Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 6161-6180 of 15036 records
Threat Entry Updated 2025-05-13

CVE-2024-13331 - Wp Dream Carousel Plugin

The WP Dream Carousel WordPress plugin through 1.0.1b does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Wp Dream Carousel

CVE-2024-13331

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-13328 - Giga Messenger Plugin

The Giga Messenger WordPress plugin through 2.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Giga Messenger

CVE-2024-13328

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13327 - Musicbox Plugin

The Musicbox WordPress plugin through 2.0.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Musicbox

CVE-2024-13327

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13326 - Ibuildapp Plugin

The iBuildApp WordPress plugin through 0.2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Ibuildapp

CVE-2024-13326

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-07-25

CVE-2024-13325 - Glossy Plugin

The Glossy WordPress plugin through 2.3.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Glossy

CVE-2024-13325

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13115 - Wp Projects Portfolio With Client Testimonials Plugin

The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Wp Projects Portfolio With Client Testimonials

CVE-2024-13115

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13114 - Wp Projects Portfolio With Client Testimonials Plugin

The WP Projects Portfolio with Client Testimonials WordPress plugin through 3.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Projects Portfolio With Client Testimonials

CVE-2024-13114

MEDIUM CVSS 6.1 2025-02-04
Open Full Technical Breakdown
Threat Entry Updated 2025-02-03

CVE-2024-12859 - Boombox Theme Extensions Plugin

The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boombox_listing' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

PLUGIN Boombox Theme Extensions

CVE-2024-12859

HIGH CVSS 8.8 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-03-05

CVE-2024-11132 - Eventer Plugin

The Eventer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Eventer

CVE-2024-11132

MEDIUM CVSS 6.4 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-03-04

CVE-2024-11133 - Eventer Plugin

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_pdf_download_request' function in all versions up to, and including, 3.9.9. This makes it possible for unauthenticated attackers to download event tickets.

PLUGIN Eventer

CVE-2024-11133

MEDIUM CVSS 5.3 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-03-04

CVE-2024-11134 - Eventer Plugin

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventer_export_bookings_csv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level permissions or above, to download bookings, which contains customers' personal data.

PLUGIN Eventer

CVE-2024-11134

MEDIUM CVSS 4.3 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-02-03

CVE-2025-23614 - WordPress Additional Logins Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nik Sudan WordPress Additional Logins allows Reflected XSS. This issue affects WordPress Additional Logins: from n/a through 1.0.0.

PLUGIN WordPress Additional Logins

CVE-2025-23614

HIGH CVSS 7.1 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-02-03

CVE-2025-23588 - WOW Best CSS Compiler Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WOW WordPress WOW Best CSS Compiler allows Reflected XSS. This issue affects WOW Best CSS Compiler: from n/a through 2.0.2.

PLUGIN WOW Best CSS Compiler

CVE-2025-23588

HIGH CVSS 7.1 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-02-03

CVE-2025-22704 - WordPress Signature Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Abinav Thakuri WordPress Signature allows Cross Site Request Forgery. This issue affects WordPress Signature: from n/a through 0.1.

PLUGIN WordPress Signature

CVE-2025-22704

MEDIUM CVSS 5.4 2025-02-03
Open Full Technical Breakdown
Threat Entry Updated 2025-02-24

CVE-2024-13775 - Woocommerce Support Ticket System Plugin

The WooCommerce Support Ticket System plugin for WordPress is vulnerable to unauthorized access and loss of data due to missing capability checks on the 'ajax_delete_message', 'ajax_get_customers_partial_list', and 'ajax_get_admins_list' functions in all versions up to, and including, 17.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts, and read names, emails, and capabilities of all users.

PLUGIN Woocommerce Support Ticket System

CVE-2024-13775

MEDIUM CVSS 5.4 2025-02-01
Open Full Technical Breakdown
Threat Entry Updated 2025-02-20

CVE-2024-13612 - Better Messages Plugin

The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'better_messages_live_chat_button' shortcode in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Better Messages

CVE-2024-13612

MEDIUM CVSS 6.4 2025-02-01
Open Full Technical Breakdown
Threat Entry Updated 2025-02-05

CVE-2024-13429 - Wp Job Portal Plugin

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the 'jobenforcedelete' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with employer-level access and above, to delete arbitrary

PLUGIN Wp Job Portal

CVE-2024-13429

MEDIUM CVSS 4.3 2025-02-01
Open Full Technical Breakdown
Threat Entry Updated 2025-02-05

CVE-2024-13428 - Wp Job Portal Plugin

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the deleteCompanyLogo() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to delete arbitrary company logos.

PLUGIN Wp Job Portal

CVE-2024-13428

MEDIUM CVSS 5.3 2025-02-01
Open Full Technical Breakdown
Threat Entry Updated 2025-02-05

CVE-2024-13372 - Wp Job Portal Plugin

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.6 via the getresumefiledownloadbyid() and getallresumefiles() functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download users resumes without the appropriate authorization to do so.

PLUGIN Wp Job Portal

CVE-2024-13372

MEDIUM CVSS 5.3 2025-02-01
Open Full Technical Breakdown
Scroll to top