
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2023-2446 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to sensitive information disclosure via the 'userpro' shortcode in versions up to, and including, 5.1.1. This is due to insufficient restriction on sensitive user meta values that can be called via that shortcode. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to retrieve sensitive user meta that can be used to gain access to a high privileged user account.

PLUGIN Userpro

CVE-2023-2446

MEDIUM CVSS 6.5 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-2447 - Userpro Plugin

The UserPro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.1.1. This is due to missing or incorrect nonce validation on the 'export_users' function. This makes it possible for unauthenticated attackers to export the users to a csv file, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Userpro

CVE-2023-2447

MEDIUM CVSS 6.1 2023-11-22
Threat Entry Updated 2024-11-21

CVE-2023-5776 - Post Meta Data Manager Plugin

The Post Meta Data Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the pmdm_wp_ajax_delete_meta, pmdm_wp_delete_user_meta, and pmdm_wp_delete_user_meta functions. This makes it possible for unauthenticated attackers to delete arbitrary user, term, and post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Post Meta Data Manager

CVE-2023-5776

MEDIUM CVSS 4.3 2023-11-21
Threat Entry Updated 2024-11-21

CVE-2023-5799 - Wp Hotel Booking Plugin

The WP Hotel Booking WordPress plugin before 2.0.8 does not have proper authorisation when deleting a package, allowing Contributor and above roles to delete posts that do not belong to them.

PLUGIN Wp Hotel Booking

CVE-2023-5799

MEDIUM CVSS 5.4 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-48300 - Embed Privacy Plugin

The `Embed Privacy` plugin for WordPress that prevents the loading of embedded external content is vulnerable to Stored Cross-Site Scripting via `embed_privacy_opt_out` shortcode in versions up to, and including, 1.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 1.8.1 contains a patch for this issue.

PLUGIN Embed Privacy

CVE-2023-48300

MEDIUM CVSS 6.3 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5609 - Seraphinite Accelerator Plugin

The Seraphinite Accelerator WordPress plugin before 2.2.29 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Seraphinite Accelerator

CVE-2023-5609

MEDIUM CVSS 6.1 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5140 - Bonus For Woo Plugin

The Bonus for Woo WordPress plugin before 5.8.3 does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Bonus For Woo

CVE-2023-5140

MEDIUM CVSS 6.1 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5651 - Wp Hotel Booking Plugin

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, and does not ensure that the package to be deleted is a package, allowing any authenticated user, such as a subscriber, to delete arbitrary posts.

PLUGIN Wp Hotel Booking

CVE-2023-5651

MEDIUM CVSS 5.4 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5509 - Before 2 Plugin

The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions.

PLUGIN Before 2

CVE-2023-5509

MEDIUM CVSS 5.4 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-4799 - Magic Embeds Plugin

The Magic Embeds WordPress plugin before 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Magic Embeds

CVE-2023-4799

MEDIUM CVSS 5.4 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5343 - Before 3 Plugin

The Popup box WordPress plugin before 3.7.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Before 3

CVE-2023-5343

MEDIUM CVSS 4.8 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-5119 - Before 1 Plugin

The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Before 1

CVE-2023-5119

MEDIUM CVSS 4.8 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-4970 - Pubydoc Plugin

The PubyDoc WordPress plugin through 2.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Pubydoc

CVE-2023-4970

MEDIUM CVSS 4.8 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-4808 - Wp Post Popup Plugin

The WP Post Popup WordPress plugin through 3.7.3 does not sanitise and escape some of its inputs, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Wp Post Popup

CVE-2023-4808

MEDIUM CVSS 4.8 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-6197 - Audio Merchant Plugin

The Audio Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0.4. This is due to missing or incorrect nonce validation on the audio_merchant_save_settings function. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Audio Merchant

CVE-2023-6197

MEDIUM CVSS 5.4 2023-11-20
Threat Entry Updated 2024-11-21

CVE-2023-25985 - Wordpress Tooltips Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Tomas | Docs | FAQ | Premium Support WordPress Tooltips. This issue affects WordPress Tooltips: from n/a through 8.2.5.

PLUGIN Wordpress Tooltips

CVE-2023-25985

MEDIUM CVSS 4.3 2023-11-18
Threat Entry Updated 2024-11-21

CVE-2023-47552 - Image Hover Effects Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Labib Ahmed Image Hover Effects – WordPress Plugin. This issue affects Image Hover Effects – WordPress Plugin: from n/a through 5.5.

PLUGIN Image Hover Effects

CVE-2023-47552

MEDIUM CVSS 5.4 2023-11-18
Threat Entry Updated 2024-11-21

CVE-2023-4690 - Elementor Addon Elements Plugin

The Elementor Addon Elements plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.12.7. This is due to missing or incorrect nonce validation on the eae_save_config function. This makes it possible for unauthenticated attackers to change configuration settings for the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Elementor Addon Elements

CVE-2023-4690

MEDIUM CVSS 5.4 2023-11-15