordPress Core

CVE-2024-43237

MEDIUM CVSS 5.3 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-8546 - Elementskit Elementor Addons Plugin

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video widget in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementskit Elementor Addons

CVE-2024-8546

MEDIUM CVSS 6.4 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-8858 - Addons For Elementor Plugin

The Elementor Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘piechart_settings’ parameter in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Addons For Elementor

CVE-2024-8858

MEDIUM CVSS 6.4 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2025-03-07

CVE-2024-9169 - Litespeed Cache Plugin

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin debug settings in all versions up to, and including, 6.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Litespeed Cache

CVE-2024-9169

MEDIUM CVSS 5.5 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-03

CVE-2024-8910 - Ht Mega Plugin

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.5 via the render function in includes/widgets/htmega_accordion.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Ht Mega

CVE-2024-8910

MEDIUM CVSS 4.3 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-8678 - Revolut Gateway For Woocommerce Plugin

The Revolut Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wc/v3/revolut REST API endpoint in all versions up to, and including, 4.17.3. This makes it possible for unauthenticated attackers to mark orders as completed.

PLUGIN Revolut Gateway For Woocommerce

CVE-2024-8678

MEDIUM CVSS 5.3 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-3866 - Ninja Forms Plugin

The Ninja Forms Contact Form plugin for WordPress is vulnerable to Reflected Self-Based Cross-Site Scripting via the 'Referer' header in all versions up to, and including, 3.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Successful exploitation of this vulnerability requires "maintenance mode" for a targeted form to be enabled. However, there is no setting available to…

PLUGIN Ninja Forms

CVE-2024-3866

MEDIUM CVSS 4.7 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-8658 - Mycred Plugin

The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mycred_update_database() function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to upgrade an out of date database.

PLUGIN Mycred

CVE-2024-8658

MEDIUM CVSS 5.3 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2026-01-20

CVE-2024-6845 - Chatbot With Chatgpt Plugin

The Chatbot with ChatGPT WordPress plugin before 2.4.6 does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key

PLUGIN Chatbot With Chatgpt

CVE-2024-6845

MEDIUM CVSS 5.3 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-7878 - Before 4 Plugin

The WP ULike WordPress plugin before 4.7.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 4

CVE-2024-7878

MEDIUM CVSS 4.8 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-07

CVE-2024-7892 - Adstxt Plugin

The adstxt Plugin WordPress plugin through 1.0.0 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

PLUGIN Adstxt

CVE-2024-7892

MEDIUM CVSS 4.3 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-07

CVE-2024-8668 - Woolentor Woocommerce Elementor Addons Builder Plugin

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the tooltip and countdown functionality in all versions up to, and including, 2.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woolentor Woocommerce Elementor Addons Builder

CVE-2024-8668

MEDIUM CVSS 6.4 2024-09-25
Open Full Technical Breakdown
Threat Entry Updated 2024-10-02

CVE-2024-8516 - Themesflat Addons For Elementor

The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.2.1 via the render() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract limited post information from draft and future scheduled posts.

THEME Themesflat Addons For Elementor

CVE-2024-8516

MEDIUM CVSS 4.3 2024-09-25
Open Full Technical Breakdown
Scroll to top