Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 6501-6520 of 10866 records

Threat Entry Updated 2024-11-21

CVE-2024-5531 - Ocean Extra Plugin

The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flickr widget in all versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ocean Extra

CVE-2024-5531

MEDIUM CVSS 6.4 2024-06-11

Threat Entry Updated 2025-02-26

CVE-2024-4266 - Metform Elementor Contact Form Builder Plugin

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.8.8 via the 'handle_file' function. This can allow unauthenticated attackers to extract sensitive data, such as Personally Identifiable Information, from files uploaded by users.

PLUGIN Metform Elementor Contact Form Builder

CVE-2024-4266

MEDIUM CVSS 5.3 2024-06-11

Threat Entry Updated 2024-11-21

CVE-2024-4319 - Advanced Cf7 Db Plugin

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to download the entry data for submitted forms.

PLUGIN Advanced Cf7 Db

CVE-2024-4319

MEDIUM CVSS 5.3 2024-06-11

Threat Entry Updated 2024-11-21

CVE-2024-3723 - Advanced Cf7 Db Plugin

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via this plugin through a form.

PLUGIN Advanced Cf7 Db

CVE-2024-3723

MEDIUM CVSS 5.3 2024-06-11

Threat Entry Updated 2025-11-25

CVE-2024-5530 - Shoplentor Plugin

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WL: Product Horizontal Filter widget in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shoplentor

CVE-2024-5530

MEDIUM CVSS 6.4 2024-06-11

Threat Entry Updated 2025-03-24

CVE-2024-5090 - Siteorigin Widgets Bundle Plugin

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SiteOrigin Blog Widget in all versions up to, and including, 1.61.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Siteorigin Widgets Bundle

CVE-2024-5090

MEDIUM CVSS 6.4 2024-06-11

Threat Entry Updated 2024-11-21

CVE-2024-2473 - Wps Hide Login Plugin

The WPS Hide Login plugin for WordPress is vulnerable to Login Page Disclosure in all versions up to, and including, 1.9.15.2. This is due to a bypass that is created when the 'action=postpass' parameter is supplied. This makes it possible for attackers to easily discover any login page that may have been hidden by the plugin.

PLUGIN Wps Hide Login

CVE-2024-2473

MEDIUM CVSS 5.3 2024-06-11

Threat Entry Updated 2025-01-29

CVE-2024-0627 - Custom Field Template Plugin

The Custom Field Template plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom field name column in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied custom fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Custom Field Template

CVE-2024-0627

MEDIUM CVSS 6.4 2024-06-11

Threat Entry Updated 2025-01-29

CVE-2023-6745 - Custom Field Template Plugin

The Custom Field Template plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cpt' shortcode in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping on user supplied post meta. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Custom Field Template

CVE-2023-6745

MEDIUM CVSS 6.4 2024-06-11

Threat Entry Updated 2025-01-29

CVE-2024-0653 - Custom Field Template Plugin

The Custom Field Template plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Custom Field Template

CVE-2024-0653

MEDIUM CVSS 4.4 2024-06-11

Threat Entry Updated 2025-01-29

CVE-2023-6748 - Custom Field Template Plugin

The Custom Field Template plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.1 via the 'cft' shortcode. This makes it possible for authenticated attackers with contributor access and above, to extract sensitive data including arbitrary post metadata.

PLUGIN Custom Field Template

CVE-2023-6748

MEDIUM CVSS 4.3 2024-06-11

Threat Entry Updated 2024-11-21

CVE-2024-35720 - Album Gallery Plugin

Missing Authorization vulnerability in A WP Life Album Gallery – WordPress Gallery. This issue affects Album Gallery – WordPress Gallery: from n/a through 1.5.7.

PLUGIN Album Gallery

CVE-2024-35720

MEDIUM CVSS 4.3 2024-06-10

Threat Entry Updated 2024-11-21

CVE-2024-35738 - Kognetiks Chatbot Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kognetiks Kognetiks Chatbot for WordPress allows Stored XSS. This issue affects Kognetiks Chatbot for WordPress: from n/a through 1.9.8.

PLUGIN Kognetiks Chatbot

CVE-2024-35738

MEDIUM CVSS 6.5 2024-06-08

Threat Entry Updated 2024-11-21

CVE-2024-5654 - Cf7 Google Sheets Connector Plugin

The CF7 Google Sheets Connector plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'execute_post_data_cg7_free' function in all versions up to, and including, 5.0.9. This makes it possible for unauthenticated attackers to toggle site configuration settings, including WP_DEBUG, WP_DEBUG_LOG, SCRIPT_DEBUG, and SAVEQUERIES.

PLUGIN Cf7 Google Sheets Connector

CVE-2024-5654

MEDIUM CVSS 6.5 2024-06-08

Threat Entry Updated 2024-11-21

CVE-2024-4468 - Salon Booking System Plugin

The Salon booking system plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions hooked into admin_init in all versions up to, and including, 9.9. This makes it possible for authenticated attackers with subscriber access or higher to modify plugin settings and view discount codes intended for other users.

PLUGIN Salon Booking System

CVE-2024-4468

MEDIUM CVSS 4.3 2024-06-08

Threat Entry Updated 2024-11-21

CVE-2024-5638 - Formula Plugin

The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'ti_customizer_notify_dismiss_recommended_plugins' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Formula

CVE-2024-5638

MEDIUM CVSS 6.1 2024-06-08

Threat Entry Updated 2024-11-21

CVE-2024-5613 - Formula Plugin

The Formula theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in the 'quality_customizer_notify_dismiss_action' AJAX action in all versions up to, and including, 0.5.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Formula

CVE-2024-5613

MEDIUM CVSS 6.1 2024-06-08

Threat Entry Updated 2024-11-21

CVE-2024-5087 - Minimal Coming Soon Maintenance Mode Plugin

The Minimal Coming Soon – Coming Soon Page plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the validate_ajax, deactivate_ajax, and save_ajax functions in all versions up to, and including, 2.38. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit the license key, which could disable features of the plugin.

PLUGIN Minimal Coming Soon Maintenance Mode

CVE-2024-5087

MEDIUM CVSS 6.3 2024-06-08

Threat Entry Updated 2024-11-21

CVE-2024-4661 - Wp Reset Plugin

The WP Reset plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_ajax function in all versions up to, and including, 2.02. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the value of the 'License Key' field for the 'Activate Pro License' setting.

PLUGIN Wp Reset

CVE-2024-4661

MEDIUM CVSS 4.3 2024-06-08