"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 7421-7440 of 10866 records
Threat Entry Updated 2025-01-28

CVE-2024-2139 - Master Addons Plugin

The Master Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widget in all versions up to, and including, 2.0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons

CVE-2024-2139

MEDIUM CVSS 6.4 2024-03-27
Threat Entry Updated 2024-11-21

CVE-2024-2303 - Easy Textillate Plugin

The Easy Textillate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'textillate' shortcode in all versions up to, and including, 2.01 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Textillate

CVE-2024-2303

MEDIUM CVSS 6.4 2024-03-26
Threat Entry Updated 2025-04-01

CVE-2024-2170 - Vk All In One Expansion Unit Plugin

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the child page index widget in all versions up to, and including, 9.96.0.1 due to insufficient input sanitization and output escaping on user supplied attributes such as 'className'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Vk All In One Expansion Unit

CVE-2024-2170

MEDIUM CVSS 6.4 2024-03-26
Threat Entry Updated 2025-05-07

CVE-2024-1745 - Testimonial Slider Plugin

The Testimonial Slider WordPress plugin before 2.3.7 does not properly ensure that a user has the necessary capabilities to edit certain sensitive plugin settings, making it possible for users with at least the Author role to edit them.

PLUGIN Testimonial Slider

CVE-2024-1745

MEDIUM CVSS 4.3 2024-03-26
Threat Entry Updated 2025-05-07

CVE-2023-7232 - Backup And Restore Wordpress Plugin

The Backup and Restore WordPress plugin through 1.45 does not protect some log files containing sensitive information, such as site configuration, allowing unauthenticated users to access such data.

PLUGIN Backup And Restore Wordpress

CVE-2023-7232

MEDIUM CVSS 5.3 2024-03-26
Threat Entry Updated 2025-03-06

CVE-2024-2732 - Themify Shortcodes Plugin

The Themify Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'themify_post_slider' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Themify Shortcodes

CVE-2024-2732

MEDIUM CVSS 5.4 2024-03-26
Threat Entry Updated 2025-04-01

CVE-2024-1231 - Cm Download Manager Plugin

The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged-in admins unpublish downloads via a CSRF attack.

PLUGIN Cm Download Manager

CVE-2024-1231

MEDIUM CVSS 6.8 2024-03-25
Threat Entry Updated 2025-04-01

CVE-2024-1232 - Cm Download Manager Plugin

The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged-in admins delete downloads via a CSRF attack.

PLUGIN Cm Download Manager

CVE-2024-1232

MEDIUM CVSS 4.8 2024-03-25
Threat Entry Updated 2025-06-27

CVE-2024-1564 - Wp Schema Pro Plugin

The wp-schema-pro WordPress plugin before 2.7.16 does not validate post access, allowing a contributor user to access custom fields on any post, regardless of post type or status, via a shortcode.

PLUGIN Wp Schema Pro

CVE-2024-1564

MEDIUM CVSS 4.3 2024-03-25
Threat Entry Updated 2025-02-13

CVE-2024-1049 - Coblocks Plugin

The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Icon Widget in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping on the link value. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Coblocks

CVE-2024-1049

MEDIUM CVSS 6.4 2024-03-23
Threat Entry Updated 2025-02-13

CVE-2024-2326 - Prettylinks Plugin

The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.3. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's configuration, including Stripe integration, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Prettylinks

CVE-2024-2326

MEDIUM CVSS 4.3 2024-03-23
Threat Entry Updated 2025-01-07

CVE-2024-2688 - Embedpress Plugin

The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the EmbedPress document widget in all versions up to, and including, 3.9.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embedpress

CVE-2024-2688

MEDIUM CVSS 5.4 2024-03-23
Threat Entry Updated 2025-01-07

CVE-2024-2468 - Embedpress Plugin

The EmbedPress – Embed PDF, Google Docs, Vimeo, Wistia, Embed YouTube Videos, Audios, Maps & Embed Any Documents in Gutenberg & Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the EmbedPress widget 'embedpress_pro_twitch_theme' attribute in all versions up to, and including, 3.9.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embedpress

CVE-2024-2468

MEDIUM CVSS 6.4 2024-03-23
Threat Entry Updated 2025-02-13

CVE-2024-2202 - Page Builder Plugin

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the legacy Image widget in all versions up to, and including, 2.29.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Page Builder

CVE-2024-2202

MEDIUM CVSS 6.4 2024-03-23
Threat Entry Updated 2025-01-27

CVE-2024-2131 - Move Addons For Elementor Plugin

The Move Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's infobox and button widget in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Move Addons For Elementor

CVE-2024-2131

MEDIUM CVSS 6.4 2024-03-23
Threat Entry Updated 2025-02-13

CVE-2024-1697 - Custom Woocommerce Checkout Fields Editor Plugin

The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the save_wcfe_options function in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Custom Woocommerce Checkout Fields Editor

CVE-2024-1697

MEDIUM CVSS 6.4 2024-03-23
Threat Entry Updated 2024-11-21

CVE-2024-2500 - Colormag Theme

The ColorMag theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Colormag

CVE-2024-2500

MEDIUM CVSS 6.4 2024-03-22
Threat Entry Updated 2025-01-28

CVE-2024-2392 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Newsletter widget in all versions up to, and including, 2.0.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blocksy Companion

CVE-2024-2392

MEDIUM CVSS 6.5 2024-03-22
Threat Entry Updated 2024-11-21

CVE-2024-2080 - LiquidPoll – Polls, Surveys, NPS and Feedback Reviews Plugin

The LiquidPoll – Polls, Surveys, NPS and Feedback Reviews plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.76 via the poller_list shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to extract information from polls that may be private.

PLUGIN LiquidPoll – Polls, Surveys, NPS and Feedback Reviews

CVE-2024-2080

MEDIUM CVSS 4.3 2024-03-22
Threat Entry Updated 2025-02-11

CVE-2024-0957 - Woocommerce Pdf Invoices Packing Slips Delivery Notes And Shipping Labels Plugin

The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Customer Notes field in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected invoice for printing.

PLUGIN Woocommerce Pdf Invoices Packing Slips Delivery Notes And Shipping Labels

CVE-2024-0957

MEDIUM CVSS 6.1 2024-03-22