
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity filter: Medium (10,866 records; Critical 0, High 0). Showing 5741-5760 of 10866 records.
Threat Entry Updated 2024-09-27

CVE-2024-8052 - Review Ratings Plugin

The Review Ratings WordPress plugin through 1.6 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Review Ratings

CVE-2024-8052

MEDIUM CVSS 6.1 2024-09-17
Threat Entry Updated 2024-09-27

CVE-2024-8092 - Accordion Image Menu Plugin

The Accordion Image Menu WordPress plugin through 3.1.3 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Accordion Image Menu

CVE-2024-8092

MEDIUM CVSS 5.4 2024-09-17
Threat Entry Updated 2024-09-27

CVE-2024-8051 - Special Feed Items Plugin

The Special Feed Items WordPress plugin through 1.0.1 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Special Feed Items

CVE-2024-8051

MEDIUM CVSS 5.4 2024-09-17
Threat Entry Updated 2024-09-27

CVE-2024-8043 - Vikinghammer Tweet Plugin

The Vikinghammer Tweet WordPress plugin through 0.2.4 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Vikinghammer Tweet

CVE-2024-8043

MEDIUM CVSS 5.4 2024-09-17
Threat Entry Updated 2024-09-27

CVE-2024-5170 - Logo Manager For Enamad Plugin

The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape its widget settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Logo Manager For Enamad

CVE-2024-5170

MEDIUM CVSS 4.8 2024-09-17
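The four CSRF-to-Stored-XSS entries above and the Logo Manager entry share one root cause: a settings write path with no nonce check, no sanitisation on save, and no escaping on output. The following is an added example written for this page, not code from any of the plugins listed; the option name, action names and function names are hypothetical. The vulnerable handler is shown beside a hardened one. Sanitising on save is what also addresses the unfiltered_html point: even an admin's own input cannot become a stored payload, which matters on multisite where admins lack that capability.

```php
<?php
// Added example (not code from any plugin on this page). Option name
// 'demo_title', actions 'demo_save_title*' and all function names are hypothetical.

// ---- Vulnerable: no capability check, no nonce, raw value stored, raw value echoed.
add_action( 'admin_post_demo_save_title', 'demo_save_title_vulnerable' );
function demo_save_title_vulnerable() {
    // A page on any other origin can auto-submit a POST to admin-post.php; the
    // browser attaches the admin's cookies, so the payload is stored as the admin.
    update_option( 'demo_title', $_POST['title'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
function demo_render_title_vulnerable() {
    // A stored "><script>...</script> now runs for every admin who opens the page.
    echo '<input type="text" name="title" value="' . get_option( 'demo_title' ) . '">';
}

// ---- Hardened: capability + nonce on write, sanitise on save, escape on output.
add_action( 'admin_post_demo_save_title_safe', 'demo_save_title_safe' );
function demo_save_title_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    // Dies with 403 unless the request carries a nonce issued to this user for
    // this action; a cross-site form cannot obtain one.
    check_admin_referer( 'demo_save_title_safe', 'demo_nonce' );

    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'demo_title', $title );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
function demo_render_title_safe() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_title_safe">
        <?php wp_nonce_field( 'demo_save_title_safe', 'demo_nonce' ); ?>
        <input type="text" name="title" value="<?php echo esc_attr( get_option( 'demo_title', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

When reviewing a plugin for this class of bug, look for every `update_option()` / `$wpdb` write reachable from `admin_post_*`, `admin_init` or `wp_ajax_*` hooks and confirm all three controls are present on the same path: `current_user_can()`, `check_admin_referer()` or `check_ajax_referer()`, and a `sanitize_*` call before the write.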
Threat Entry Updated 2024-09-27

CVE-2023-3410 - Bricks Theme

The Bricks theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customTag' attribute in versions up to, and including, 1.10.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to the Bricks Builder (admin-only by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This becomes more of an issue when Bricks Builder access is granted to lower-privileged users.

THEME Bricks

CVE-2023-3410

MEDIUM CVSS 5.4 2024-09-14
Threat Entry Updated 2024-09-27

CVE-2024-8797 - Wp Booking System Plugin

The WP Booking System – Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.19.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Booking System

CVE-2024-8797

MEDIUM CVSS 6.1 2024-09-14
Threat Entry Updated 2024-09-27

CVE-2024-8724 - Waitlist Woocommerce Plugin

The Waitlist Woocommerce ( Back in stock notifier ) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Waitlist Woocommerce

CVE-2024-8724

MEDIUM CVSS 6.1 2024-09-14
Threat Entry Updated 2024-09-26

CVE-2024-8747 - Email Obfuscate Shortcode Plugin

The Email Obfuscate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email-obfuscate' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Email Obfuscate Shortcode

CVE-2024-8747

MEDIUM CVSS 6.4 2024-09-13
Threat Entry Updated 2024-09-26

CVE-2024-8737 - Pdf Thumbnail Generator Plugin

The PDF Thumbnail Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Pdf Thumbnail Generator

CVE-2024-8737

MEDIUM CVSS 6.1 2024-09-13
Threat Entry Updated 2024-09-26

CVE-2024-8734 - Lucas String Replace Plugin

The Lucas String Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Lucas String Replace

CVE-2024-8734

MEDIUM CVSS 6.1 2024-09-13
Threat Entry Updated 2024-09-26

CVE-2024-8732 - Roles Capabilities Plugin

The Roles & Capabilities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Roles Capabilities

CVE-2024-8732

MEDIUM CVSS 6.1 2024-09-13
Threat Entry Updated 2024-09-26

CVE-2024-8731 - Cron Jobs Plugin

The Cron Jobs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Cron Jobs

CVE-2024-8731

MEDIUM CVSS 6.1 2024-09-13
Threat Entry Updated 2024-09-26

CVE-2024-8730 - Exit Notifier Plugin

The Exit Notifier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Exit Notifier

CVE-2024-8730

MEDIUM CVSS 6.1 2024-09-13
Threat Entry Updated 2024-09-26

CVE-2024-8714 - Affiliate Program Suite Plugin

The WordPress Affiliates Plugin — SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Affiliate Program Suite

CVE-2024-8714

MEDIUM CVSS 6.1 2024-09-13
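Eight entries above (WP Booking System, Waitlist Woocommerce, PDF Thumbnail Generator, Lucas String Replace, Roles & Capabilities, Cron Jobs, Exit Notifier and SliceWP) cite the same pattern: `add_query_arg()` or `remove_query_arg()` output placed in HTML without escaping. The mechanism is that both functions, when called without an explicit URL argument, build on `$_SERVER['REQUEST_URI']`, which the requester controls. The following is an added example for this page, not code from any of those plugins; function names are hypothetical.

```php
<?php
// Added example (not code from any plugin on this page). Function names are hypothetical.

// ---- Vulnerable: the current request URI flows straight into an href.
function demo_next_page_link_vulnerable( $page ) {
    // No URL argument, so add_query_arg() starts from $_SERVER['REQUEST_URI'].
    // A victim lured to  /?x="><script>alert(document.domain)</script>  gets that
    // text reflected inside the <a> tag below.
    $url = add_query_arg( 'paged', (int) $page );
    return '<a href="' . $url . '">Next</a>';
}

// ---- Hardened: esc_url() whenever the URL is printed into HTML.
function demo_next_page_link_safe( $page ) {
    $url = add_query_arg( 'paged', (int) $page );
    // esc_url() strips characters outside its allow-list (including " < >),
    // encodes & and ', and drops disallowed schemes, so the attribute cannot be
    // closed early and no new tag can be opened.
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// ---- Non-display use: esc_url_raw() when the URL is redirected to or stored.
function demo_redirect_without_notice() {
    wp_safe_redirect( esc_url_raw( remove_query_arg( 'notice' ) ) );
    exit;
}
```

The grep that finds this bug class is any `add_query_arg(` or `remove_query_arg(` whose result reaches `echo`, `printf` or string concatenation into markup without passing through `esc_url()` first; the WordPress developer documentation for both functions carries the same warning.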
Threat Entry Updated 2024-09-26

CVE-2024-5884 - Beauty Theme

The Beauty theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tpl_featured_cat_id' parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Beauty

CVE-2024-5884

MEDIUM CVSS 6.4 2024-09-13
Threat Entry Updated 2024-09-30

CVE-2024-6544 - Custom Post Limits Plugin

The Custom Post Limits plugin for WordPress is vulnerable to full path disclosure in all versions up to, and including, 4.4.1. This is due to the plugin utilizing bootstrap and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Custom Post Limits

CVE-2024-6544

MEDIUM CVSS 5.3 2024-09-13
Threat Entry Updated 2024-09-18

CVE-2024-8242 - Mstore Api Plugin

The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. This can be paired with a registration endpoint for unauthenticated users to exploit the issue.

PLUGIN Mstore Api

CVE-2024-8242

MEDIUM CVSS 4.3 2024-09-13
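The MStore API entry describes a file upload with no file type validation, with the note that PHP files were excluded, which points to a deny-list rather than an allow-list. The following is an added example for this page, not MStore API code; it contrasts a handler that trusts the client-supplied name with one that enforces an image allow-list and lets WordPress verify the extension against the file contents. Function names and the avatars directory are hypothetical.

```php
<?php
// Added example (not MStore API code). Function names and paths are hypothetical.

// ---- Vulnerable: trusts the client-supplied filename; no type check at all.
function demo_save_avatar_vulnerable( array $file ) {
    $dest = wp_upload_dir()['basedir'] . '/avatars/' . basename( $file['name'] );
    // .phtml, .phar, .htaccess, .html and script-bearing .svg are all accepted.
    // A deny-list of ".php" alone would still let most of these through.
    move_uploaded_file( $file['tmp_name'], $dest );
    return $dest;
}

// ---- Hardened: allow-list of image types, content check, server-chosen filename.
function demo_save_avatar_safe( array $file ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'forbidden', 'Login required' );
    }
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    // Checks the extension AND the real content (finfo / image header sniffing);
    // 'type' comes back empty when they disagree or are not in $allowed.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['type'] ) || empty( $check['ext'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG or GIF images are accepted' );
    }
    $overrides = array(
        'test_form'                => false,    // request did not come from a WP form
        'mimes'                    => $allowed, // enforce the allow-list again inside WP
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            // Discard the user-chosen name entirely; $ext includes the leading dot.
            return wp_generate_password( 16, false ) . $ext;
        },
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file'];
}
```

Two points from the advisory carry over: the registration endpoint that makes this reachable from an unauthenticated position is a separate control (who may call the endpoint), and "not including PHP files" is not a safe boundary, because the web server's handler mapping, `.htaccess` uploads and HTML or SVG served from the uploads directory all extend what a non-PHP file can do.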
Threat Entry Updated 2024-09-26

CVE-2024-5870 - Tweaker5 Theme

The Tweaker5 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within the theme's Button shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Tweaker5

CVE-2024-5870

MEDIUM CVSS 6.4 2024-09-13
Threat Entry Updated 2024-09-27

CVE-2024-5869 - Neighborly Theme

The Neighborly theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within the theme's Button shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Neighborly

CVE-2024-5869

MEDIUM CVSS 6.4 2024-09-13
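The Tweaker5 and Neighborly Button shortcodes (a 'url' attribute), the Email Obfuscate Shortcode entry (user-supplied shortcode attributes) and the Bricks 'customTag' entry (a user-controlled element name) are all variations on untrusted attribute values reaching markup. Contributors can place shortcodes in posts they cannot publish, and the payload fires for whoever views the post. The following is an added example for this page, not code from any of those projects; the shortcode name, attribute names and function names are hypothetical.

```php
<?php
// Added example (not code from Bricks, Tweaker5, Neighborly or Email Obfuscate
// Shortcode). Shortcode and function names are hypothetical.

// ---- Vulnerable: every attribute interpolated directly into HTML.
function demo_button_shortcode_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'url' => '#', 'tag' => 'a', 'text' => 'Click' ), $atts );
    // [demo_button_vuln url='javascript:alert(1)']
    // [demo_button_vuln url='" onmouseover="alert(1)']
    // [demo_button_vuln tag='img src=x onerror=alert(1)']
    // all reach the front end unchanged.
    return '<' . $a['tag'] . ' class="btn" href="' . $a['url'] . '">' . $a['text'] . '</' . $a['tag'] . '>';
}

// ---- Hardened: allow-list the element, esc_url() the URL, esc_html() the text.
function demo_button_shortcode_safe( $atts ) {
    $a = shortcode_atts( array( 'url' => '#', 'tag' => 'a', 'text' => 'Click' ), $atts, 'demo_button' );

    // tag_escape() lowercases and strips everything outside [a-z0-9_:-], which
    // stops attribute injection but would still accept "script"; the explicit
    // allow-list is the real control for a user-chosen element name.
    $tag = tag_escape( $a['tag'] );
    if ( ! in_array( $tag, array( 'a', 'button', 'span' ), true ) ) {
        $tag = 'a';
    }
    // esc_url() returns '' for schemes outside wp_allowed_protocols() (javascript:,
    // data:) and strips or encodes quotes, so the attribute cannot be closed early.
    $url  = esc_url( $a['url'] );
    $text = esc_html( $a['text'] );
    return '<' . $tag . ' class="btn" href="' . $url . '">' . $text . '</' . $tag . '>';
}

add_shortcode( 'demo_button_vuln', 'demo_button_shortcode_vulnerable' );
add_shortcode( 'demo_button', 'demo_button_shortcode_safe' );
```

The rule of thumb is to choose the escaping function by the output context: `esc_url()` for href/src, `esc_attr()` for other attributes, `esc_html()` for text nodes, and an allow-list (not an escaping function) for anything that selects an element or attribute name.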