Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 7481-7500 of 15036 records
Threat Entry Updated 2024-11-19

CVE-2024-9059 - Royal Elementor Addons Plugin

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Royal Elementor Addons

CVE-2024-9059

MEDIUM CVSS 6.4 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-19

CVE-2024-10877 - Advanced Form Integration Plugin

The AFI – The Easiest Integration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.92.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Advanced Form Integration

CVE-2024-10877

MEDIUM CVSS 6.1 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-19

CVE-2024-11150 - User Extra Fields Plugin

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_tmp_uploaded_file() function in all versions up to, and including, 16.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN User Extra Fields

CVE-2024-11150

CRITICAL CVSS 9.8 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-19

CVE-2024-10800 - User Extra Fields Plugin

The WordPress User Extra Fields plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the ajax_save_fields() function in all versions up to, and including, 16.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to add custom fields that can be updated and then use the check_and_overwrite_wp_or_woocommerce_fields function to update the wp_capabilities field to have administrator privileges.

PLUGIN User Extra Fields

CVE-2024-10800

HIGH CVSS 8.8 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-19

CVE-2024-10820 - Woocommerce Upload Files Plugin

The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 84.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Woocommerce Upload Files

CVE-2024-10820

CRITICAL CVSS 9.8 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-19

CVE-2024-10828 - Advanced Order Export For Woocommerce Plugin

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order export when the "Try to convert serialized values" option is enabled. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Advanced Order Export For Woocommerce

CVE-2024-10828

HIGH CVSS 8.1 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-13

CVE-2024-10816 - Luna Radio Player Plugin

The LUNA RADIO PLAYER plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.24.01.24 via the js/fallback.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Luna Radio Player

CVE-2024-10816

HIGH CVSS 7.5 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2025-06-05

CVE-2024-10802 - Hash Elements Plugin

The Hash Elements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hash_elements_get_posts_title_by_id() function in all versions up to, and including, 1.4.7. This makes it possible for unauthenticated attackers to retrieve draft post titles that should not be accessible to unauthenticated users.

PLUGIN Hash Elements

CVE-2024-10802

MEDIUM CVSS 5.3 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2025-02-05

CVE-2024-10174 - Wp Project Manager Plugin

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'Abstract_Permission' class due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugins REST routes.

PLUGIN Wp Project Manager

CVE-2024-10174

HIGH CVSS 7.3 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-13

CVE-2024-10794 - Boostify Header Footer Builder For Elementor Plugin

The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.6 via the 'bhf' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

PLUGIN Boostify Header Footer Builder For Elementor

CVE-2024-10794

MEDIUM CVSS 4.3 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-11143 - Kognetiks Chatbot Plugin

The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.8. This is due to missing or incorrect nonce validation on the update_assistant, add_new_assistant, and delete_assistant functions. This makes it possible for unauthenticated attackers to modify assistants via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Kognetiks Chatbot

CVE-2024-11143

MEDIUM CVSS 4.3 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-13

CVE-2024-10882 - Product Delivery Date For Woocommerce Lite Plugin

The Product Delivery Date for WooCommerce – Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Product Delivery Date For Woocommerce Lite

CVE-2024-10882

MEDIUM CVSS 6.1 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-10684 - Kognetiks Chatbot Plugin

The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dir' parameter in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Kognetiks Chatbot

CVE-2024-10684

MEDIUM CVSS 6.1 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-10531 - Kognetiks Chatbot Plugin

The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to update GTP assistants.

PLUGIN Kognetiks Chatbot

CVE-2024-10531

MEDIUM CVSS 5.3 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2024-10593 - Wpforms Plugin

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.1.6. This is due to missing or incorrect nonce validation on the process_admin_ui function. This makes it possible for unauthenticated attackers to delete WPForm logs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wpforms

CVE-2024-10593

MEDIUM CVSS 4.3 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-10529 - Kognetiks Chatbot Plugin

The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete GTP assistants.

PLUGIN Kognetiks Chatbot

CVE-2024-10529

MEDIUM CVSS 5.3 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-18

CVE-2024-10530 - Kognetiks Chatbot Plugin

The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the add_new_assistant() function in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to create new GTP assistants.

PLUGIN Kognetiks Chatbot

CVE-2024-10530

MEDIUM CVSS 4.3 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2024-11-13

CVE-2024-9426 - Aqua Svg Sprite Plugin

The Aqua SVG Sprite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Aqua Svg Sprite

CVE-2024-9426

MEDIUM CVSS 6.4 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2025-07-11

CVE-2024-9614 - Constant Contact Forms Plugin

The Constant Contact Forms by MailMunch plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Constant Contact Forms

CVE-2024-9614

MEDIUM CVSS 6.1 2024-11-13
Open Full Technical Breakdown
Threat Entry Updated 2025-07-09

CVE-2024-9578 - Hide Links Plugin

The Hide Links plugin for WordPress is vulnerable to unauthorized shortcode execution due to do_shortcode being hooked through the comment_text filter in all versions up to and including 1.4.2. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the target site.

PLUGIN Hide Links

CVE-2024-9578

MEDIUM CVSS 5.3 2024-11-13
Open Full Technical Breakdown
Scroll to top