Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Records: 10,866 total (Critical 0, High 0, Medium 10,866). Showing 5821-5840 of 10866 records.
CVE-2024-6855 - WP MultiTasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not perform a CSRF check when updating exit popups, which could allow attackers to make logged-in admins perform that action via a CSRF attack.

Plugin: WP MultiTasking | Severity: Medium (CVSS 4.3) | 2024-09-08 | Entry updated 2024-09-11
CVE-2024-6853 - WP MultiTasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not perform a CSRF check when updating welcome popups, which could allow attackers to make logged-in admins perform that action via a CSRF attack.

Plugin: WP MultiTasking | Severity: Medium (CVSS 4.3) | 2024-09-08 | Entry updated 2024-09-11
CVE-2024-6852 - WP MultiTasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

Plugin: WP MultiTasking | Severity: Medium (CVSS 4.3) | 2024-09-08 | Entry updated 2024-09-11
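The three WP MultiTasking entries above share one root cause: a state-changing admin action with no nonce. The following is an added example, not the plugin's code, showing a hypothetical popup-save handler without a CSRF check beside the same handler protected by a WordPress nonce; the hook, option and field names (wpmt_*) are assumptions.

```php
<?php
/**
 * Added example, not WP MultiTasking code: a popup-save handler with no CSRF
 * check beside the same handler protected by a WordPress nonce. The hook,
 * option and field names (wpmt_*) are hypothetical.
 */

// --- Vulnerable: trusts any POST that reaches admin-post.php ---------------
// A page the admin visits while logged in can auto-submit a form to
// wp-admin/admin-post.php?action=wpmt_save_popup and the change is applied,
// because nothing proves the request came from the plugin's own settings page.
function wpmt_save_popup_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    // The capability check alone does not stop CSRF: the victim *is* an admin.
    update_option( 'wpmt_exit_popup_html', wp_kses_post( wp_unslash( $_POST['popup_html'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=wpmt-popups&saved=1' ) );
    exit;
}
// add_action( 'admin_post_wpmt_save_popup', 'wpmt_save_popup_vulnerable' );

// --- Hardened: a nonce bound to the action, plus the capability check -------
// The settings page emits the nonce alongside the form fields.
function wpmt_render_popup_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wpmt_save_popup">
        <?php wp_nonce_field( 'wpmt_save_popup', 'wpmt_nonce' ); ?>
        <textarea name="popup_html"><?php echo esc_textarea( get_option( 'wpmt_exit_popup_html', '' ) ); ?></textarea>
        <?php submit_button( 'Save popup' ); ?>
    </form>
    <?php
}

function wpmt_save_popup_hardened() {
    // Dies with a 403 unless wpmt_nonce is present and was created for the
    // 'wpmt_save_popup' action by this user's session within the nonce
    // lifetime (WordPress nonces roll over every 12 hours, so 12 to 24 hours).
    check_admin_referer( 'wpmt_save_popup', 'wpmt_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    $html = wp_kses_post( wp_unslash( $_POST['popup_html'] ?? '' ) );
    update_option( 'wpmt_exit_popup_html', $html );

    wp_safe_redirect( admin_url( 'admin.php?page=wpmt-popups&saved=1' ) );
    exit;
}
add_action( 'admin_post_wpmt_save_popup', 'wpmt_save_popup_hardened' );
```

The capability check alone is not a CSRF defence: the victim is a logged-in admin, so current_user_can() passes on the forged request. The nonce ties the request to the action, the user's session and a bounded time window, none of which a form auto-submitted from a third-party page can supply.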
CVE-2024-7620 - Customizer Export/Import Plugin

The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: This vulnerability is only exploitable when used in conjunction with a race condition as the uploaded file is deleted shortly after it is created.

Plugin: Customizer Export/Import | Severity: Medium (CVSS 6.6) | 2024-09-07 | Entry updated 2025-07-10
CVE-2024-6010 - Cost Calculator Builder Plugin

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17.

Plugin: Cost Calculator Builder | Severity: Medium (CVSS 5.3) | 2024-09-07 | Entry updated 2024-10-23
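Price manipulation of the kind described above is the server trusting the client for a value only the server can authoritatively compute. The following is an added example, not Cost Calculator Builder code: the calculator definition, field names and function names (ccb_*) are constructed for illustration.

```php
<?php
/**
 * Added example, not Cost Calculator Builder code: an order handler that
 * stores the price the browser sent, beside one that recomputes it from the
 * calculator definition kept on the server. All names are hypothetical.
 */

// Constructed calculator definition, standing in for what the site admin
// configured and the plugin persisted server-side.
function ccb_calculator_definition( $calc_id ) {
    static $defs = array(
        42 => array(
            'currency' => 'EUR',
            'fields'   => array(
                'area_m2' => array( 'type' => 'number',   'unit_price' => 12.50, 'min' => 1, 'max' => 500 ),
                'finish'  => array( 'type' => 'dropdown', 'options' => array( 'matte' => 0.00, 'gloss' => 45.00 ) ),
            ),
        ),
    );
    return $defs[ $calc_id ] ?? null;
}

// --- Vulnerable: the total is just another form field ------------------------
function ccb_create_order_vulnerable( array $post ) {
    // An unauthenticated visitor can POST total=1.00 alongside the real inputs.
    return array(
        'calc_id' => (int) ( $post['calc_id'] ?? 0 ),
        'total'   => (float) ( $post['total'] ?? 0 ),
        'fields'  => $post['fields'] ?? array(),
    );
}

// --- Hardened: the client sends inputs, the server derives the price ---------
function ccb_compute_total( array $calc, array $inputs ) {
    $total = 0.0;
    foreach ( $calc['fields'] as $name => $def ) {
        $value = $inputs[ $name ] ?? null;
        switch ( $def['type'] ) {
            case 'number':
                $n = is_numeric( $value ) ? (float) $value : null;
                if ( null === $n || $n < $def['min'] || $n > $def['max'] ) {
                    return new WP_Error( 'bad_input', "Field {$name} is missing or out of range." );
                }
                $total += $n * $def['unit_price'];
                break;
            case 'dropdown':
                if ( ! is_string( $value ) || ! array_key_exists( $value, $def['options'] ) ) {
                    return new WP_Error( 'bad_input', "Field {$name}: invalid option." );
                }
                $total += $def['options'][ $value ];
                break;
        }
    }
    return round( $total, 2 );
}

function ccb_create_order_hardened( array $post ) {
    $calc_id = (int) ( $post['calc_id'] ?? 0 );
    $calc    = ccb_calculator_definition( $calc_id );
    if ( null === $calc ) {
        return new WP_Error( 'no_calc', 'Unknown calculator.' );
    }
    $total = ccb_compute_total( $calc, (array) ( $post['fields'] ?? array() ) );
    if ( is_wp_error( $total ) ) {
        return $total;
    }
    // The browser's 'total' is never stored. If the UI sends one for display,
    // treat a mismatch as a tampering signal worth logging, nothing more.
    if ( isset( $post['total'] ) && abs( (float) $post['total'] - $total ) > 0.005 ) {
        error_log( sprintf( 'CCB price mismatch: client sent %s, server computed %s', $post['total'], $total ) );
    }
    return array(
        'calc_id'  => $calc_id,
        'total'    => $total,
        'currency' => $calc['currency'],
        'fields'   => $post['fields'] ?? array(),
    );
}

// Constructed tampered request: real inputs, forged total.
$tampered = array(
    'calc_id' => 42,
    'total'   => '1.00',
    'fields'  => array( 'area_m2' => '10', 'finish' => 'gloss' ),
);
```

With the constructed request (10 m² at 12.50 plus the 45.00 gloss option), the vulnerable handler records the 1.00 the browser sent; the hardened handler ignores that field and records 170.00, and logs the discrepancy.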
CVE-2024-8538 - Big File Uploads Plugin

The Big File Uploads – Increase Maximum File Upload Size plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1.2. This is due to the plugin not sanitizing a file path in an error message. This makes it possible for authenticated attackers, with author-level access and above, to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an…

Plugin: Big File Uploads | Severity: Medium (CVSS 4.3) | 2024-09-07 | Entry updated 2024-09-26
CVE-2024-6849 - Preloader Plus Plugin

The Preloader Plus – WordPress Loading Screen Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Plugin: Preloader Plus | Severity: Medium (CVSS 6.4) | 2024-09-07 | Entry updated 2024-09-26
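The Customizer Export/Import and Preloader Plus entries are both file-type validation failures: the first writes an unvalidated upload to disk and relies on deleting it afterwards, the second lets SVG, an XML format that can carry script, into the media library. The following is an added example, not either plugin's code; the function names (cei_*) and the capability used are hypothetical.

```php
<?php
/**
 * Added example, not Customizer Export/Import or Preloader Plus code: an
 * import handler that writes any upload to disk beside one that validates
 * the type by extension and content, plus the upload_mimes filter that keeps
 * SVG out of the media library. Function names (cei_*) are hypothetical.
 */

// --- Vulnerable: no type check; the only "defence" is a later unlink() -----
// An Administrator-level attacker uploads settings.php through the import
// form; it lands web-accessible under wp-content/uploads and a second request
// executes it before the cleanup runs. That is the race CVE-2024-7620 notes.
function cei_import_vulnerable( array $file ) {
    $upload_dir = wp_upload_dir();
    $dest       = trailingslashit( $upload_dir['basedir'] ) . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );   // .php, .phtml, .svg ... anything goes
    $data = file_get_contents( $dest );
    @unlink( $dest );                                  // too late: the window was already open
    return $data;
}

// --- Hardened ---------------------------------------------------------------
// 1. Allowlist what an import may be, by extension and MIME type.
// 2. Let wp_check_filetype_and_ext() confirm the bytes match the claimed type
//    (it sniffs with finfo and returns empty ext/type on a mismatch).
// 3. Parse the PHP temp file directly; it is outside the web root and PHP
//    removes it at request end, so nothing is ever web-reachable.
function cei_import_hardened( array $file ) {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient permissions.' );
    }
    if ( empty( $file['tmp_name'] ) || empty( $file['name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'bad_upload', 'No upload received.' );
    }

    // A customizer export is a text blob; nothing else is acceptable here.
    // (JSON is deliberately omitted: libmagic versions disagree on whether a
    // .json file is application/json or text/plain, which would fail the match.)
    $allowed = array( 'dat' => 'text/plain' );

    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Import file must be a .dat export.' );
    }

    return file_get_contents( $file['tmp_name'] );
}

// --- SVG (the CVE-2024-6849 pattern) -----------------------------------------
// Core does not allow SVG uploads; a plugin that adds 'svg' to upload_mimes so
// an Author can pick an SVG loader image reopens stored XSS, because an SVG is
// XML and may carry <script> and on*= handlers that run when a user opens the
// file URL. Unless every SVG is run through a real sanitizer on upload, do
// not add it. This late-priority filter undoes any plugin that does:
add_filter( 'upload_mimes', function ( array $mimes ) {
    unset( $mimes['svg'], $mimes['svgz'] );
    return $mimes;
}, PHP_INT_MAX );
```

The hardened import never creates a web-served file at all, so the "race condition" caveat in the CVE text stops being a mitigating factor and simply does not apply; the type check is defence in depth on top of that.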
CVE-2024-7611 - Enter Addons Plugin

The Enter Addons – Ultimate Template Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' attribute of the Events Card widget in all versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Enter Addons | Severity: Medium (CVSS 6.4) | 2024-09-06 | Entry updated 2024-09-26
CVE-2024-7599 - Advanced Sermons Plugin

The Advanced Sermons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sermon_video_embed' parameter in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Advanced Sermons | Severity: Medium (CVSS 6.4) | 2024-09-06 | Entry updated 2024-09-26
CVE-2024-7622 - Revision Manager TMC Plugin

The Revision Manager TMC plugin for WordPress is vulnerable to unauthorized arbitrary email sending due to a missing capability check on the _a_ajaxQuickEmailTestCallback() function in all versions up to, and including, 2.8.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to send emails with arbitrary content to any individual through the vulnerable web server.

Plugin: Revision Manager TMC | Severity: Medium (CVSS 4.3) | 2024-09-06 | Entry updated 2024-09-26
CVE-2024-8317 - WP AdCenter Plugin

The WP AdCenter – Ad Manager & Adsense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad_alignment' attribute in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: WP AdCenter | Severity: Medium (CVSS 6.4) | 2024-09-06 | Entry updated 2024-09-11
CVE-2024-8427 - Frontend Post Submission Manager Plugin

The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_global_settings and process_form_edit functions in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and forms.

Plugin: Frontend Post Submission Manager | Severity: Medium (CVSS 4.3) | 2024-09-06 | Entry updated 2024-09-11
CVE-2024-7415 - Remember Me Controls Plugin

The Remember Me Controls plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0.1. This is due to the plugin allowing direct access to the bootstrap.php file which has display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Plugin: Remember Me Controls | Severity: Medium (CVSS 5.3) | 2024-09-06 | Entry updated 2024-09-30
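The Big File Uploads and Remember Me Controls entries are the two usual routes to full path disclosure: an error message that interpolates a server path, and a plugin file that can be requested directly so PHP's own fatal-error output reveals where it lives. The following is an added example, not either plugin's code; the file, function and option names (rmc_*, bfu_*) are hypothetical.

```php
<?php
/**
 * Added example, not Remember Me Controls or Big File Uploads code: the two
 * full-path-disclosure patterns from the entries above, each with its fix.
 * File, function and option names are hypothetical.
 */

// --- Pattern 1: a plugin file that can be requested directly ---------------
// Requesting /wp-content/plugins/example/bootstrap.php outside WordPress
// means add_action() is undefined; with display_errors on, PHP prints
// "Fatal error: Call to undefined function add_action() in
//  /var/www/html/wp-content/plugins/example/bootstrap.php on line N".
//
// A bootstrap.php of the kind CVE-2024-7415 describes turns display_errors
// on and calls WordPress functions with no guard, along the lines of:
//     ini_set( 'display_errors', 1 );
//     add_action( 'init', 'rmc_init' );
//
// Hardened: bail before any WordPress symbol is touched, and never force
// display_errors on in shipped code (WP_DEBUG_DISPLAY is the site owner's call).
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}
add_action( 'init', 'rmc_init' );
function rmc_init() {
    // plugin setup goes here
}

// --- Pattern 2: an error message that embeds the server path ---------------
// Vulnerable (the CVE-2024-8538 pattern): the absolute path is sent back to
// the browser of any Author whose chunked upload fails.
function bfu_write_chunk_vulnerable( $dest, $bytes ) {
    if ( false === file_put_contents( $dest, $bytes, FILE_APPEND ) ) {
        wp_send_json_error( "Could not write to {$dest}" );
    }
    wp_send_json_success();
}

// Hardened: the user sees the file name only; the path stays in the server log.
function bfu_write_chunk_hardened( $dest, $bytes ) {
    if ( false === file_put_contents( $dest, $bytes, FILE_APPEND ) ) {
        error_log( sprintf( 'Big upload: write failed for %s (user %d)', $dest, get_current_user_id() ) );
        wp_send_json_error(
            sprintf( 'Could not write %s; check the uploads directory permissions.', wp_basename( $dest ) )
        );
    }
    wp_send_json_success();
}
```

Every PHP file a plugin ships should carry the ABSPATH guard, not only the main file, since any of them can be requested by URL; and error text shown to users should be built from a basename or a fixed message, with the path reserved for error_log().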
CVE-2024-7381 - Geo Controller Plugin

The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajax__shortcode_cache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the target site.

Plugin: Geo Controller | Severity: Medium (CVSS 5.3) | 2024-09-05 | Entry updated 2024-09-06
CVE-2024-7605 - HelloAsso Plugin

The HelloAsso plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ha_ajax' function in all versions up to, and including, 1.1.10. This makes it possible for authenticated attackers, with Contributor-level access and above, to update plugin options, potentially disrupting the service.

Plugin: HelloAsso | Severity: Medium (CVSS 4.3) | 2024-09-05 | Entry updated 2024-09-12
CVE-2024-7380 - Geo Controller Plugin

The Geo Controller plugin for WordPress is vulnerable to unauthorized menu creation/deletion due to missing capability checks on the ajax__geolocate_menu and ajax__geolocate_remove_menu functions in all versions up to, and including, 8.6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete WordPress menus.

Plugin: Geo Controller | Severity: Medium (CVSS 4.3) | 2024-09-05 | Entry updated 2024-09-06
CVE-2024-6929 - Dynamic Featured Image Plugin

The Dynamic Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dfiFeatured' parameter in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Dynamic Featured Image | Severity: Medium (CVSS 6.4) | 2024-09-05 | Entry updated 2024-09-12
CVE-2024-6894 - RD Station Plugin

The RD Station plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.3.2 due to insufficient input sanitization and output escaping of post metaboxes added by the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: RD Station | Severity: Medium (CVSS 6.4) | 2024-09-05 | Entry updated 2024-09-11
CVE-2024-6332 - Amelia Plugin

The Booking for Appointments and Events Calendar – Amelia Premium and Lite plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the 'ameliaButtonCommand' function in all versions up to, and including, Premium 7.7 and Lite 1.2.3. This makes it possible for unauthenticated attackers to access employee calendar details, including Google Calendar OAuth tokens in the premium version.

Plugin: Amelia | Severity: Medium (CVSS 6.5) | 2024-09-05 | Entry updated 2024-09-12
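The Revision Manager TMC, Frontend Post Submission Manager, Geo Controller (both entries), HelloAsso and Amelia entries are all missing authorization on AJAX callbacks: the handler is reachable through admin-ajax.php and never checks who is calling or whether the request came from the plugin's own page. The following is an added example, not any of these plugins' code; the action, option, capability and shortcode names (ex_*) are hypothetical.

```php
<?php
/**
 * Added example, none of the listed plugins' code: admin-ajax.php handlers
 * with the missing-authorization patterns from the entries above, each beside
 * a hardened version. Action, option and shortcode names are hypothetical.
 */

// --- Vulnerable: registered for logged-in *and* anonymous callers, and the
// callback never asks who is calling. Any Subscriber (or, via the nopriv hook,
// anyone at all) can POST to admin-ajax.php?action=ex_save_settings.
function ex_save_settings_vulnerable() {
    update_option( 'ex_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}
// add_action( 'wp_ajax_ex_save_settings',        'ex_save_settings_vulnerable' );
// add_action( 'wp_ajax_nopriv_ex_save_settings', 'ex_save_settings_vulnerable' );

// --- Hardened: the three checks every privileged AJAX endpoint needs --------
// 1. Only the wp_ajax_ hook (logged-in users), never wp_ajax_nopriv_.
// 2. A nonce, so another site cannot ride an admin's session (CSRF).
// 3. A capability check: being logged in is not authorization. Subscribers
//    are logged in too, which is exactly what CVE-2024-8427 and the others use.
function ex_save_settings_hardened() {
    check_ajax_referer( 'ex_settings_nonce', 'nonce' );   // dies with -1 and HTTP 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    $in  = (array) wp_unslash( $_POST['settings'] ?? array() );
    $out = array(
        'title'   => sanitize_text_field( $in['title'] ?? '' ),
        'enabled' => ! empty( $in['enabled'] ),
    );
    update_option( 'ex_settings', $out );
    wp_send_json_success( $out );
}
add_action( 'wp_ajax_ex_save_settings', 'ex_save_settings_hardened' );
// The page must send wp_create_nonce( 'ex_settings_nonce' ) as the 'nonce'
// field, e.g. via wp_localize_script() or a hidden input.

// --- Shortcode rendering endpoint (the CVE-2024-7381 pattern) ---------------
// Vulnerable: renders whatever shortcode text the request carries, so an
// anonymous caller can execute any shortcode any active plugin registers,
// including ones that print private data or act with the site's privileges.
function ex_shortcode_cache_vulnerable() {
    echo do_shortcode( wp_unslash( $_POST['shortcode'] ?? '' ) );
    wp_die();
}
// add_action( 'wp_ajax_nopriv_ex_shortcode_cache', 'ex_shortcode_cache_vulnerable' );

// Hardened: the client names one of the plugin's own shortcodes and passes
// attributes as data; the server builds the tag, so only allowlisted
// shortcodes ever run, and only with the attributes the plugin expects.
function ex_shortcode_cache_hardened() {
    $allowed = array( 'ex_geo_banner' );   // the plugin's own public shortcodes
    $tag     = sanitize_key( $_POST['tag'] ?? '' );
    if ( ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'Unknown shortcode', 400 );
    }
    $region = sanitize_text_field( wp_unslash( $_POST['region'] ?? '' ) );
    // Build the tag from vetted pieces; never hand raw request text to do_shortcode().
    $html = do_shortcode( sprintf( '[%s region="%s"]', $tag, esc_attr( $region ) ) );
    wp_send_json_success( $html );
}
add_action( 'wp_ajax_nopriv_ex_shortcode_cache', 'ex_shortcode_cache_hardened' );
add_action( 'wp_ajax_ex_shortcode_cache',        'ex_shortcode_cache_hardened' );
```

A public endpoint (like the shortcode cache) may legitimately stay on the nopriv hook; what it must not do is let the caller choose which code runs. A privileged endpoint (settings, menus, emails, calendar data) needs the nonce and the capability check together: the nonce stops cross-site requests, the capability check stops the Subscriber who is making the request on purpose.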
CVE-2024-8363 - Share This Image Plugin

The Share This Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's STI Buttons shortcode in all versions up to, and including, 2.02 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Share This Image | Severity: Medium (CVSS 6.4) | 2024-09-05 | Entry updated 2024-09-11
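The Enter Addons, Advanced Sermons, WP AdCenter, Dynamic Featured Image, RD Station and Share This Image entries are the same stored XSS shape: a value a Contributor can set (a shortcode or widget attribute, or post meta) reaches the page without being escaped for the context it lands in. The following is an added example, not any of these plugins' code; the shortcode and attribute names (ex_card) are hypothetical, and the 'tag' attribute mirrors the Events Card pattern.

```php
<?php
/**
 * Added example, none of the listed plugins' code: a shortcode that prints
 * its attributes raw, beside the escaped version. Shortcode and attribute
 * names are hypothetical; the 'tag' attribute mirrors CVE-2024-7611.
 */

// Why Contributor access is enough: a Contributor lacks unfiltered_html, so
// KSES strips <script> from their post body. A shortcode attribute is not
// HTML to KSES; it is plain text inside [brackets], so a post containing
//     [ex_card title='" onmouseover="alert(1)' tag="svg" url="javascript:alert(1)"]
// survives KSES and becomes live markup when the shortcode renders it for
// every visitor, editors and admins included.

// --- Vulnerable ------------------------------------------------------------
function ex_card_shortcode_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'tag' => 'div', 'title' => '', 'url' => '#', 'class' => '' ), $atts );
    return "<{$a['tag']} class=\"ex-card {$a['class']}\">"
         . "<a href=\"{$a['url']}\">{$a['title']}</a>"
         . "</{$a['tag']}>";
}

// --- Hardened: escape for the context each value lands in -------------------
function ex_card_shortcode_hardened( $atts ) {
    $a = shortcode_atts( array( 'tag' => 'div', 'title' => '', 'url' => '#', 'class' => '' ), $atts, 'ex_card' );

    // Element names cannot be "escaped"; they have to be allowlisted.
    $allowed_tags = array( 'div', 'section', 'article', 'li' );
    $tag = strtolower( $a['tag'] );
    if ( ! in_array( $tag, $allowed_tags, true ) ) {
        $tag = 'div';
    }

    $class = sanitize_html_class( $a['class'] );   // keeps A-Z a-z 0-9 _ - only
    $url   = esc_url( $a['url'] );                  // drops javascript:, data: and other disallowed schemes
    $title = esc_html( $a['title'] );               // text-node context

    return sprintf(
        '<%1$s class="ex-card %2$s"><a href="%3$s">%4$s</a></%1$s>',
        $tag,
        esc_attr( $class ),
        $url,
        $title
    );
}
add_shortcode( 'ex_card', 'ex_card_shortcode_hardened' );
```

The same rule covers the post-meta cases in the list ('sermon_video_embed', 'dfiFeatured', metabox fields): sanitize on save where a type is known, and always escape on output with the function that matches the sink, esc_attr() inside an attribute, esc_url() in href or src, esc_html() in text, wp_kses_post() only where a limited HTML subset is genuinely intended.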