Threat Database

Threat Entry Updated 2025-05-13

CVE-2024-3993 - Azan Plugin

The AZAN Plugin WordPress plugin through 0.6 does not have a CSRF check in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add stored XSS payloads via a CSRF attack.

PLUGIN Azan

CVE-2024-3993

MEDIUM CVSS 4.6 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2024-3972 - Similarity Plugin

The Similarity WordPress plugin through 3.0 does not have a CSRF check in some places and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add stored XSS payloads via a CSRF attack.

PLUGIN Similarity

CVE-2024-3972

MEDIUM CVSS 4.3 2024-06-14
Threat Entry Updated 2025-03-13

CVE-2024-3971 - Similarity Plugin

The Similarity WordPress plugin through 3.0 does not have a CSRF check in place when resetting its settings, which could allow attackers to make a logged-in admin reset them via a CSRF attack.

PLUGIN Similarity

CVE-2024-3971

MEDIUM CVSS 4.3 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2024-2122 - Foogallery Plugin

The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via album gallery custom URLs in all versions up to, and including, 2.4.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Foogallery

CVE-2024-2122

MEDIUM CVSS 6.4 2024-06-14
Threat Entry Updated 2025-07-03

CVE-2024-3754 - Alemha Watermark Plugin

The Alemha watermarker WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Alemha Watermark

CVE-2024-3754

MEDIUM CVSS 4.7 2024-06-14
Threat Entry Updated 2025-05-13

CVE-2024-2218 - Luckywp Table Of Contents Plugin

The LuckyWP Table of Contents WordPress plugin through 2.1.4 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Luckywp Table Of Contents

CVE-2024-2218

MEDIUM CVSS 4.6 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2024-1295 - Events Calendar Plugin

The Events Calendar Pro (events-calendar-pro) and The Events Calendar WordPress plugins before 6.4.0.1 do not prevent users with at least the contributor role from reading details of events they should not have access to (for example password-protected events and drafts).

PLUGIN Events Calendar

CVE-2024-1295

MEDIUM CVSS 6.5 2024-06-14
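
The class of bug in this entry, as an added PHP example that is not The Events Calendar's own code: a hypothetical plugin registers a `myplugin_event` post type and exposes a logged-in AJAX endpoint that lists events. The first handler returns every event regardless of status or password, which is exactly what lets a Contributor read other authors' drafts and the body of password-protected events. The second queries only published and private posts, re-checks the `read_post` meta capability per post (which WordPress maps to `read_private_posts` for private posts and to edit rights for anyone who is not the author of an unpublished post), and withholds the body of a password-protected event until the viewer has entered the password. All `myplugin_` names are assumptions.

```php
<?php
/**
 * Plugin Name: MyPlugin Event Listing (added example, hypothetical)
 * Two versions of one AJAX handler: the first leaks drafts and
 * password-protected events to any logged-in user, the second does not.
 */

// Hypothetical event post type; not the post type any real plugin uses.
add_action( 'init', function () {
	register_post_type( 'myplugin_event', array(
		'label'    => 'Events',
		'public'   => true,
		'supports' => array( 'title', 'editor', 'author' ),
	) );
} );

/**
 * VULNERABLE: every logged-in user (Contributor and above) receives every
 * event, including other authors' drafts and the full body of
 * password-protected events. Status and password are never consulted.
 */
function myplugin_events_vulnerable() {
	$events = get_posts( array(
		'post_type'   => 'myplugin_event',
		'post_status' => 'any',   // drafts, pending, private, future ...
		'numberposts' => 50,
	) );
	$out = array();
	foreach ( $events as $event ) {
		$out[] = array(
			'id'      => $event->ID,
			'title'   => $event->post_title,
			'content' => $event->post_content, // password ignored
		);
	}
	wp_send_json_success( $out );
}

/**
 * HARDENED: drafts never enter the query; private posts are filtered by the
 * read_post meta capability per post; password-protected bodies are withheld
 * until post_password_required() says the viewer has supplied the password.
 */
function myplugin_events_hardened() {
	$events = get_posts( array(
		'post_type'   => 'myplugin_event',
		'post_status' => array( 'publish', 'private' ),
		'numberposts' => 50,
	) );
	$out = array();
	foreach ( $events as $event ) {
		if ( ! current_user_can( 'read_post', $event->ID ) ) {
			continue; // not readable by this user: do not return even the title
		}
		$entry = array(
			'id'    => $event->ID,
			'title' => get_the_title( $event ),
		);
		if ( post_password_required( $event ) ) {
			$entry['protected'] = true; // body withheld until the password cookie is set
		} else {
			$entry['content'] = apply_filters( 'the_content', $event->post_content );
		}
		$out[] = $entry;
	}
	wp_send_json_success( $out );
}

// The wp_ajax_ prefix already requires a login; the difference between the two
// handlers is what they return, not who can call them. Swap the callback for
// myplugin_events_vulnerable to reproduce the leak.
add_action( 'wp_ajax_myplugin_events', 'myplugin_events_hardened' );
```

The per-post `current_user_can( 'read_post', ... )` is the check that matters: a query-level status filter is easy to get wrong (or to widen later), whereas the meta capability encodes WordPress's own rules for who may see a given post.
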
Threat Entry Updated 2024-11-21

CVE-2024-0892 - Schema App Structured Data For Schemaorg Plugin

The Schema App Structured Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the MarkUpdate function. This makes it possible for unauthenticated attackers to update and delete post metadata via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Schema App Structured Data For Schemaorg

CVE-2024-0892

MEDIUM CVSS 4.3 2024-06-14
Threat Entry Updated 2024-11-21

CVE-2023-6492 - Create A Responsive Html Sitemap Plugin

The Simple Sitemap – Create a Responsive HTML Sitemap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.13. This is due to missing or incorrect nonce validation in the 'admin_notices' hook found in class-settings.php. This makes it possible for unauthenticated attackers to reset the plugin options to a default state via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Create A Responsive Html Sitemap

CVE-2023-6492

MEDIUM CVSS 4.3 2024-06-14
Threat Entry Updated 2025-02-11

CVE-2024-37308 - Cooked Plugin

The Cooked Pro recipe plugin for WordPress is vulnerable to Persistent Cross-Site Scripting (XSS) via the `_recipe_settings[post_title]` parameter in versions up to, and including, 1.7.15.4 due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a compromised page. A patch is available at commit 8cf88f334ccbf11134080bbb655c66f1cfe77026 and will be part of version 1.8.0.

PLUGIN Cooked

CVE-2024-37308

MEDIUM CVSS 5.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-1565 - Embedpress Plugin

The EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the PDF Widget URL in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embedpress

CVE-2024-1565

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-0979 - Dashboard Widgets Suite Plugin

The Dashboard Widgets Suite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Dashboard Widgets Suite

CVE-2024-0979

MEDIUM CVSS 6.1 2024-06-13
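
The missing-nonce pattern from the CSRF entries above (Azan, Similarity, Schema App, Simple Sitemap) and the reflected-parameter pattern from this Dashboard Widgets Suite entry, as one added PHP example that is none of those plugins' code: a hypothetical settings page whose `tab` query parameter is allow-listed and escaped, and whose "reset settings" action is shown first the way the advisories describe it (no nonce, no capability check, reachable by GET from any admin request) and then bound to a POST request, a nonce and a capability test. All `myplugin_` names and the three tab names are assumptions.

```php
<?php
/**
 * Plugin Name: MyPlugin Settings Page (added example, hypothetical)
 * A settings page with a 'tab' query parameter and a "reset settings" action,
 * in the vulnerable form the advisories describe and in a hardened form.
 */

define( 'MYPLUGIN_OPTION', 'myplugin_settings' ); // assumed option name

add_action( 'admin_menu', function () {
	add_options_page( 'MyPlugin', 'MyPlugin', 'manage_options',
		'myplugin', 'myplugin_render_settings_page' );
} );

/**
 * VULNERABLE: runs on every admin request (admin_init). An <img> or a form on
 * an attacker's page pointing at /wp-admin/?myplugin_reset=1 wipes the options
 * as soon as a logged-in admin loads it, because nothing proves the request
 * came from this plugin's own page or from a user allowed to do this.
 */
function myplugin_handle_reset_vulnerable() {
	if ( isset( $_REQUEST['myplugin_reset'] ) ) {
		delete_option( MYPLUGIN_OPTION );
	}
}

/**
 * HARDENED: the reset must be a POST, the caller must hold the capability the
 * page itself requires, and the request must carry a nonce tied to this one
 * action. check_admin_referer() calls wp_die() on a missing or stale nonce.
 * The capability test is not optional: a nonce proves the form was rendered
 * for this user, not that the user is allowed to perform the action.
 */
function myplugin_handle_reset_hardened() {
	if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? 'GET' ) || ! isset( $_POST['myplugin_reset'] ) ) {
		return;
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_reset_settings', 'myplugin_nonce' );
	delete_option( MYPLUGIN_OPTION );
	wp_safe_redirect( add_query_arg(
		array( 'page' => 'myplugin', 'reset' => '1' ),
		admin_url( 'options-general.php' )
	) );
	exit;
}
add_action( 'admin_init', 'myplugin_handle_reset_hardened' );

/** Allow-listed tab names; anything else falls back to the first tab. */
function myplugin_tabs() {
	return array( 'general', 'display', 'advanced' ); // assumed tab names
}
function myplugin_current_tab() {
	$tab = isset( $_GET['tab'] ) ? sanitize_key( $_GET['tab'] ) : 'general';
	return in_array( $tab, myplugin_tabs(), true ) ? $tab : 'general';
}

function myplugin_render_settings_page() {
	// VULNERABLE pattern, shown only as a comment:
	//   echo '<a class="nav-tab ' . $_GET['tab'] . '">...';
	// turns ?tab="><script>...</script> into script in the admin page of
	// whoever clicks the link. Allow-list first, then escape per context.
	$tab = myplugin_current_tab();
	echo '<h2 class="nav-tab-wrapper">';
	foreach ( myplugin_tabs() as $name ) {
		$url   = add_query_arg( array( 'page' => 'myplugin', 'tab' => $name ),
			admin_url( 'options-general.php' ) );
		$class = 'nav-tab' . ( $name === $tab ? ' nav-tab-active' : '' );
		printf( '<a class="%s" href="%s">%s</a>',
			esc_attr( $class ), esc_url( $url ), esc_html( ucfirst( $name ) ) );
	}
	echo '</h2>';
	?>
	<form method="post">
		<?php wp_nonce_field( 'myplugin_reset_settings', 'myplugin_nonce' ); ?>
		<input type="hidden" name="myplugin_reset" value="1">
		<?php submit_button( 'Reset settings', 'delete' ); ?>
	</form>
	<?php
}
```

Hooking `myplugin_handle_reset_vulnerable` to `admin_init` instead of the hardened handler reproduces the Similarity and Simple Sitemap bugs; the same rule applies to code that runs from `admin_notices` or any other hook that fires on every admin page load and reads request parameters.
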
Threat Entry Updated 2024-11-21

CVE-2024-4615 - Elespare Plugin

The Elespare – Blog, Magazine and Newspaper Addons for Elementor with Templates, Widgets, Kits, and Header/Footer Builder. One Click Import: No Coding Required! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Horizontal Nav Menu' widget in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elespare

CVE-2024-4615

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-5265 - Wpbakery Page Builder Clipboard Plugin

The WPBakery Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link attribute within the vc_single_image shortcode in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpbakery Page Builder Clipboard

CVE-2024-5265

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-5787 - Powerpack Addons For Elementor Plugin

The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Link Effects widget in all versions up to, and including, 2.7.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Powerpack Addons For Elementor

CVE-2024-5787

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-5757 - Elementor Header Footer Blocks Template Plugin

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url attribute within the plugin's Site Title widget in all versions up to, and including, 1.6.35 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Header Footer Blocks Template

CVE-2024-5757

MEDIUM CVSS 6.4 2024-06-13
Threat Entry Updated 2025-03-26

CVE-2024-4149 - Floating Chat Widget Plugin

The Floating Chat Widget: Contact Chat Icons, WhatsApp, Telegram Chat, Line Messenger, WeChat, Email, SMS, Call Button WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform stored cross-site scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Floating Chat Widget

CVE-2024-4149

MEDIUM CVSS 4.8 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-2762 - Foogallery Premium Plugin

The FooGallery and foogallery-premium WordPress plugins before 2.4.15 do not validate and escape some of their gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform stored cross-site scripting attacks against high-privilege users such as admins.

PLUGIN Foogallery Premium

CVE-2024-2762

MEDIUM CVSS 5.4 2024-06-13
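
The two stored XSS variants that dominate this list, as one added PHP example that is not the code of any plugin named above: an admin-only setting (the Alemha, LuckyWP and Floating Chat Widget entries) and a shortcode attribute reachable by a Contributor (the FooGallery, Cooked, EmbedPress, Elespare, WPBakery, PowerPack and Header & Footer Builder entries). Each is shown as the advisories describe it and then hardened by sanitising on save and escaping for the exact output context. The setting must be filtered even though only admins can edit it: multisite withholds `unfiltered_html` from site admins, and a CSRF'd admin is also a possible author of the value. A Contributor cannot store `<script>` in post content because kses strips it on save, but a shortcode attribute is plain text to kses, so `[myplugin_link url="javascript:alert(1)"]` survives and runs for whoever previews or views the post unless the plugin escapes it. All `myplugin_` names are assumptions; the same two rules apply to post meta such as a recipe title and to page-builder widget attributes.

```php
<?php
/**
 * Plugin Name: MyPlugin Banner (added example, hypothetical)
 * One admin-only setting and one Contributor-reachable shortcode, each in the
 * form the advisories describe and then hardened: sanitise on the way in,
 * escape for the exact context on the way out, never rely on unfiltered_html.
 */

// ---- Admin setting --------------------------------------------------------

// VULNERABLE: stored raw, echoed raw. Whatever reaches the option (an admin,
// a CSRF'd admin, a multisite admin who lacks unfiltered_html) runs on every
// page that prints the banner.
add_action( 'admin_init', function () {
	register_setting( 'myplugin', 'myplugin_banner_vuln' ); // no sanitize_callback
} );
function myplugin_banner_vulnerable() {
	echo '<div class="banner">' . get_option( 'myplugin_banner_vuln', '' ) . '</div>';
}

// HARDENED: sanitize_callback runs when options.php saves the group (options.php
// already enforces the nonce and manage_options), and the output is escaped
// for HTML text. If limited markup is a feature, use wp_kses_post on both
// sides instead of sanitize_text_field; that is still not unfiltered_html.
add_action( 'admin_init', function () {
	register_setting( 'myplugin', 'myplugin_banner', array(
		'type'              => 'string',
		'sanitize_callback' => 'sanitize_text_field',
		'default'           => '',
	) );
} );
function myplugin_banner_hardened() {
	echo '<div class="banner">' . esc_html( get_option( 'myplugin_banner', '' ) ) . '</div>';
}

// Settings form: settings_fields() emits the nonce for the 'myplugin' group;
// the current value is echoed in attribute context, hence esc_attr.
add_action( 'admin_menu', function () {
	add_options_page( 'MyPlugin', 'MyPlugin', 'manage_options', 'myplugin', function () {
		?>
		<form method="post" action="options.php">
			<?php settings_fields( 'myplugin' ); ?>
			<input type="text" name="myplugin_banner"
			       value="<?php echo esc_attr( get_option( 'myplugin_banner', '' ) ); ?>">
			<?php submit_button(); ?>
		</form>
		<?php
	} );
} );

// ---- Shortcode -------------------------------------------------------------

// VULNERABLE: attribute values go straight into href, title and text.
// [myplugin_link url="javascript:alert(1)"] or label='"><script>...' both work
// for a Contributor, since kses never looks inside shortcode attributes.
function myplugin_link_vulnerable( $atts ) {
	$a = shortcode_atts( array( 'url' => '', 'label' => 'Read more' ), $atts, 'myplugin_link' );
	return '<a href="' . $a['url'] . '" title="' . $a['label'] . '">' . $a['label'] . '</a>';
}

// HARDENED: one escaping function per context. esc_url() returns '' for any
// scheme outside wp_allowed_protocols() (javascript:, data:, vbscript: ...),
// so an unsafe URL yields no link at all rather than a neutered one.
function myplugin_link_hardened( $atts ) {
	$a   = shortcode_atts( array( 'url' => '', 'label' => 'Read more' ), $atts, 'myplugin_link' );
	$url = esc_url( $a['url'] );
	if ( '' === $url ) {
		return '';
	}
	return sprintf( '<a href="%s" title="%s">%s</a>',
		$url,                     // URL context
		esc_attr( $a['label'] ),  // attribute context: quotes become entities
		esc_html( $a['label'] )   // text context: angle brackets become entities
	);
}
add_shortcode( 'myplugin_link', 'myplugin_link_hardened' );
```

The escaping choice follows the sink, not the source: `esc_url` for `href`/`src`, `esc_attr` inside any other attribute, `esc_html` for text between tags. Sanitising on save is defence in depth and keeps the database clean, but it is the output escaping that closes the XSS, because a setting or attribute stored before the fix is still rendered afterwards.
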
Threat Entry Updated 2024-11-21

CVE-2024-37297 - Woocommerce Plugin

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML and JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content and data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization into the classic checkout and registration forms. Versions…

PLUGIN Woocommerce

CVE-2024-37297

MEDIUM CVSS 5.4 2024-06-12