Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Threat Entry Updated 2024-10-15

CVE-2024-9232 - Download Plugins And Themes In Zip From Dashboard

The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Download Plugins And Themes In Zip From Dashboard

CVE-2024-9232

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2025-03-07

CVE-2024-9221 - Tainacan Plugin

The Tainacan plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 0.21.10. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Tainacan

CVE-2024-9221

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9051 - Wp Ultimate Post Grid Plugin

The WP Ultimate Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpupg-grid-with-filters shortcode in all versions up to, and including, 3.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Ultimate Post Grid

CVE-2024-9051

MEDIUM CVSS 6.4 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9211 - Full Customer Plugin

The FULL – Cliente plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 3.1.22. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Full Customer

CVE-2024-9211

MEDIUM CVSS 6.1 2024-10-11
Threat Entry Updated 2025-02-05

CVE-2024-8913 - Plus Addons For Elementor Plugin

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.11 via the render function in modules/widgets/tp_accordion.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.

PLUGIN Plus Addons For Elementor

CVE-2024-8913

MEDIUM CVSS 4.3 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-7514 - Comments Import Export Woocommerce Plugin

The WordPress Comments Import & Export plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation during the comments import process, in versions up to, and including, 2.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The issue was partially fixed in version 2.3.8 and fully fixed in 2.3.9.

PLUGIN Comments Import Export Woocommerce

CVE-2024-7514

MEDIUM CVSS 6.5 2024-10-11
Threat Entry Updated 2024-11-15

CVE-2024-9822 - Pedalo Connector Plugin

The Pedalo Connector plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.5. This is due to insufficient restriction on the 'login_admin_user' function. This makes it possible for unauthenticated attackers to log in as the first user, who is usually the administrator, or, if that user does not exist, as the first administrator.

PLUGIN Pedalo Connector

CVE-2024-9822

CRITICAL CVSS 9.8 2024-10-11
Threat Entry Updated 2024-10-15

CVE-2024-9796 - Wp Advanced Search Plugin

The WP-Advanced-Search WordPress plugin before 3.3.9.2 does not sanitize and escape the t parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

PLUGIN Wp Advanced Search

CVE-2024-9796

CRITICAL CVSS 9.8 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9156 - Ti Woocommerce Wishlist Plugin

The TI WooCommerce Wishlist WordPress plugin through 2.8.2 is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Ti Woocommerce Wishlist

CVE-2024-9156

HIGH CVSS 7.5 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9520 - Userplus Plugin

The UserPlus plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.0. This makes it possible for authenticated attackers with subscriber-level permissions or above, to add, modify, or delete user meta and plugin options.

PLUGIN Userplus

CVE-2024-9520

MEDIUM CVSS 6.3 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9022 - Ts Poll Plugin

The TS Poll – Survey, Versus Poll, Image Poll, Video Poll plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Ts Poll

CVE-2024-9022

HIGH CVSS 7.2 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9074 - Advanced Blocks Pro Plugin

The Advanced Blocks Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Advanced Blocks Pro

CVE-2024-9074

MEDIUM CVSS 6.4 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9067 - Youzify Plugin

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'delete_attachment' function in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments.

PLUGIN Youzify

CVE-2024-9067

MEDIUM CVSS 4.3 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-8477 - Newsletter Smtp Email Marketing And Subscribe Plugin

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formerly Sendinblue) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.87. This is due to missing or incorrect nonce validation on the Init() function. This makes it possible for unauthenticated attackers to log out of a Brevo connection via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Newsletter Smtp Email Marketing And Subscribe

CVE-2024-8477

MEDIUM CVSS 4.3 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9522 - Wp Users Masquerade Plugin

The WP Users Masquerade plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.0. This is due to incorrect authentication and capability checking in the 'ajax_masq_login' function. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.

PLUGIN Wp Users Masquerade

CVE-2024-9522

HIGH CVSS 8.8 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9581 - Shortcodes Anywhere Plugin

The Shortcodes AnyWhere plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN Shortcodes Anywhere

CVE-2024-9581

HIGH CVSS 7.3 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9685 - Notification For Telegram Plugin

The Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nftb_test_action' function in versions up to, and including, 3.3.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to send a test message via the Telegram Bot API to all users configured in the settings.

PLUGIN Notification For Telegram

CVE-2024-9685

MEDIUM CVSS 4.3 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9518 - Userplus Plugin

The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and 'userplus_update_user_profile' functions. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.

PLUGIN Userplus

CVE-2024-9518

CRITICAL CVSS 9.8 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9519 - Userplus Plugin

The UserPlus plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'save_metabox_form' function in versions up to, and including, 2.0. This makes it possible for authenticated attackers, with editor-level permissions or above, to update the registration form role to administrator, which leads to privilege escalation.

PLUGIN Userplus

CVE-2024-9519

HIGH CVSS 7.2 2024-10-10
Threat Entry Updated 2024-10-15

CVE-2024-9457 - Wp Builder Plugin

The WP Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Wp Builder

CVE-2024-9457

MEDIUM CVSS 6.4 2024-10-10