Threat Database
Threat Entry Updated 2024-08-19

CVE-2024-7422 - Theme My Login Plugin

The Theme My Login plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.1.7. This is due to missing or incorrect nonce validation on the tml_admin_save_ms_settings() function. This makes it possible for unauthenticated attackers to update the theme's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. Please note that this only affects multi-site instances.

PLUGIN Theme My Login

CVE-2024-7422

MEDIUM CVSS 4.3 2024-08-16
Threat Entry Updated 2025-01-29

CVE-2024-7630 - Relevanssi Plugin

The Relevanssi – A Better Search plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.22.2 via the relevanssi_do_query() function, due to insufficient limitations on the posts that are returned when searching. This makes it possible for unauthenticated attackers to extract potentially sensitive information from password-protected posts.

PLUGIN Relevanssi

CVE-2024-7630

MEDIUM CVSS 5.3 2024-08-16
Threat Entry Updated 2024-08-19

CVE-2023-7049 - Custom Field For Wp Job Manager Plugin

The Custom Field For WP Job Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2 via the 'cm_fieldshow' shortcode, due to missing validation on the 'job_id' user-controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to expose potentially sensitive post metadata.

PLUGIN Custom Field For Wp Job Manager

CVE-2023-7049

MEDIUM CVSS 4.3 2024-08-16
Threat Entry Updated 2024-08-15

CVE-2024-7411 - Newsletters Lite Plugin

The Newsletters plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 4.9.9. This is due to the plugin not preventing direct access to the /vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php file. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information disclosed is not useful on its own and requires another vulnerability to be present to cause damage to an affected website.

PLUGIN Newsletters Lite

CVE-2024-7411

MEDIUM CVSS 5.3 2024-08-15
Threat Entry Updated 2025-01-08

CVE-2024-7064 - Elementskit Plugin

The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementskit

CVE-2024-7064

MEDIUM CVSS 6.4 2024-08-15
Threat Entry Updated 2025-01-08

CVE-2024-7063 - Elementskit Plugin

The ElementsKit Pro plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.6 via the 'render_raw' function. This can allow authenticated attackers, with Contributor-level permissions and above, to extract sensitive data including private, future, and draft posts.

PLUGIN Elementskit

CVE-2024-7063

MEDIUM CVSS 4.3 2024-08-15
Threat Entry Updated 2024-09-13

CVE-2024-7420 - Insert Php Code Snippet Plugin

The Insert PHP Code Snippet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6. This is due to missing or incorrect nonce validation in the /admin/snippets.php file. This makes it possible for unauthenticated attackers to activate, deactivate and delete code snippets via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Insert Php Code Snippet

CVE-2024-7420

MEDIUM CVSS 5.8 2024-08-15
Threat Entry Updated 2024-08-14

CVE-2024-6532 - Sheet To Table Live Sync For Google Sheet Plugin

The Sheet to Table Live Sync for Google Sheet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's STWT_Sheet_Table shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sheet To Table Live Sync For Google Sheet

CVE-2024-6532

MEDIUM CVSS 6.4 2024-08-14
Threat Entry Updated 2024-08-14

CVE-2024-7588 - Comboblocks Plugin

The Gutenberg Blocks, Page Builder – ComboBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion block in all versions up to, and including, 2.2.87 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Comboblocks

CVE-2024-7588

MEDIUM CVSS 6.4 2024-08-14
Threat Entry Updated 2025-01-29

CVE-2024-7247 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Gallery and Countdown widgets in all versions up to, and including, 5.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-7247

MEDIUM CVSS 6.4 2024-08-13
Threat Entry Updated 2025-05-27

CVE-2024-6724 - Generate Images Plugin

The Generate Images WordPress plugin before 5.2.8 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

PLUGIN Generate Images

CVE-2024-6724

MEDIUM CVSS 4.8 2024-08-13
Threat Entry Updated 2025-01-08

CVE-2024-7092 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'no_more_items_text' parameter in all versions up to, and including, 5.9.27 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor

CVE-2024-7092

MEDIUM CVSS 6.4 2024-08-13
Threat Entry Updated 2024-08-13

CVE-2024-7388 - Wp Bannerize Pro Plugin

The WP Bannerize Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via banner alt data in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Wp Bannerize Pro

CVE-2024-7388

MEDIUM CVSS 4.0 2024-08-13
Threat Entry Updated 2025-06-09

CVE-2024-43125 - Wp Table Builder Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Table Builder WP Table Builder – WordPress Table Plugin allows Stored XSS. This issue affects WP Table Builder – WordPress Table Plugin: from n/a through 1.4.15.

PLUGIN Wp Table Builder

CVE-2024-43125

MEDIUM CVSS 6.5 2024-08-12
Threat Entry Updated 2024-08-13

CVE-2024-43224 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Yuri Baranov YaMaps for WordPress allows Stored XSS. This issue affects YaMaps for WordPress: from n/a through 0.6.27.

CORE WordPress Core

CVE-2024-43224

MEDIUM CVSS 6.5 2024-08-12
Threat Entry Updated 2024-08-12

CVE-2024-6639 - Mdx Theme

The MDx theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's 'mdx_list_item' shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Mdx

CVE-2024-6639

MEDIUM CVSS 6.4 2024-08-12
Threat Entry Updated 2024-08-12

CVE-2024-7649 - Opal Membership Plugin

The Opal Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via checkout form fields in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Opal Membership

CVE-2024-7649

MEDIUM CVSS 6.1 2024-08-12
Threat Entry Updated 2024-08-12

CVE-2024-7648 - Opal Membership Plugin

The Opal Membership plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.4 via the private notes functionality on payments which utilizes WordPress comments. This makes it possible for authenticated attackers, with subscriber-level access and above, to view private notes via recent comments that should be restricted to just administrators.

PLUGIN Opal Membership

CVE-2024-7648

MEDIUM CVSS 4.3 2024-08-12
Threat Entry Updated 2024-08-12

CVE-2024-7621 - Atarim Visual Collaboration Plugin

The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the process_wpfeedback_misc_options() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings, which can also be leveraged to gain access to the plugin's settings.

PLUGIN Atarim Visual Collaboration

CVE-2024-7621

MEDIUM CVSS 5.4 2024-08-12
Threat Entry Updated 2025-04-10

CVE-2024-7574 - Christmasify Plugin

The Christmasify! plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.5. This is due to missing nonce validation on the 'options' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Christmasify

CVE-2024-7574

MEDIUM CVSS 6.1 2024-08-12