Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 6361-6380 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2024-5596 - Armember Premium Plugin

The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta and plugin options which can lead to limited privilege escalation.

PLUGIN Armember Premium

CVE-2024-5596

MEDIUM CVSS 6.3 2024-06-22
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4874 - Bricks Plugin

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify posts and pages created by other users including admins. As a requirement for this, an admin would have to enable access to the editor specifically for such a user or enable it for all users with a certain user account type.

PLUGIN Bricks

CVE-2024-4874

MEDIUM CVSS 4.3 2024-06-22
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5966 - Grey Opaque Plugin

The Grey Opaque theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Download-Button shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Grey Opaque

CVE-2024-5966

MEDIUM CVSS 6.4 2024-06-22
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5965 - Mosaic Plugin

The Mosaic theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ parameter within the theme's Button shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mosaic

CVE-2024-5965

MEDIUM CVSS 6.4 2024-06-22
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5346 - Flatsome Plugin

The Flatsome theme for WordPress is vulnerable to Stored Cross-Site Scripting via the UX Countdown, Video Button, UX Video, UX Slider, UX Sidebar, and UX Payment Icons shortcodes in all versions up to, and including, 3.18.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Flatsome

CVE-2024-5346

MEDIUM CVSS 6.4 2024-06-22
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4313 - Table Addons For Elementor Plugin

The Table Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_id’ parameter in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Table Addons For Elementor

CVE-2024-4313

MEDIUM CVSS 6.4 2024-06-22
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-2484 - Orbit Fox Plugin

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Orbit Fox

CVE-2024-2484

MEDIUM CVSS 6.4 2024-06-22
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6120 - Sparkle Demo Importer Plugin

The Sparkle Demo Importer plugin for WordPress is vulnerable to unauthorized database reset and demo data import due to a missing capability check on the multiple functions in all versions up to and including 1.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all posts, pages, and uploaded files, as well as download and install a limited set of demo plugins.

PLUGIN Sparkle Demo Importer

CVE-2024-6120

MEDIUM CVSS 6.5 2024-06-22
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-35770 - Vimeography Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Dave Kiss Vimeography: Vimeo Video Gallery WordPress Plugin.This issue affects Vimeography: Vimeo Video Gallery WordPress Plugin: from n/a through 2.4.1.

PLUGIN Vimeography

CVE-2024-35770

MEDIUM CVSS 4.3 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2026-02-20

CVE-2024-35761 - Online Booking Scheduling Calendar Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allows Stored XSS.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.0.

PLUGIN Online Booking Scheduling Calendar

CVE-2024-35761

MEDIUM CVSS 6.5 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2025-06-10

CVE-2024-5859 - Online Booking Scheduling Calendar Plugin

The Online Booking & Scheduling Calendar for WordPress by vcita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘d’ parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Online Booking Scheduling Calendar

CVE-2024-5859

MEDIUM CVSS 6.1 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6225 - Amelia Plugin

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.5 (and 7.5.1 for the Pro version) due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Amelia

CVE-2024-6225

MEDIUM CVSS 4.4 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5945 - Wp Svg Images Plugin

The WP SVG Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 4.2 due to insufficient input sanitization. This makes it possible for authenticated attackers, with Author-level access and above, who have permissions to upload sanitized files, to bypass SVG sanitization and inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Svg Images

CVE-2024-5945

MEDIUM CVSS 6.4 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5191 - Branda Plugin

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mime_types’ parameter in all versions up to, and including, 3.4.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Branda

CVE-2024-5191

MEDIUM CVSS 6.4 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5639 - User Profile Picture Plugin

The User Profile Picture plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.1 via the 'rest_api_change_profile_image' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to update the profile picture of any user.

PLUGIN User Profile Picture

CVE-2024-5639

MEDIUM CVSS 4.3 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2025-03-26

CVE-2024-4382 - Commonsbooking Plugin

The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF attacks

PLUGIN Commonsbooking

CVE-2024-4382

MEDIUM CVSS 6.5 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4616 - Widget Bundle Plugin

The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users

PLUGIN Widget Bundle

CVE-2024-4616

MEDIUM CVSS 6.1 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5448 - Paypal Pay Now Buy Now Donation And Cart Buttons Shortcode Plugin

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Paypal Pay Now Buy Now Donation And Cart Buttons Shortcode

CVE-2024-5448

MEDIUM CVSS 5.4 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4477 - Wp Logs Book Plugin

The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site Scripting

PLUGIN Wp Logs Book

CVE-2024-4477

MEDIUM CVSS 5.4 2024-06-21
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5447 - Paypal Pay Now Buy Now Donation And Cart Buttons Shortcode Plugin

The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Paypal Pay Now Buy Now Donation And Cart Buttons Shortcode

CVE-2024-5447

MEDIUM CVSS 4.8 2024-06-21
Open Full Technical Breakdown
Scroll to top