
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 8381-8400 of 10866 records

Threat Entry Updated 2026-04-08

CVE-2021-4353 - Woocommerce Dynamic Pricing And Discounts Plugin

The WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthenticated settings export in versions up to, and including, 2.4.1. This is due to missing authorization on the export() function, which makes it possible for unauthenticated attackers to export the plugin's settings.

PLUGIN Woocommerce Dynamic Pricing And Discounts

CVE-2021-4353

MEDIUM CVSS 5.3 2023-10-20

Threat Entry Updated 2024-11-21

CVE-2023-5668 - Whatsapp Share Button Plugin

The WhatsApp Share Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'whatsapp' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Whatsapp Share Button

CVE-2023-5668

MEDIUM CVSS 6.4 2023-10-20

Threat Entry Updated 2024-11-21

CVE-2023-5614 - Theme Switcha

The Theme Switcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'theme_switcha_list' shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Theme Switcha

CVE-2023-5614

MEDIUM CVSS 6.4 2023-10-20

Threat Entry Updated 2026-01-07

CVE-2023-5613 - Super Testimonials Plugin

The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tpsscode' shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Super Testimonials

CVE-2023-5613

MEDIUM CVSS 6.4 2023-10-20

Threat Entry Updated 2025-05-12

CVE-2023-5254 - Wpbot Plugin

The ChatBot plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.8.9 via the qcld_wb_chatbot_check_user function. This can allow unauthenticated attackers to extract sensitive data including confirmation as to whether a user name exists on the site as well as order information for existing users.

PLUGIN Wpbot

CVE-2023-5254

MEDIUM CVSS 5.3 2023-10-19

Threat Entry Updated 2024-11-21

CVE-2023-5639 - Team Showcase Plugin

The Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tmfshortcode' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Team Showcase

CVE-2023-5639

MEDIUM CVSS 6.4 2023-10-19

Threat Entry Updated 2024-11-21

CVE-2023-5638 - Booster For Woocommerce Plugin

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcj_image' shortcode in versions up to, and including, 7.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Booster For Woocommerce

CVE-2023-5638

MEDIUM CVSS 6.4 2023-10-19

Threat Entry Updated 2024-11-21

CVE-2023-4645 - Ad Inserter Plugin

The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai_ajax function. This can allow unauthenticated attackers to extract sensitive data such as post titles and slugs (including those of protected posts along with their passwords), usernames, available roles, and the plugin license key, provided the remote debugging option is enabled. In the default state it is disabled.

PLUGIN Ad Inserter

CVE-2023-4645

MEDIUM CVSS 5.3 2023-10-19

Threat Entry Updated 2024-11-21

CVE-2023-5621 - Thumbnail Slider With Lightbox Plugin

The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Title field in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Thumbnail Slider With Lightbox

CVE-2023-5621

MEDIUM CVSS 4.4 2023-10-18

Threat Entry Updated 2024-11-21

CVE-2023-4938 - Bear Woocommerce Bulk Editor And Products Manager Professional Plugin

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3. This is due to a missing capability check on the woobe_bulkoperations_apply_default_combination function. This makes it possible for authenticated attackers (subscriber or higher) to manipulate products.

PLUGIN Bear Woocommerce Bulk Editor And Products Manager Professional

CVE-2023-4938

MEDIUM CVSS 4.3 2023-10-18

Threat Entry Updated 2024-11-21

CVE-2023-3254 - Widgets For Google Reviews Plugin

The Widgets for Google Reviews plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 10.9. This is due to missing or incorrect nonce validation within setup_no_reg_header.php. This makes it possible for unauthenticated attackers to reset plugin settings and remove reviews via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Widgets For Google Reviews

CVE-2023-3254

MEDIUM CVSS 4.3 2023-10-18

Threat Entry Updated 2025-04-23

CVE-2023-5561 - WordPress Core

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an oracle-style attack.

CORE WordPress Core

CVE-2023-5561

MEDIUM CVSS 5.3 2023-10-16

Threat Entry Updated 2025-04-23

CVE-2023-5167 - User Activity Log Pro Plugin

The User Activity Log Pro WordPress plugin before 2.3.4 does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks.

PLUGIN User Activity Log Pro

CVE-2023-5167

MEDIUM CVSS 5.4 2023-10-16

Threat Entry Updated 2025-04-23

CVE-2023-5087 - Before 1 Plugin

The Page Builder: Pagelayer WordPress plugin before 1.7.8 doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code.

PLUGIN Before 1

CVE-2023-5087

MEDIUM CVSS 5.4 2023-10-16

Threat Entry Updated 2024-11-21

CVE-2023-5057 - Before 1 Plugin

The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting it in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks.

PLUGIN Before 1

CVE-2023-5057

MEDIUM CVSS 5.4 2023-10-16

Threat Entry Updated 2025-04-23

CVE-2023-5177 - Vrm360 Plugin

The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 exposes the full path of a file when a non-existent file is supplied in a parameter of the shortcode.

PLUGIN Vrm360

CVE-2023-5177

MEDIUM CVSS 5.3 2023-10-16