
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 8241-8260 of 15036 records
Threat Entry Updated 2025-05-16

CVE-2024-7891 - Floating Contact Button Plugin

The Floating Contact Button WordPress plugin before 2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN Floating Contact Button

CVE-2024-7891

MEDIUM CVSS 4.8 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-8268 - Frontend Dashboard Plugin

The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to call arbitrary functions that can be leveraged for privilege escalation by changing users' passwords.

PLUGIN Frontend Dashboard

CVE-2024-8268

HIGH CVSS 8.8 2024-09-10
Threat Entry Updated 2024-09-26

CVE-2024-8478 - The Affiliate Super Assistent Plugin

The 'The Affiliate Super Assistent' plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Affiliate Super Assistent

CVE-2024-8478

HIGH CVSS 7.3 2024-09-10
Threat Entry Updated 2024-10-07

CVE-2024-7688 - Azindex Plugin

The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, which could allow attackers to make a logged-in admin delete arbitrary indexes via a CSRF attack.

PLUGIN Azindex

CVE-2024-7688

MEDIUM CVSS 6.5 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-7918 - Pocket Widget Plugin

The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Pocket Widget

CVE-2024-7918

MEDIUM CVSS 4.8 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-6910 - EventON Plugin

The EventON WordPress plugin before 2.2.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PLUGIN EventON

CVE-2024-6910

MEDIUM CVSS 4.8 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-7689 - Snapshot Backup Plugin

The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Snapshot Backup

CVE-2024-7689

MEDIUM CVSS 4.3 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-7687 - Azindex Plugin

The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.

PLUGIN Azindex

CVE-2024-7687

MEDIUM CVSS 4.3 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-5561 - Popup Maker Plugin

The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Popup Maker

CVE-2024-5561

MEDIUM CVSS 4.8 2024-09-09
Threat Entry Updated 2024-10-07

CVE-2024-6928 - Opti Marketing Plugin

The Opti Marketing WordPress plugin through 2.0.9 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Opti Marketing

CVE-2024-6928

CRITICAL CVSS 9.8 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6924 - TrueBooker Plugin

The TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN TrueBooker

CVE-2024-6924

CRITICAL CVSS 9.8 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6859 - Wp Multitasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Wp Multitasking

CVE-2024-6859

MEDIUM CVSS 5.4 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6925 - TrueBooker Plugin

The TrueBooker WordPress plugin before 1.0.3 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN TrueBooker

CVE-2024-6925

MEDIUM CVSS 4.3 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6856 - Wp Multitasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Wp Multitasking

CVE-2024-6856

MEDIUM CVSS 4.3 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6855 - Wp Multitasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check when updating exit popups, which could allow attackers to make logged-in admins perform such actions via a CSRF attack.

PLUGIN Wp Multitasking

CVE-2024-6855

MEDIUM CVSS 4.3 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6853 - Wp Multitasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check when updating welcome popups, which could allow attackers to make logged-in admins perform such actions via a CSRF attack.

PLUGIN Wp Multitasking

CVE-2024-6853

MEDIUM CVSS 4.3 2024-09-08
Threat Entry Updated 2024-09-11

CVE-2024-6852 - Wp Multitasking Plugin

The WP MultiTasking WordPress plugin through 0.1.12 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.

PLUGIN Wp Multitasking

CVE-2024-6852

MEDIUM CVSS 4.3 2024-09-08
Threat Entry Updated 2024-09-26

CVE-2024-7112 - Pinpoint Booking System Plugin

The Pinpoint Booking System – #1 WordPress Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'schedule' parameter in all versions up to, and including, 2.9.9.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Pinpoint Booking System

CVE-2024-7112

HIGH CVSS 8.8 2024-09-07
Threat Entry Updated 2025-07-10

CVE-2024-7620 - Customizer Export Import Plugin

The Customizer Export/Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the '_import' function in all versions up to, and including, 0.9.7. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: This vulnerability is only exploitable when used in conjunction with a race condition as the uploaded file is deleted shortly after it is created.

PLUGIN Customizer Export Import

CVE-2024-7620

MEDIUM CVSS 6.6 2024-09-07
Threat Entry Updated 2024-10-23

CVE-2024-6010 - Cost Calculator Builder Plugin

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'create_cc_order' function, called from the Cost Calculator Builder plugin. This makes it possible for unauthenticated attackers to manipulate the price of orders submitted via the calculator. Note: this vulnerability was partially patched with the release of Cost Calculator Builder version 3.2.17.

PLUGIN Cost Calculator Builder

CVE-2024-6010

MEDIUM CVSS 5.3 2024-09-07