
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866 (Critical: 0, High: 0, Medium: 10,866)
Showing 6481-6500 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2024-5674 - Newsletter Plugin

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscriber management due to a PHP type juggling issue in the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running a PHP version below 8.0.

PLUGIN Newsletter

CVE-2024-5674

MEDIUM CVSS 6.5 2024-06-12
Threat Entry Updated 2025-01-15

CVE-2024-3492 - Events Manager Plugin

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'event', 'location', and 'event_category' shortcodes in all versions up to, and including, 6.4.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Events Manager

CVE-2024-3492

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-03-21

CVE-2024-1766 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with…

PLUGIN Download Manager

CVE-2024-1766

MEDIUM CVSS 4.4 2024-06-12
Threat Entry Updated 2025-08-20

CVE-2024-2092 - Elementor Addon Elements Plugin

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Addon Elements

CVE-2024-2092

MEDIUM CVSS 5.4 2024-06-12
Threat Entry Updated 2024-11-21

CVE-2024-5468 - Pearl Header Builder Plugin

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to a missing validation and capability checks on the stm_hb_delete() function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to delete arbitrary options that can be used to perform a denial of service attack on a site.

PLUGIN Pearl Header Builder

CVE-2024-5468

MEDIUM CVSS 6.5 2024-06-12
Threat Entry Updated 2025-03-21

CVE-2024-5266 - Download Manager Plugin

The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via wpdm_user_dashboard, wpdm_package, wpdm_packages, wpdm_search_result, and wpdm_tag shortcodes in all versions up to, and including, 3.2.92 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Download Manager

CVE-2024-5266

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-01-29

CVE-2024-3925 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Creative Button widget in all versions up to, and including, 5.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-3925

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2024-11-21

CVE-2024-5892 - Addons For Divi Plugin

The Divi Torque Lite – Divi Theme and Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘support_unfiltered_files_upload’ function in all versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Addons For Divi

CVE-2024-5892

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-05-30

CVE-2024-4924 - Social Sharing Plugin

The Social Sharing Plugin WordPress plugin before 3.3.63 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

PLUGIN Social Sharing

CVE-2024-4924

MEDIUM CVSS 6.1 2024-06-12
Threat Entry Updated 2025-02-05

CVE-2024-3559 - Custom Field Suite Plugin

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cfs[post_content]' parameter in versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Custom Field Suite

CVE-2024-3559

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-01-15

CVE-2024-5553 - Premium Addons For Elementor Plugin

The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via several parameters in all versions up to, and including, 4.10.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses and edits an injected element, and subsequently clicks the element with the mouse scroll wheel.

PLUGIN Premium Addons For Elementor

CVE-2024-5553

MEDIUM CVSS 4.4 2024-06-12
Threat Entry Updated 2024-11-21

CVE-2024-4564 - More Plugin

The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN More

CVE-2024-4564

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-06-05

CVE-2024-4892 - Buddypress Plugin

The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘display_name’ parameter in versions up to, and including, 12.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Buddypress

CVE-2024-4892

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-02-05

CVE-2024-5646 - Futurio Extra Plugin

The Futurio Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘header_size’ attribute within the Advanced Text Block widget in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Futurio Extra

CVE-2024-5646

MEDIUM CVSS 6.4 2024-06-11
Threat Entry Updated 2025-05-28

CVE-2024-4669 - Events Addon For Elementor Plugin

The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Basic Slider, Upcoming Events, and Schedule widgets in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Events Addon For Elementor

CVE-2024-4669

MEDIUM CVSS 6.4 2024-06-11
Threat Entry Updated 2024-11-21

CVE-2024-34826 - Contact Form 7 Plugin

Missing Authorization vulnerability in Tobias Conrad Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler. This issue affects Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler: from n/a through 1.6.4.

PLUGIN Contact Form 7

CVE-2024-34826

MEDIUM CVSS 6.3 2024-06-11
Threat Entry Updated 2025-01-15

CVE-2024-5189 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_js’ parameter in all versions up to, and including, 5.9.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor

CVE-2024-5189

MEDIUM CVSS 6.4 2024-06-11
Threat Entry Updated 2024-11-21

CVE-2024-5584 - Bookly Responsive Appointment Booking Tool Plugin

The WordPress Online Booking and Scheduling Plugin – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Color Profile parameter in all versions up to, and including, 23.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with the staff member role and Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bookly Responsive Appointment Booking Tool

CVE-2024-5584

MEDIUM CVSS 6.4 2024-06-11