"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 8321-8340 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2023-5744 - Very Simple Google Maps Plugin

The Very Simple Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vsgmap' shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Very Simple Google Maps

CVE-2023-5744

MEDIUM CVSS 6.4 2023-10-25
Threat Entry Updated 2024-11-21

CVE-2023-5740 - Live Chat With Facebook Messenger Plugin

The Live Chat with Facebook Messenger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'messenger' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Live Chat With Facebook Messenger

CVE-2023-5740

MEDIUM CVSS 6.4 2023-10-25
Threat Entry Updated 2024-11-21

CVE-2023-5745 - Reusable Text Blocks Plugin

The Reusable Text Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'text-blocks' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Reusable Text Blocks

CVE-2023-5745

MEDIUM CVSS 5.5 2023-10-25
Threat Entry Updated 2024-11-21

CVE-2023-5127 - Wp Font Awesome Plugin

The WP Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping on 'icon' user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Font Awesome

CVE-2023-5127

MEDIUM CVSS 6.4 2023-10-25
Threat Entry Updated 2024-11-21

CVE-2023-5110 - Bsk Pdf Manager Plugin

The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'bsk-pdfm-category-dropdown' shortcode in versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bsk Pdf Manager

CVE-2023-5110

MEDIUM CVSS 6.4 2023-10-25
Threat Entry Updated 2024-11-21

CVE-2023-5085 - Advanced Menu Widget Plugin

The Advanced Menu Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'advMenu' shortcode in versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Advanced Menu Widget

CVE-2023-5085

MEDIUM CVSS 6.4 2023-10-25
Threat Entry Updated 2024-11-21

CVE-2023-5126 - Delete Me Plugin

The Delete Me plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'plugin_delete_me' shortcode in versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The shortcode is not displayed to administrators, so it cannot be used against administrator users.

PLUGIN Delete Me

CVE-2023-5126

MEDIUM CVSS 4.9 2023-10-25
Threat Entry Updated 2024-11-21

CVE-2023-45640 - Wp Ulike Plugin

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in TechnoWich WP ULike – Most Advanced WordPress Marketing Toolkit plugin

PLUGIN Wp Ulike

CVE-2023-45640

MEDIUM CVSS 6.5 2023-10-25
Threat Entry Updated 2024-11-21

CVE-2023-5205 - Add Custom Body Class Plugin

The Add Custom Body Class plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_custom_body_class' value in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Add Custom Body Class

CVE-2023-5205

MEDIUM CVSS 6.4 2023-10-21
Threat Entry Updated 2024-11-21

CVE-2023-4635 - Eventon Lite Plugin

The EventON plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Eventon Lite

CVE-2023-4635

MEDIUM CVSS 6.1 2023-10-21
Threat Entry Updated 2024-11-21

CVE-2023-4939 - Salesmanago Plugin

The SALESmanago plugin for WordPress is vulnerable to Log Injection in versions up to, and including, 3.2.4. This is due to the use of a weak authentication token for the /wp-json/salesmanago/v1/callbackApiV3 API endpoint which is simply a SHA1 hash of the site URL and client ID found in the page source of the website. This makes it possible for unauthenticated attackers to inject arbitrary content into the log files, and when combined with another vulnerability this could have significant consequences.

PLUGIN Salesmanago

CVE-2023-4939

MEDIUM CVSS 5.3 2023-10-21
Threat Entry Updated 2024-11-21

CVE-2023-3965 - Nsc Plugin

The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Nsc

CVE-2023-3965

MEDIUM CVSS 6.1 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-3962 - Winters Plugin

The Winters theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Winters

CVE-2023-3962

MEDIUM CVSS 6.1 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-3933 - Your Journey Plugin

The Your Journey theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Your Journey

CVE-2023-3933

MEDIUM CVSS 6.1 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5618 - Modern Footnotes Plugin

The Modern Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in versions up to, and including, 1.4.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Modern Footnotes

CVE-2023-5618

MEDIUM CVSS 6.4 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5615 - Skype Legacy Buttons Plugin

The Skype Legacy Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skype-status' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Skype Legacy Buttons

CVE-2023-5615

MEDIUM CVSS 6.4 2023-10-20
Threat Entry Updated 2024-11-21

CVE-2023-5337 - Formforall Plugin

The Contact form Form For All plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formforall' shortcode in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Formforall

CVE-2023-5337

MEDIUM CVSS 6.4 2023-10-20