"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 8201-8220 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2023-5417 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_update_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify the Funnelforms category for a given post ID.

PLUGIN Funnelforms

CVE-2023-5417

MEDIUM CVSS 4.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5416 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete categories.

PLUGIN Funnelforms

CVE-2023-5416

MEDIUM CVSS 4.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5415 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_add_category function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to add new categories.

PLUGIN Funnelforms

CVE-2023-5415

MEDIUM CVSS 4.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5411 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_save_post function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to modify certain post values. Note that the extent of modification is limited due to fixed values passed to the wp_update_post function.

PLUGIN Funnelforms

CVE-2023-5411

MEDIUM CVSS 4.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5386 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_delete_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts, including administrator posts, and posts not related to the Funnelforms Free plugin.

PLUGIN Funnelforms

CVE-2023-5386

MEDIUM CVSS 6.5 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5382 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_delete_posts function. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Funnelforms

CVE-2023-5382

MEDIUM CVSS 6.5 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5338 - Theme Blvd Shortcodes

The Theme Blvd Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Theme Blvd Shortcodes

CVE-2023-5338

MEDIUM CVSS 6.4 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5387 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_af2_trigger_dark_mode function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to enable or disable the dark mode plugin setting.

PLUGIN Funnelforms

CVE-2023-5387

MEDIUM CVSS 4.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5385 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fnsf_copy_posts function in versions up to, and including, 3.4. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create copies of arbitrary posts.

PLUGIN Funnelforms

CVE-2023-5385

MEDIUM CVSS 4.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5383 - Funnelforms Plugin

The Funnelforms Free plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4. This is due to missing or incorrect nonce validation on the fnsf_copy_posts function. This makes it possible for unauthenticated attackers to create copies of arbitrary posts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Funnelforms

CVE-2023-5383

MEDIUM CVSS 4.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5234 - Related Products For Woocommerce Plugin

The Related Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'woo-related' shortcode in versions up to, and including, 3.3.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Related Products For Woocommerce

CVE-2023-5234

MEDIUM CVSS 6.4 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5163 - Weather Atlas Plugin

The Weather Atlas Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'shortcode-weather-atlas' shortcode in versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Weather Atlas

CVE-2023-5163

MEDIUM CVSS 6.4 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5128 - Tcd Google Maps Plugin

The TCD Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'map' shortcode in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tcd Google Maps

CVE-2023-5128

MEDIUM CVSS 6.4 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5096 - Html Filter And Csv File Search Plugin

The HTML filter and csv-file search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'csvsearch' shortcode in versions up to, and including, 2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Html Filter And Csv File Search

CVE-2023-5096

MEDIUM CVSS 6.4 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5048 - Wp Form Builder Plugin

The WDContactFormBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Contact_Form_Builder' shortcode in versions up to, and including, 1.0.72 due to insufficient input sanitization and output escaping on the user-supplied 'id' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Form Builder

CVE-2023-5048

MEDIUM CVSS 6.4 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5314 - Wp Extra Plugin

The WP EXtra plugin for WordPress is vulnerable to unauthorized access to restricted functionality due to a missing capability check on the 'test-email' section of the register() function in versions up to, and including, 6.2. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to send emails with arbitrary content to arbitrary locations from the affected site's mail server.

PLUGIN Wp Extra

CVE-2023-5314

MEDIUM CVSS 4.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-4726 - Ultimate Dashboard Plugin

The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Ultimate Dashboard

CVE-2023-4726

MEDIUM CVSS 4.4 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-4686 - Wp Customer Reviews Plugin

The WP Customer Reviews plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.6.6 via the ajax_enabled_posts function. This can allow authenticated attackers to extract sensitive data such as post titles and slugs, including those of protected and trashed posts and pages in addition to other post types such as galleries.

PLUGIN Wp Customer Reviews

CVE-2023-4686

MEDIUM CVSS 4.3 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-2448 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'userpro_shortcode_template' function in versions up to, and including, 5.1.4. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. An attacker can leverage CVE-2023-2446 to get sensitive information via shortcode.

PLUGIN Userpro

CVE-2023-2448

MEDIUM CVSS 6.5 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-2438 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.0. This is due to missing or incorrect nonce validation on the 'userpro_save_userdata' function. This makes it possible for unauthenticated attackers to update the user meta and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Userpro

CVE-2023-2438

MEDIUM CVSS 6.1 2023-11-22