Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 6301-6320 of 15036 records
Threat Entry Updated 2025-05-11

CVE-2024-12749 - Competition Form Plugin

The Competition Form WordPress plugin through 2.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Competition Form

CVE-2024-12749

HIGH CVSS 7.1 2025-01-29
Open Full Technical Breakdown
Threat Entry Updated 2025-05-23

CVE-2025-0804 - Clickwhale Plugin

The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via link titles in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Clickwhale

CVE-2025-0804

MEDIUM CVSS 6.4 2025-01-29
Open Full Technical Breakdown
Threat Entry Updated 2025-01-30

CVE-2024-13527 - Philantro Plugin

The Philantro – Donations and Donor Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'donate' in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Philantro

CVE-2024-13527

MEDIUM CVSS 6.4 2025-01-28
Open Full Technical Breakdown
Threat Entry Updated 2025-01-30

CVE-2025-0321 - Elementskit Plugin

The ElementsKit Pro plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 3.7.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementskit

CVE-2025-0321

MEDIUM CVSS 6.4 2025-01-28
Open Full Technical Breakdown
Threat Entry Updated 2025-01-30

CVE-2024-13521 - Mailup Auto Subscription Plugin

The MailUp Auto Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the mas_options function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Mailup Auto Subscription

CVE-2024-13521

MEDIUM CVSS 6.1 2025-01-28
Open Full Technical Breakdown
Threat Entry Updated 2025-01-30

CVE-2024-13509 - Ws Form Plugin

The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter in all versions up to, and including, 1.10.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability is partially fixed in 1.10.13 and completely fixed in 1.10.14.

PLUGIN Ws Form

CVE-2024-13509

HIGH CVSS 7.2 2025-01-28
Open Full Technical Breakdown
Threat Entry Updated 2025-01-30

CVE-2024-13448 - Addons Plugin

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Addons

CVE-2024-13448

CRITICAL CVSS 9.8 2025-01-28
Open Full Technical Breakdown
Threat Entry Updated 2025-05-24

CVE-2024-12723 - Infility Global Plugin

The Infility Global WordPress plugin through 2.9.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Infility Global

CVE-2024-12723

MEDIUM CVSS 6.1 2025-01-28
Open Full Technical Breakdown
Threat Entry Updated 2025-05-11

CVE-2024-12807 - Social Share Buttons Plugin

The Social Share Buttons for WordPress plugin through 2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Social Share Buttons

CVE-2024-12807

MEDIUM CVSS 4.8 2025-01-28
Open Full Technical Breakdown
Threat Entry Updated 2025-03-05

CVE-2024-11135 - Eventer Plugin

The Eventer plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'eventer_get_attendees' function in all versions up to, and including, 3.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Eventer

CVE-2024-11135

HIGH CVSS 7.5 2025-01-28
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13094 - Wp Triggers Lite Plugin

The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wp Triggers Lite

CVE-2024-13094

HIGH CVSS 7.1 2025-01-27
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13057 - Dyn Business Panel Plugin

The Dyn Business Panel WordPress plugin through 1.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Dyn Business Panel

CVE-2024-13057

HIGH CVSS 7.1 2025-01-27
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13056 - Dyn Business Panel Plugin

The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Dyn Business Panel

CVE-2024-13056

HIGH CVSS 7.1 2025-01-27
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-13055 - Dyn Business Panel Plugin

The Dyn Business Panel WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Dyn Business Panel

CVE-2024-13055

HIGH CVSS 7.1 2025-01-27
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-13117 - Share Buttons Plugin

The Social Share Buttons for WordPress plugin through 2.7 allows an unauthenticated user to upload arbitrary images and change the path where they are uploaded

PLUGIN Share Buttons

CVE-2024-13117

MEDIUM CVSS 6.5 2025-01-27
Open Full Technical Breakdown
Threat Entry Updated 2025-05-05

CVE-2024-13095 - Wp Triggers Lite Plugin

The WP Triggers Lite WordPress plugin through 2.5.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

PLUGIN Wp Triggers Lite

CVE-2024-13095

MEDIUM CVSS 4.8 2025-01-27
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-13116 - Crelly Slider Plugin

The Crelly Slider WordPress plugin before 1.4.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Crelly Slider

CVE-2024-13116

LOW CVSS 3.8 2025-01-27
Open Full Technical Breakdown
Threat Entry Updated 2025-05-07

CVE-2024-12773 - Altra Side Menu Plugin

The Altra Side Menu WordPress plugin through 2.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

PLUGIN Altra Side Menu

CVE-2024-12773

HIGH CVSS 7.2 2025-01-27
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-13052 - Dental Optimizer Patient Generator App Plugin

The Dental Optimizer Patient Generator App WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Dental Optimizer Patient Generator App

CVE-2024-13052

HIGH CVSS 7.1 2025-01-27
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-12321 - Wc Affiliate Plugin

The WC Affiliate WordPress plugin through 2.3.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Wc Affiliate

CVE-2024-12321

HIGH CVSS 7.1 2025-01-27
Open Full Technical Breakdown
Scroll to top