
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 (Critical 923, High 3,047, Medium 10,866)

Showing records 7561-7580 of 15,036
Threat Entry Updated 2024-11-12

CVE-2024-10586 - Debug Tool Plugin

The Debug Tool plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the dbt_pull_image() function and missing file type validation in all versions up to, and including, 2.2. This makes it possible for unauthenticated attackers to create arbitrary files such as .php files that can be leveraged for remote code execution.

PLUGIN Debug Tool

CVE-2024-10586

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2025-01-29

CVE-2024-10285 - Ce21 Suite Plugin

The CE21 Suite plugin for WordPress is vulnerable to sensitive information disclosure via the plugin-log.txt in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to log in as the user associated with the JWT token.

PLUGIN Ce21 Suite

CVE-2024-10285

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2025-01-29

CVE-2024-10294 - Ce21 Suite Plugin

The CE21 Suite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ce21_single_sign_on_save_api_settings' function in versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to change plugin settings.

PLUGIN Ce21 Suite

CVE-2024-10294

MEDIUM CVSS 6.5 2024-11-09
Threat Entry Updated 2025-01-29

CVE-2024-10284 - Ce21 Suite Plugin

The CE21 Suite plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.2.0. This is due to a hardcoded encryption key in the 'ce21_authentication_phrase' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

PLUGIN Ce21 Suite

CVE-2024-10284

CRITICAL CVSS 9.8 2024-11-09
Threat Entry Updated 2024-11-13

CVE-2024-10325 - Elementor Header Footer Builder Plugin

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.6.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Elementor Header Footer Builder

CVE-2024-10325

MEDIUM CVSS 6.4 2024-11-08
Threat Entry Updated 2024-11-13

CVE-2024-10187 - Mycred Plugin

The myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mycred_link shortcode in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mycred

CVE-2024-10187

MEDIUM CVSS 6.4 2024-11-08
Threat Entry Updated 2024-11-13

CVE-2024-10269 - Easy Svg Support Plugin

The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Easy Svg Support

CVE-2024-10269

MEDIUM CVSS 6.4 2024-11-08
Threat Entry Updated 2025-05-15

CVE-2024-7982 - Registrations For The Events Calendar Plugin

The Registrations for the Events Calendar WordPress plugin before 2.12.4 does not sanitise and escape some parameters when accepting event registrations, which could allow unauthenticated users to perform Cross-Site Scripting attacks.

PLUGIN Registrations For The Events Calendar

CVE-2024-7982

CRITICAL CVSS 9.6 2024-11-08
Threat Entry Updated 2024-11-08

CVE-2024-10621 - Simple Shortcode For Google Maps Plugin

The Simple Shortcode for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pw_map shortcode in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Shortcode For Google Maps

CVE-2024-10621

MEDIUM CVSS 6.4 2024-11-08
Threat Entry Updated 2025-05-17

CVE-2024-8378 - Safe Svg Plugin

The Safe SVG WordPress plugin before 2.2.6 only runs its sanitisation code for paths that call wp_handle_upload, but not, for example, for code that uses wp_handle_sideload, which is often used to upload attachments via raw POST data.

PLUGIN Safe Svg

CVE-2024-8378

MEDIUM CVSS 4.8 2024-11-07
Threat Entry Updated 2025-05-28

CVE-2024-9926 - Jetpack Plugin

The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoints, allowing any authenticated user, such as a subscriber, to read arbitrary feedback data sent via the Jetpack Contact Form.

PLUGIN Jetpack

CVE-2024-9926

MEDIUM CVSS 4.3 2024-11-07
Threat Entry Updated 2025-02-05

CVE-2024-8442 - Prime Slider Plugin

The Prime Slider – Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Blog widget in all versions up to, and including, 3.15.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Prime Slider

CVE-2024-8442

MEDIUM CVSS 6.4 2024-11-07
Threat Entry Updated 2025-05-15

CVE-2024-10027 - Wp Booking Calendar Plugin

The WP Booking Calendar WordPress plugin before 10.6.3 does not sanitise and escape some of its Widgets settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Wp Booking Calendar

CVE-2024-10027

MEDIUM CVSS 4.8 2024-11-07
Threat Entry Updated 2024-11-08

CVE-2024-10186 - Event Post Plugin

The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's events_cal shortcode in all versions up to, and including, 5.9.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Event Post

CVE-2024-10186

MEDIUM CVSS 6.4 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10168 - Woot Plugin

The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's woot_button shortcode in all versions up to, and including, 1.0.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woot

CVE-2024-10168

MEDIUM CVSS 6.4 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-8323 - Easy Pricing Tables Plugin

The Pricing Tables WordPress Plugin – Easy Pricing Tables plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fontFamily’ attribute in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Pricing Tables

CVE-2024-8323

MEDIUM CVSS 6.4 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-10715 - Mappress Plugin

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Map block in all versions up to, and including, 2.94.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mappress

CVE-2024-10715

MEDIUM CVSS 6.4 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-8615 - Jobsearch Wp Job Board Plugin

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_location_load_excel_file_callback() function in all versions up to, and including, 2.6.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Jobsearch Wp Job Board

CVE-2024-8615

CRITICAL CVSS 10.0 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-8614 - Jobsearch Wp Job Board Plugin

The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle_upload() function in all versions up to, and including, 2.6.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Jobsearch Wp Job Board

CVE-2024-8614

CRITICAL CVSS 9.9 2024-11-06
Threat Entry Updated 2024-11-08

CVE-2024-9307 - Mfolio Plugin

The mFolio Lite plugin for WordPress is vulnerable to file uploads due to a missing capability check in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file or upload arbitrary EXE files on the affected site's server which may make remote code execution possible if the attacker can also gain access to run the .exe file, or trick a site visitor into downloading…

PLUGIN Mfolio

CVE-2024-9307

CRITICAL CVSS 9.9 2024-11-06