Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 7541-7560 of 10866 records
Threat Entry Updated 2025-01-17

CVE-2024-1391 - Elementor Addon Elements Plugin

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eae_custom_overlay_switcher’ attribute of the Thumbnail Slider widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Addon Elements

CVE-2024-1391

MEDIUM CVSS 6.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-28

CVE-2024-1383 - Wpvivid Backup For Mainwp Plugin

The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 0.9.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wpvivid Backup For Mainwp

CVE-2024-1383

MEDIUM CVSS 6.1 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-12

CVE-2024-1363 - Easy Accordion Plugin

The Easy Accordion – Best Accordion FAQ Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'accordion_content_source' attribute in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Accordion

CVE-2024-1363

MEDIUM CVSS 6.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-12

CVE-2024-1365 - Yml For Yandex Market Plugin

The YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the feed_id parameter in all versions up to, and including, 4.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Yml For Yandex Market

CVE-2024-1365

MEDIUM CVSS 6.1 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-31

CVE-2024-1380 - Relevanssi Plugin

The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi_export_log_check() function in all versions up to, and including, 4.22.0. This makes it possible for unauthenticated attackers to export the query log data. The vendor has indicated that they may look into adding a capability check for proper authorization control, however, this vulnerability is theoretically patched as is.

PLUGIN Relevanssi

CVE-2024-1380

MEDIUM CVSS 5.3 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-05

CVE-2024-1370 - Maintenance Page Plugin

The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribe_download function hooked via AJAX action in all versions up to, and including, 1.0.8. This makes it possible for authenticated attackers, with subscriber access or higher, to download a csv containing subscriber emails.

PLUGIN Maintenance Page

CVE-2024-1370

MEDIUM CVSS 5.3 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-16

CVE-2024-1296 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block upload in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Brizy

CVE-2024-1296

MEDIUM CVSS 6.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-16

CVE-2024-1293 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom block in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Brizy

CVE-2024-1293

MEDIUM CVSS 6.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-15

CVE-2024-1321 - Eventprime Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. This is due to the plugin allowing unauthenticated users to update the status of order payments. This makes it possible for unauthenticated attackers to book events for free.

PLUGIN Eventprime

CVE-2024-1321

MEDIUM CVSS 5.3 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-16

CVE-2024-1291 - Brizy Plugin

The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown URL parameter in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Brizy

CVE-2024-1291

MEDIUM CVSS 6.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-05

CVE-2024-1237 - Elementor Header Footer Builder Plugin

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the flyout_layout attribute in all versions up to, and including, 1.6.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Header Footer Builder

CVE-2024-1237

MEDIUM CVSS 6.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-23

CVE-2024-1234 - Exclusive Addons For Elementor Plugin

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Exclusive Addons For Elementor

CVE-2024-1234

MEDIUM CVSS 6.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-12

CVE-2024-1176 - Ht Easy Ga4 Plugin

The HT Easy GA4 – Google Analytics WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the login() function in all versions up to, and including, 1.1.5. This makes it possible for unauthenticated attackers to update the email associated through the plugin with GA4.

PLUGIN Ht Easy Ga4

CVE-2024-1176

MEDIUM CVSS 5.3 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-15

CVE-2024-1126 - Eventprime Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to to retrieve the attendees list for any event.

PLUGIN Eventprime

CVE-2024-1126

MEDIUM CVSS 5.3 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-11

CVE-2024-1158 - Buddyforms Plugin

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyforms_new_page function in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber access or higher, to create pages with arbitrary titles. These pages are published.

PLUGIN Buddyforms

CVE-2024-1158

MEDIUM CVSS 4.3 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-15

CVE-2024-1127 - Eventprime Plugin

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the booking_export_all() function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve all event booking which can contain PII.

PLUGIN Eventprime

CVE-2024-1127

MEDIUM CVSS 4.3 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-02

CVE-2024-1080 - Beaver Builder Plugin

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the via the heading tag in all versions up to, and including, 2.7.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Beaver Builder

CVE-2024-1080

MEDIUM CVSS 6.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-02

CVE-2024-1074 - Beaver Builder Plugin

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the audio widget 'link_url' parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Beaver Builder

CVE-2024-1074

MEDIUM CVSS 6.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-01-02

CVE-2024-1038 - Beaver Builder Plugin

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via a 'playground.wordpress.net' parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Beaver Builder

CVE-2024-1038

MEDIUM CVSS 5.4 2024-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-11

CVE-2024-1083 - Simple Restrict Plugin

The Simple Restrict plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.6 via the REST API. This makes it possible for authenticated attackers to bypass the plugin's restrictions to extract post titles and content

PLUGIN Simple Restrict

CVE-2024-1083

MEDIUM CVSS 5.3 2024-03-13
Open Full Technical Breakdown
Scroll to top