
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,866 records (Critical 0, High 0, Medium 10,866). Showing 6241-6260 of 10,866 records.
Threat Entry Updated 2024-11-21

CVE-2024-5946 - Squelch Tabs And Accordions Shortcodes Plugin

The Squelch Tabs and Accordions Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tab’ shortcode in all versions up to, and including, 0.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Squelch Tabs And Accordions Shortcodes

CVE-2024-5946

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2025-03-06

CVE-2024-4862 - Wpbits Addons For Elementor Page Builder Plugin

The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpbits Addons For Elementor Page Builder

CVE-2024-4862

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-37430 - WordPress Core

Authentication Bypass by Spoofing vulnerability in Patreon Patreon WordPress allows Functionality Misuse. This issue affects Patreon WordPress: from n/a through 1.9.0.

CORE WordPress Core

CVE-2024-37430

MEDIUM CVSS 5.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-6168 - Just Custom Fields Plugin

The Just Custom Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.2. This is due to missing or incorrect nonce validation on several AJAX functions. This makes it possible for unauthenticated attackers to invoke this functionality intended for admin users via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This enables subscribers to manage field groups and change the visibility of items, among other things.

PLUGIN Just Custom Fields

CVE-2024-6168

MEDIUM CVSS 4.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-6167 - Just Custom Fields Plugin

The Just Custom Fields plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several AJAX functions in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke this functionality intended for admin users. This enables subscribers to manage field groups and change the visibility of items, among other things.

PLUGIN Just Custom Fields

CVE-2024-6167

MEDIUM CVSS 4.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5992 - Cliengo Plugin

The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_chatbot_token' and 'update_chatbot_position' functions in all versions up to, and including, 3.0.1. This makes it possible for unauthenticated attackers to change chatbot settings, which can lead to unavailability or other changes to the chatbot.

PLUGIN Cliengo

CVE-2024-5992

MEDIUM CVSS 6.5 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5937 - Simple Alert Boxes Plugin

The Simple Alert Boxes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Alert shortcode in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Alert Boxes

CVE-2024-5937

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5993 - Cliengo Plugin

The Cliengo – Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_session' function in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the session token of the chatbot.

PLUGIN Cliengo

CVE-2024-5993

MEDIUM CVSS 5.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5856 - Comment Images Reloaded Plugin

The Comment Images Reloaded plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the cir_delete_image AJAX action in all versions up to, and including, 2.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary media attachments.

PLUGIN Comment Images Reloaded

CVE-2024-5856

MEDIUM CVSS 4.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5669 - Faq For Woocommerce Plugin

The XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ffw_activate_template' function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to store cross-site scripting that will trigger when viewing the dashboard templates or accessing FAQs.

PLUGIN Faq For Woocommerce

CVE-2024-5669

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5648 - Wisdm Reports For Learndash Plugin

The LearnDash LMS – Reports plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update various plugin settings.

PLUGIN Wisdm Reports For Learndash

CVE-2024-5648

MEDIUM CVSS 5.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5810 - Optimize Pagespeed Insights Score 90 100 Plugin

The WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.1. This is due to the use of hardcoded credentials to authenticate all the incoming API requests. This makes it possible for unauthenticated attackers to overwrite CSS, update the trial settings, purge the cache, and find attachments.

PLUGIN Optimize Pagespeed Insights Score 90 100

CVE-2024-5810

MEDIUM CVSS 5.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5704 - Faq For Woocommerce Plugin

The XPlainer – WooCommerce Product FAQ [WooCommerce Accordion FAQ Plugin] plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add new and update existing FAQs and FAQ lists, and to modify FAQ associations with products.

PLUGIN Faq For Woocommerce

CVE-2024-5704

MEDIUM CVSS 4.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5457 - Panda Video Plugin

The Panda Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Panda Video

CVE-2024-5457

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2025-02-05

CVE-2024-4868 - Extensions For Elementor Plugin

The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's EE Events and EE Flipbox widgets in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Extensions For Elementor

CVE-2024-4868

MEDIUM CVSS 6.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-5600 - Happy Scss Compiler Plugin

The SCSS Happy Compiler – Compile SCSS to CSS & Automatic Enqueue plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check and insufficient sanitization on the import_settings() function in all versions up to, and including, 1.3.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject malicious web scripts.

PLUGIN Happy Scss Compiler

CVE-2024-5600

MEDIUM CVSS 5.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-4102 - Elfsight Pricing Table Plugin

The Pricing Table plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 2.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform unauthorized actions like editing pricing tables.

PLUGIN Elfsight Pricing Table

CVE-2024-4102

MEDIUM CVSS 5.4 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-4100 - Elfsight Pricing Table Plugin

The Pricing Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the ajax() function. This makes it possible for unauthenticated attackers to perform a variety of actions related to managing pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Elfsight Pricing Table

CVE-2024-4100

MEDIUM CVSS 5.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-3608 - Product Designer Plugin

The Product Designer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the product_designer_ajax_delete_attach_id() function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to delete arbitrary attachments.

PLUGIN Product Designer

CVE-2024-3608

MEDIUM CVSS 5.3 2024-07-09
Threat Entry Updated 2024-11-21

CVE-2024-3603 - Openstreetmap Plugin

The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'osm_map' shortcode in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping on user supplied attributes such as 'theme'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Openstreetmap

CVE-2024-3603

MEDIUM CVSS 6.4 2024-07-09