Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

CVE-2023-4252 - Eventprime Plugin

The EventPrime WordPress plugin through 3.2.9 specifies the price of a booking in the client request, allowing an attacker to purchase bookings without payment.

Plugin: Eventprime | CVE-2023-4252 | Medium (CVSS 5.3) | 2023-11-27 | Entry updated 2024-11-21

CVE-2023-5209 - Wordpress Online Booking And Scheduling Plugin

The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Wordpress Online Booking And Scheduling | CVE-2023-5209 | Medium (CVSS 4.8) | 2023-11-27 | Entry updated 2024-11-21

CVE-2023-5525 - Limit Login Attempts Reloaded Plugin

The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is missing authorization on the `toggle_auto_update` AJAX action, allowing any user with a valid nonce to toggle the auto-update status of the plugin.

Plugin: Limit Login Attempts Reloaded | CVE-2023-5525 | Medium (CVSS 4.3) | 2023-11-27 | Entry updated 2024-11-21

CVE-2023-4297 - Mmm Simple File List Plugin

The Mmm Simple File List WordPress plugin through 2.3 does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories.

Plugin: Mmm Simple File List | CVE-2023-4297 | Medium (CVSS 4.3) | 2023-11-27 | Entry updated 2024-11-21

CVE-2023-2707 - Gappointments Plugin

The gAppointments WordPress plugin through 1.9.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Gappointments | CVE-2023-2707 | Medium (CVSS 4.8) | 2023-11-27 | Entry updated 2024-11-21

CVE-2023-47835 - Ari Stream Quiz Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the ARI Soft ARI Stream Quiz – WordPress Quizzes Builder plugin.

Plugin: Ari Stream Quiz | CVE-2023-47835 | Medium (CVSS 6.5) | 2023-11-23 | Entry updated 2024-11-21

CVE-2023-6008 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.

Plugin: Userpro | CVE-2023-6008 | Medium (CVSS 6.3) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5742 - Easyrotator For Wordpress Plugin

The EasyRotator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'easyrotator' shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Easyrotator For Wordpress | CVE-2023-5742 | Medium (CVSS 6.4) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5708 - Wp Post Columns Plugin

The WP Post Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'column' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Post Columns | CVE-2023-5708 | Medium (CVSS 6.4) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5706 - Vk Blocks Plugin

The VK Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vk-blocks/ancestor-page-list' block in all versions up to, and including, 1.63.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Vk Blocks | CVE-2023-5706 | Medium (CVSS 6.4) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5704 - Cpo Shortcodes Plugin

The CPO Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Cpo Shortcodes | CVE-2023-5704 | Medium (CVSS 6.4) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5715 - Heatmap Plugin

The Website Optimization – Plerdy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tracking code settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Heatmap | CVE-2023-5715 | Medium (CVSS 4.4) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5667 - Tab Ultimate Plugin

The Tab Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Tab Ultimate | CVE-2023-5667 | Medium (CVSS 6.4) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5664 - Garden Gnome Package Plugin

The Garden Gnome Package plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ggpkg' shortcode in all versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was partially patched in version 2.2.7 and fully patched in version 2.2.9.

Plugin: Garden Gnome Package | CVE-2023-5664 | Medium (CVSS 6.4) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5662 - Sponsors Plugin

The Sponsors plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sponsors' shortcode in all versions up to, and including, 3.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Sponsors | CVE-2023-5662 | Medium (CVSS 6.4) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5469 - Drop Shadow Boxes Plugin

The Drop Shadow Boxes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dropshadowbox' shortcode in versions up to, and including, 1.7.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Drop Shadow Boxes | CVE-2023-5469 | Medium (CVSS 6.4) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5537 - Delete Usermeta Plugin

The Delete Usermeta plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing nonce validation on the delumet_options_page() function. This makes it possible for unauthenticated attackers to remove user meta for arbitrary users via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Delete Usermeta | CVE-2023-5537 | Medium (CVSS 4.3) | 2023-11-22 | Entry updated 2024-11-21

CVE-2023-5419 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_test_mail function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to send test emails to an arbitrary email address.

Plugin: Funnelforms | CVE-2023-5419 | Medium (CVSS 4.3) | 2023-11-22 | Entry updated 2024-11-21