Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 6421-6440 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2024-3984 - Embedalbum Pro Plugin

The EmbedSocial – Social Media Feeds, Reviews and Galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embedsocial_reviews' shortcode in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embedalbum Pro

CVE-2024-3984

MEDIUM CVSS 6.4 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4450 - Aliexpress Dropshipping With Alinext Plugin

The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products.

PLUGIN Aliexpress Dropshipping With Alinext

CVE-2024-4450

MEDIUM CVSS 6.3 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4541 - Custom Product List Table Plugin

The Custom Product List Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation when modifying products. This makes it possible for unauthenticated attackers to add, delete, bulk edit, approve or cancel products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Custom Product List Table

CVE-2024-4541

MEDIUM CVSS 4.3 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5970 - Maxgalleria Plugin

The MaxGalleria plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's maxgallery_thumb shortcode in all versions up to, and including, 6.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Maxgalleria

CVE-2024-5970

MEDIUM CVSS 6.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5533 - Divi Plugin

The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.25.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Divi

CVE-2024-5533

MEDIUM CVSS 6.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2025-03-18

CVE-2024-4094 - Simple Share Buttons Adder Plugin

The Simple Share Buttons Adder WordPress plugin before 8.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

PLUGIN Simple Share Buttons Adder

CVE-2024-4094

MEDIUM CVSS 5.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5172 - Expert Invoice Plugin

The Expert Invoice WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Expert Invoice

CVE-2024-5172

MEDIUM CVSS 4.8 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-3276 - Foobox Image Lightbox Premium Plugin

The Lightbox & Modal Popup WordPress Plugin WordPress plugin before 2.7.28, foobox-image-lightbox-premium WordPress plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Foobox Image Lightbox Premium

CVE-2024-3276

MEDIUM CVSS 4.8 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5860 - Tickera Plugin

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events.

PLUGIN Tickera

CVE-2024-5860

MEDIUM CVSS 4.3 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5541 - Ibtana Plugin

The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ibtana_visual_editor_register_ajax_json_endpont' function in all versions up to, and including, 1.2.3.3. This makes it possible for unauthenticated attackers to update option values for reCAPTCHA keys on the WordPress site. This can be leveraged to bypass reCAPTCHA on the site.

PLUGIN Ibtana

CVE-2024-5541

MEDIUM CVSS 5.3 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-1634 - Scheduling Plugin Online Booking

The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsb_disconnect_settings' function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated attackers to disconnect the plugin from the startbooking service and remove connection data.

PLUGIN Scheduling Plugin Online Booking

CVE-2024-1634

MEDIUM CVSS 6.5 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4375 - Master Slider Plugin

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ms_layer' shortcode in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on the 'css_id' user supplied attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Slider

CVE-2024-4375

MEDIUM CVSS 6.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-0845 - Pdf Viewer For Elementor Plugin

The PDF Viewer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the render function in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pdf Viewer For Elementor

CVE-2024-0845

MEDIUM CVSS 6.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-4305 - Post Grid Gutenberg Blocks And Wordpress Blog Plugin

The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Post Grid Gutenberg Blocks And Wordpress Blog

CVE-2024-4305

MEDIUM CVSS 6.8 2024-06-17
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-3236 - Popup Builder Plugin

The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Popup Builder

CVE-2024-3236

MEDIUM CVSS 5.4 2024-06-17
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5611 - Elementor Widgets Plugin

The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘label_years’ attribute within the Countdown widget in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Widgets

CVE-2024-5611

MEDIUM CVSS 6.4 2024-06-15
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4551 - Video Gallery Plugin

The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated attackers, with contributor access and higher, to include and execute arbitrary php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded…

PLUGIN Video Gallery

CVE-2024-4551

MEDIUM CVSS 6.4 2024-06-15
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4095 - Jquery Collapse O Matic Plugin

The Collapse-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'expand' and 'expandsub' shortcode in all versions up to, and including, 1.8.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jquery Collapse O Matic

CVE-2024-4095

MEDIUM CVSS 6.4 2024-06-15
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5858 - Ai Infographic Maker Plugin

The AI Infographic Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the qcld_openai_title_generate_desc AJAX action in all versions up to, and including, 4.7.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary post titles.

PLUGIN Ai Infographic Maker

CVE-2024-5858

MEDIUM CVSS 4.3 2024-06-15
Open Full Technical Breakdown
Threat Entry Updated 2025-05-09

CVE-2024-2695 - Shariff Wrapper Plugin

The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.13 due to insufficient input sanitization and output escaping on user supplied attributes such as 'borderradius' and 'timestamp'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shariff Wrapper

CVE-2024-2695

MEDIUM CVSS 6.4 2024-06-15
Open Full Technical Breakdown
Scroll to top