Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-01-08

CVE-2024-0767 - Envo S Elementor Templates Widgets For Woocommerce Plugin

The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.4. This is due to missing or incorrect nonce validation on the ajax_plugin_activation function. This makes it possible for unauthenticated attackers to activate arbitrary installed plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Envo S Elementor Templates Widgets For Woocommerce

CVE-2024-0767

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-01-08

CVE-2024-0766 - Envo S Elementor Templates Widgets For Woocommerce Plugin

The Envo's Elementor Templates & Widgets for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the templates_ajax_request function in all versions up to, and including, 1.4.4. This makes it possible for subscribers and higher to create templates.

PLUGIN Envo S Elementor Templates Widgets For Woocommerce

CVE-2024-0766

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-02-10

CVE-2024-0433 - Gestpay For Woocommerce Plugin

The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_unset_default_card' function. This makes it possible for unauthenticated attackers to remove the default status of a card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Gestpay For Woocommerce

CVE-2024-0433

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-02-10

CVE-2024-0432 - Gestpay For Woocommerce Plugin

The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_delete_card' function. This makes it possible for unauthenticated attackers to delete the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Gestpay For Woocommerce

CVE-2024-0432

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-02-25

CVE-2024-0431 - Gestpay For Woocommerce Plugin

The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_set_default_card' function. This makes it possible for unauthenticated attackers to set the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Gestpay For Woocommerce

CVE-2024-0431

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-02-07

CVE-2023-6922 - Under Construction Maintenance Mode Plugin

The Under Construction / Maintenance Mode from Acurax plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.6 via the 'acx_csma_subscribe_ajax' function. This can allow authenticated attackers to extract sensitive data such as names and email addresses of subscribed visitors.

PLUGIN Under Construction Maintenance Mode

CVE-2023-6922

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-01-08

CVE-2024-1943 - Yuki Plugin

The Yuki theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.14. This is due to missing or incorrect nonce validation on the reset_customizer_options() function. This makes it possible for unauthenticated attackers to reset the theme's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Yuki

CVE-2024-1943

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-01-16

CVE-2024-1568 - Seraphinite Accelerator Plugin

The Seraphinite Accelerator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.20.52 via the OnAdminApi_HtmlCheck function. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Seraphinite Accelerator

CVE-2024-1568

MEDIUM CVSS 6.4 2024-02-28
Threat Entry Updated 2025-01-16

CVE-2024-1388 - Yuki Plugin

The Yuki theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_customizer_options() function in all versions up to, and including, 1.3.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset the theme's settings.

PLUGIN Yuki

CVE-2024-1388

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-01-07

CVE-2024-1912 - Categorify Plugin

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxUpdateFolderPosition function. This makes it possible for unauthenticated attackers to update the folder position of categories as well as update the metadata of other taxonomies via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Categorify

CVE-2024-1912

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-01-07

CVE-2024-1910 - Categorify Plugin

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxClearCategory function. This makes it possible for unauthenticated attackers to clear categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Categorify

CVE-2024-1910

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-01-07

CVE-2024-1909 - Categorify Plugin

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxRenameCategory function. This makes it possible for unauthenticated attackers to rename categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Categorify

CVE-2024-1909

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-01-07

CVE-2024-1907 - Categorify Plugin

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxDeleteCategory function. This makes it possible for unauthenticated attackers to delete categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Categorify

CVE-2024-1907

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-01-07

CVE-2024-1906 - Categorify Plugin

The Categorify plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7.4. This is due to missing or incorrect nonce validation on the categorifyAjaxAddCategory function. This makes it possible for unauthenticated attackers to add categories via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Categorify

CVE-2024-1906

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-01-07

CVE-2024-1653 - Categorify Plugin

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxUpdateFolderPosition function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the folder position of categories as well as update the metadata of other taxonomies.

PLUGIN Categorify

CVE-2024-1653

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-01-07

CVE-2024-1652 - Categorify Plugin

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxClearCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to clear categories.

PLUGIN Categorify

CVE-2024-1652

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-01-07

CVE-2024-1650 - Categorify Plugin

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxRenameCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to rename categories.

PLUGIN Categorify

CVE-2024-1650

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-01-07

CVE-2024-1649 - Categorify Plugin

The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxDeleteCategory function in all versions up to, and including, 1.0.7.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete categories.

PLUGIN Categorify

CVE-2024-1649

MEDIUM CVSS 4.3 2024-02-27
Threat Entry Updated 2025-05-01

CVE-2024-1106 - Shariff Wrapper Plugin

The Shariff Wrapper WordPress plugin before 4.6.10 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Shariff Wrapper

CVE-2024-1106

MEDIUM CVSS 6.1 2024-02-27
Threat Entry Updated 2025-04-08

CVE-2023-7203 - Before 2 Plugin

The Smart Forms WordPress plugin before 2.6.87 does not have authorisation in various AJAX actions, which could allow users with a role as low as subscriber to call them and perform unauthorised actions such as deleting entries. The plugin also lacks CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks such as deleting entries.

PLUGIN Before 2

CVE-2023-7203

MEDIUM CVSS 6.1 2024-02-27