Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 5961-5980 of 15036 records
Threat Entry Updated 2025-02-18

CVE-2025-27013 - MediCenter - Health Medical Clinic WordPress Theme

Missing Authorization vulnerability in EPC MediCenter - Health Medical Clinic WordPress Theme allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MediCenter - Health Medical Clinic WordPress Theme: from n/a through n/a.

THEME MediCenter - Health Medical Clinic WordPress Theme

CVE-2025-27013

MEDIUM CVSS 5.3 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-18

CVE-2024-13689 - Uncode Core Plugin

The Uncode Core plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.9.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

PLUGIN Uncode Core

CVE-2024-13689

MEDIUM CVSS 6.3 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2025-0817 - Formcraft Plugin

The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Formcraft

CVE-2025-0817

HIGH CVSS 7.2 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2025-0521 - Post Smtp Plugin

The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Post Smtp

CVE-2025-0521

HIGH CVSS 7.2 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13681 - Uncode Plugin

The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_admin_get_oembed' function in all versions up to, and including, 2.9.1.6. This makes it possible for unauthenticated attackers to read arbitrary files on the server.

PLUGIN Uncode

CVE-2024-13681

HIGH CVSS 7.5 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13797 - Pressmart Plugin

The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Pressmart

CVE-2024-13797

HIGH CVSS 7.3 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13691 - Uncode Plugin

The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_recordMedia' function in all versions up to, and including, 2.9.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server.

PLUGIN Uncode

CVE-2024-13691

MEDIUM CVSS 6.5 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13667 - Uncode Plugin

The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Uncode

CVE-2024-13667

MEDIUM CVSS 5.4 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13783 - Formcraft Plugin

The FormCraft plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in formcraft-main.php in all versions up to, and including, 3.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export all plugin data which may contain sensitive information from form submissions.

PLUGIN Formcraft

CVE-2024-13783

MEDIUM CVSS 4.3 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13369 - Tour Master Plugin

The Tour Master - Tour Booking, Travel, Hotel plugin for WordPress is vulnerable to time-based SQL Injection via the ‘review_id’ parameter in all versions up to, and including, 5.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Tour Master

CVE-2024-13369

MEDIUM CVSS 6.5 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13395 - Threepress Plugin

The Threepress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'threepress' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Threepress

CVE-2024-13395

MEDIUM CVSS 6.4 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-08-01

CVE-2024-13316 - Scratch Win Plugin

The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the apmswn_create_discount() function in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create coupons.

PLUGIN Scratch Win

CVE-2024-13316

MEDIUM CVSS 5.3 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13718 - Flexible Wishlist For Woocommerce Plugin

The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.26. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to modify/update/create other user's wishlists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Flexible Wishlist For Woocommerce

CVE-2024-13718

MEDIUM CVSS 4.3 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-12860 - Carspot Plugin

The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

PLUGIN Carspot

CVE-2024-12860

CRITICAL CVSS 9.8 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2025-0864 - Active Products Tables For Woocommerce Plugin

The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcodes_set' parameter in all versions up to, and including, 1.0.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Active Products Tables For Woocommerce

CVE-2025-0864

MEDIUM CVSS 6.1 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2026-01-07

CVE-2024-13704 - Super Testimonials Plugin

The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'st_user_title' parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Super Testimonials

CVE-2024-13704

HIGH CVSS 7.2 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13575 - Web Stories Enhancer Plugin

The Web Stories Enhancer – Level Up Your Web Stories plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'web_stories_enhancer' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Web Stories Enhancer

CVE-2024-13575

MEDIUM CVSS 6.4 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13465 - Ablocks Plugin

The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Table Of Content" Block, specifically in the "markerView" attribute, in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ablocks

CVE-2024-13465

MEDIUM CVSS 6.4 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-11895 - Online Payments Get Paid With Paypal Square Stripe Plugin

The Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Online Payments Get Paid With Paypal Square Stripe

CVE-2024-11895

MEDIUM CVSS 6.4 2025-02-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-21

CVE-2024-13795 - Ecwid Ecommerce Shopping Cart Plugin

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.12.27. This is due to missing or incorrect nonce validation on the ecwid_deactivate_feedback() function. This makes it possible for unauthenticated attackers to send deactivation messages on behalf of a site owner via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Ecwid Ecommerce Shopping Cart

CVE-2024-13795

MEDIUM CVSS 4.3 2025-02-18
Open Full Technical Breakdown
Scroll to top