Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 8781-8800 of 15036 records
Threat Entry Updated 2024-11-21

CVE-2024-6023 - Contentlock Plugin

The ContentLock WordPress plugin through 1.0.3 does not have CSRF check in place when adding emails, which could allow attackers to make a logged in admin perform such action via a CSRF attack

PLUGIN Contentlock

CVE-2024-6023

HIGH CVSS 8.8 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6555 - Wordpress Popup Builder Plugin

The WP Popups – WordPress Popup builder plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.2.0.1. This is due the plugin utilizing mobiledetect without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

PLUGIN Wordpress Popup Builder

CVE-2024-6555

MEDIUM CVSS 5.3 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6022 - Contentlock Plugin

The ContentLock WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

PLUGIN Contentlock

CVE-2024-6022

HIGH CVSS 8.8 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5626 - Inline Related Posts Plugin

The Inline Related Posts WordPress plugin before 3.7.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

PLUGIN Inline Related Posts

CVE-2024-5626

MEDIUM CVSS 6.1 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5811 - Simple Video Directory Plugin

The Simple Video Directory WordPress plugin before 1.4.4 does not sanitise and escape some of its settings, which could allow contributors and higher to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Simple Video Directory

CVE-2024-5811

MEDIUM CVSS 5.4 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4753 - Wp Secure Maintenance Plugin

The WP Secure Maintenance WordPress plugin before 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Wp Secure Maintenance

CVE-2024-4753

MEDIUM CVSS 4.8 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-2640 - Before 3 Plugin

The Watu Quiz WordPress plugin before 3.4.1.2 does not sanitise and escape some of its settings, which could allow users such as authors (if they've been authorized by admins) to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

PLUGIN Before 3

CVE-2024-2640

MEDIUM CVSS 5.4 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-2430 - Website Content In Page Or Post Plugin

The Website Content in Page or Post WordPress plugin before 2024.04.09 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Website Content In Page Or Post

CVE-2024-2430

MEDIUM CVSS 5.4 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-3112 - Quotes And Tips By Bestwebsoft Plugin

The Quotes and Tips by BestWebSoft WordPress plugin before 1.45 does not properly validate image files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

PLUGIN Quotes And Tips By Bestwebsoft

CVE-2024-3112

MEDIUM CVSS 4.8 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2025-06-04

CVE-2024-2696 - Socialdriver Framework Plugin

The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Socialdriver Framework

CVE-2024-2696

MEDIUM CVSS 4.8 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2025-06-10

CVE-2024-0974 - Social Media Widget Plugin

The Social Media Widget WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Social Media Widget

CVE-2024-0974

MEDIUM CVSS 4.8 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-1375 - Event Post Plugin

The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing nonce check on the save_bulkdatas function in all versions up to, and including, 5.9.5. This makes it possible for unauthenticated attackers to update post_meta_data via a forged request, granted they can trick a logged-in user into performing an action such as clicking on a link.

PLUGIN Event Post

CVE-2024-1375

MEDIUM CVSS 4.3 2024-07-12
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6392 - Sirv Plugin

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized plugin settings modification due to missing capability checks on the plugin functions in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the connected Sirv account to an attacker-controlled one.

PLUGIN Sirv

CVE-2024-6392

MEDIUM CVSS 5.4 2024-07-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6666 - Wp Erp Plugin

The WP ERP plugin for WordPress is vulnerable to SQL Injection via the ‘vendor_id’ parameter in all versions up to, and including, 1.13.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Accounting Manager access (erp_ac_view_sales_summary capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wp Erp

CVE-2024-6666

HIGH CVSS 8.8 2024-07-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6624 - Json Api User Plugin

The JSON API User plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.9.3. This is due to improper controls on custom user meta fields. This makes it possible for unauthenticated attackers to register as administrators on the site. The plugin requires the JSON API plugin to also be installed.

PLUGIN Json Api User

CVE-2024-6624

CRITICAL CVSS 9.8 2024-07-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6256 - Feeds For Youtube Plugin

The Feeds for YouTube (YouTube video, channel, and gallery plugin) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'youtube-feed' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Feeds For Youtube

CVE-2024-6256

MEDIUM CVSS 6.4 2024-07-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6138 - Secure Copy Content Protection And Content Locking Plugin

The Secure Copy Content Protection and Content Locking WordPress plugin before 4.0.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Secure Copy Content Protection And Content Locking

CVE-2024-6138

MEDIUM CVSS 4.8 2024-07-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6026 - Slider By 10web Plugin

The Slider by 10Web WordPress plugin before 1.2.56 does not sanitise and escape some of its Slide options, which could allow authenticated users with access to the Sliders (by default Administrator, however this can be changed via the Slider by 10Web WordPress plugin before 1.2.56's options) and the ability to add images (Editor+) to perform Stored Cross-Site Scripting attacks

PLUGIN Slider By 10web

CVE-2024-6026

MEDIUM CVSS 5.4 2024-07-11
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6025 - Before 9 Plugin

The Quiz and Survey Master (QSM) WordPress plugin before 9.0.5 does not sanitise and escape some of its Quiz settings, which could allow contributors and higher to perform Stored Cross-Site Scripting attacks

PLUGIN Before 9

CVE-2024-6025

MEDIUM CVSS 5.4 2024-07-11
Open Full Technical Breakdown
Scroll to top