"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 6101-6120 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2024-6836 - Funnel Builder Plugin

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple functions in all versions up to, and including, 3.4.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to update multiple settings, including templates, designs, checkouts, and other plugin settings.

PLUGIN Funnel Builder

CVE-2024-6836

MEDIUM CVSS 4.3 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6094 - WP ULike Plugin

The WP ULike WordPress plugin before 4.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN WP ULike

CVE-2024-6094

MEDIUM CVSS 4.8 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-3246 - Litespeed Cache Plugin

The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Litespeed Cache

CVE-2024-3246

MEDIUM CVSS 6.1 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-5861 - Wp Easypay Plugin

The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpep_square_disconnect() function in all versions up to, and including, 4.2.3. This makes it possible for unauthenticated attackers to disconnect square.

PLUGIN Wp Easypay

CVE-2024-5861

MEDIUM CVSS 5.3 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6755 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the ‘wpw_auto_poster_quick_delete_multiple’ function in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to delete arbitrary posts.

PLUGIN Social Auto Poster

CVE-2024-6755

MEDIUM CVSS 6.5 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6752 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_name’ parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX function in all versions up to, and including, 5.3.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Auto Poster

CVE-2024-6752

MEDIUM CVSS 6.4 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6754 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wpw_auto_poster_update_tweet_template’ function in all versions up to, and including, 5.3.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary post metadata.

PLUGIN Social Auto Poster

CVE-2024-6754

MEDIUM CVSS 5.4 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6751 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.

PLUGIN Social Auto Poster

CVE-2024-6751

MEDIUM CVSS 6.3 2024-07-24
Threat Entry Updated 2025-05-20

CVE-2024-6231 - Request A Quote Plugin

The Request a Quote WordPress plugin before 2.4.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Request A Quote

CVE-2024-6231

MEDIUM CVSS 5.9 2024-07-23
Threat Entry Updated 2025-05-16

CVE-2024-4260 - Page Builder Gutenberg Blocks Plugin

The Page Builder Gutenberg Blocks WordPress plugin before 3.1.12 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks.

PLUGIN Page Builder Gutenberg Blocks

CVE-2024-4260

MEDIUM CVSS 6.5 2024-07-23
Threat Entry Updated 2024-11-21

CVE-2024-6271 - Community Events Plugin

The Community Events WordPress plugin before 1.5 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete arbitrary events via a CSRF attack.

PLUGIN Community Events

CVE-2024-6271

MEDIUM CVSS 5.4 2024-07-22
Threat Entry Updated 2026-01-30

CVE-2024-6243 - HTML Forms Plugin

The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled.

PLUGIN HTML Forms

CVE-2024-6243

MEDIUM CVSS 4.8 2024-07-22
Threat Entry Updated 2025-03-18

CVE-2024-5529 - Wp Quicklatex Plugin

The WP QuickLaTeX WordPress plugin before 3.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Wp Quicklatex

CVE-2024-5529

MEDIUM CVSS 4.8 2024-07-22
Threat Entry Updated 2024-11-21

CVE-2024-5004 - Cm Popup Plugin For Wordpress

The CM Popup Plugin for WordPress WordPress plugin before 1.6.6 does not sanitise and escape some of the campaign settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.

PLUGIN Cm Popup Plugin For Wordpress

CVE-2024-5004

MEDIUM CVSS 4.8 2024-07-22
Threat Entry Updated 2024-11-21

CVE-2024-37519 - Premium Blocks For Gutenberg Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS. This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.27.

PLUGIN Premium Blocks For Gutenberg

CVE-2024-37519

MEDIUM CVSS 6.5 2024-07-21
Threat Entry Updated 2024-11-21

CVE-2024-37556 - Wordpress Notification Bar Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SeedProd WordPress Notification Bar allows Stored XSS. This issue affects WordPress Notification Bar: from n/a through 1.3.10.

PLUGIN Wordpress Notification Bar

CVE-2024-37556

MEDIUM CVSS 5.9 2024-07-21
Threat Entry Updated 2025-03-20

CVE-2024-6848 - Post And Page Builder Plugin

The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 1.26.6 due to insufficient input sanitization and output escaping affecting the boldgrid_canvas_image AJAX endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Post And Page Builder

CVE-2024-6848

MEDIUM CVSS 6.4 2024-07-20
Threat Entry Updated 2024-11-21

CVE-2024-37959 - Power Bi Embedded Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Atlas Public Policy Power BI Embedded for WordPress allows Stored XSS. This issue affects Power BI Embedded for WordPress: from n/a through 1.1.7.

PLUGIN Power Bi Embedded

CVE-2024-37959

MEDIUM CVSS 6.5 2024-07-20
Threat Entry Updated 2024-11-21

CVE-2024-37946 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in weDevs ReCaptcha Integration for WordPress allows Stored XSS. This issue affects ReCaptcha Integration for WordPress: from n/a through 1.2.5.

CORE WordPress Core

CVE-2024-37946

MEDIUM CVSS 5.9 2024-07-20
Threat Entry Updated 2024-11-21

CVE-2024-37918 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPCone.Com ConeBlog – WordPress Blog Widgets allows Stored XSS. This issue affects ConeBlog – WordPress Blog Widgets: from n/a through 1.4.8.

CORE WordPress Core

CVE-2024-37918

MEDIUM CVSS 6.5 2024-07-20