Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 5941-5960 of 10866 records
Threat Entry Updated 2024-08-26

CVE-2024-5941 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.14.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read attachment paths and delete attachment files.

PLUGIN Givewp

CVE-2024-5941

MEDIUM CVSS 5.4 2024-08-20
Open Full Technical Breakdown
Threat Entry Updated 2024-08-26

CVE-2024-5940 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_request' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to edit event ticket settings if the Events beta feature is enabled.

PLUGIN Givewp

CVE-2024-5940

MEDIUM CVSS 6.5 2024-08-20
Open Full Technical Breakdown
Threat Entry Updated 2024-08-26

CVE-2024-5939 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'setup_wizard' function in all versions up to, and including, 3.13.0. This makes it possible for unauthenticated attackers to read the setup wizard administrative pages.

PLUGIN Givewp

CVE-2024-5939

MEDIUM CVSS 5.3 2024-08-20
Open Full Technical Breakdown
Threat Entry Updated 2025-05-27

CVE-2024-6843 - Chatbot With Chatgpt Plugin

The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not sanitise and escape user inputs, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks against admins

PLUGIN Chatbot With Chatgpt

CVE-2024-6843

MEDIUM CVSS 6.1 2024-08-19
Open Full Technical Breakdown
Threat Entry Updated 2024-09-13

CVE-2024-43335 - Responsive Blocks Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks – WordPress Gutenberg Blocks allows Stored XSS.This issue affects Responsive Blocks – WordPress Gutenberg Blocks: from n/a through 1.8.8.

PLUGIN Responsive Blocks

CVE-2024-43335

MEDIUM CVSS 6.5 2024-08-18
Open Full Technical Breakdown
Threat Entry Updated 2024-08-19

CVE-2024-7703 - Armember Membership Plugin

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.0.37 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Armember Membership

CVE-2024-7703

MEDIUM CVSS 6.4 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2025-04-10

CVE-2023-5505 - Backwpup Plugin

The BackWPup plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.0.1 via the job-specific backup folder. This allows authenticated attackers to store backups in arbitrary folders on the server provided they can be written to by the server. Additionally, default settings will place an index.php and a .htaccess file into the chosen directory (unless already present) when the first backup job is run that are intended to prevent directory listing and file access. This means that an attacker could set the backup directory to…

PLUGIN Backwpup

CVE-2023-5505

MEDIUM CVSS 6.8 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-09-13

CVE-2023-3409 - Bricks Theme

The Bricks theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.1. This is due to missing or incorrect nonce validation on the 'reset_settings' function. This makes it possible for unauthenticated attackers to reset the theme's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

THEME Bricks

CVE-2023-3409

MEDIUM CVSS 5.4 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-09-13

CVE-2023-3408 - Bricks Theme

The Bricks theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.1. This is due to missing or incorrect nonce validation on the 'save_settings' function. This makes it possible for unauthenticated attackers to modify the theme's settings, including enabling a setting which allows lower-privileged users such as contributors to perform code execution, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

THEME Bricks

CVE-2023-3408

MEDIUM CVSS 4.3 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-08-19

CVE-2023-4604 - 2j Slideshow Plugin

The Slideshow, Image Slider by 2J plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘post’ parameter in versions up to, and including, 1.3.54 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN 2j Slideshow

CVE-2023-4604

MEDIUM CVSS 6.1 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-08-19

CVE-2023-4730 - LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing… Plugin

The LadiApp plugn for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init_endpoint() function hooked via 'init' in versions up to, and including, 4.3. This makes it possible for unauthenticated attackers to modify a variety of settings. An attacker can directly modify the 'ladipage_key' which enables them to create new posts on the website and inject malicious web scripts.

PLUGIN LadiApp: Landing Page, PopupX, Marketing Automation, Affiliate Marketing…

CVE-2023-4730

MEDIUM CVSS 5.3 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-08-19

CVE-2023-4507 - Admission Appmanager Plugin

The Admission AppManager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'q' parameter in versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Admission Appmanager

CVE-2023-4507

MEDIUM CVSS 6.1 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-09-12

CVE-2023-4027 - Radio Player Plugin

The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_settings function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update plugin settings.

PLUGIN Radio Player

CVE-2023-4027

MEDIUM CVSS 5.3 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-08-28

CVE-2023-4025 - Radio Player Plugin

The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to update player instances.

PLUGIN Radio Player

CVE-2023-4025

MEDIUM CVSS 5.3 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-08-28

CVE-2023-4024 - Radio Player Plugin

The Radio Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_player function in versions up to, and including, 2.0.73. This makes it possible for unauthenticated attackers to delete player instances.

PLUGIN Radio Player

CVE-2023-4024

MEDIUM CVSS 5.3 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-08-19

CVE-2023-1604 - Short Url Plugin

The Short URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.8. This is due to missing or incorrect nonce validation on the configuration_page function. This makes it possible for unauthenticated attackers to add and import redirects, including comments containing cross-site scripting as detailed in CVE-2023-1602, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Short Url

CVE-2023-1604

MEDIUM CVSS 4.7 2024-08-17
Open Full Technical Breakdown
Threat Entry Updated 2024-09-13

CVE-2024-7144 - Jetelements Plugin

The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'slide_id' parameters in all versions up to, and including, 2.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jetelements

CVE-2024-7144

MEDIUM CVSS 6.4 2024-08-16
Open Full Technical Breakdown
Threat Entry Updated 2024-08-19

CVE-2024-7147 - Jetblocks For Elementor Plugin

The JetBlocks for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple placeholder parameters in all versions up to, and including, 1.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jetblocks For Elementor

CVE-2024-7147

MEDIUM CVSS 6.4 2024-08-16
Open Full Technical Breakdown
Threat Entry Updated 2024-08-19

CVE-2024-7136 - Jetsearch Plugin

The JetSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jetsearch

CVE-2024-7136

MEDIUM CVSS 6.4 2024-08-16
Open Full Technical Breakdown
Threat Entry Updated 2024-08-19

CVE-2024-7501 - Download Plugins And Themes In Zip From Dashboard

The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.7. This is due to missing or incorrect nonce validation on the download_theme() function. This makes it possible for unauthenticated attackers to download arbitrary themes from the website via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. In versions prior to 1.8.6 it was possible to download the entire sites files.

PLUGIN Download Plugins And Themes In Zip From Dashboard

CVE-2024-7501

MEDIUM CVSS 4.2 2024-08-16
Open Full Technical Breakdown
Scroll to top