Live Vulnerability Intelligence

Threat Database

CVE-2024-56302 - WordPress Core
Category: CORE (WordPress Core) | Severity: MEDIUM | CVSS 6.5 | 2025-01-02 | Entry updated 2025-01-02

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ConvertCalculator ConvertCalculator for WordPress allows Stored XSS. This issue affects ConvertCalculator for WordPress: from n/a through 1.1.1.

CVE-2024-56245 - WordPress Core
Category: CORE (WordPress Core) | Severity: MEDIUM | CVSS 6.5 | 2025-01-02 | Entry updated 2025-01-02

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS. This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.42.

CVE-2024-56022 - WordPress Core
Category: CORE (WordPress Core) | Severity: HIGH | CVSS 7.1 | 2025-01-02 | Entry updated 2025-01-02

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress Monsters Preloader by WordPress Monsters allows Reflected XSS. This issue affects Preloader by WordPress Monsters: from n/a through 1.2.3.

CVE-2023-46644 - WordPress CTA Plugin
Category: PLUGIN (WordPress CTA) | Severity: MEDIUM | CVSS 6.5 | 2025-01-02 | Entry updated 2025-01-02

Missing Authorization vulnerability in WP CTA PRO WordPress CTA allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress CTA: from n/a through 1.5.8.

CVE-2023-45636 - WordPress Backup & Migration Plugin
Category: PLUGIN (WordPress Backup & Migration) | Severity: MEDIUM | CVSS 5.4 | 2025-01-02 | Entry updated 2025-01-02

Missing Authorization vulnerability in WebToffee WordPress Backup & Migration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Backup & Migration: from n/a through 1.4.1.

CVE-2024-11357 - Goodlayers Core Plugin
Category: PLUGIN (Goodlayers Core) | Severity: MEDIUM | CVSS 5.9 | 2025-01-02 | Entry updated 2025-06-05

The goodlayers-core WordPress plugin before 2.0.10 does not sanitise and escape some of its settings, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-12595 - Ahathat Plugin
Category: PLUGIN (Ahathat) | Severity: MEDIUM | CVSS 4.7 | 2025-01-02 | Entry updated 2025-06-12

The AHAthat Plugin WordPress plugin through 1.6 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

CVE-2024-11184 - Wp Enable Svg Plugin
Category: PLUGIN (Wp Enable Svg) | Severity: MEDIUM | CVSS 4.8 | 2025-01-02 | Entry updated 2025-06-24

The wp-enable-svg WordPress plugin through 0.7 does not sanitize SVG files when uploaded, allowing authors and above to upload SVGs containing malicious scripts.

CVE-2024-11972 - Hunk Companion Plugin
Category: PLUGIN (Hunk Companion) | Severity: CRITICAL | CVSS 9.8 | 2024-12-31 | Entry updated 2025-05-17

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary plugins from the WordPress.org repo, including vulnerable plugins that have been closed.

CVE-2024-12238 - Ninja Forms Plugin
Category: PLUGIN (Ninja Forms) | Severity: MEDIUM | CVSS 6.3 | 2024-12-29 | Entry updated 2025-04-18

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.22. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

CVE-2024-11644 - Wp Svg Plugin
Category: PLUGIN (Wp Svg) | Severity: MEDIUM | CVSS 5.9 | 2024-12-27 | Entry updated 2025-05-14

The WP-SVG WordPress plugin through 0.9 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-11921 - GiveWP Plugin
Category: PLUGIN (GiveWP) | Severity: MEDIUM | CVSS 4.8 | 2024-12-27 | Entry updated 2025-05-14

The GiveWP WordPress plugin before 3.19.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2024-11645 - Float Block Plugin
Category: PLUGIN (Float Block) | Severity: MEDIUM | CVSS 4.8 | 2024-12-27 | Entry updated 2025-06-12

The float block WordPress plugin through 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-11605 - Wp Publications Plugin
Category: PLUGIN (Wp Publications) | Severity: MEDIUM | CVSS 4.8 | 2024-12-27 | Entry updated 2025-06-12

The wp-publications WordPress plugin through 1.2 does not escape filenames before outputting them back in the page, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-11223 - WPForms Plugin
Category: PLUGIN (WPForms) | Severity: MEDIUM | CVSS 4.7 | 2024-12-26 | Entry updated 2025-05-08

The WPForms WordPress plugin before 1.9.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2024-10903 - Broken Link Checker Plugin
Category: PLUGIN (Broken Link Checker) | Severity: MEDIUM | CVSS 4.7 | 2024-12-26 | Entry updated 2025-05-14

The Broken Link Checker WordPress plugin before 2.4.2 does not validate the link URLs before making a request to them, which could allow admin users to perform an SSRF attack, for example on a multisite installation.

CVE-2024-11281 - Woocommerce Point Of Sale Plugin
Category: PLUGIN (Woocommerce Point Of Sale) | Severity: CRITICAL | CVSS 9.8 | 2024-12-25 | Entry updated 2024-12-25

The WooCommerce Point of Sale plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.1.0. This is due to insufficient validation on the 'logged_in_user_id' value when option values are empty and the ability for attackers to change the email of arbitrary user accounts. This makes it possible for unauthenticated attackers to change the email of arbitrary user accounts, including administrators, and reset their password to gain access to the account.

CVE-2024-10862 - Nex Forms Plugin
Category: PLUGIN (Nex Forms) | Severity: MEDIUM | CVSS 4.9 | 2024-12-25 | Entry updated 2025-01-17

The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to SQL Injection via the 'search_params' parameter in all versions up to, and including, 8.7.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This can be exploited via CSRF due to a lack of nonce…

CVE-2024-12335 - Avada Builder Plugin
Category: PLUGIN (Avada Builder) | Severity: MEDIUM | CVSS 4.3 | 2024-12-25 | Entry updated 2025-04-14

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.11.12 via the handle_clone_post() function and the 'fusion_blog' shortcode and due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.