
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,866 | Critical 0 | High 0 | Medium 10,866

Showing 8501-8520 of 10866 records
Threat Entry Updated 2025-05-12

CVE-2023-4254 - Ai Chatbot Plugin

The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Ai Chatbot

CVE-2023-4254

MEDIUM CVSS 4.8 2023-09-04
Threat Entry Updated 2025-05-12

CVE-2023-4253 - Ai Chatbot Plugin

The AI ChatBot WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Ai Chatbot

CVE-2023-4253

MEDIUM CVSS 4.8 2023-09-04
Threat Entry Updated 2025-04-23

CVE-2023-4269 - User Activity Log Plugin

The User Activity Log WordPress plugin before 1.6.6 lacks proper authorisation when exporting its activity logs, allowing any authenticated user, such as a subscriber, to perform such an action and retrieve PII such as email addresses.

PLUGIN User Activity Log

CVE-2023-4269

MEDIUM CVSS 4.3 2023-09-04
Threat Entry Updated 2025-03-06

CVE-2023-4059 - Profile Builder Plugin

The Profile Builder WordPress plugin before 3.9.8 lacks authorisation and CSRF protection in its page creation function, which allows unauthenticated users to create the register, log-in and edit-profile pages from the plugin on the blog.

PLUGIN Profile Builder

CVE-2023-4059

MEDIUM CVSS 4.3 2023-09-04
Threat Entry Updated 2025-03-06

CVE-2023-3814 - Advanced File Manager Plugin

The Advanced File Manager WordPress plugin before 5.1.1 does not adequately authorize its usage on multisite installations, allowing site admin users to list and read arbitrary files and folders on the server.

PLUGIN Advanced File Manager

CVE-2023-3814

MEDIUM CVSS 4.9 2023-09-04
Threat Entry Updated 2025-04-23

CVE-2023-3499 - Slider In Rbs Image Gallery Plugin

The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Slider In Rbs Image Gallery

CVE-2023-3499

MEDIUM CVSS 4.8 2023-09-04
Threat Entry Updated 2024-11-21

CVE-2023-2813 - All Of The Above Aapna Theme

All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before 1.8.6, Brain Power WordPress theme through 1.2, BunnyPressLite WordPress theme before 2.1, Cafe Bistro WordPress theme before 1.1.4, College WordPress theme before 1.5.1, Connections Reloaded WordPress theme through 3.1, Counterpoint WordPress theme through 1.8.1, Digitally WordPress theme through 1.0.8, Directory WordPress theme before 3.0.2, Drop WordPress theme before 1.22, Everse WordPress theme before 1.2.4, Fashionable…

THEME All Of The Above Aapna

CVE-2023-2813

MEDIUM CVSS 6.1 2023-09-04
Threat Entry Updated 2024-11-21

CVE-2023-4718 - Font Awesome 4 Menus Plugin

The Font Awesome 4 Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fa' and 'fa-stack' shortcodes in versions up to, and including, 4.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Font Awesome 4 Menus

CVE-2023-4718

MEDIUM CVSS 6.4 2023-09-02
Threat Entry Updated 2024-11-21

CVE-2023-4471 - Order Tracking Plugin

The Order Tracking Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the start_date and end_date parameters in versions up to, and including, 3.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Order Tracking

CVE-2023-4471

MEDIUM CVSS 6.1 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-4315 - Woo Custom Emails Plugin

The Woo Custom Emails plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the wcemails_edit parameter in versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woo Custom Emails

CVE-2023-4315

MEDIUM CVSS 6.1 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-4500 - Order Tracking Plugin

The Order Tracking Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the order status parameter in versions up to, and including, 3.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers (admin or higher) to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Order Tracking

CVE-2023-4500

MEDIUM CVSS 4.7 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-4000 - Waiting Plugin

The Waiting: One-click countdowns plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.2. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to create and delete countdowns via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Waiting

CVE-2023-4000

MEDIUM CVSS 6.3 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-3999 - Waiting Plugin

The Waiting: One-click countdowns plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on its AJAX calls in versions up to, and including, 0.6.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to create and delete countdowns as well as manipulate other plugin settings.

PLUGIN Waiting

CVE-2023-3999

MEDIUM CVSS 6.3 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-4160 - Woocommerce Pdf Invoice Builder Plugin

The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 1.2.90 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Woocommerce Pdf Invoice Builder

CVE-2023-4160

MEDIUM CVSS 4.4 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-4245 - Woocommerce Pdf Invoice Builder Plugin

The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the GetInvoiceDetail function in versions up to, and including, 1.2.89. This makes it possible for subscribers to view arbitrary invoices provided they can guess the order id and invoice id.

PLUGIN Woocommerce Pdf Invoice Builder

CVE-2023-4245

MEDIUM CVSS 4.3 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-4161 - Woocommerce Pdf Invoice Builder Plugin

The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the SaveCustomField function in versions up to, and including, 1.2.90. This makes it possible for unauthenticated attackers to create invoice fields provided they can trick an admin into performing an action such as clicking on a link.

PLUGIN Woocommerce Pdf Invoice Builder

CVE-2023-4161

MEDIUM CVSS 4.3 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-3764 - Woocommerce Pdf Invoice Builder Plugin

The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.90. This is due to missing or incorrect nonce validation on the Save function. This makes it possible for unauthenticated attackers to make changes to invoices via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Woocommerce Pdf Invoice Builder

CVE-2023-3764

MEDIUM CVSS 4.3 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-2279 - Wp Directory Kit Plugin

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the 'admin_page_display' function. This makes it possible for unauthenticated attackers to delete or change plugin settings, import demo data, and modify or delete Directory Kit related posts and terms via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Partial patches were made available in versions 1.2.0 and 1.2.1 but…

PLUGIN Wp Directory Kit

CVE-2023-2279

MEDIUM CVSS 5.4 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-3404 - Profilegrid Plugin

The ProfileGrid plugin for WordPress is vulnerable to unauthorized decryption of private information in versions up to, and including, 5.5.0. This is due to the passphrase and IV being hardcoded in the 'pm_encrypt_decrypt_pass' function and used across all sites running the plugin. This makes it possible for authenticated attackers, with administrator-level permissions or above, to decrypt and view users' passwords. If combined with another vulnerability, this can potentially grant lower-privileged users access to users' passwords.

PLUGIN Profilegrid

CVE-2023-3404

MEDIUM CVSS 4.9 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-2354 - Chp Ads Block Detector Plugin

The CHP Ads Block Detector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings reachable through an AJAX action in versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Chp Ads Block Detector

CVE-2023-2354

MEDIUM CVSS 4.9 2023-08-31