
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866 (Critical: 0, High: 0, Medium: 10,866)
Showing 8541-8560 of 10866 records
Threat Entry Updated 2024-11-21

CVE-2023-4600 - Affiliatewp Plugin

The AffiliateWP for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'affwp_activate_addons_page_plugin' function called via an AJAX action in versions up to, and including, 2.14.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to activate arbitrary plugins.

PLUGIN Affiliatewp

CVE-2023-4600

MEDIUM CVSS 4.3 2023-08-30
Threat Entry Updated 2024-11-21

CVE-2023-4599 - Email Encoder Plugin

The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'eeb_mailto' shortcode in versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Email Encoder

CVE-2023-4599

MEDIUM CVSS 6.4 2023-08-30
Threat Entry Updated 2024-11-21

CVE-2023-4597 - Slimstat Analytics Plugin

The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slimstat' shortcode in versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slimstat Analytics

CVE-2023-4597

MEDIUM CVSS 6.4 2023-08-30
Threat Entry Updated 2024-11-21

CVE-2023-4520 - Fv Flowplayer Video Player Plugin

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_fv_player_user_video' parameter saved via the 'save' function hooked via init, and the plugin is also vulnerable to Arbitrary Usermeta Update via the 'save' function in versions up to, and including, 7.5.37.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, and makes it possible to update the user metas arbitrarily, but…

PLUGIN Fv Flowplayer Video Player

CVE-2023-4520

MEDIUM CVSS 5.4 2023-08-25
Threat Entry Updated 2025-05-05

CVE-2023-3954 - Multiparcels Shipping For Woocommerce Plugin

The MultiParcels Shipping For WooCommerce WordPress plugin before 1.15.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Multiparcels Shipping For Woocommerce

CVE-2023-3954

MEDIUM CVSS 6.1 2023-08-21
Threat Entry Updated 2025-04-23

CVE-2023-3936 - Before 7 Plugin

The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Before 7

CVE-2023-3936

MEDIUM CVSS 6.1 2023-08-21
Threat Entry Updated 2025-05-05

CVE-2023-3667 - Before 1 Plugin

The Bit Assist WordPress plugin before 1.1.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Before 1

CVE-2023-3667

MEDIUM CVSS 4.8 2023-08-21
Threat Entry Updated 2024-11-21

CVE-2023-4040 - Stripe Payment Plugin For Woocommerce

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_callback_handler function in versions up to, and including, 3.7.9. This makes it possible for unauthenticated attackers to modify the order status of arbitrary WooCommerce orders.

PLUGIN Stripe Payment Plugin For Woocommerce

CVE-2023-4040

MEDIUM CVSS 5.3 2023-08-18
Threat Entry Updated 2024-11-21

CVE-2023-3244 - Comments Like Dislike Plugin

The Comments Like Dislike plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the restore_settings function called via an AJAX action in versions up to, and including, 1.1.9. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to reset the plugin's settings. NOTE: After attempting to contact the developer with no response, and reporting this to the WordPress plugin's team 30 days ago we are disclosing this issue as it still is not updated.

PLUGIN Comments Like Dislike

CVE-2023-3244

MEDIUM CVSS 5.3 2023-08-17
Threat Entry Updated 2024-11-21

CVE-2023-2272 - Tiempo Plugin

The Tiempo.com WordPress plugin through 0.1.2 does not sanitise and escape the page parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Tiempo

CVE-2023-2272

MEDIUM CVSS 6.1 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-2123 - Wp Inventory Manager Plugin

The WP Inventory Manager WordPress plugin before 2.1.0.13 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting.

PLUGIN Wp Inventory Manager

CVE-2023-2123

MEDIUM CVSS 6.1 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-2122 - Image Optimizer By 10web Plugin

The Image Optimizer by 10web WordPress plugin before 1.0.27 does not sanitise and escape the iowd_tabs_active parameter before rendering it in the plugin admin panel, leading to a reflected Cross-Site Scripting vulnerability, allowing an attacker to trick a logged in admin to execute arbitrary javascript by clicking a link.

PLUGIN Image Optimizer By 10web

CVE-2023-2122

MEDIUM CVSS 6.1 2023-08-16
Threat Entry Updated 2025-05-05

CVE-2023-1465 - Before 4 Plugin

The WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin

PLUGIN Before 4

CVE-2023-1465

MEDIUM CVSS 6.1 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-1110 - Yellow Yard Searchbar Plugin

The Yellow Yard Searchbar WordPress plugin before 2.8.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Yellow Yard Searchbar

CVE-2023-1110

MEDIUM CVSS 5.4 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-0551 - Rest Api To Miniprogram Plugin

The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated users, such as subscriber, to call and delete arbitrary attachments

PLUGIN Rest Api To Miniprogram

CVE-2023-0551

MEDIUM CVSS 5.4 2023-08-16
Threat Entry Updated 2026-01-14

CVE-2023-0274 - Before 2 Plugin

The URL Params WordPress plugin before 2.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2023-0274

MEDIUM CVSS 5.4 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-2254 - Ko Fi Button Plugin

The Ko-fi Button WordPress plugin before 1.3.3 does not properly some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup), and we consider it a low risk.

PLUGIN Ko Fi Button

CVE-2023-2254

MEDIUM CVSS 4.8 2023-08-16
Threat Entry Updated 2024-11-21

CVE-2023-2225 - Seo Alert Plugin

The SEO Alert WordPress plugin through 1.59 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Seo Alert

CVE-2023-2225

MEDIUM CVSS 4.8 2023-08-16