
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2024-1375 - Event Post Plugin

The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing nonce check on the save_bulkdatas function in all versions up to, and including, 5.9.5. This makes it possible for unauthenticated attackers to update post_meta_data via a forged request, granted they can trick a logged-in user into performing an action such as clicking on a link.

PLUGIN Event Post

CVE-2024-1375

MEDIUM CVSS 4.3 2024-07-12
Threat Entry Updated 2024-11-21

CVE-2024-6392 - Sirv Plugin

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized plugin settings modification due to missing capability checks on the plugin functions in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the connected Sirv account to an attacker-controlled one.

PLUGIN Sirv

CVE-2024-6392

MEDIUM CVSS 5.4 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6256 - Feeds For Youtube Plugin

The Feeds for YouTube (YouTube video, channel, and gallery plugin) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'youtube-feed' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Feeds For Youtube

CVE-2024-6256

MEDIUM CVSS 6.4 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6138 - Secure Copy Content Protection And Content Locking Plugin

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Secure Copy Content Protection And Content Locking

CVE-2024-6138

MEDIUM CVSS 4.8 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6026 - Slider By 10web Plugin

The Slider by 10Web WordPress plugin before 1.2.56 does not sanitise and escape some of its Slide options, which could allow authenticated users with access to the Sliders (by default Administrator, although this can be changed via the plugin's options) and the ability to add images (Editor+) to perform Stored Cross-Site Scripting attacks.

PLUGIN Slider By 10web

CVE-2024-6026

MEDIUM CVSS 5.4 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6025 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.0.5 does not sanitise and escape some of its Quiz settings, which could allow contributors and higher to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 9

CVE-2024-6025

MEDIUM CVSS 5.4 2024-07-11
Threat Entry Updated 2024-12-26

CVE-2024-5444 - Bible Text Plugin

The Bible Text WordPress plugin through 0.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Bible Text

CVE-2024-5444

MEDIUM CVSS 5.4 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-4655 - Ultimate Blocks Plugin

The Ultimate Blocks WordPress plugin before 3.1.9 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Ultimate Blocks

CVE-2024-4655

MEDIUM CVSS 5.4 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6554 - Branda Plugin

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is due to the plugin utilizing composer without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Branda

CVE-2024-6554

MEDIUM CVSS 5.3 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-0619 - Payment Gateway Plugin

The Payflex Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the payment_callback() function in all versions up to, and including, 2.5.0. This makes it possible for unauthenticated attackers to update the status of orders, which can potentially lead to revenue loss.

PLUGIN Payment Gateway

CVE-2024-0619

MEDIUM CVSS 5.3 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6210 - Duplicator Plugin

The Duplicator plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 1.5.9. This makes it possible for unauthenticated attackers to obtain the full path to instances, which they may be able to use in combination with other vulnerabilities or to simplify reconnaissance work. On its own, this information is of very limited use.

PLUGIN Duplicator

CVE-2024-6210

MEDIUM CVSS 5.3 2024-07-11
Threat Entry Updated 2024-11-21

CVE-2024-6556 - Seo Optimizer Plugin

The SmartCrawl WordPress SEO checker, SEO analyzer, SEO optimizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.10.8. This is due to the plugin utilizing mobiledetect without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Seo Optimizer

CVE-2024-6556

MEDIUM CVSS 5.3 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-5664 - Mp3 Audio Player For Music Radio Podcast Plugin

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute within the plugin's sonaar_audioplayer shortcode in all versions up to, and including, 5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mp3 Audio Player For Music Radio Podcast

CVE-2024-5664

MEDIUM CVSS 6.4 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2023-6813 - Login By Auth0 Plugin

The Login by Auth0 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wle' parameter in all versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Login By Auth0

CVE-2023-6813

MEDIUM CVSS 6.1 2024-07-10
Threat Entry Updated 2025-02-10

CVE-2024-6410 - Profilegrid Plugin

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.8.9 via the 'pm_upload_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the profile picture of any user.

PLUGIN Profilegrid

CVE-2024-6410

MEDIUM CVSS 4.3 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-6550 - Gravity Forms Multiple Form Instances Plugin

The Gravity Forms: Multiple Form Instances plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.1.1. This is due to the plugin leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Gravity Forms Multiple Form Instances

CVE-2024-6550

MEDIUM CVSS 5.3 2024-07-10
Threat Entry Updated 2025-02-03

CVE-2024-4866 - Ultraaddons Elementor Lite Plugin

The UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultraaddons Elementor Lite

CVE-2024-4866

MEDIUM CVSS 6.4 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-5677 - Featured Image Generator Plugin

The Featured Image Generator plugin for WordPress is vulnerable to unauthorized image upload due to a missing capability check on the fig_save_after_generate_image function in all versions up to, and including, 1.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary images to a post-related gallery.

PLUGIN Featured Image Generator

CVE-2024-5677

MEDIUM CVSS 4.3 2024-07-10
Threat Entry Updated 2024-11-21

CVE-2024-6391 - Oik Plugin

The oik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bw_button shortcode in all versions up to, and including, 4.10.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Oik

CVE-2024-6391

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2025-06-09

CVE-2024-37499 - Online Booking Scheduling Calendar Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allows Path Traversal. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.2.

PLUGIN Online Booking Scheduling Calendar

CVE-2024-37499

MEDIUM CVSS 6.5 2024-07-09