Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 15,036 | Critical 923 | High 3,047 | Medium 10,866
CVE-2024-7350 - Bookingpress Appointment Booking Plugin
PLUGIN Bookingpress Appointment Booking | CRITICAL CVSS 9.8 2024-08-08 | Threat Entry Updated 2024-08-08

The Appointment Booking Calendar Plugin and Online Scheduling Plugin – BookingPress plugin for WordPress is vulnerable to authentication bypass in versions 1.1.6 to 1.1.7. This is due to the plugin not properly verifying a user's identity prior to logging them in when completing a booking. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they have access to that user's email. This is only exploitable when the 'Auto login user after successful booking' setting is enabled.

CVE-2024-7561 - The Next Theme
THEME The Next | HIGH CVSS 8.8 2024-08-08 | Threat Entry Updated 2024-08-08

The The Next theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the wpeden_post_meta post meta value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVE-2024-7486 - Multipurpose Theme
THEME Multipurpose | HIGH CVSS 8.8 2024-08-08 | Threat Entry Updated 2024-08-08

The MultiPurpose theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.0 via deserialization of untrusted input through the 'wpeden_post_meta' post meta. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVE-2024-7560 - News Flash Theme
THEME News Flash | HIGH CVSS 7.2 2024-08-08 | Threat Entry Updated 2024-08-08

The News Flash theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the newsflash_post_meta meta value. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVE-2024-7355 - Organization Chart Plugin
PLUGIN Organization Chart | MEDIUM CVSS 4.9 2024-08-07 | Threat Entry Updated 2025-03-01

The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_input' and 'node_description' parameters in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure charts can be extended to subscribers.

CVE-2024-7353 - Stripe Payments Plugin
PLUGIN Stripe Payments | MEDIUM CVSS 5.4 2024-08-07 | Threat Entry Updated 2024-08-07

The Accept Stripe Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's accept_stripe_payment_ng shortcode in all versions up to, and including, 2.0.86 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6522 - Modern Events Calendar Lite Plugin
PLUGIN Modern Events Calendar Lite | HIGH CVSS 8.5 2024-08-07 | Threat Entry Updated 2025-03-01

The Modern Events Calendar plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.12.1 via the 'mec_fes_form' AJAX function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

CVE-2024-6494 - Wordpress File Upload Plugin
PLUGIN Wordpress File Upload | MEDIUM CVSS 6.1 2024-08-07 | Threat Entry Updated 2025-04-11

The WordPress File Upload WordPress plugin before 4.24.8 does not properly sanitize and escape certain parameters, which could allow unauthenticated users to execute stored cross-site scripting (XSS) attacks.

CVE-2024-3973 - House Manager Plugin
PLUGIN House Manager | MEDIUM CVSS 4.8 2024-08-07 | Threat Entry Updated 2025-05-28

The House Manager WordPress plugin through 1.0.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2024-6720 - Light Poll Plugin
PLUGIN Light Poll | HIGH CVSS 8.8 2024-08-06 | Threat Entry Updated 2024-10-28

The Light Poll WordPress plugin through 1.0.0 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks.

CVE-2024-7317 - Folders Plugin
PLUGIN Folders | MEDIUM CVSS 6.4 2024-08-06 | Threat Entry Updated 2024-11-22

The Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVE-2024-7082 - Easy Table Of Contents Plugin
PLUGIN Easy Table Of Contents | MEDIUM CVSS 6.1 2024-08-06 | Threat Entry Updated 2025-05-28

The Easy Table of Contents WordPress plugin before 2.0.68 does not sanitise and escape some parameters, which could allow users with a role as low as Editor to perform Cross-Site Scripting attacks.

CVE-2024-6766 - Shortcodes Ultimate Pro Plugin
PLUGIN Shortcodes Ultimate Pro | MEDIUM CVSS 5.4 2024-08-06 | Threat Entry Updated 2025-06-13

The shortcodes-ultimate-pro WordPress plugin before 7.2.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-7084 - Ajax Search Lite Plugin
PLUGIN Ajax Search Lite | MEDIUM CVSS 4.8 2024-08-06 | Threat Entry Updated 2025-05-28

The Ajax Search Lite WordPress plugin before 4.12.1 does not sanitise and escape some parameters, which could allow users with a role as low as Admin+ to perform Cross-Site Scripting attacks.

CVE-2024-6651 - Wordpress File Upload Plugin
PLUGIN Wordpress File Upload | MEDIUM CVSS 6.1 2024-08-06 | Threat Entry Updated 2025-04-11

The WordPress File Upload WordPress plugin before 4.24.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2024-5709 - Page Builder Plugin
PLUGIN Page Builder | HIGH CVSS 8.8 2024-08-06 | Threat Entry Updated 2025-05-28

The WPBakery Visual Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.7 via the 'layout_name' parameter. This makes it possible for authenticated attackers, with Author-level access and above, and with post permissions granted by an Administrator, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be…

CVE-2024-5708 - Wpbakery Page Builder Plugin
PLUGIN Wpbakery Page Builder | MEDIUM CVSS 6.4 2024-08-06 | Threat Entry Updated 2025-03-11

The WPBakery Visual Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in all versions up to, and including, 7.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, and with post permissions granted by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6315 - Blox Page Builder Plugin
PLUGIN Blox Page Builder | HIGH CVSS 8.8 2024-08-06 | Threat Entry Updated 2024-08-06

The Blox Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handleUploadFile' function in all versions up to, and including, 1.0.65. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVE-2023-5000 - horizontal_scrolling_announcement Plugin
PLUGIN horizontal_scrolling_announcement | HIGH CVSS 8.8 2024-08-06 | Threat Entry Updated 2024-08-06

The Horizontal scrolling announcements plugin for WordPress is vulnerable to SQL Injection via the plugin's 'hsas-shortcode' shortcode in versions up to, and including, 2.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-7485 - Traffic Manager Plugin
PLUGIN Traffic Manager | HIGH CVSS 7.2 2024-08-06 | Threat Entry Updated 2024-08-06

The Traffic Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in the 'UserWebStat' AJAX function in all versions up to, and including, 1.4.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.