Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 6441-6460 of 15036 records
Threat Entry Updated 2025-01-18

CVE-2024-13317 - Shipworks Connector For Woocommerce Plugin

The ShipWorks Connector for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to missing or incorrect nonce validation on the 'shipworks-wordpress' page. This makes it possible for unauthenticated attackers to update the services username and password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Shipworks Connector For Woocommerce

CVE-2024-13317

MEDIUM CVSS 4.3 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-12385 - Wp Abstracts Plugin

The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing nonce validation on the wpabstracts_load_status() and wpabstracts_delete_abstracts() functions. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Abstracts

CVE-2024-12385

MEDIUM CVSS 6.1 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2025-0318 - Ultimate Member Plugin

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.9.1 through different error messages in the responses. This makes it possible for unauthenticated attackers to exfiltrate data from wp_usermeta table.

PLUGIN Ultimate Member

CVE-2025-0318

MEDIUM CVSS 5.3 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2025-0308 - Ultimate Member Plugin

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the search parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Ultimate Member

CVE-2025-0308

HIGH CVSS 7.5 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13516 - Kubio Ai Page Builder Plugin

The Kubio AI Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 2.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Kubio Ai Page Builder

CVE-2024-13516

MEDIUM CVSS 6.1 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-9020 - List Category Posts Plugin

The List category posts WordPress plugin before 0.90.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN List Category Posts

CVE-2024-9020

MEDIUM CVSS 5.4 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-18

CVE-2024-13515 - Show Image Credits And Captions Plugin

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'path' parameter in all versions up to, and including, 2.28.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Show Image Credits And Captions

CVE-2024-13515

MEDIUM CVSS 6.1 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-02-25

CVE-2024-12071 - Evergreen Content Poster Plugin

The Evergreen Content Poster – Auto Post and Schedule Your Best Content to Social Media plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_network_post() function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to delete arbitrary posts and pages.

PLUGIN Evergreen Content Poster

CVE-2024-12071

MEDIUM CVSS 5.3 2025-01-18
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13377 - Gravity Forms Plugin

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alt’ parameter in all versions up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gravity Forms

CVE-2024-13377

HIGH CVSS 7.2 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13378 - Gravity Forms Plugin

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style_settings’ parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack is only successful in the Chrome web browser, and requires directly browsing the media file via the attachment post.

PLUGIN Gravity Forms

CVE-2024-13378

MEDIUM CVSS 5.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-02-11

CVE-2024-12370 - Wp Hotel Booking Plugin

The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check when adding rooms in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to add rooms with custom prices.

PLUGIN Wp Hotel Booking

CVE-2024-12370

MEDIUM CVSS 5.3 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13367 - Sandbox Plugin

The Sandbox plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the export_download action in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download an entire copy of a sandbox environment which can contain sensitive information like the wp-config.php file.

PLUGIN Sandbox

CVE-2024-13367

MEDIUM CVSS 6.5 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13386 - Quote Post Type Plugin

The quote-posttype-plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Author field in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Quote Post Type

CVE-2024-13386

MEDIUM CVSS 6.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12598 - Mybookprogress Plugin

The MyBookProgress by Stormhill Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘book’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mybookprogress

CVE-2024-12598

MEDIUM CVSS 6.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12508 - Glofox Shortcodes Plugin

The Glofox Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'glofox' and 'glofox_lead_capture ' shortcodes in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Glofox Shortcodes

CVE-2024-12508

MEDIUM CVSS 6.4 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-13366 - Sandbox Plugin

The Sandbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'debug' parameter in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Sandbox

CVE-2024-13366

MEDIUM CVSS 6.1 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12466 - Proofreading Plugin

The Proofreading plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 1.2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Proofreading

CVE-2024-12466

MEDIUM CVSS 6.1 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12637 - Moving Users Plugin

The Moving Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.05 via the export functionality. The JSON files are stored in predictable locations with guessable file names when exporting user data. This could allow unauthenticated attackers to extract sensitive user data, for instance, email addresses, hashed passwords, and IP addresses.

PLUGIN Moving Users

CVE-2024-12637

MEDIUM CVSS 5.3 2025-01-17
Open Full Technical Breakdown
Threat Entry Updated 2025-01-17

CVE-2024-12203 - Rss Icon Widget Plugin

The RSS Icon Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link_color’ parameter in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Rss Icon Widget

CVE-2024-12203

MEDIUM CVSS 4.4 2025-01-17
Open Full Technical Breakdown
Scroll to top