
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2023-2353 - Chp Ads Block Detector Plugin

The CHP Ads Block Detector plugin for WordPress is vulnerable to unauthorized plugin settings update and reset due to a missing capability check on the chp_abd_action function in versions up to, and including, 3.9.4. This makes it possible for subscriber-level attackers to change or reset plugin settings. CVE-2023-36509 appears to be a duplicate of this issue.

Plugin: Chp Ads Block Detector | CVE-2023-2353 | Severity: Medium (CVSS 4.3) | 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-2352 - Chp Ads Block Detector Plugin

The CHP Ads Block Detector plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.9.4. This is due to missing or incorrect nonce validation on the chp_abd_action function. This makes it possible for unauthenticated attackers to update or reset plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Chp Ads Block Detector | CVE-2023-2352 | Severity: Medium (CVSS 4.3) | 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-2173 - Badgeos Plugin

The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_delete_step_ajax_handler, badgeos_delete_award_step_ajax_handler, badgeos_delete_deduct_step_ajax_handler, and badgeos_delete_rank_req_step_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete arbitrary posts.

Plugin: Badgeos | CVE-2023-2173 | Severity: Medium (CVSS 6.5) | 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-2171 - Badgeos Plugin

The BadgeOS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.7.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Badgeos | CVE-2023-2171 | Severity: Medium (CVSS 5.4) | 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-2174 - Badgeos Plugin

The BadgeOS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_badgeos_log_entries function in versions up to, and including, 3.7.1.6. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to delete the plugin's log entries.

Plugin: Badgeos | CVE-2023-2174 | Severity: Medium (CVSS 4.3) | 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-2172 - Badgeos Plugin

The BadgeOS plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.7.1.6. This is due to improper validation and authorization checks within the badgeos_update_steps_ajax_handler, badgeos_update_award_steps_ajax_handler, badgeos_update_deduct_steps_ajax_handler, and badgeos_update_ranks_req_steps_ajax_handler functions. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to overwrite arbitrary post titles.

Plugin: Badgeos | CVE-2023-2172 | Severity: Medium (CVSS 4.3) | 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-0689 - Metform Elementor Contact Form Builder Plugin

The Metform Elementor Contact Form Builder for WordPress is vulnerable to Information Disclosure via the 'mf_first_name' shortcode in versions up to, and including, 3.3.1. This allows authenticated attackers, with subscriber-level capabilities or above, to obtain sensitive information about arbitrary form submissions, including the submitter's first name.

Plugin: Metform Elementor Contact Form Builder | CVE-2023-0689 | Severity: Medium (CVSS 4.3) | 2023-08-31
Threat Entry Updated 2025-04-23

CVE-2023-4209 - POEditor Plugin

The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged-in admins perform unwanted actions, such as resetting the plugin's settings and updating its API key, via CSRF attacks.

Plugin: POEditor | CVE-2023-4209 | Severity: Medium (CVSS 4.3) | 2023-08-30
Threat Entry Updated 2025-04-23

CVE-2023-4013 - GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) Plugin

The GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) WordPress plugin before 4.12.5 does not have proper CSRF checks when managing its license, which could allow attackers to make logged-in admins update and deactivate the plugin's license via CSRF attacks.

Plugin: GDPR Cookie Compliance (CCPA, DSGVO, Cookie Consent) | CVE-2023-4013 | Severity: Medium (CVSS 6.5) | 2023-08-30
Threat Entry Updated 2025-05-05

CVE-2023-3720 - Upload Media By Url Plugin

The Upload Media By URL WordPress plugin before 1.0.8 does not have a CSRF check when uploading files, which could allow attackers to make logged-in admins upload files (including HTML containing JS code, for users with the unfiltered_html capability) on their behalf.

Plugin: Upload Media By Url | CVE-2023-3720 | Severity: Medium (CVSS 6.5) | 2023-08-30
Threat Entry Updated 2025-04-23

CVE-2023-3992 - PostX Plugin

The PostX WordPress plugin before 3.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

Plugin: PostX | CVE-2023-3992 | Severity: Medium (CVSS 6.1) | 2023-08-30
Threat Entry Updated 2025-04-23

CVE-2023-4035 - Simple Blog Card Plugin

The Simple Blog Card WordPress plugin before 1.31 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Plugin: Simple Blog Card | CVE-2023-4035 | Severity: Medium (CVSS 5.4) | 2023-08-30
Threat Entry Updated 2025-04-23

CVE-2023-3501 - FormCraft Plugin

The FormCraft WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: FormCraft | CVE-2023-3501 | Severity: Medium (CVSS 4.8) | 2023-08-30
Threat Entry Updated 2025-04-23

CVE-2023-4150 - User Activity Tracking And Log Plugin

The User Activity Tracking and Log WordPress plugin before 4.0.9 does not have proper CSRF checks when managing its license, which could allow attackers to make logged-in admins update and deactivate the plugin's license via CSRF attacks.

Plugin: User Activity Tracking And Log | CVE-2023-4150 | Severity: Medium (CVSS 4.3) | 2023-08-30
Threat Entry Updated 2025-05-02

CVE-2023-4036 - Simple Blog Card Plugin

The Simple Blog Card WordPress plugin before 1.32 does not ensure that posts to be displayed via a shortcode are public, allowing any authenticated user, such as a subscriber, to retrieve arbitrary post titles and their content, including draft, private and password-protected posts.

Plugin: Simple Blog Card | CVE-2023-4036 | Severity: Medium (CVSS 4.3) | 2023-08-30
Threat Entry Updated 2024-11-21

CVE-2023-3356 - Subscribers Text Counter Plugin

The Subscribers Text Counter WordPress plugin before 1.7.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack; this also leads to Stored Cross-Site Scripting due to the lack of sanitisation and escaping.

Plugin: Subscribers Text Counter | CVE-2023-3356 | Severity: Medium (CVSS 4.3) | 2023-08-30
Threat Entry Updated 2024-11-21

CVE-2023-1982 - Front Editor Plugin

The Front Editor WordPress plugin through 4.0.4 does not sanitize and escape some of its form settings, which could allow high-privilege users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

Plugin: Front Editor | CVE-2023-1982 | Severity: Medium (CVSS 4.8) | 2023-08-30