Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Filter counts: Total 10,866 (Critical 0, High 0, Medium 10,866)

Showing 7741-7760 of 10866 records
Threat Entry Updated 2025-02-05

CVE-2024-0379 - Custom Twitter Feeds Plugin

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. This is due to missing or incorrect nonce validation on the ctf_auto_save_tokens function. This makes it possible for unauthenticated attackers to update the site's Twitter API token and secret via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Custom Twitter Feeds

CVE-2024-0379

MEDIUM CVSS 4.3 2024-02-29
Threat Entry Updated 2025-04-01

CVE-2023-6923 - Matomo Plugin

The Matomo Analytics – Ethical Stats. Powerful Insights. plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the idsite parameter in all versions up to, and including, 4.15.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Matomo

CVE-2023-6923

MEDIUM CVSS 6.1 2024-02-29
Threat Entry Updated 2025-02-27

CVE-2023-6806 - Starbox Plugin

The Starbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Settings user profile fields in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Starbox

CVE-2023-6806

MEDIUM CVSS 6.4 2024-02-29
Threat Entry Updated 2025-02-25

CVE-2023-6565 - Infinitewp Client Plugin

The InfiniteWP Client plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.12.3 via the multi-call backup option. This makes it possible for unauthenticated attackers to extract sensitive data from a temporary SQL file via repeated GET requests during the limited time window of the backup process.

PLUGIN Infinitewp Client

CVE-2023-6565

MEDIUM CVSS 5.9 2024-02-29
Threat Entry Updated 2025-01-27

CVE-2024-1808 - Shortcodes Ultimate Plugin

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_qrcode' shortcode in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shortcodes Ultimate

CVE-2024-1808

MEDIUM CVSS 6.4 2024-02-28
Threat Entry Updated 2025-02-11

CVE-2024-1860 - Anti Hacker Plugin

The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_add_whitelist() function in all versions up to, and including, 4.51. This makes it possible for unauthenticated attackers to add their IP address to the whitelist, circumventing the protection.

PLUGIN Anti Hacker

CVE-2024-1860

MEDIUM CVSS 6.5 2024-02-28
Threat Entry Updated 2025-01-27

CVE-2024-1861 - Anti Hacker Plugin

The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_truncate_scan_table() function in all versions up to, and including, 4.52. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate the scan table.

PLUGIN Anti Hacker

CVE-2024-1861

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-03-21

CVE-2024-1719 - Paypal Stripe Add On Plugin

The Easy PayPal & Stripe Buy Now Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.3, and in Contact Form 7 – PayPal & Stripe Add-on in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the 'wpecpp_stripe_connect_completion' function. This makes it possible for unauthenticated attackers to modify the plugin's settings and change the Stripe connection via a forged request, granted they can trick a site administrator into performing an action such as clicking…

PLUGIN Paypal Stripe Add On

CVE-2024-1719

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-02-28

CVE-2024-1566 - Redirects Plugin

The Redirects plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save function in all versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to change redirects created with this plugin. This could lead to undesired redirection to phishing sites or malicious web pages.

PLUGIN Redirects

CVE-2024-1566

MEDIUM CVSS 6.5 2024-02-28
Threat Entry Updated 2025-03-04

CVE-2024-1791 - Codemirror Blocks Plugin

The CodeMirror Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Code Mirror block in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Codemirror Blocks

CVE-2024-1791

MEDIUM CVSS 6.4 2024-02-28
Threat Entry Updated 2025-03-04

CVE-2024-1954 - Oliver Pos Plugin

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1.8. This is due to missing or incorrect nonce validation in the includes/class-pos-bridge-install.php file. This makes it possible for unauthenticated attackers to perform several unauthorized actions like deactivating the plugin, disconnecting the subscription, syncing the status and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Oliver Pos

CVE-2024-1954

MEDIUM CVSS 6.3 2024-02-28
Threat Entry Updated 2025-02-11

CVE-2024-1516 - Wp Ecommerce Plugin

The WP eCommerce plugin for WordPress is vulnerable to unauthorized arbitrary post creation due to a missing capability check on the check_for_saas_push() function in all versions up to, and including, 3.15.1. This makes it possible for unauthenticated attackers to create arbitrary posts with arbitrary content.

PLUGIN Wp Ecommerce

CVE-2024-1516

MEDIUM CVSS 5.3 2024-02-28
Threat Entry Updated 2025-03-06

CVE-2024-1476 - under_construction_/_maintenance_mode Plugin

The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6 via the REST API. This makes it possible for unauthenticated attackers to obtain the contents of posts and pages when maintenance mode is active thus bypassing the protection provided by the plugin.

PLUGIN under_construction_/_maintenance_mode

CVE-2024-1476

MEDIUM CVSS 5.3 2024-02-28
Threat Entry Updated 2025-02-11

CVE-2024-1368 - Page Duplicator Plugin

The Page Duplicator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the duplicate_dat_page() function in all versions up to, and including, 0.1.1. This makes it possible for unauthenticated attackers to duplicate arbitrary posts and pages.

PLUGIN Page Duplicator

CVE-2024-1368

MEDIUM CVSS 5.3 2024-02-28
Threat Entry Updated 2025-02-07

CVE-2024-1136 - Coming Soon Page Maintenance Mode Plugin

The Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to an improperly implemented URL check in the wpsm_coming_soon_redirect function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to view the content of a site that has maintenance mode or coming-soon mode enabled.

PLUGIN Coming Soon Page Maintenance Mode

CVE-2024-1136

MEDIUM CVSS 5.3 2024-02-28
Threat Entry Updated 2025-02-07

CVE-2024-0975 - Wordpress Access Control Plugin

The WordPress Access Control plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.13 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's "Make Website Members Only" feature (when unset) and view restricted page and post content.

PLUGIN Wordpress Access Control

CVE-2024-0975

MEDIUM CVSS 5.3 2024-02-28
Threat Entry Updated 2025-01-08

CVE-2024-0768 - Envo S Elementor Templates Widgets For Woocommerce Plugin

The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4.4. This is due to missing or incorrect nonce validation on the ajax_theme_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed themes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Envo S Elementor Templates Widgets For Woocommerce

CVE-2024-0768

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-02-07

CVE-2024-0682 - Pagerestrict Plugin

The Page Restrict plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 2.5.5. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts.

PLUGIN Pagerestrict

CVE-2024-0682

MEDIUM CVSS 5.3 2024-02-28
Threat Entry Updated 2025-02-07

CVE-2024-0680 - Wp Private Content Plus Plugin

The WP Private Content Plus plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 3.6. This is due to the plugin not properly restricting access to posts via the REST API when a page has been made private. This makes it possible for unauthenticated attackers to view protected posts.

PLUGIN Wp Private Content Plus

CVE-2024-0680

MEDIUM CVSS 5.3 2024-02-28