Live Vulnerability Intelligence

Threat Database
Threat Entry Updated 2025-03-21

CVE-2024-6208 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdm_all_packages' shortcode in all versions up to, and including, 3.2.97 due to insufficient input sanitization and output escaping on the 'cols' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Download Manager

CVE-2024-6208

MEDIUM CVSS 6.4 2024-07-31
Threat Entry Updated 2025-03-07

CVE-2024-7135 - Tainacan Plugin

The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversal. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Tainacan

CVE-2024-7135

MEDIUM CVSS 6.5 2024-07-31
Threat Entry Updated 2025-02-05

CVE-2024-6725 - Formidable Forms Plugin

The Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘html’ parameter in all versions up to, and including, 6.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with form editing permissions and Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Formidable Forms

CVE-2024-6725

MEDIUM CVSS 4.9 2024-07-31
Threat Entry Updated 2024-07-31

CVE-2024-2508 - WP Mobile Menu Plugin

The WP Mobile Menu plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_menu_item_icon function in all versions up to, and including, 2.8.4.4. This makes it possible for unauthenticated attackers to add the '_mobmenu_icon' post meta to arbitrary posts with an arbitrary (but sanitized) value. NOTE: Version 2.8.4.4 contains a partial fix for this vulnerability.

PLUGIN WP Mobile Menu

CVE-2024-2508

MEDIUM CVSS 5.3 2024-07-31
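The Tainacan and WP Mobile Menu entries above describe the same root cause: an AJAX handler that is reachable by low-privilege or unauthenticated users and performs no capability check, in Tainacan's case combined with a user-controlled file path. The following is an added illustration of that class beside a hardened version; it is not code from either plugin, and the action name 'demo_get_file', the 'demo-files' upload sub-directory and the chosen capability are assumptions.

```php
<?php
// Added illustration, not Tainacan's or WP Mobile Menu's code. Hypothetical names:
// action 'demo_get_file', directory <uploads>/demo-files, capability 'edit_posts'.

// Vulnerable form: hooked for logged-in users AND (via wp_ajax_nopriv_) for anonymous
// requests, no capability check, and the 'file' parameter is appended to the base
// path unchanged, so '../../wp-config.php' walks out of the intended directory.
function demo_get_file_vulnerable() {
    $base = wp_upload_dir()['basedir'] . '/demo-files/';
    $file = $base . $_GET['file'];
    header( 'Content-Type: application/octet-stream' );
    readfile( $file );
    wp_die();
}
add_action( 'wp_ajax_demo_get_file_vuln',        'demo_get_file_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_get_file_vuln', 'demo_get_file_vulnerable' );

// Hardened form.
function demo_get_file_fixed() {
    // 1. Authorisation: require a capability the feature actually needs,
    //    not merely "is logged in" (a Subscriber is logged in too).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the nonce (emitted into the page with wp_create_nonce('demo_get_file'))
    //    ties the request to a page this user actually loaded. Dies on mismatch.
    check_ajax_referer( 'demo_get_file', 'nonce' );

    // 3. Path confinement: resolve '..' and symlinks on both sides, then require
    //    the resolved target to sit strictly inside the resolved base directory.
    $base = realpath( wp_upload_dir()['basedir'] . '/demo-files' );
    $name = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $real = ( false !== $base ) ? realpath( $base . '/' . $name ) : false;

    if ( false === $base || false === $real
         || strpos( $real, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $real ) . '"' );
    readfile( $real );
    wp_die();
}
add_action( 'wp_ajax_demo_get_file', 'demo_get_file_fixed' );
// Deliberately no wp_ajax_nopriv_demo_get_file hook: anonymous users have no
// legitimate use for this endpoint, so it is not exposed to them at all.
```

The order matters: the capability check runs before the nonce check, so an unauthorised user gets a clean 403 rather than a nonce error, and the path check uses the resolved path (`realpath`) rather than string-stripping `..`, which is bypassable with encodings and symlinks. The same missing-capability shape, without the traversal, is what lets unauthenticated users write post meta in the WP Mobile Menu entry.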
Threat Entry Updated 2026-01-30

CVE-2024-6412 - HTML Forms Plugin

The HTML Forms WordPress plugin before 1.3.34 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

PLUGIN HTML Forms

CVE-2024-6412

MEDIUM CVSS 6.5 2024-07-31
Threat Entry Updated 2025-06-10

CVE-2024-6272 - SpiderContacts Plugin

The SpiderContacts WordPress plugin through 1.1.7 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as admins.

PLUGIN SpiderContacts

CVE-2024-6272

MEDIUM CVSS 6.1 2024-07-31
Threat Entry Updated 2025-05-06

CVE-2024-6408 - Slider by 10Web Plugin

The Slider by 10Web WordPress plugin before 1.2.57 does not sanitise and escape its Slider Title, which could allow high-privilege users such as editors and above to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Slider by 10Web

CVE-2024-6408

MEDIUM CVSS 5.4 2024-07-31
Threat Entry Updated 2025-07-07

CVE-2024-6165 - WANotifier Plugin

The WANotifier WordPress plugin before 2.6.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN WANotifier

CVE-2024-6165

MEDIUM CVSS 4.8 2024-07-31
Threat Entry Updated 2025-03-13

CVE-2024-5901 - SiteOrigin Widgets Bundle Plugin

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Grid widget in all versions up to, and including, 1.62.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN SiteOrigin Widgets Bundle

CVE-2024-5901

MEDIUM CVSS 6.4 2024-07-30
Threat Entry Updated 2025-02-06

CVE-2024-7100 - Bold Page Builder Plugin

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bt_bb_button shortcode in all versions up to, and including, 5.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bold Page Builder

CVE-2024-7100

MEDIUM CVSS 6.4 2024-07-30
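The Download Manager ('cols' attribute of wpdm_all_packages), SiteOrigin Widgets Bundle and Bold Page Builder (bt_bb_button) entries share one mechanism: a contributor cannot save raw script in post content because KSES filters it on save, but a shortcode is plain text that KSES leaves alone, and the plugin's handler later turns its attributes into markup without escaping. The following added example shows that class and its fix; it is not any of those plugins' code, and the [demo_table] shortcode, its 'cols' attribute and the column names are hypothetical.

```php
<?php
// Added illustration, not Download Manager's, SiteOrigin's or Bold Page Builder's
// code. Hypothetical: shortcode [demo_table], attribute 'cols', column names.

// Vulnerable form: the attribute value is interpolated into an HTML attribute
// unchanged. A value containing a double quote closes the attribute and can
// introduce an event-handler attribute; the script then runs for every visitor
// of the page, including administrators previewing the contributor's draft.
function demo_table_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'cols' => 'title,date' ), $atts, 'demo_table' );
    return '<table class="demo-list" data-cols="' . $atts['cols'] . '"></table>';
}

// Hardened form: reduce the input to a closed list of known column keys, then
// escape for the HTML-attribute context at the point of output.
function demo_table_shortcode_fixed( $atts ) {
    $allowed = array( 'title', 'date', 'size', 'downloads' );
    $atts    = shortcode_atts( array( 'cols' => 'title,date' ), $atts, 'demo_table' );

    $cols = array_map( 'trim', explode( ',', (string) $atts['cols'] ) );
    $cols = array_values( array_intersect( $cols, $allowed ) );
    if ( empty( $cols ) ) {
        $cols = array( 'title', 'date' );   // fall back; never echo the rejected input
    }

    // esc_attr() is applied even though the values are already whitelisted:
    // escaping belongs at the sink and must not depend on validation upstream.
    return '<table class="demo-list" data-cols="' . esc_attr( implode( ',', $cols ) ) . '"></table>';
}

add_shortcode( 'demo_table', 'demo_table_shortcode_fixed' );
```

The whitelist is what makes the fix robust: for free-form attributes that must be echoed, the minimum is `esc_attr()` inside attributes and `esc_html()` in element bodies, chosen by where the value lands rather than by where it came from.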
Threat Entry Updated 2025-06-10

CVE-2024-6536 - Zephyr Project Manager Plugin

The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high-privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Zephyr Project Manager

CVE-2024-6536

MEDIUM CVSS 5.4 2024-07-30
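The Slider by 10Web, WANotifier and Zephyr Project Manager entries all concern the same boundary: on multisite (or when DISALLOW_UNFILTERED_HTML is set) WordPress deliberately denies even site administrators the unfiltered_html capability, so a plugin that stores settings without running them through KSES reintroduces script that the platform intended to block. The following is an added example of a settings field saved and rendered both ways; it is not any of those plugins' code, and the option name 'demo_plugin_options' and its fields are hypothetical.

```php
<?php
// Added illustration, not Slider by 10Web's, WANotifier's or Zephyr's code.
// Hypothetical: option 'demo_plugin_options' with fields slider_title and api_key.

// Vulnerable form: whatever an editor or admin submits is stored verbatim and
// echoed raw, regardless of whether that user holds unfiltered_html.
function demo_save_settings_vulnerable() {
    update_option( 'demo_plugin_options', $_POST['demo_plugin_options'] );
}
function demo_render_title_vulnerable() {
    $opts = get_option( 'demo_plugin_options', array() );
    echo '<h2>' . $opts['slider_title'] . '</h2>';
}

// Hardened form: register the option with a sanitize_callback that applies the
// same rule WordPress applies to post content, and escape again on output.
function demo_sanitize_settings( $input ) {
    $clean = array();
    $title = isset( $input['slider_title'] ) ? (string) $input['slider_title'] : '';

    // Mirror core's own policy: only a user who holds unfiltered_html may store
    // arbitrary markup; everyone else (all admins on multisite) gets KSES-filtered HTML.
    $clean['slider_title'] = current_user_can( 'unfiltered_html' )
        ? $title
        : wp_kses_post( $title );

    // A field that is never meant to carry markup gets plain-text sanitisation.
    $clean['api_key'] = isset( $input['api_key'] )
        ? sanitize_text_field( $input['api_key'] )
        : '';
    return $clean;
}
add_action( 'admin_init', function () {
    register_setting( 'demo_plugin', 'demo_plugin_options', array(
        'type'              => 'array',
        'sanitize_callback' => 'demo_sanitize_settings',   // runs inside update_option()
    ) );
} );

function demo_render_title_fixed() {
    $opts  = get_option( 'demo_plugin_options', array() );
    $title = isset( $opts['slider_title'] ) ? $opts['slider_title'] : '';
    // Escape at the sink as well: stored data may predate the sanitize_callback
    // or have been written by another code path.
    echo '<h2>' . wp_kses_post( $title ) . '</h2>';
}
```

Registering the sanitize_callback through `register_setting()` means every write to the option, including ones made through the Settings API by other code, passes through the filter; relying on a check in one form handler leaves other write paths open.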
Threat Entry Updated 2026-01-02

CVE-2024-6230 - Pardakht Delkhah Plugin

The Pardakht Delkhah (پلاگین پرداخت دلخواه) WordPress plugin through 2.9.8 does not have a CSRF check in place when resetting its form fields, which could allow attackers to make a logged-in admin perform that action via a CSRF attack.

PLUGIN Pardakht Delkhah

CVE-2024-6230

MEDIUM CVSS 6.5 2024-07-30
Threat Entry Updated 2025-08-20

CVE-2024-6226 - WpStickyBar Plugin

The WpStickyBar WordPress plugin through 2.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as admins.

PLUGIN WpStickyBar

CVE-2024-6226

MEDIUM CVSS 6.1 2024-07-30
Threat Entry Updated 2025-05-29

CVE-2024-6223 - Send Email Only On Reply To My Comment Plugin

The Send email only on Reply to My Comment WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as admins.

PLUGIN Send Email Only On Reply To My Comment

CVE-2024-6223

MEDIUM CVSS 6.1 2024-07-30
Threat Entry Updated 2025-05-28

CVE-2024-5809 - Wp Ajax Contact Form Plugin

The WP Ajax Contact Form WordPress plugin through 2.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting, which could be used against admin users.

PLUGIN Wp Ajax Contact Form

CVE-2024-5809

MEDIUM CVSS 6.1 2024-07-30
Threat Entry Updated 2025-05-29

CVE-2024-6224 - Send Email Only On Reply To My Comment Plugin

The Send email only on Reply to My Comment WordPress plugin through 1.0.6 does not have CSRF checks in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin store XSS payloads via a CSRF attack.

PLUGIN Send Email Only On Reply To My Comment

CVE-2024-6224

MEDIUM CVSS 5.9 2024-07-30
Threat Entry Updated 2025-05-28

CVE-2024-5808 - Wp Ajax Contact Form Plugin

The WP Ajax Contact Form WordPress plugin through 2.2.2 does not have a CSRF check in place when deleting emails from the email list, which could allow attackers to make a logged-in admin perform that action via a CSRF attack.

PLUGIN Wp Ajax Contact Form

CVE-2024-5808

MEDIUM CVSS 4.3 2024-07-30
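The HTML Forms, Pardakht Delkhah, Send email only on Reply to My Comment and WP Ajax Contact Form entries are all the same defect: a state-changing admin action that accepts any POST arriving with the admin's session cookie, so a page on another origin can auto-submit the request. Where the stored value is also unsanitised, as in the Send email only on Reply to My Comment entry, the CSRF becomes a vehicle for stored XSS. The following added example shows the unprotected handler and the nonce-protected one; it is not any of those plugins' code, and the action name 'demo_save', the option names, the nonce action and the field names are hypothetical.

```php
<?php
// Added illustration, not HTML Forms', Pardakht Delkhah's, Send email only on
// Reply to My Comment's or WP Ajax Contact Form's code. Hypothetical names:
// admin_post action 'demo_save', options demo_email_list / demo_footer_html.

// Vulnerable form: no proof that the request originated from a page this admin
// loaded, and the footer HTML is stored without sanitisation.
function demo_handle_save_vulnerable() {
    if ( isset( $_POST['demo_delete_email'] ) ) {
        $list = get_option( 'demo_email_list', array() );
        unset( $list[ $_POST['demo_delete_email'] ] );
        update_option( 'demo_email_list', $list );
    }
    if ( isset( $_POST['demo_footer_html'] ) ) {
        update_option( 'demo_footer_html', $_POST['demo_footer_html'] );   // CSRF -> stored XSS
    }
}

// Hardened form, part 1: the form carries a per-user, time-limited nonce.
function demo_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save">';
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );
    echo '<input type="text" name="demo_delete_email">';
    echo '<textarea name="demo_footer_html"></textarea>';
    submit_button( 'Save' );
    echo '</form>';
}

// Hardened form, part 2: authorisation, then nonce verification, then sanitised writes.
function demo_handle_save_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() validates the nonce against the logged-in user and
    // the action string, and dies with a "link expired" page on failure.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    if ( ! empty( $_POST['demo_delete_email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['demo_delete_email'] ) );
        $list  = get_option( 'demo_email_list', array() );
        unset( $list[ $email ] );
        update_option( 'demo_email_list', $list );
    }
    if ( isset( $_POST['demo_footer_html'] ) ) {
        $html = wp_unslash( $_POST['demo_footer_html'] );
        update_option( 'demo_footer_html', wp_kses_post( $html ) );
    }

    wp_safe_redirect( admin_url( 'options-general.php?page=demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_demo_save', 'demo_handle_save_fixed' );
```

A nonce alone is not authorisation, which is why `current_user_can()` precedes it: the nonce proves the request came from a page the current user loaded, the capability check proves that user is allowed to perform the action. Both are needed, and the same pair applies to AJAX handlers via `check_ajax_referer()`.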
Threat Entry Updated 2025-05-28

CVE-2024-3669 - Web Directory Free Plugin

The Web Directory Free WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting, which could be used against high-privilege users such as admins.

PLUGIN Web Directory Free

CVE-2024-3669

MEDIUM CVSS 6.8 2024-07-30
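The SpiderContacts, WpStickyBar, Send email only on Reply to My Comment, WP Ajax Contact Form and Web Directory Free entries are reflected XSS of the same shape: a request parameter echoed back into an admin page, so the attacker needs only to get an admin to open a crafted link. The following added example reflects one parameter into three output contexts and shows the context-specific escaping each needs; it is not any of those plugins' code, and the parameter name 'q' and the admin page slug are hypothetical.

```php
<?php
// Added illustration, not code from any of the plugins listed above.
// Hypothetical: request parameter 'q', admin page slug 'demo'.

// Vulnerable form: the same raw value lands in an element body, an attribute
// and a URL. Each context has a different set of characters that break out.
function demo_render_search_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<p>Results for ' . $q . '</p>';
    echo '<input type="text" name="q" value="' . $q . '">';
    echo '<a href="' . admin_url( 'admin.php?page=demo&q=' . $q ) . '">Refine</a>';
}

// Hardened form: one escaping function per output context. sanitize_text_field()
// on input removes tags and control characters but is not a substitute for
// escaping, because what is dangerous depends on where the value is written.
function demo_render_search_fixed() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // HTML body: esc_html() turns < > & " ' into entities.
    echo '<p>Results for ' . esc_html( $q ) . '</p>';

    // Attribute value: esc_attr() for a value inside double quotes.
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';

    // URL: build the query string with add_query_arg(), which URL-encodes the
    // value, then esc_url() for the attribute, which also rejects disallowed
    // schemes such as javascript:.
    $url = add_query_arg( array( 'page' => 'demo', 'q' => $q ), admin_url( 'admin.php' ) );
    echo '<a href="' . esc_url( $url ) . '">Refine</a>';
}
```

The takeaway that generalises beyond these entries: sanitise on input to a type you understand, then escape at every sink with the function for that sink. Doing only the first leaves attribute and URL contexts exposed; doing only the second stores junk you then have to escape everywhere forever.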
Threat Entry Updated 2025-08-22

CVE-2024-1287 - PMPro Member Directory Plugin

The pmpro-member-directory WordPress plugin before 1.2.6 does not prevent users with at least the contributor role from leaking other users' sensitive information, including password hashes, via an SQL injection vector.

PLUGIN PMPro Member Directory

CVE-2024-1287

MEDIUM CVSS 6.5 2024-07-30
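The pmpro-member-directory entry is notable for what the injection reaches: a directory query that touches wp_users exposes user_pass hashes to anyone who can control a query fragment, and a contributor can do that through a shortcode attribute on a draft they never have to publish. The following added example shows a concatenated directory query beside a parameterised one that also narrows the selected columns; it is not the plugin's code, and the [demo_directory] shortcode and the function names are hypothetical.

```php
<?php
// Added illustration, not pmpro-member-directory's code.
// Hypothetical: shortcode [demo_directory search="..."], helper function names.

// Vulnerable form: the search term is concatenated into SQL, and the query
// selects every column of the users table, so a successful injection can read
// user_pass (the password hash) and user_email alongside the display name.
function demo_directory_query_vulnerable( $search ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->users} WHERE display_name LIKE '%" . $search . "%'";
    return $wpdb->get_results( $sql );
}

// Hardened form: bind the value with $wpdb->prepare(), escape LIKE wildcards
// separately with esc_like(), and select only the columns the directory shows,
// so that this path can never return credential material even if a later bug
// elsewhere widens what the caller controls.
function demo_directory_query_fixed( $search, $limit = 20 ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, display_name, user_nicename
           FROM {$wpdb->users}
          WHERE display_name LIKE %s
          ORDER BY display_name
          LIMIT %d",
        $like,
        (int) $limit
    );
    return $wpdb->get_results( $sql );
}

// Shortcode wrapper: the attribute is the only attacker-controlled input, and a
// contributor can set it on any post they author.
add_shortcode( 'demo_directory', function ( $atts ) {
    $atts = shortcode_atts( array( 'search' => '' ), $atts, 'demo_directory' );
    $rows = demo_directory_query_fixed( sanitize_text_field( $atts['search'] ) );
    $out  = '<ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . esc_html( $row->display_name ) . '</li>';
    }
    return $out . '</ul>';
} );
```

`$wpdb->prepare()` only binds values, not identifiers: if a plugin lets the user pick the sort column or table, that part must be validated against a fixed list rather than passed through prepare. Column minimisation in the SELECT is the second line of defence the entry's impact (leaked password hashes) argues for.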