
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 8421-8440 of 10866 records
Threat Entry Updated 2025-04-23

CVE-2023-3707 - ActivityPub Plugin

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the content of arbitrary posts (such as draft and private ones) via an IDOR vector. Password-protected posts are not affected by this issue.

PLUGIN ActivityPub

CVE-2023-3707

MEDIUM CVSS 4.3 2023-10-16
Threat Entry Updated 2025-04-23

CVE-2023-3706 - ActivityPub Plugin

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as a subscriber, to retrieve the title of arbitrary posts (such as draft and private ones) via an IDOR vector.

PLUGIN ActivityPub

CVE-2023-3706

MEDIUM CVSS 4.3 2023-10-16
Threat Entry Updated 2025-05-02

CVE-2023-4620 - Booking Calendar Plugin

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking form data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators.

PLUGIN Booking Calendar

CVE-2023-4620

MEDIUM CVSS 6.1 2023-10-16
Threat Entry Updated 2024-11-21

CVE-2023-1259 - Hotjar Plugin

The Hotjar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the hotjar_site_id in versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Hotjar

CVE-2023-1259

MEDIUM CVSS 4.4 2023-10-14
Threat Entry Updated 2024-11-21

CVE-2023-4995 - Embed Calendly Plugin

The Embed Calendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'calendly' shortcode in versions up to, and including, 3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embed Calendly

CVE-2023-4995

MEDIUM CVSS 6.4 2023-10-13
Threat Entry Updated 2024-11-21

CVE-2023-39999 - WordPress Core

Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from…

CORE WordPress Core

CVE-2023-39999

MEDIUM CVSS 4.3 2023-10-13
Threat Entry Updated 2024-11-21

CVE-2023-38000 - WordPress Core

Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin

CORE WordPress Core

CVE-2023-38000

MEDIUM CVSS 6.5 2023-10-13
Threat Entry Updated 2024-11-21

CVE-2023-5470 - Etsy Shop Plugin

The Etsy Shop plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'etsy-shop' shortcode in versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Etsy Shop

CVE-2023-5470

MEDIUM CVSS 6.4 2023-10-12
Threat Entry Updated 2024-11-21

CVE-2023-5531 - Thumbnail Slider With Lightbox Plugin

The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the delete functionality. This makes it possible for unauthenticated attackers to delete image lightboxes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Thumbnail Slider With Lightbox

CVE-2023-5531

MEDIUM CVSS 4.3 2023-10-12
Threat Entry Updated 2024-11-21

CVE-2023-5468 - Slick Contact Forms Plugin

The Slick Contact Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'dcscf-link' shortcode in versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slick Contact Forms

CVE-2023-5468

MEDIUM CVSS 6.4 2023-10-10
Threat Entry Updated 2024-11-21

CVE-2023-5467 - GEO my WordPress Plugin

The GEO my WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN GEO my WordPress

CVE-2023-5467

MEDIUM CVSS 6.4 2023-10-10
Threat Entry Updated 2024-11-21

CVE-2023-4469 - Profile Extra Fields Plugin

The Profile Extra Fields by BestWebSoft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the prflxtrflds_export_file function in versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to expose potentially sensitive user data, including data entered into custom fields.

PLUGIN Profile Extra Fields

CVE-2023-4469

MEDIUM CVSS 5.3 2023-10-06
Threat Entry Updated 2024-11-21

CVE-2023-5357 - Instagram for WordPress Plugin

The Instagram for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Instagram for WordPress

CVE-2023-5357

MEDIUM CVSS 6.4 2023-10-04
Threat Entry Updated 2024-11-21

CVE-2023-5291 - Blog Filter Plugin

The Blog Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'AWL-BlogFilter' shortcode in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blog Filter

CVE-2023-5291

MEDIUM CVSS 6.4 2023-10-04
Threat Entry Updated 2024-11-21

CVE-2023-3213 - WP Mail SMTP Pro Plugin

The WP Mail SMTP Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the is_print_page function in versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to disclose potentially sensitive email information.

PLUGIN WP Mail SMTP Pro

CVE-2023-3213

MEDIUM CVSS 5.3 2023-10-04