Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 7421-7440 of 15036 records
Threat Entry Updated 2024-11-19

CVE-2024-10486 - Google Listings And Ads Plugin

The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PHP configuration, which can be used to aid other attacks.

PLUGIN Google Listings And Ads

CVE-2024-10486

MEDIUM CVSS 5.3 2024-11-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-19

CVE-2024-10390 - Elfsight Telegram Chat Cc Plugin

The Elfsight Telegram Chat CC plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the 'updatePreferences' function in all versions up to, and including, 1.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elfsight Telegram Chat Cc

CVE-2024-10390

MEDIUM CVSS 6.4 2024-11-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-20

CVE-2024-52431 - Wordpress Video Robot Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pressaholic WordPress Video Robot - The Ultimate Video Importer allows SQL Injection.This issue affects WordPress Video Robot - The Ultimate Video Importer: from n/a through 1.20.0.

PLUGIN Wordpress Video Robot

CVE-2024-52431

CRITICAL CVSS 9.3 2024-11-18
Open Full Technical Breakdown
Threat Entry Updated 2025-05-15

CVE-2024-5030 - Cm Table Of Contents Plugin

The CM Table Of Contents WordPress plugin before 1.2.3 does not have CSRF check in place when resetting its settings, which could allow attackers to make a logged in admin perform such action via a CSRF attack

PLUGIN Cm Table Of Contents

CVE-2024-5030

LOW CVSS 3.8 2024-11-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-52408 - WordPress Core

Unrestricted Upload of File with Dangerous Type vulnerability in Team PushAssist Push Notifications for WordPress by PushAssist allows Upload a Web Shell to a Web Server.This issue affects Push Notifications for WordPress by PushAssist: from n/a through 3.0.8.

CORE WordPress Core

CVE-2024-52408

CRITICAL CVSS 9.9 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-9887 - Miniorange Wp As Saml Idp Plugin

The Login using WordPress Users ( WP as SAML IDP ) plugin for WordPress is vulnerable to time-based SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.15.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Miniorange Wp As Saml Idp

CVE-2024-9887

HIGH CVSS 7.2 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-10592 - Mapster Wp Maps Plugin

The Mapster WP Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup class parameter in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mapster Wp Maps

CVE-2024-10592

MEDIUM CVSS 6.4 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-11094 - 404 Solution Plugin

The 404 Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.35.17 via the export feature. This makes it possible for unauthenticated attackers to extract sensitive data such as redirects including GET parameters which may reveal sensitive information.

PLUGIN 404 Solution

CVE-2024-11094

MEDIUM CVSS 5.3 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-10645 - Blogger 301 Redirect Plugin

The Blogger 301 Redirect plugin for WordPress is vulnerable to blind time-based SQL Injection via the ‘br’ parameter in all versions up to, and including, 2.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Blogger 301 Redirect

CVE-2024-10645

HIGH CVSS 7.5 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2025-02-05

CVE-2024-10614 - Customer Reviews For Woocommerce Plugin

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cancel_import() function in all versions up to, and including, 5.61.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel and import or check on the status.

PLUGIN Customer Reviews For Woocommerce

CVE-2024-10614

MEDIUM CVSS 4.3 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2025-07-09

CVE-2024-8856 - Backup And Staging By Wp Time Capsule Plugin

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the the UploadHandler.php file and no direct file access prevention in all versions up to, and including, 1.22.21. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Backup And Staging By Wp Time Capsule

CVE-2024-8856

CRITICAL CVSS 9.8 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2025-07-09

CVE-2024-10728 - Postx Plugin

The Post Grid Gutenberg Blocks and WordPress Blog Plugin – PostX plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the 'install_required_plugin_callback' function in all versions up to, and including, 4.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

PLUGIN Postx

CVE-2024-10728

HIGH CVSS 8.8 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-9935 - Pdf Generator Addon For Elementor Page Builder Plugin

The PDF Generator Addon for Elementor Page Builder plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5 via the rtw_pgaepb_dwnld_pdf() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Pdf Generator Addon For Elementor Page Builder

CVE-2024-9935

HIGH CVSS 7.5 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-9938 - Bounce Handler Mailpoet Plugin

The Bounce Handler MailPoet 3 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.3.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Bounce Handler Mailpoet

CVE-2024-9938

MEDIUM CVSS 6.1 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-9849 - Real3d Flipbook Lite Plugin

The 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback' function in all versions up to, and including, 4.6. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Real3d Flipbook Lite

CVE-2024-9849

HIGH CVSS 8.8 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-9839 - The Uix Slideshow Plugin

The The Uix Slideshow plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Uix Slideshow

CVE-2024-9839

HIGH CVSS 7.3 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-9850 - Case Study Plugin

The SVG Case Study plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Case Study

CVE-2024-9850

MEDIUM CVSS 6.4 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-9386 - Exclusive Divi Plugin

The Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Exclusive Divi

CVE-2024-9386

MEDIUM CVSS 6.4 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-9615 - Bulkpress Plugin

The BulkPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.3.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Bulkpress

CVE-2024-9615

MEDIUM CVSS 6.1 2024-11-16
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-9192 - Wordpress Video Robot The Ultimate Video Importer Plugin

The WordPress Video Robot - The Ultimate Video Importer plugin for WordPress is vulnerable to privilege escalation due to insufficient validation on user meta that can be updated in the wpvr_rate_request_result() function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their user meta on a WordPress site. This can be leveraged to update their capabilities to that of an administrator.

PLUGIN Wordpress Video Robot The Ultimate Video Importer

CVE-2024-9192

HIGH CVSS 8.8 2024-11-16
Open Full Technical Breakdown
Scroll to top