Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 6421-6440 of 15036 records
Threat Entry Updated 2025-01-31

CVE-2024-13404 - Link Library Plugin

The Link Library plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'searchll' parameter in all versions up to, and including, 7.7.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Link Library

CVE-2024-13404

MEDIUM CVSS 6.1 2025-01-21
Open Full Technical Breakdown
Threat Entry Updated 2025-01-31

CVE-2024-12005 - Wp Bibtex Plugin

The WP-BibTeX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the wp_bibtex_option_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Bibtex

CVE-2024-12005

MEDIUM CVSS 6.1 2025-01-21
Open Full Technical Breakdown
Threat Entry Updated 2026-02-17

CVE-2024-12104 - Atarim Plugin

The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpf_delete_file and wpf_delete_file functions in all versions up to, and including, 4.0.9. This makes it possible for unauthenticated attackers to delete project pages and files.

PLUGIN Atarim

CVE-2024-12104

MEDIUM CVSS 5.3 2025-01-21
Open Full Technical Breakdown
Threat Entry Updated 2025-01-31

CVE-2025-0371 - Jetelements Plugin

The JetElements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.7.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jetelements

CVE-2025-0371

MEDIUM CVSS 6.4 2025-01-21
Open Full Technical Breakdown
Threat Entry Updated 2025-02-05

CVE-2024-10936 - String Locator Plugin

The String locator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must perform a search and…

PLUGIN String Locator

CVE-2024-10936

HIGH CVSS 8.8 2025-01-21
Open Full Technical Breakdown
Threat Entry Updated 2025-01-21

CVE-2024-13536 - 1003 Mortgage Application Plugin

The 1003 Mortgage Application plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.87. This is due the /inc/class/fnm/export.php file being publicly accessible with error logging enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN 1003 Mortgage Application

CVE-2024-13536

MEDIUM CVSS 5.3 2025-01-21
Open Full Technical Breakdown
Threat Entry Updated 2025-01-19

CVE-2024-8722 - Import Any Xml Or Csv File To Wordpress Pro Plugin

The Import any XML or CSV File to WordPress PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Import Any Xml Or Csv File To Wordpress Pro

CVE-2024-8722

MEDIUM CVSS 5.5 2025-01-19
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13375 - Adifier System Plugin

The Adifier System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.1.7. This is due to the plugin not properly validating a user's identity prior to updating their details like password through the adifier_recover() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

PLUGIN Adifier System

CVE-2024-13375

CRITICAL CVSS 9.8 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13184 - Wp Extended Plugin

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to time-based SQL Injection via the Login Attempts module in all versions up to, and including, 3.0.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wp Extended

CVE-2024-13184

HIGH CVSS 7.5 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13392 - Star Ratings Plugin

The Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_reviews' shortcode in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Star Ratings

CVE-2024-13392

MEDIUM CVSS 6.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2025-0369 - Jetengine Plugin

The JetEngine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘list_tag’ parameter in all versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jetengine

CVE-2025-0369

MEDIUM CVSS 6.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13433 - Utilities For Mtg Plugin

The Utilities for MTG plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mtglink' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Utilities For Mtg

CVE-2024-13433

MEDIUM CVSS 6.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13519 - Ultimate Woocommerce Multivendor Marketplace Solution Plugin

The MarketKing — Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.9.80 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Ultimate Woocommerce Multivendor Marketplace Solution

CVE-2024-13519

MEDIUM CVSS 4.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-07

CVE-2024-13517 - Easy Digital Downloads Plugin

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title value in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Easy Digital Downloads

CVE-2024-13517

MEDIUM CVSS 4.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2025-0515 - Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme

The Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service…

THEME Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme

CVE-2025-0515

MEDIUM CVSS 4.3 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13393 - Turnkey Video Site Builder Script Plugin

The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_videos' shortcode in all versions up to, and including, 2.6.31 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Turnkey Video Site Builder Script

CVE-2024-13393

MEDIUM CVSS 6.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13391 - Tokens Wallet Plugin

The MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Tokens Wallet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_content_upload_guest' shortcode in all versions up to, and including, 2.9.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tokens Wallet

CVE-2024-13391

MEDIUM CVSS 6.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13385 - Jsm Screenshot Machine Shortcode Plugin

The JSM Screenshot Machine Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ssm' shortcode in all versions up to, and including, 2.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jsm Screenshot Machine Shortcode

CVE-2024-13385

MEDIUM CVSS 6.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-12696 - Picture Gallery Plugin

The Picture Gallery – Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videowhisper_picture_upload_guest shortcode in all versions up to, and including, 1.5.22 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Picture Gallery

CVE-2024-12696

MEDIUM CVSS 6.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13432 - Webcamconsult Plugin

The Webcamconsult plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Webcamconsult

CVE-2024-13432

MEDIUM CVSS 6.1 2025-01-18
Open Full Technical Breakdown
Scroll to top