Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 (Critical 923, High 3,047, Medium 10,866)
Showing 8641-8660 of 15036 records
Threat Entry Updated 2025-05-16

CVE-2024-4260 - Page Builder Gutenberg Blocks Plugin

The Page Builder Gutenberg Blocks WordPress plugin before 3.1.12 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks.

PLUGIN Page Builder Gutenberg Blocks

CVE-2024-4260

MEDIUM CVSS 6.5 2024-07-23
Threat Entry Updated 2024-11-21

CVE-2024-6885 - Maxi Blocks Plugin

The MaxiBlocks: 2200+ Patterns, 190 Pages, 14.2K Icons & 100 Styles plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maxi_remove_custom_image_size and maxi_add_custom_image_size functions in all versions up to, and including, 1.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Maxi Blocks

CVE-2024-6885

HIGH CVSS 8.1 2024-07-23
Threat Entry Updated 2024-11-21

CVE-2024-6828 - Redux Framework Plugin

The Redux Framework plugin for WordPress is vulnerable to unauthenticated JSON file uploads due to missing authorization and capability checks on the Redux_Color_Scheme_Import function in versions 4.4.12 to 4.4.17. This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases when the wp_filesystem fails to initialize, Remote Code Execution.

PLUGIN Redux Framework

CVE-2024-6828

HIGH CVSS 7.2 2024-07-23
Threat Entry Updated 2025-06-10

CVE-2024-37262 - Online Booking Scheduling Calendar Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in vCita.Com Online Booking & Scheduling Calendar for WordPress by vcita allows Reflected XSS. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.4.2.

PLUGIN Online Booking Scheduling Calendar

CVE-2024-37262

HIGH CVSS 7.1 2024-07-22
Threat Entry Updated 2024-11-21

CVE-2024-37259 - Wp Extended Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WP Extended The Ultimate WordPress Toolkit – WP Extended allows Reflected XSS. This issue affects The Ultimate WordPress Toolkit – WP Extended: from n/a through 2.4.7.

PLUGIN Wp Extended

CVE-2024-37259

HIGH CVSS 7.1 2024-07-22
Threat Entry Updated 2025-03-19

CVE-2024-6244 - Pz Frontend Manager Plugin

The PZ Frontend Manager WordPress plugin before 1.0.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

PLUGIN Pz Frontend Manager

CVE-2024-6244

HIGH CVSS 8.8 2024-07-22
Threat Entry Updated 2024-11-21

CVE-2024-5973 - Masterstudy Lms Plugin

The MasterStudy LMS WordPress Plugin WordPress plugin before 3.3.24 does not prevent students from creating instructor accounts, which could be used to get access to functionalities they shouldn't have.

PLUGIN Masterstudy Lms

CVE-2024-5973

HIGH CVSS 8.8 2024-07-22
Threat Entry Updated 2024-11-21

CVE-2024-6271 - Community Events Plugin

The Community Events WordPress plugin before 1.5 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete arbitrary events via a CSRF attack.

PLUGIN Community Events

CVE-2024-6271

MEDIUM CVSS 5.4 2024-07-22
Threat Entry Updated 2026-01-30

CVE-2024-6243 - Before 1 Plugin

The HTML Forms WordPress plugin before 1.3.33 does not sanitize and escape the form message inputs, allowing high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disabled.

PLUGIN Before 1

CVE-2024-6243

MEDIUM CVSS 4.8 2024-07-22
Threat Entry Updated 2025-03-18

CVE-2024-5529 - Wp Quicklatex Plugin

The WP QuickLaTeX WordPress plugin before 3.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Wp Quicklatex

CVE-2024-5529

MEDIUM CVSS 4.8 2024-07-22
Threat Entry Updated 2024-11-21

CVE-2024-5004 - Cm Popup Plugin For Wordpress

The CM Popup Plugin for WordPress WordPress plugin before 1.6.6 does not sanitise and escape some of the campaign settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.

PLUGIN Cm Popup Plugin For Wordpress

CVE-2024-5004

MEDIUM CVSS 4.8 2024-07-22
Threat Entry Updated 2024-11-21

CVE-2024-37519 - Premium Blocks For Gutenberg Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS. This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.27.

PLUGIN Premium Blocks For Gutenberg

CVE-2024-37519

MEDIUM CVSS 6.5 2024-07-21
Threat Entry Updated 2024-11-21

CVE-2024-37556 - Wordpress Notification Bar Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SeedProd WordPress Notification Bar allows Stored XSS. This issue affects WordPress Notification Bar: from n/a through 1.3.10.

PLUGIN Wordpress Notification Bar

CVE-2024-37556

MEDIUM CVSS 5.9 2024-07-21
Threat Entry Updated 2025-03-20

CVE-2024-6848 - Post And Page Builder Plugin

The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 1.26.6 due to insufficient input sanitization and output escaping affecting the boldgrid_canvas_image AJAX endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Post And Page Builder

CVE-2024-6848

MEDIUM CVSS 6.4 2024-07-20
Threat Entry Updated 2025-04-05

CVE-2024-6497 - Seo Plugin By Squirrly Seo

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 12.3.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Seo Plugin By Squirrly Seo

CVE-2024-6497

HIGH CVSS 8.8 2024-07-20
Threat Entry Updated 2024-11-21

CVE-2024-37959 - Power Bi Embedded Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Atlas Public Policy Power BI Embedded for WordPress allows Stored XSS. This issue affects Power BI Embedded for WordPress: from n/a through 1.1.7.

PLUGIN Power Bi Embedded

CVE-2024-37959

MEDIUM CVSS 6.5 2024-07-20
Threat Entry Updated 2024-11-21

CVE-2024-37946 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in weDevs ReCaptcha Integration for WordPress allows Stored XSS. This issue affects ReCaptcha Integration for WordPress: from n/a through 1.2.5.

CORE WordPress Core

CVE-2024-37946

MEDIUM CVSS 5.9 2024-07-20
Threat Entry Updated 2024-11-21

CVE-2024-37918 - WordPress Core

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPCone.Com ConeBlog – WordPress Blog Widgets allows Stored XSS. This issue affects ConeBlog – WordPress Blog Widgets: from n/a through 1.4.8.

CORE WordPress Core

CVE-2024-37918

MEDIUM CVSS 6.5 2024-07-20
Threat Entry Updated 2025-02-11

CVE-2024-6636 - Woocommerce Social Login Plugin

The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'woo_slg_login_email' function in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to change the default role to Administrator while registering for an account.

PLUGIN Woocommerce Social Login

CVE-2024-6636

CRITICAL CVSS 9.8 2024-07-20
Threat Entry Updated 2025-02-11

CVE-2024-6637 - Woocommerce Social Login Plugin

The WooCommerce - Social Login plugin for WordPress is vulnerable to unauthenticated privilege escalation in all versions up to, and including, 2.7.3. This is due to a lack of brute force controls on a weak one-time password. This makes it possible for unauthenticated attackers to brute force the one-time password for any user, except an Administrator, if they know the email of the user.

PLUGIN Woocommerce Social Login

CVE-2024-6637

HIGH CVSS 7.3 2024-07-20