Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Showing 6721-6740 of 15036 records
Threat Entry Updated 2025-01-07

CVE-2024-11437 - Timeline Designer Plugin

The Timeline Designer plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Timeline Designer

CVE-2024-11437

MEDIUM CVSS 4.9 2025-01-07
Threat Entry Updated 2025-05-14

CVE-2024-12302 - Icegram Engage Plugin

The Icegram Engage WordPress plugin before 3.1.32 does not sanitise and escape some of its Campaign settings, which could allow authors and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Icegram Engage

CVE-2024-12302

MEDIUM CVSS 6.1 2025-01-06
Threat Entry Updated 2025-05-14

CVE-2024-11849 - Before 3 Plugin

The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 3

CVE-2024-11849

MEDIUM CVSS 6.1 2025-01-06
Threat Entry Updated 2025-06-05

CVE-2024-11356 - Before 5 Plugin

The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

PLUGIN Before 5

CVE-2024-11356

MEDIUM CVSS 6.1 2025-01-06
Threat Entry Updated 2025-01-06

CVE-2024-10957 - Updraftplus Plugin

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions from 1.23.8 to 1.24.11 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the…

PLUGIN Updraftplus

CVE-2024-10957

HIGH CVSS 8.8 2025-01-04
Threat Entry Updated 2025-02-25

CVE-2024-12475 - Wp Multi Store Locator Plugin

The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Multi Store Locator

CVE-2024-12475

MEDIUM CVSS 6.4 2025-01-04
Threat Entry Updated 2025-08-12

CVE-2024-12279 - Wp Social Autoconnect Plugin

The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Social Autoconnect

CVE-2024-12279

MEDIUM CVSS 6.1 2025-01-04
Threat Entry Updated 2025-02-05

CVE-2024-12195 - Wp Project Manager Plugin

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, who have been granted access to a project, to append additional SQL queries into already existing queries that can be used…

PLUGIN Wp Project Manager

CVE-2024-12195

MEDIUM CVSS 6.5 2025-01-04
Threat Entry Updated 2025-01-04

CVE-2024-12221 - Weaver For Bbpress Plugin

The Turnkey bbPress by WeaverTheme plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘_wpnonce’ parameter in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Weaver For Bbpress

CVE-2024-12221

MEDIUM CVSS 6.1 2025-01-04
Threat Entry Updated 2025-01-04

CVE-2024-12583 - Dynamics 365 Integration Plugin

The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

PLUGIN Dynamics 365 Integration

CVE-2024-12583

CRITICAL CVSS 9.9 2025-01-04
Threat Entry Updated 2025-02-25

CVE-2024-11930 - Taskbuilder Plugin

The Taskbuilder – WordPress Project & Task Management plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppm_tasks shortcode in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Taskbuilder

CVE-2024-11930

MEDIUM CVSS 6.4 2025-01-04
Threat Entry Updated 2025-01-04

CVE-2024-12701 - Import Any Xml File To Wordpress Plugin

The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Import Any Xml File To Wordpress

CVE-2024-12701

MEDIUM CVSS 6.1 2025-01-04
Threat Entry Updated 2025-08-11

CVE-2024-12047 - Wp Compress Plugin

The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘custom_server’ parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Wp Compress

CVE-2024-12047

MEDIUM CVSS 6.1 2025-01-04
Threat Entry Updated 2025-06-05

CVE-2024-12545 - Scratch Win Plugin

The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin’s installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Scratch Win

CVE-2024-12545

MEDIUM CVSS 5.4 2025-01-04
Threat Entry Updated 2025-01-04

CVE-2024-10932 - Backup Backup Plugin

The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site in order to trigger the exploit.

PLUGIN Backup Backup

CVE-2024-10932

HIGH CVSS 8.8 2025-01-04
Threat Entry Updated 2025-03-31

CVE-2024-11974 - Media Library Assistant Plugin

The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'smc_settings_tab', 'unattachfixit-action', and 'woofixit-action' parameters in all versions up to, and including, 3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Media Library Assistant

CVE-2024-11974

MEDIUM CVSS 6.1 2025-01-04
Threat Entry Updated 2025-01-03

CVE-2024-11733 - The Wordpress Popular Posts Plugin

The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Wordpress Popular Posts

CVE-2024-11733

HIGH CVSS 7.3 2025-01-03
Threat Entry Updated 2025-01-03

CVE-2024-12237 - Wp Responsive Photo Gallery Plugin

The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.15 via the rjg_get_youtube_info_justified_gallery_callback function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to retrieve limited information from internal services.

PLUGIN Wp Responsive Photo Gallery

CVE-2024-12237

MEDIUM CVSS 4.3 2025-01-03
Threat Entry Updated 2025-02-05

CVE-2024-12132 - Wp Job Portal Plugin

The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker.

PLUGIN Wp Job Portal

CVE-2024-12132

MEDIUM CVSS 4.3 2025-01-03