
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866 (Critical: 0, High: 0, Medium: 10,866)
Showing 8601-8620 of 10866 records
Threat Entry Updated 2025-04-23

CVE-2023-3245 - Floating Chat Widget Plugin

The Floating Chat Widget WordPress plugin before 3.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Floating Chat Widget

CVE-2023-3245

MEDIUM CVSS 4.8 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-3182 - Before 3 Plugin

The Membership WordPress plugin before 3.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 3

CVE-2023-3182

MEDIUM CVSS 6.1 2023-07-17
Threat Entry Updated 2025-05-05

CVE-2023-3041 - Automatic Conversation Plugin

The Autochat Automatic Conversation WordPress plugin through 1.1.7 does not sanitise and escape user input before outputting it back on the page, leading to a Cross-Site Scripting attack.

PLUGIN Automatic Conversation

CVE-2023-3041

MEDIUM CVSS 6.1 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-2701 - Gravity Forms Plugin

The Gravity Forms WordPress plugin before 2.7.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high-privileged users such as admin.

PLUGIN Gravity Forms

CVE-2023-2701

MEDIUM CVSS 6.1 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-1893 - Login Configurator Plugin

The Login Configurator WordPress plugin through 2.1 does not properly escape a URL parameter before outputting it to the page, leading to a reflected cross-site scripting vulnerability targeting site administrators.

PLUGIN Login Configurator

CVE-2023-1893

MEDIUM CVSS 6.1 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-2579 - Inventorypress Plugin

The InventoryPress WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow users with the role of author and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Inventorypress

CVE-2023-2579

MEDIUM CVSS 5.4 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-0439 - Before 8 Plugin

The NEX-Forms WordPress plugin before 8.4.4 does not escape its form name, which could lead to Stored Cross-Site Scripting issues. By default only SuperAdmins (in multisite) / admins (in single site) can create forms; however, there is a setting allowing them to give lower roles access to this feature.

PLUGIN Before 8

CVE-2023-0439

MEDIUM CVSS 5.4 2023-07-17
Threat Entry Updated 2024-11-21

CVE-2023-2082 - Buy Me A Coffee Plugin

The "Buy Me a Coffee – Button and Widget Plugin" plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 3.6 due to insufficient sanitization and escaping on the 'text' value set via the bmc_post_reception action. This makes it possible for authenticated attackers with subscriber-level permissions and above to inject arbitrary web scripts into pages that execute whenever a victim accesses a page with the injected scripts.

PLUGIN Buy Me A Coffee

CVE-2023-2082

MEDIUM CVSS 6.4 2023-07-14
Threat Entry Updated 2026-04-08

CVE-2021-4427 - Revenue Plugin

The Vuukle Comments, Reactions, Share Bar, Revenue plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.31. This is due to missing or incorrect nonce validation in the /admin/partials/free-comments-for-wordpress-vuukle-admin-display.php file. This makes it possible for unauthenticated attackers to edit the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Revenue

CVE-2021-4427

MEDIUM CVSS 4.3 2023-07-12
Threat Entry Updated 2026-04-08

CVE-2021-4426 - Absolute Reviews Plugin

The Absolute Reviews plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.8. This is due to missing or incorrect nonce validation on the metabox_review_save() function. This makes it possible for unauthenticated attackers to save meta tags via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Absolute Reviews

CVE-2021-4426

MEDIUM CVSS 4.3 2023-07-12
Threat Entry Updated 2026-04-08

CVE-2021-4425 - Defender Security Plugin

The Defender Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.6. This is due to missing or incorrect nonce validation on the verify_otp_login_time() function. This makes it possible for unauthenticated attackers to verify a one time login via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Defender Security

CVE-2021-4425

MEDIUM CVSS 4.3 2023-07-12
Threat Entry Updated 2026-04-08

CVE-2021-4424 - Slider Hero Plugin

The Slider Hero plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.2.0. This is due to missing or incorrect nonce validation on the qc_slider_hero_duplicate() function. This makes it possible for unauthenticated attackers to duplicate slides via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Slider Hero

CVE-2021-4424

MEDIUM CVSS 4.3 2023-07-12
Threat Entry Updated 2026-04-08

CVE-2021-4423 - Rays Grid Plugin

The RAYS Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the rsgd_insert_update() function. This makes it possible for unauthenticated attackers to update post fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Rays Grid

CVE-2021-4423

MEDIUM CVSS 4.3 2023-07-12
Threat Entry Updated 2026-04-08

CVE-2021-4422 - Post Smtp Mailer Plugin

The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This makes it possible for unauthenticated attackers to trigger a CSV export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Post Smtp Mailer

CVE-2021-4422

MEDIUM CVSS 4.3 2023-07-12
Threat Entry Updated 2026-04-08

CVE-2021-4421 - Advanced Popups Plugin

The Advanced Popups plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the metabox_popup_save() function. This makes it possible for unauthenticated attackers to save meta tags via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Advanced Popups

CVE-2021-4421

MEDIUM CVSS 4.3 2023-07-12
Threat Entry Updated 2026-04-08

CVE-2021-4420 - Sell Media Plugin

The Sell Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.5.5. This is due to missing or incorrect nonce validation on the sell_media_process() function. This makes it possible for unauthenticated attackers to sell media paypal orders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Sell Media

CVE-2021-4420

MEDIUM CVSS 4.3 2023-07-12