Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 6921-6940 of 10866 records
Threat Entry Updated 2025-05-08

CVE-2024-0904 - Fancy Product Designer Plugin

The Fancy Product Designer WordPress plugin before 6.1.81 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Fancy Product Designer

CVE-2024-0904

MEDIUM CVSS 5.9 2024-05-06
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-7065 - Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms Plugin

The Stop Spammers Security | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin's allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

CVE-2023-7065

MEDIUM CVSS 5.4 2024-05-04
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-1050 - Import Users From Csv With Meta Plugin

The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_force_reset_password_delete_metas() function in all versions up to, and including, 1.26.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete all forced password resets.

PLUGIN Import Users From Csv With Meta

CVE-2024-1050

MEDIUM CVSS 4.3 2024-05-04
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-3237 - Convertplug Plugin

The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice() function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to true.

PLUGIN Convertplug

CVE-2024-3237

MEDIUM CVSS 5.4 2024-05-04
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-3868 - Folders Pro Plugin

The Folders Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's First Name and Last Name in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Folders Pro

CVE-2024-3868

MEDIUM CVSS 5.4 2024-05-04
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-33931 - WordPress Core

Missing Authorization vulnerability in ilGhera JW Player for WordPress.This issue affects JW Player for WordPress: from n/a through 2.3.3.

CORE WordPress Core

CVE-2024-33931

MEDIUM CVSS 6.5 2024-05-03
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-33937 - WordPress Core

Missing Authorization vulnerability in Nico Martin Progressive WordPress (PWA).This issue affects Progressive WordPress (PWA): from n/a through 2.1.13.

CORE WordPress Core

CVE-2024-33937

MEDIUM CVSS 4.3 2024-05-03
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-33941 - WordPress Core

Missing Authorization vulnerability in Avirtum iPanorama 360 WordPress Virtual Tour Builder.This issue affects iPanorama 360 WordPress Virtual Tour Builder: from n/a through 1.8.1.

CORE WordPress Core

CVE-2024-33941

MEDIUM CVSS 5.3 2024-05-03
Open Full Technical Breakdown
Threat Entry Updated 2025-05-08

CVE-2024-3692 - Before 1 Plugin

The Gutenverse WordPress plugin before 1.9.1 does not validate the htmlTag option in various of its block before outputting it back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Before 1

CVE-2024-3692

MEDIUM CVSS 6.1 2024-05-03
Open Full Technical Breakdown
Threat Entry Updated 2025-05-08

CVE-2024-3637 - Contact Form Lead Form Elementor Builder Plugin

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Contact Form Lead Form Elementor Builder

CVE-2024-3637

MEDIUM CVSS 6.1 2024-05-03
Open Full Technical Breakdown
Threat Entry Updated 2025-04-10

CVE-2024-3703 - Carousel Slider Plugin

The Carousel Slider WordPress plugin before 2.2.10 does not validate and escape some of its Slide options before outputting them back in the page/post where the related Slide shortcode is embed, which could allow users with the Editor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Carousel Slider

CVE-2024-3703

MEDIUM CVSS 4.7 2024-05-03
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4334 - Extra Theme And Divi Builder Plugin

The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the ‘typing_cursor’ parameter in versions up to, and including, 2.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Extra Theme And Divi Builder

CVE-2024-4334

MEDIUM CVSS 6.4 2024-05-02
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4324 - Wp Video Lightbox Plugin

The WP Video Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.9.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Video Lightbox

CVE-2024-4324

MEDIUM CVSS 6.4 2024-05-02
Open Full Technical Breakdown
Threat Entry Updated 2025-02-03

CVE-2024-4265 - Master Addons Plugin

The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 2.0.5.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2024-4265

MEDIUM CVSS 6.4 2024-05-02
Open Full Technical Breakdown
Threat Entry Updated 2025-01-15

CVE-2024-4156 - Essential Addons For Elementor Plugin

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eael_event_text_color’ parameter in versions up to, and including, 5.9.17 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor

CVE-2024-4156

MEDIUM CVSS 6.4 2024-05-02
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4133 - User Signup Plugin

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 4.0.30. This is due to insufficient validation on the redirect url supplied via the redirect_to parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN User Signup

CVE-2024-4133

MEDIUM CVSS 6.1 2024-05-02
Open Full Technical Breakdown
Threat Entry Updated 2025-01-15

CVE-2024-4203 - Premium Addons For Elementor Plugin

The Premium Addons Pro for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the maps widget in all versions up to, and including, 4.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Please note this only affects sites running the premium version of the plugin.

PLUGIN Premium Addons For Elementor

CVE-2024-4203

MEDIUM CVSS 5.4 2024-05-02
Open Full Technical Breakdown
Threat Entry Updated 2025-02-03

CVE-2024-4092 - Slider Revolution Plugin

The Slider Revolution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmltag’ parameter in all versions up to, and including, 6.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure Slider Revolution can be extended to authors.

PLUGIN Slider Revolution

CVE-2024-4092

MEDIUM CVSS 6.4 2024-05-02
Open Full Technical Breakdown
Threat Entry Updated 2025-02-20

CVE-2024-4036 - Sydney Toolbox Plugin

The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the style parameter in all versions up to, and including, 1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sydney Toolbox

CVE-2024-4036

MEDIUM CVSS 6.4 2024-05-02
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4085 - Com Plugin

The Tabellen von faustball.com plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Com

CVE-2024-4085

MEDIUM CVSS 4.4 2024-05-02
Open Full Technical Breakdown
Scroll to top