
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-10-10

CVE-2024-8433 - Themehunk Megamenu Plus Plugin

The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'themehunk_megamenu_bg_image' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that 1.1.0 only partially addressed this by adding a previously missing authorization check.

PLUGIN Themehunk Megamenu Plus

CVE-2024-8433

MEDIUM CVSS 6.4 2024-10-08
Threat Entry Updated 2024-10-10

CVE-2024-8629 - Multicurrency With Wpml Plugin

The WooCommerce Multilingual & Multicurrency with WPML plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.3.7. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Multicurrency With Wpml

CVE-2024-8629

MEDIUM CVSS 6.1 2024-10-08
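The add_query_arg() pattern named in the WooCommerce Multilingual entry above is one of the most common reflected-XSS sources in WordPress plugins. The following is an added example, not code from that plugin: a currency-switcher link builder in its vulnerable and hardened forms. It assumes it runs inside WordPress (add_query_arg, esc_url, esc_html and add_shortcode are core functions); the function and shortcode names are hypothetical.

```php
<?php
/**
 * Added example (not code from the WooCommerce Multilingual & Multicurrency
 * plugin): how add_query_arg() becomes a reflected-XSS source and how to
 * escape it. Runs inside WordPress; example_* names are hypothetical.
 */

// VULNERABLE: when no $url argument is given, add_query_arg() rebuilds the
// link from $_SERVER['REQUEST_URI']. It parses the existing query string
// (percent-decoding it) and rebuilds it with build_query(), which does NOT
// URL- or HTML-encode. A request such as
//   /shop/?x=%22%3E%3Csvg%20onload%3Dalert(1)%3E
// therefore comes back as  ?x="><svg onload=alert(1)>  inside the attribute.
function example_currency_switcher_vulnerable( array $currencies ) {
    $out = '';
    foreach ( $currencies as $code ) {
        $href = add_query_arg( 'currency', $code );          // attacker-influenced
        $out .= '<a href="' . $href . '">' . $code . '</a> ';
    }
    return $out;
}

// HARDENED: the link is still derived from the request, but esc_url() strips
// characters that are not valid in a URL (quotes, angle brackets, spaces) and
// removes disallowed schemes before the value reaches an attribute. The value
// we add is rawurlencode()d ourselves because add_query_arg() will not do it,
// and the link text goes through esc_html().
function example_currency_switcher_hardened( array $currencies ) {
    $out = '';
    foreach ( $currencies as $code ) {
        $href = esc_url( add_query_arg( 'currency', rawurlencode( $code ) ) );
        $out .= '<a href="' . $href . '">' . esc_html( $code ) . '</a> ';
    }
    return $out;
}

// Hypothetical shortcode wiring so the hardened builder is reachable.
add_shortcode( 'example_currency_switcher', function () {
    return example_currency_switcher_hardened( array( 'USD', 'EUR', 'GBP' ) );
} );
```

The fix is an output-context decision, not input filtering: the same add_query_arg() result must be wrapped in esc_url() when it lands in an href, and in esc_url_raw() only when it is used in a redirect or HTTP header rather than in HTML.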
Threat Entry Updated 2025-02-20

CVE-2024-8943 - Latepoint Plugin

The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability…

PLUGIN Latepoint

CVE-2024-8943

CRITICAL CVSS 9.8 2024-10-08
Threat Entry Updated 2025-02-20

CVE-2024-8911 - Latepoint Plugin

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note that changing a WordPress user's password is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. Without this setting enabled, only…

PLUGIN Latepoint

CVE-2024-8911

CRITICAL CVSS 9.8 2024-10-08
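Both LatePoint entries above describe the same root problem in a "booking customer" step: the server trusts a client-supplied WordPress user identity and then acts on it, once by logging that account in and once by writing its password through a non-parameterised query. The following is an added example, not LatePoint's code, showing that shape next to a hardened handler. It assumes it runs inside WordPress (wp_set_auth_cookie, wp_authenticate, wp_set_password, $wpdb->prepare and the wp_ajax hooks are core); the hook, table and field names are hypothetical.

```php
<?php
/**
 * Added example (not LatePoint's code): a booking-customer AJAX step that
 * trusts a posted wp_user_id, versus one that verifies identity first.
 * Runs inside WordPress; example_* names and the example_bookings table are
 * hypothetical.
 */

// VULNERABLE: identity comes from the request, and SQL is built by hand.
function example_booking_customer_step_vulnerable() {
    global $wpdb;
    $user_id  = $_POST['wp_user_id'];              // attacker-chosen, e.g. "1"
    $password = $_POST['password'];

    // Authentication bypass: any existing account, including an administrator,
    // is logged in with nothing more than its numeric id.
    wp_set_auth_cookie( $user_id );

    // SQL injection: $user_id is concatenated into the WHERE clause unescaped,
    // so the UPDATE can be steered at any row.
    $wpdb->query( "UPDATE {$wpdb->users} SET user_pass = '" . wp_hash_password( $password )
        . "' WHERE ID = " . $user_id );
}

// HARDENED: the only accepted identities are an already authenticated session
// or credentials checked with wp_authenticate(). Password changes go through
// wp_set_password(); remaining SQL uses $wpdb->prepare() placeholders.
function example_booking_customer_step_hardened() {
    global $wpdb;
    check_ajax_referer( 'example_booking_customer', 'nonce' );   // CSRF token

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        $login = isset( $_POST['user_login'] ) ? wp_unslash( $_POST['user_login'] ) : '';
        $pass  = isset( $_POST['password'] ) ? $_POST['password'] : '';
        $user  = wp_authenticate( $login, $pass );       // WP_User or WP_Error
        if ( is_wp_error( $user ) ) {
            wp_send_json_error( 'invalid credentials', 401 );
        }
        $user_id = (int) $user->ID;
        wp_set_current_user( $user_id );
        wp_set_auth_cookie( $user_id );
    }

    // A password change is allowed only for the verified owner of the session.
    if ( ! empty( $_POST['new_password'] ) ) {
        wp_set_password( $_POST['new_password'], $user_id );   // hashes and stores
    }

    // If the plugin must query its own table, bind every value with a placeholder.
    $bookings = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}example_bookings WHERE wp_user_id = %d",
        $user_id
    ) );
    wp_send_json_success( array( 'user_id' => $user_id, 'bookings' => $bookings ) );
}
add_action( 'wp_ajax_nopriv_example_booking_customer', 'example_booking_customer_step_hardened' );
add_action( 'wp_ajax_example_booking_customer', 'example_booking_customer_step_hardened' );
```

The check a reviewer would apply to any handler of this kind: every call to wp_set_auth_cookie() must be preceded, in the same request, by something that proves the caller owns that account (a password check, a signed one-time token, or an existing session), never by a lookup of a user id the client sent.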
Threat Entry Updated 2025-12-05

CVE-2024-8964 - Sirv Plugin

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Sirv

CVE-2024-8964

MEDIUM CVSS 6.4 2024-10-08
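SVG is XML, and a stored SVG served from the media library executes any script, event handler or javascript: link it contains in the site's origin, which is the mechanism behind the Sirv entry above. The following is an added example, not code from the Sirv plugin: a small DOM-based SVG sanitizer that runs stand-alone in plain PHP (ext-dom), plus the upload hook that would apply it inside WordPress. The malicious SVG is constructed for the demo.

```php
<?php
/**
 * Added example (not code from the Sirv plugin): strip active content from an
 * uploaded SVG. Runs stand-alone; the wp_handle_upload_prefilter hook is only
 * registered when WordPress is loaded. The payload below is constructed.
 */

function example_sanitize_svg( string $svg ): ?string {
    if ( $svg === '' ) {
        return null;
    }
    // Elements that execute script or embed foreign/animated content.
    $blocked_elements = array( 'script', 'foreignobject', 'iframe', 'embed', 'object', 'animate', 'set' );
    // URL-bearing attributes whose scheme must be checked.
    $url_attributes   = array( 'href', 'xlink:href', 'src' );

    if ( PHP_VERSION_ID < 80000 ) {
        libxml_disable_entity_loader( true );        // XXE guard on older PHP
    }
    $dom = new DOMDocument();
    $dom->preserveWhiteSpace = false;
    // LIBXML_NONET forbids network access; LIBXML_NOENT is deliberately absent
    // so entities are not substituted.
    $loaded = $dom->loadXML( $svg, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING );
    if ( ! $loaded || $dom->documentElement === null
        || strtolower( $dom->documentElement->localName ) !== 'svg' ) {
        return null;                                  // not an SVG: reject
    }

    // Snapshot the node list first; removing nodes while iterating a live
    // NodeList skips siblings.
    $elements = array();
    foreach ( ( new DOMXPath( $dom ) )->query( '//*' ) as $el ) {
        $elements[] = $el;
    }
    foreach ( $elements as $el ) {
        if ( in_array( strtolower( $el->localName ), $blocked_elements, true ) ) {
            $el->parentNode->removeChild( $el );
            continue;
        }
        $attrs = array();
        foreach ( $el->attributes as $attr ) {
            $attrs[] = $attr;
        }
        foreach ( $attrs as $attr ) {
            $aname  = strtolower( $attr->nodeName );
            $avalue = strtolower( preg_replace( '/\s+/', '', $attr->nodeValue ) );
            if ( strpos( $aname, 'on' ) === 0 ) {
                $el->removeAttributeNode( $attr );    // onload, onclick, ...
            } elseif ( in_array( $aname, $url_attributes, true )
                && ( strpos( $avalue, 'javascript:' ) === 0 || strpos( $avalue, 'data:' ) === 0 ) ) {
                $el->removeAttributeNode( $attr );    // script or data URLs
            }
        }
    }
    return $dom->saveXML();
}

// Constructed malicious SVG: root onload, <script>, javascript: link.
$constructed_svg = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    . '<script>alert(2)</script>'
    . '<a xlink:href="javascript:alert(3)"><text x="10" y="20">hi</text></a>'
    . '<rect width="10" height="10"/></svg>';
echo example_sanitize_svg( $constructed_svg ), PHP_EOL;
// Output keeps <svg>, <a><text>, <rect>; onload, <script> and xlink:href are gone.

// Integration inside WordPress: sanitize on upload, or refuse the file.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
        if ( strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) ) === 'svg' ) {
            $clean = example_sanitize_svg( (string) file_get_contents( $file['tmp_name'] ) );
            if ( $clean === null ) {
                $file['error'] = 'Rejected: not a well-formed SVG.';  // aborts the upload
            } else {
                file_put_contents( $file['tmp_name'], $clean );
            }
        }
        return $file;
    } );
}
```

Two caveats a practitioner should weigh: the data: check also drops legitimate embedded raster images in <image href="data:image/png;...">, so relax it to an allowlist of image media types if the site needs them; and serving user SVGs from a separate cookieless origin (or with Content-Disposition: attachment) removes the impact even when a sanitizer misses something.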
Threat Entry Updated 2024-10-10

CVE-2024-9292 - Bridge Core Plugin

The Bridge Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formforall' shortcode in versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bridge Core

CVE-2024-9292

MEDIUM CVSS 6.4 2024-10-08
Threat Entry Updated 2025-06-09

CVE-2024-9021 - Relevanssi Plugin

During testing of the Relevanssi WordPress plugin before 4.23.1, a Stored XSS vulnerability was found that allows a user with Contributor-level access or above to embed a malicious script, which can be leveraged for account takeover.

PLUGIN Relevanssi

CVE-2024-9021

MEDIUM CVSS 5.4 2024-10-08
Threat Entry Updated 2025-09-30

CVE-2024-8983 - Custom Twitter Feeds Plugin

Custom Twitter Feeds WordPress plugin before 2.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Custom Twitter Feeds

CVE-2024-8983

MEDIUM CVSS 4.8 2024-10-08
Threat Entry Updated 2024-10-07

CVE-2024-47327 - GEO my WordPress Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eyal Fitoussi GEO my WordPress allows Reflected XSS. This issue affects GEO my WordPress: from n/a through 4.5.0.3.

PLUGIN GEO my WordPress

CVE-2024-47327

HIGH CVSS 7.1 2024-10-06
Threat Entry Updated 2024-10-07

CVE-2024-47368 - Premium Blocks Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS. This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.33.

PLUGIN Premium Blocks

CVE-2024-47368

MEDIUM CVSS 6.5 2024-10-06
Threat Entry Updated 2024-10-07

CVE-2024-47386 - WP Extended Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Extended The Ultimate WordPress Toolkit – WP Extended allows Reflected XSS. This issue affects The Ultimate WordPress Toolkit – WP Extended: from n/a through 3.0.8.

PLUGIN WP Extended

CVE-2024-47386

HIGH CVSS 7.1 2024-10-05
Threat Entry Updated 2024-10-07

CVE-2024-47647 - Helpie Accordion & FAQ Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HelpieWP Accordion & FAQ – Helpie WordPress Accordion FAQ Plugin allows Stored XSS. This issue affects Accordion & FAQ – Helpie WordPress Accordion FAQ Plugin: from n/a through 1.27.

PLUGIN Helpie Accordion & FAQ

CVE-2024-47647

MEDIUM CVSS 5.9 2024-10-05
Threat Entry Updated 2026-02-20

CVE-2024-47638 - Online Booking Scheduling Calendar Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita Online Booking & Scheduling Calendar for WordPress by vcita allows Reflected XSS. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.6.

PLUGIN Online Booking Scheduling Calendar

CVE-2024-47638

HIGH CVSS 7.1 2024-10-05
Threat Entry Updated 2024-10-07

CVE-2024-44018 - Instant Chat Floating Button Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Istmo Plugins Instant Chat Floating Button for WordPress Websites allows PHP Local File Inclusion. This issue affects Instant Chat Floating Button for WordPress Websites: from n/a through 1.0.5.

PLUGIN Instant Chat Floating Button

CVE-2024-44018

HIGH CVSS 7.5 2024-10-05
Threat Entry Updated 2025-01-29

CVE-2024-9314 - Rank Math SEO Plugin

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.228 via deserialization of untrusted input in the 'set_redirections' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve…

PLUGIN Rank Math SEO

CVE-2024-9314

HIGH CVSS 7.2 2024-10-05
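The entry above makes the point that an unserialize() sink is dangerous even when the vulnerable plugin has no gadget of its own: the gadget only has to be loadable from any other installed plugin or theme. The following is an added example, not Rank Math's code, that runs stand-alone on PHP 7.3 or later. ExampleGadget is a constructed stand-in for such a third-party class, the payload is constructed, and the handler names are hypothetical.

```php
<?php
/**
 * Added example (not Rank Math's code): unserialize() on untrusted input as
 * an object-injection sink, and two ways to close it. Stand-alone, PHP >= 7.3.
 * ExampleGadget stands in for a class some other installed plugin provides.
 */

// Constructed stand-in for a POP gadget: a magic method with a side effect.
// The vulnerable code never references this class; being loadable is enough.
class ExampleGadget {
    public $path = '';
    public function __destruct() {
        // A real chain would do unlink($this->path), file_put_contents, etc.
        echo "ExampleGadget::__destruct would act on: {$this->path}\n";
    }
}

// Constructed payload an attacker could submit as "redirections" data.
// O:<len>:"<class>":<nprops>:{<props>}  -- lengths must match exactly.
$constructed_payload = 'O:13:"ExampleGadget":1:{s:4:"path";s:13:"/etc/hostname";}';

// VULNERABLE: any loadable class may be instantiated; its magic methods run.
function example_set_redirections_vulnerable( string $raw ) {
    return unserialize( $raw );
}

// HARDENED (a): keep the format but forbid object instantiation. Objects in
// the payload become __PHP_Incomplete_Class and no magic methods execute.
function example_set_redirections_no_objects( string $raw ) {
    return unserialize( $raw, array( 'allowed_classes' => false ) );
}

// HARDENED (b): change the wire format. JSON cannot express PHP objects.
function example_set_redirections_json( string $raw ): array {
    $data = json_decode( $raw, true, 16, JSON_THROW_ON_ERROR );
    if ( ! is_array( $data ) ) {
        throw new InvalidArgumentException( 'redirections must be a JSON array' );
    }
    return $data;
}

echo get_class( example_set_redirections_vulnerable( $constructed_payload ) ), "\n";
// ExampleGadget  (its __destruct fires when the object is released)
echo get_class( example_set_redirections_no_objects( $constructed_payload ) ), "\n";
// __PHP_Incomplete_Class

// Inside WordPress: keep the capability check (the original sink required an
// administrator) AND fix the sink, since admin-only does not make unserialize safe.
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_example_set_redirections', function () {
        check_ajax_referer( 'example_set_redirections', 'nonce' );
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        $raw = isset( $_POST['data'] ) ? wp_unslash( $_POST['data'] ) : '';
        wp_send_json_success( example_set_redirections_json( $raw ) );
    } );
}
```

Option (a) is the minimal patch when the stored format cannot change; option (b) is preferable for new code. Either way, grep the plugin for unserialize( and maybe_unserialize( on request-derived data, because WordPress's maybe_unserialize() is a plain unserialize() without the allowed_classes restriction.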
Threat Entry Updated 2025-01-29

CVE-2024-9161 - Rank Math SEO Plugin

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'update_metadata' function in all versions up to, and including, 1.0.228. This makes it possible for unauthenticated attackers to insert new and update existing metadata beginning with 'rank_math', and delete arbitrary existing user metadata and term metadata. Deleting existing usermeta can cause a loss of access to the administrator dashboard for any registered users, including Administrators.

PLUGIN Rank Math SEO

CVE-2024-9161

MEDIUM CVSS 6.5 2024-10-05
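The entry above is a missing-authorization bug with an unusual impact: because WordPress stores roles in the wp_capabilities user meta, an endpoint that lets anyone delete arbitrary usermeta can lock administrators out. The following is an added example, not Rank Math's code, of a metadata AJAX endpoint written the way the advisory describes, beside a hardened version. It assumes it runs inside WordPress; the action names and the example_ key prefix are hypothetical.

```php
<?php
/**
 * Added example (not Rank Math's code): a metadata AJAX endpoint without
 * authorization, and the hardened form. Runs inside WordPress; example_*
 * action and key names are hypothetical.
 */

// VULNERABLE: reachable by logged-out users (nopriv), no nonce, no capability
// check, and object type, id, key and operation all come from the request.
// POST objectType=user&objectID=1&metaKey=wp_capabilities&metaValue=
// deletes the administrator's role assignment.
add_action( 'wp_ajax_nopriv_example_update_metadata', 'example_update_metadata_vulnerable' );
add_action( 'wp_ajax_example_update_metadata', 'example_update_metadata_vulnerable' );
function example_update_metadata_vulnerable() {
    $type  = $_POST['objectType'];                  // 'user', 'term', 'post'
    $id    = (int) $_POST['objectID'];
    $key   = $_POST['metaKey'];
    $value = $_POST['metaValue'];
    if ( $value === '' ) {
        delete_metadata( $type, $id, $key );
    } else {
        update_metadata( $type, $id, $key, $value );
    }
    wp_send_json_success();
}

// HARDENED: authenticated hook only, nonce, object-type allowlist, capability
// checked against the specific object, and keys confined to the plugin prefix.
add_action( 'wp_ajax_example_update_metadata_safe', 'example_update_metadata_hardened' );
function example_update_metadata_hardened() {
    check_ajax_referer( 'example_update_metadata', 'nonce' );

    $type  = isset( $_POST['objectType'] ) ? sanitize_key( $_POST['objectType'] ) : '';
    $id    = isset( $_POST['objectID'] ) ? absint( $_POST['objectID'] ) : 0;
    $key   = isset( $_POST['metaKey'] ) ? sanitize_key( $_POST['metaKey'] ) : '';
    $value = isset( $_POST['metaValue'] ) ? sanitize_text_field( wp_unslash( $_POST['metaValue'] ) ) : '';

    // 1. Only keys this plugin owns. wp_capabilities, session_tokens and every
    //    other core key are out of reach regardless of who is calling.
    if ( strpos( $key, 'example_' ) !== 0 ) {
        wp_send_json_error( 'key not allowed', 400 );
    }

    // 2. Capability check scoped to the object being edited, not a global role test.
    $allowed = false;
    switch ( $type ) {
        case 'post':
            $allowed = current_user_can( 'edit_post', $id );
            break;
        case 'term':
            $term    = get_term( $id );
            $allowed = $term && ! is_wp_error( $term ) && current_user_can( 'edit_term', $id );
            break;
        case 'user':
            $allowed = current_user_can( 'edit_user', $id );
            break;
    }
    if ( ! $id || ! $allowed ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Same operations as before, now on an authorized object and owned key.
    if ( $value === '' ) {
        delete_metadata( $type, $id, $key );
    } else {
        update_metadata( $type, $id, $key, $value );
    }
    wp_send_json_success();
}
```

Note that restricting the key prefix is what the advisory's "beginning with 'rank_math'" wording hints at: a prefix check on writes is not enough if deletes skip it, so the same allowlist has to guard every branch of the handler.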
Threat Entry Updated 2025-02-27

CVE-2024-9417 - Hash Form Plugin

The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to limited file uploads due to a misconfigured file type validation in the 'handleUpload' function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to upload files that are excluded from both the 'allowedExtensions' and 'unallowed_extensions' arrays on the affected site's server, including files that may contain cross-site scripting.

PLUGIN Hash Form

CVE-2024-9417

MEDIUM CVSS 6.1 2024-10-05
Threat Entry Updated 2025-05-22

CVE-2024-8486 - Shortcodes And Extra Features For Phlox Theme

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in the Modern Heading and Icon Picker widgets in all versions up to, and including, 2.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Shortcodes And Extra Features For Phlox Theme

CVE-2024-8486

MEDIUM CVSS 6.4 2024-10-05
Threat Entry Updated 2024-10-07

CVE-2024-8743 - Bit File Manager Plugin

The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to Limited JavaScript File Upload in all versions up to, and including, 6.5.7. This is due to a lack of proper checks on allowed file types. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an administrator, to upload .css and .js files, which could lead to Stored Cross-Site Scripting.

PLUGIN Bit File Manager

CVE-2024-8743

MEDIUM CVSS 6.8 2024-10-05
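The Hash Form and Bit File Manager entries above are both file-type validation failures, and the Hash Form wording ("files that are excluded from both the 'allowedExtensions' and 'unallowed_extensions' arrays") describes the classic denylist-plus-allowlist mistake. The following is an added example, not code from either plugin, that runs stand-alone in plain PHP: the broken check shape next to an allowlist check that also handles case and double extensions, with a WordPress-only content check when available. The file names are constructed.

```php
<?php
/**
 * Added example (not code from Hash Form or Bit File Manager): a denylist-
 * biased upload check versus a strict allowlist check. Stand-alone; the
 * wp_check_filetype_and_ext() call only runs inside WordPress. Names are
 * constructed for the demo.
 */

// VULNERABLE: the OR makes the allowlist decorative. Any extension that is
// merely absent from the denylist (.svg, .htm, .js, .xml ...) is accepted,
// and a browser will render several of those as active content.
function example_is_allowed_upload_vulnerable( string $filename ): bool {
    $allowedExtensions    = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf' );
    $unallowed_extensions = array( 'php', 'phtml', 'exe', 'sh' );
    $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    return in_array( $ext, $allowedExtensions, true )
        || ! in_array( $ext, $unallowed_extensions, true );
}

// HARDENED: allowlist only; lower-case; every dot-separated segment after the
// stem must be allowed, so "shell.php.jpg" is refused along with "x.svg";
// and, inside WordPress, the sniffed MIME type must agree with the extension.
function example_is_allowed_upload_hardened( string $filename, ?string $tmp_path = null ): bool {
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf' );
    $base    = basename( $filename );
    $parts   = explode( '.', strtolower( $base ) );
    if ( count( $parts ) < 2 || $parts[0] === '' ) {
        return false;                                 // no extension, or a dotfile
    }
    array_shift( $parts );                            // drop the stem
    foreach ( $parts as $segment ) {
        if ( ! in_array( $segment, $allowed, true ) ) {
            return false;                             // "photo.backup.jpg" is also refused;
        }                                             // run names through sanitize_file_name() first
    }
    if ( $tmp_path !== null && function_exists( 'wp_check_filetype_and_ext' ) ) {
        $check = wp_check_filetype_and_ext( $tmp_path, $base );   // WordPress only
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            return false;                             // content does not match the claimed type
        }
    }
    return true;
}

// Constructed sample names.
$samples = array( 'photo.JPG', 'evil.svg', 'page.htm', 'site.js', 'shell.php.jpg', 'shell.phtml', 'report.pdf' );
foreach ( $samples as $name ) {
    printf( "%-14s vulnerable=%-4s hardened=%s\n", $name,
        example_is_allowed_upload_vulnerable( $name ) ? 'pass' : 'deny',
        example_is_allowed_upload_hardened( $name ) ? 'pass' : 'deny' );
}
// evil.svg, page.htm, site.js and shell.php.jpg pass the vulnerable check and
// fail the hardened one; photo.JPG and report.pdf pass both; shell.phtml fails both.
```

The allowlist also answers the Bit File Manager case by construction: .css and .js are simply not in the set a non-administrator may upload. Where a file manager must allow them for trusted roles, the upload directory should additionally be served with X-Content-Type-Options: nosniff and outside any path the theme includes.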
Threat Entry Updated 2025-02-06

CVE-2024-9528 - Fluent Forms Plugin

The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form label fields in all versions up to, and including, 5.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with access to edit forms (administrator by default), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Fluent Forms

CVE-2024-9528

MEDIUM CVSS 4.9 2024-10-05