Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 8001-8020 of 10866 records
Threat Entry Updated 2025-06-03

CVE-2023-6048 - Estatik Real Estate Plugin

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset

PLUGIN Estatik Real Estate

CVE-2023-6048

MEDIUM CVSS 6.5 2024-01-15
Open Full Technical Breakdown
Threat Entry Updated 2025-06-03

CVE-2023-6050 - Estatik Real Estate Plugin

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Estatik Real Estate

CVE-2023-6050

MEDIUM CVSS 6.1 2024-01-15
Open Full Technical Breakdown
Threat Entry Updated 2025-06-20

CVE-2023-6941 - Official Opt In Forms Plugin

The Keap Official Opt-in Forms WordPress plugin through 1.0.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

PLUGIN Official Opt In Forms

CVE-2023-6941

MEDIUM CVSS 4.8 2024-01-15
Open Full Technical Breakdown
Threat Entry Updated 2025-06-09

CVE-2023-6163 - Wp Crowdfunding Plugin

The WP Crowdfunding WordPress plugin before 2.1.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Wp Crowdfunding

CVE-2023-6163

MEDIUM CVSS 4.8 2024-01-15
Open Full Technical Breakdown
Threat Entry Updated 2025-06-03

CVE-2023-6843 - Before 2 Plugin

The easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg WordPress plugin before 2.4.7 does not properly secure some of its AJAX actions, allowing any logged-in users to modify its settings.

PLUGIN Before 2

CVE-2023-6843

MEDIUM CVSS 4.3 2024-01-15
Open Full Technical Breakdown
Threat Entry Updated 2025-05-12

CVE-2023-6066 - Wp Custom Widget Area Plugin

The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site.

PLUGIN Wp Custom Widget Area

CVE-2023-6066

MEDIUM CVSS 4.3 2024-01-15
Open Full Technical Breakdown
Threat Entry Updated 2025-06-11

CVE-2023-4925 - Easy Forms For Mailchimp Plugin

The Easy Forms for Mailchimp WordPress plugin through 6.8.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

PLUGIN Easy Forms For Mailchimp

CVE-2023-4925

MEDIUM CVSS 4.8 2024-01-15
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-0251 - Advanced Woo Search Plugin

The Advanced Woo Search plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the search parameter in all versions up to, and including, 2.96 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This only affects sites when the Dynamic Content for Elementor plugin is also installed.

PLUGIN Advanced Woo Search

CVE-2024-0251

MEDIUM CVSS 6.1 2024-01-13
Open Full Technical Breakdown
Threat Entry Updated 2025-06-05

CVE-2024-22027 - Quiz Maker Plugin

Improper input validation vulnerability in WordPress Quiz Maker Plugin prior to 6.5.0.6 allows a remote authenticated attacker to perform a Denial of Service (DoS) attack against external services.

PLUGIN Quiz Maker

CVE-2024-22027

MEDIUM CVSS 6.5 2024-01-12
Open Full Technical Breakdown
Threat Entry Updated 2025-06-03

CVE-2023-6244 - Eventon Lite Plugin

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (Pro) & 2.2.8 (Free). This is due to missing or incorrect nonce validation on the save_virtual_event_settings function. This makes it possible for unauthenticated attackers to modify virtual event settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Eventon Lite

CVE-2023-6244

MEDIUM CVSS 6.5 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2025-06-03

CVE-2023-6242 - Eventon Lite Plugin

The EventON - WordPress Virtual Event Calendar Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.4 (for Pro) & 2.2.7 (for Free). This is due to missing or incorrect nonce validation on the evo_eventpost_update_meta function. This makes it possible for unauthenticated attackers to update arbitrary post metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Eventon Lite

CVE-2023-6242

MEDIUM CVSS 6.5 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-6938 - Oxygen Plugin

The Oxygen Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a custom field in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Version 4.8.1 of the Oxygen Builder plugin for WordPress addresses this vulnerability by implementing an optional filter to provide output escaping for dynamic data. Please see https://oxygenbuilder.com/documentation/other/security/#filtering-dynamic-data for…

PLUGIN Oxygen

CVE-2023-6938

MEDIUM CVSS 6.4 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2025-06-03

CVE-2023-7071 - Essential Blocks Plugin

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 4.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Blocks

CVE-2023-7071

MEDIUM CVSS 6.4 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-7070 - Email Encoder Plugin

The Email Encoder – Protect Email Addresses and Phone Numbers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's eeb_mailto shortcode in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Email Encoder

CVE-2023-7070

MEDIUM CVSS 6.4 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-6994 - List Category Posts Plugin

The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.89.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN List Category Posts

CVE-2023-6994

MEDIUM CVSS 6.5 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-6990 - Weaver Xtreme Theme Support

The Weaver Xtreme theme for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping on user supplied meta (page-head-code). This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Weaver Xtreme Theme Support

CVE-2023-6990

MEDIUM CVSS 5.4 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2025-06-03

CVE-2023-7019 - Lightstart Plugin

The LightStart – Maintenance Mode, Coming Soon and Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the insert_template function in all versions up to, and including, 2.6.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to change page designs.

PLUGIN Lightstart

CVE-2023-7019

MEDIUM CVSS 4.3 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2025-06-03

CVE-2023-6988 - Colibri Page Builder Plugin

The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's extend_builder_render_js shortcode in all versions up to, and including, 1.0.239 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Colibri Page Builder

CVE-2023-6988

MEDIUM CVSS 6.4 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-6934 - Limit Login Attempts Reloaded Plugin

The Limit Login Attempts Reloaded plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 2.25.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Limit Login Attempts Reloaded

CVE-2023-6934

MEDIUM CVSS 6.4 2024-01-11
Open Full Technical Breakdown
Threat Entry Updated 2025-06-03

CVE-2023-6882 - Simple Membership Plugin

The Simple Membership plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘environment_mode’ parameter in all versions up to, and including, 4.3.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Simple Membership

CVE-2023-6882

MEDIUM CVSS 6.1 2024-01-11
Open Full Technical Breakdown
Scroll to top