Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 records (Critical 923, High 3,047, Medium 10,866)
Threat Entry Updated 2025-06-05

CVE-2024-13333 - Advanced File Manager Plugin

The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The function can be exploited only if the "Display .htaccess?" setting is enabled.

Plugin: Advanced File Manager | HIGH, CVSS 7.5, 2025-01-17
Threat Entry Updated 2025-06-05

CVE-2024-10799 - Eventer Plugin

The Eventer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.9.7 via the eventer_woo_download_tickets() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Plugin: Eventer | MEDIUM, CVSS 6.5, 2025-01-17
Threat Entry Updated 2025-01-17

CVE-2024-13401 - Wp Paypal Plugin

The Payment Button for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_paypal_checkout' shortcode in all versions up to, and including, 1.2.3.35 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Paypal | MEDIUM, CVSS 6.4, 2025-01-17
Threat Entry Updated 2025-01-17

CVE-2024-13434 - Wp Inventory Manager Plugin

The WP Inventory Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Wp Inventory Manager | MEDIUM, CVSS 6.1, 2025-01-17
Threat Entry Updated 2025-01-17

CVE-2024-13398 - Checkout For Paypal Plugin

The Checkout for PayPal plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'checkout_for_paypal' shortcode in all versions up to, and including, 1.0.32 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Checkout For Paypal | MEDIUM, CVSS 6.4, 2025-01-17
Threat Entry Updated 2025-01-16

CVE-2025-23961 - WordPress Graphs & Charts Plugin

Missing Authorization vulnerability in WP Tasker WordPress Graphs & Charts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Graphs & Charts: from n/a through 2.0.8.

Plugin: WordPress Graphs & Charts | MEDIUM, CVSS 5.4, 2025-01-16
Threat Entry Updated 2025-01-16

CVE-2025-23913 - WordPress Google Map Professional Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pankajpragma, rahulpragma WordPress Google Map Professional allows SQL Injection. This issue affects WordPress Google Map Professional: from n/a through 1.0.

Plugin: WordPress Google Map Professional | HIGH, CVSS 8.5, 2025-01-16
Threat Entry Updated 2025-01-16

CVE-2025-23912 - WordPress Custom Sidebar Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Typomedia Foundation WordPress Custom Sidebar allows Blind SQL Injection. This issue affects WordPress Custom Sidebar: from n/a through 2.3.

Plugin: WordPress Custom Sidebar | HIGH, CVSS 8.5, 2025-01-16
Threat Entry Updated 2025-01-16

CVE-2025-23842 - WordPress Gallery Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Nilesh Shiragave WordPress Gallery Plugin allows Cross Site Request Forgery. This issue affects WordPress Gallery Plugin: from n/a through 1.4.

Plugin: WordPress Gallery Plugin | HIGH, CVSS 7.1, 2025-01-16
Threat Entry Updated 2025-01-16

CVE-2025-23828 - WordPress Data Guard Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OriginalTips.com WordPress Data Guard allows Stored XSS. This issue affects WordPress Data Guard: from n/a through 8.

Plugin: WordPress Data Guard | HIGH, CVSS 7.1, 2025-01-16
Threat Entry Updated 2025-01-16

CVE-2025-23423 - SendGrid for WordPress Plugin

Missing Authorization vulnerability in Smackcoders SendGrid for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SendGrid for WordPress: from n/a through 1.4.

Plugin: SendGrid for WordPress | MEDIUM, CVSS 4.3, 2025-01-16
Threat Entry Updated 2025-01-16

CVE-2024-13387 - Wp Responsive Tabs Plugin

The WP Responsive Tabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wprtabs' shortcode in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wp Responsive Tabs | MEDIUM, CVSS 6.4, 2025-01-16
Threat Entry Updated 2025-01-17

CVE-2024-12614 - Passwords Manager Plugin

The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and add passwords.

Plugin: Passwords Manager | HIGH, CVSS 7.5, 2025-01-16
Threat Entry Updated 2025-01-17

CVE-2024-12615 - Passwords Manager Plugin

The Passwords Manager plugin for WordPress is vulnerable to SQL Injection via the $wpdb->prefix value in several AJAX actions in all versions up to, and including, 1.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Passwords Manager | MEDIUM, CVSS 6.5, 2025-01-16
Threat Entry Updated 2025-01-16

CVE-2024-13355 - Orderconvo Plugin

The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files on the affected site's server which may make remote code execution possible and is confirmed to make Cross-Site Scripting possible.

Plugin: Orderconvo | MEDIUM, CVSS 5.4, 2025-01-16
Threat Entry Updated 2025-01-17

CVE-2024-12613 - Passwords Manager Plugin

The Passwords Manager plugin for WordPress is vulnerable to SQL Injection via the $wpdb->prefix value in several AJAX functions in all versions up to, and including, 1.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Passwords Manager | HIGH, CVSS 7.5, 2025-01-16
Threat Entry Updated 2025-03-04

CVE-2024-12427 - Multi Step Form Plugin

The Multi Step Form plugin for WordPress is vulnerable to unauthorized limited file upload due to a missing capability check on the fw_upload_file AJAX action in all versions up to, and including, 1.7.23. This makes it possible for unauthenticated attackers to upload limited file types such as images.

Plugin: Multi Step Form | MEDIUM, CVSS 5.3, 2025-01-16