Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Showing 6121-6140 of 15036 records
Threat Entry Updated 2025-02-11

CVE-2025-0180 - Wp Foodbakery Plugin

The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator.

PLUGIN Wp Foodbakery

CVE-2025-0180

CRITICAL CVSS 9.8 2025-02-11
Threat Entry Updated 2025-02-20

CVE-2024-13570 - Stray Random Quotes Plugin

The Stray Random Quotes WordPress plugin through 1.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Stray Random Quotes

CVE-2024-13570

MEDIUM CVSS 6.1 2025-02-11
Threat Entry Updated 2025-02-20

CVE-2024-13543 - Zarinpal Paid Download Plugin

The Zarinpal Paid Download WordPress plugin through 2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Zarinpal Paid Download

CVE-2024-13543

MEDIUM CVSS 6.1 2025-02-11
Threat Entry Updated 2025-02-20

CVE-2024-13544 - Zarinpal Paid Download Plugin

The Zarinpal Paid Download WordPress plugin through 2.3 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in a multisite setup).

PLUGIN Zarinpal Paid Download

CVE-2024-13544

MEDIUM CVSS 4.8 2025-02-11
Threat Entry Updated 2025-03-28

CVE-2024-12599 - Ht Mega Plugin

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ht Mega

CVE-2024-12599

HIGH CVSS 7.2 2025-02-11
Threat Entry Updated 2025-02-10

CVE-2024-13011 - Wp Foodbakery Plugin

The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Wp Foodbakery

CVE-2024-13011

CRITICAL CVSS 9.8 2025-02-10
Threat Entry Updated 2025-02-10

CVE-2024-13010 - Wp Foodbakery Plugin

The WP Foodbakery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.7 due to insufficient input sanitization and output escaping on the 'search_type' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Foodbakery

CVE-2024-13010

MEDIUM CVSS 6.1 2025-02-10
Threat Entry Updated 2025-02-13

CVE-2024-13440 - Super Store Finder Plugin

The Super Store Finder plugin for WordPress is vulnerable to SQL Injection via the 'ssf_wp_user_name' parameter in all versions up to, and including, 7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into an already existing query to store cross-site scripting in store reviews.

PLUGIN Super Store Finder

CVE-2024-13440

HIGH CVSS 8.2 2025-02-09
Threat Entry Updated 2025-02-11

CVE-2025-0169 - Dwt Listing Plugin

The DWT - Directory & Listing WordPress Theme is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dwt Listing

CVE-2025-0169

MEDIUM CVSS 6.4 2025-02-08
Threat Entry Updated 2025-02-08

CVE-2025-0316 - Wp Directorybox Manager Plugin

The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

PLUGIN Wp Directorybox Manager

CVE-2025-0316

CRITICAL CVSS 9.8 2025-02-08
Threat Entry Updated 2025-02-24

CVE-2024-13850 - Simple Add Pages Or Posts Plugin

The Simple add pages or posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Simple Add Pages Or Posts

CVE-2024-13850

MEDIUM CVSS 5.5 2025-02-08
Threat Entry Updated 2025-02-11

CVE-2024-7425 - Wp All Export Plugin

The WP ALL Export Pro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to improper user input validation and sanitization in all versions up to, and including, 1.9.1. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Wp All Export

CVE-2024-7425

MEDIUM CVSS 6.8 2025-02-07
Threat Entry Updated 2025-02-11

CVE-2024-7419 - Wp All Export Plugin

The WP ALL Export Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.9.1 via the custom export fields. This is due to the missing input validation and sanitization of user-supplied data. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into form fields that get executed on the server during the export, potentially leading to a complete site compromise. As a prerequisite, the custom export field should include fields containing user-supplied data.

PLUGIN Wp All Export

CVE-2024-7419

HIGH CVSS 8.3 2025-02-07
Threat Entry Updated 2025-02-11

CVE-2024-9664 - Wp All Import Plugin

The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

PLUGIN Wp All Import

CVE-2024-9664

HIGH CVSS 7.2 2025-02-07
Threat Entry Updated 2025-02-18

CVE-2024-9661 - Wp All Import Pro Plugin

The WP All Import Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.9.7. This is due to missing nonce validation on the delete_and_edit function. This makes it possible for unauthenticated attackers to delete imported content (posts, comments, users, etc.) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp All Import Pro

CVE-2024-9661

MEDIUM CVSS 4.3 2025-02-07
Threat Entry Updated 2025-02-07

CVE-2025-25077 - Easy Chart Builder for WordPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugbug Easy Chart Builder for WordPress allows Stored XSS. This issue affects Easy Chart Builder for WordPress: from n/a through 1.3.

PLUGIN Easy Chart Builder for WordPress

CVE-2025-25077

MEDIUM CVSS 6.5 2025-02-07
Threat Entry Updated 2025-02-07

CVE-2024-13841 - Builder Shortcode Extras Plugin

The Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via the 'bse-elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created with Elementor that they should not have access to.

PLUGIN Builder Shortcode Extras

CVE-2024-13841

MEDIUM CVSS 4.3 2025-02-07
Threat Entry Updated 2025-05-23

CVE-2024-13492 - Guten Free Options Plugin

The Guten Free Options WordPress plugin through 0.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Guten Free Options

CVE-2024-13492

MEDIUM CVSS 6.1 2025-02-07
Threat Entry Updated 2026-01-09

CVE-2024-13352 - Legull Plugin

The Legull WordPress plugin through 1.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Legull

CVE-2024-13352

HIGH CVSS 7.1 2025-02-07
Threat Entry Updated 2025-02-07

CVE-2025-1061 - Nextend Social Login Pro Plugin

The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Nextend Social Login Pro

CVE-2025-1061

CRITICAL CVSS 9.8 2025-02-07