Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036
Critical: 923
High: 3,047
Medium: 10,866
Showing 8621-8640 of 15036 records
Threat Entry Updated 2024-11-21

CVE-2024-3896 - Robo Gallery Plugin

The Photo Gallery, Images, Slider in Rbs Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery title field in all versions up to, and including, 3.2.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Robo Gallery

CVE-2024-3896

MEDIUM CVSS 6.4 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6896 - Accelerated Mobile Pages Plugin

The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.96.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Accelerated Mobile Pages

CVE-2024-6896

MEDIUM CVSS 6.4 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6930 - Booking Calendar Plugin

The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute within the plugin's bookingform shortcode in all versions up to, and including, 10.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Booking Calendar

CVE-2024-6930

MEDIUM CVSS 6.4 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6629 - All In One Video Gallery Plugin

The All-in-One Video Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Video shortcode in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN All In One Video Gallery

CVE-2024-6629

MEDIUM CVSS 6.4 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6571 - Optimize Images Alt Text Alt Tag Names For Seo Using Ai Plugin

The Optimize Images ALT Text (alt tag) & names for SEO using AI plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.1.1. This is due to the plugin utilizing cocur and not preventing direct access to the generate-default.php file. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an…

PLUGIN Optimize Images Alt Text Alt Tag Names For Seo Using Ai

CVE-2024-6571

MEDIUM CVSS 5.3 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6553 - Wp Meteor Plugin

The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.3. This is due to the plugin utilizing wpdesk and leaving test files with display_errors on. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Wp Meteor

CVE-2024-6553

MEDIUM CVSS 5.3 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6836 - Funnel Builder Plugin

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple functions in all versions up to, and including, 3.4.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to update multiple settings, including templates, designs, checkouts, and other plugin settings.

PLUGIN Funnel Builder

CVE-2024-6836

MEDIUM CVSS 4.3 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6094 - WP ULike Plugin

The WP ULike WordPress plugin before 4.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN WP ULike

CVE-2024-6094

MEDIUM CVSS 4.8 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-3246 - Litespeed Cache Plugin

The LiteSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0.1. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the token setting and inject malicious JavaScript via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Litespeed Cache

CVE-2024-3246

MEDIUM CVSS 6.1 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-5861 - Wp Easypay Plugin

The WP EasyPay – Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpep_square_disconnect() function in all versions up to, and including, 4.2.3. This makes it possible for unauthenticated attackers to disconnect square.

PLUGIN Wp Easypay

CVE-2024-5861

MEDIUM CVSS 5.3 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-7027 - Woocommerce Pdf Vouchers Plugin

The WooCommerce - PDF Vouchers plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.9.3. This is due to insufficient verification on the user being supplied during a QR code login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing Voucher Vendor user on the site, if they have access to the user id.

PLUGIN Woocommerce Pdf Vouchers

CVE-2024-7027

HIGH CVSS 7.3 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6756 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpw_auto_poster_get_image_path' function in all versions up to, and including, 5.3.14. This makes it possible for authenticated attackers, with Contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. An attacker can use CVE-2024-6754 to exploit with subscriber-level access.

PLUGIN Social Auto Poster

CVE-2024-6756

HIGH CVSS 8.8 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6753 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mapTypes’ parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX function in all versions up to, and including, 5.3.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Auto Poster

CVE-2024-6753

HIGH CVSS 7.2 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6755 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the ‘wpw_auto_poster_quick_delete_multiple’ function in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to delete arbitrary posts.

PLUGIN Social Auto Poster

CVE-2024-6755

MEDIUM CVSS 6.5 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6752 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wp_name’ parameter in the 'wpw_auto_poster_map_wordpress_post_type' AJAX function in all versions up to, and including, 5.3.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Auto Poster

CVE-2024-6752

MEDIUM CVSS 6.4 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6754 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wpw_auto_poster_update_tweet_template’ function in all versions up to, and including, 5.3.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary post metadata.

PLUGIN Social Auto Poster

CVE-2024-6754

MEDIUM CVSS 5.4 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6750 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.3.14. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.

PLUGIN Social Auto Poster

CVE-2024-6750

HIGH CVSS 7.3 2024-07-24
Threat Entry Updated 2024-11-21

CVE-2024-6751 - Social Auto Poster Plugin

The Social Auto Poster plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.3.14. This is due to missing or incorrect nonce validation on multiple functions. This makes it possible for unauthenticated attackers to add, modify, or delete post meta and plugin options.

PLUGIN Social Auto Poster

CVE-2024-6751

MEDIUM CVSS 6.3 2024-07-24
Threat Entry Updated 2025-08-25

CVE-2024-6420 - Hide My Wp Ghost Plugin

The Hide My WP Ghost WordPress plugin before 5.2.02 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.

PLUGIN Hide My Wp Ghost

CVE-2024-6420

HIGH CVSS 8.6 2024-07-23
Threat Entry Updated 2025-05-20

CVE-2024-6231 - Request A Quote Plugin

The Request a Quote WordPress plugin before 2.4.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Request A Quote

CVE-2024-6231

MEDIUM CVSS 5.9 2024-07-23