
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,866
Critical: 0
High: 0
Medium: 10,866
Showing 8721-8740 of 10866 records
Threat Entry Updated 2024-12-12

CVE-2023-2654 - Conditional Menus Plugin

The Conditional Menus WordPress plugin before 1.2.1 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue which could be used against high privilege users such as admin.

PLUGIN Conditional Menus

CVE-2023-2654

MEDIUM CVSS 6.1 2023-06-19
Threat Entry Updated 2024-12-12

CVE-2023-2399 - QuBot Plugin

The QuBot WordPress plugin before 1.1.6 does not filter user input in the chat, so bad code inserted in it is reflected on the user dashboard.

PLUGIN QuBot

CVE-2023-2399

MEDIUM CVSS 6.1 2023-06-19
Threat Entry Updated 2024-12-12

CVE-2023-2899 - Google Map Shortcode Plugin

The Google Map Shortcode WordPress plugin through 3.1.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin.

PLUGIN Google Map Shortcode

CVE-2023-2899

MEDIUM CVSS 5.4 2023-06-19
Threat Entry Updated 2024-12-12

CVE-2023-2751 - Upload Resume Plugin

The Upload Resume WordPress plugin through 1.2.0 does not validate the captcha parameter when uploading a resume via the resume_upload_form shortcode, allowing unauthenticated visitors to upload arbitrary media files to the site.

PLUGIN Upload Resume

CVE-2023-2751

MEDIUM CVSS 5.3 2023-06-19
Threat Entry Updated 2024-11-21

CVE-2023-2812 - Ultimate Dashboard Plugin

The Ultimate Dashboard WordPress plugin before 3.7.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Ultimate Dashboard

CVE-2023-2812

MEDIUM CVSS 4.8 2023-06-19
Threat Entry Updated 2025-05-12

CVE-2023-2811 - Ai Chatbot Plugin

The AI ChatBot WordPress plugin before 4.5.6 does not sanitise and escape a number of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks against all admins when configuring the chatbot and against all clients when using the chatbot.

PLUGIN Ai Chatbot

CVE-2023-2811

MEDIUM CVSS 4.8 2023-06-19
Threat Entry Updated 2025-05-12

CVE-2023-2742 - Ai Chatbot Plugin

The AI ChatBot WordPress plugin before 4.5.5 does not sanitize and escape its settings, allowing high-privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Ai Chatbot

CVE-2023-2742

MEDIUM CVSS 4.8 2023-06-19
Threat Entry Updated 2024-12-11

CVE-2023-2684 - File Renaming On Upload Plugin

The File Renaming on Upload WordPress plugin before 2.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN File Renaming On Upload

CVE-2023-2684

MEDIUM CVSS 4.8 2023-06-19
Threat Entry Updated 2025-04-23

CVE-2023-2600 - Custom Base Terms Plugin

The Custom Base Terms WordPress plugin before 1.0.3 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Custom Base Terms

CVE-2023-2600

MEDIUM CVSS 4.8 2023-06-19
Threat Entry Updated 2024-12-12

CVE-2023-2527 - Integration for Contact Form 7 and Zoho CRM, Bigin Plugin

The Integration for Contact Form 7 and Zoho CRM, Bigin WordPress plugin before 1.2.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

PLUGIN Integration for Contact Form 7 and Zoho CRM, Bigin

CVE-2023-2527

MEDIUM CVSS 4.8 2023-06-19
Threat Entry Updated 2024-12-12

CVE-2023-2401 - QuBot Plugin

The QuBot WordPress plugin before 1.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN QuBot

CVE-2023-2401

MEDIUM CVSS 4.8 2023-06-19
Threat Entry Updated 2024-11-21

CVE-2023-0489 - SlideOnline Plugin

The SlideOnline WordPress plugin through 1.2.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN SlideOnline

CVE-2023-0489

MEDIUM CVSS 5.4 2023-06-19
Threat Entry Updated 2024-12-12

CVE-2023-0368 - Responsive Tabs For Wpbakery Page Builder Plugin

The Responsive Tabs For WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Responsive Tabs For Wpbakery Page Builder

CVE-2023-0368

MEDIUM CVSS 5.4 2023-06-19
Threat Entry Updated 2024-11-21

CVE-2023-3203 - Mstore Api Plugin

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_limit_product function. This makes it possible for unauthenticated attackers to update the limit on the number of products per category to use cache data in the home screen via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Mstore Api

CVE-2023-3203

MEDIUM CVSS 4.3 2023-06-14
Threat Entry Updated 2024-11-21

CVE-2023-3201 - Mstore Api Plugin

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_title function. This makes it possible for unauthenticated attackers to update the new order title via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Mstore Api

CVE-2023-3201

MEDIUM CVSS 4.3 2023-06-14
Threat Entry Updated 2024-11-21

CVE-2023-3200 - Mstore Api Plugin

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_new_order_message function. This makes it possible for unauthenticated attackers to update the new order message via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Mstore Api

CVE-2023-3200

MEDIUM CVSS 4.3 2023-06-14
Threat Entry Updated 2024-11-21

CVE-2023-3198 - Mstore Api Plugin

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update the status order message via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Mstore Api

CVE-2023-3198

MEDIUM CVSS 4.3 2023-06-14
Threat Entry Updated 2024-11-21

CVE-2023-2351 - Wp Directory Kit Plugin

The WP Directory Kit plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'ajax_admin' function in versions up to, and including, 1.2.3. This makes it possible for authenticated attackers with subscriber-level permissions or above to delete or change plugin settings, import demo data, delete Directory Kit related posts and terms, and install arbitrary plugins. A partial patch was introduced in version 1.2.0.

PLUGIN Wp Directory Kit

CVE-2023-2351

MEDIUM CVSS 6.5 2023-06-13
Threat Entry Updated 2024-11-21

CVE-2023-2277 - Wp Directory Kit Plugin

The WP Directory Kit plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the 'insert' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Directory Kit

CVE-2023-2277

MEDIUM CVSS 6.1 2023-06-13