Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 7381-7400 of 10866 records
Threat Entry Updated 2025-01-30

CVE-2024-0367 - Unlimited Elements For Elementor Plugin

The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link field of an installed widget (e.g., 'Button Link') in all versions up to, and including, 1.5.96 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Unlimited Elements For Elementor

CVE-2024-0367

MEDIUM CVSS 6.4 2024-03-30
Threat Entry Updated 2024-11-21

CVE-2024-30444 - WordPress Page Builder – Zion Builder Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zionbuilder.Io WordPress Page Builder – Zion Builder allows Stored XSS. This issue affects WordPress Page Builder – Zion Builder: from n/a through 3.6.9.

PLUGIN WordPress Page Builder – Zion Builder

CVE-2024-30444

MEDIUM CVSS 5.9 2024-03-29
Threat Entry Updated 2024-11-21

CVE-2024-30492 - Import Export WordPress Users Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WebToffee Import Export WordPress Users. This issue affects Import Export WordPress Users: from n/a through 2.5.2.

PLUGIN Import Export WordPress Users

CVE-2024-30492

MEDIUM CVSS 4.3 2024-03-29
Threat Entry Updated 2024-11-21

CVE-2024-2250 - 140+ Widgets | Best Addons For Elementor – FREE Plugin

The 130+ Widgets | Best Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN 140+ Widgets | Best Addons For Elementor – FREE

CVE-2024-2250

MEDIUM CVSS 6.4 2024-03-29
Threat Entry Updated 2025-05-19

CVE-2024-2969 - Wp Eggdrop Plugin

The WP-Eggdrop plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the wpegg_updateOptions() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Eggdrop

CVE-2024-2969

MEDIUM CVSS 5.4 2024-03-29
Threat Entry Updated 2025-05-19

CVE-2024-2968 - Wp Eggdrop Plugin

The WP-Eggdrop plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Wp Eggdrop

CVE-2024-2968

MEDIUM CVSS 4.4 2024-03-29
Threat Entry Updated 2024-11-21

CVE-2024-2970 - News Wall Plugin

The News Wall plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the nwap_newslist_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings and modify news lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN News Wall

CVE-2024-2970

MEDIUM CVSS 4.3 2024-03-29
Threat Entry Updated 2025-03-06

CVE-2024-2964 - Pocket News Generator Plugin

The Pocket News Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.0. This is due to missing or incorrect nonce validation on the option_page() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Pocket News Generator

CVE-2024-2964

MEDIUM CVSS 5.4 2024-03-29
Threat Entry Updated 2025-03-06

CVE-2024-2963 - Pocket News Generator Plugin

The Pocket News Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings such as "Consumer Key" and "Access Token" in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Pocket News Generator

CVE-2024-2963

MEDIUM CVSS 4.4 2024-03-29
Threat Entry Updated 2025-03-06

CVE-2024-2280 - Better Elementor Addons Plugin

The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget link URL values in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Better Elementor Addons

CVE-2024-2280

MEDIUM CVSS 6.4 2024-03-29
Threat Entry Updated 2024-11-21

CVE-2024-2116 - Christmas Greetings Plugin

The Christmas Greetings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the code parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Christmas Greetings

CVE-2024-2116

MEDIUM CVSS 6.1 2024-03-29
Threat Entry Updated 2024-11-21

CVE-2024-2476 - OceanWP Plugin

The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose sensitive information such as system/environment data and API keys.

PLUGIN OceanWP

CVE-2024-2476

MEDIUM CVSS 4.3 2024-03-29
Threat Entry Updated 2025-01-23

CVE-2024-2108 - Ninja Forms Plugin

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an image title embedded into a form in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ninja Forms

CVE-2024-2108

MEDIUM CVSS 4.6 2024-03-29
Threat Entry Updated 2025-01-23

CVE-2024-2113 - Ninja Forms Plugin

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.0. This is due to missing or incorrect nonce validation on the nf_download_all_subs AJAX action. This makes it possible for unauthenticated attackers to trigger an export of a form's submission to a publicly accessible location via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Ninja Forms

CVE-2024-2113

MEDIUM CVSS 4.3 2024-03-29
Threat Entry Updated 2024-11-21

CVE-2024-1858 - Lightbox slider – Responsive Lightbox Gallery Plugin

The Lightbox slider – Responsive Lightbox Gallery plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.9 via deserialization of untrusted input through post meta data. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or…

PLUGIN Lightbox slider – Responsive Lightbox Gallery

CVE-2024-1858

MEDIUM CVSS 5.4 2024-03-29
Threat Entry Updated 2025-02-13

CVE-2024-2936 - Sydney Toolbox Plugin

The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute of widgets in all versions up to, and including, 1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sydney Toolbox

CVE-2024-2936

MEDIUM CVSS 6.4 2024-03-29
Threat Entry Updated 2025-02-05

CVE-2024-2844 - Easy Appointments Plugin

The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users' orders.

PLUGIN Easy Appointments

CVE-2024-2844

MEDIUM CVSS 4.3 2024-03-29
Threat Entry Updated 2025-02-05

CVE-2024-2842 - Easy Appointments Plugin

The Easy Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ea_full_calendar' shortcode in all versions up to, and including, 3.11.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Appointments

CVE-2024-2842

MEDIUM CVSS 6.4 2024-03-29
Threat Entry Updated 2025-01-23

CVE-2024-2841 - Otter Blocks Plugin

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping on user supplied attributes such as 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Otter Blocks

CVE-2024-2841

MEDIUM CVSS 6.4 2024-03-29