Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 records (Critical: 923, High: 3,047, Medium: 10,866)
Showing 8921-8940 of 15036 records

CVE-2024-5790 - Happy Addons For Elementor Plugin
PLUGIN Happy Addons For Elementor | MEDIUM CVSS 6.4 | 2024-06-29 | Threat Entry Updated 2024-11-21

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5666 - Extensions For Elementor Plugin
PLUGIN Extensions For Elementor | MEDIUM CVSS 6.4 | 2024-06-29 | Threat Entry Updated 2024-11-21

The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6265 - Userswp Plugin
PLUGIN Userswp | CRITICAL CVSS 9.8 | 2024-06-29 | Threat Entry Updated 2024-11-21

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwp_sort_by’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2024-5889 - Events Manager Plugin
PLUGIN Events Manager | MEDIUM CVSS 6.1 | 2024-06-29 | Threat Entry Updated 2024-11-21

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-5942 - Page And Post Clone Plugin
PLUGIN Page And Post Clone | MEDIUM CVSS 4.3 | 2024-06-29 | Threat Entry Updated 2024-11-21

The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to clone and read private posts.

CVE-2024-5598 - Advanced File Manager Plugin
PLUGIN Advanced File Manager | HIGH CVSS 7.5 | 2024-06-29 | Threat Entry Updated 2024-11-21

The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive information if the files have been moved to the built-in Trash folder.

CVE-2024-5192 - Funnel Builder Plugin
PLUGIN Funnel Builder | MEDIUM CVSS 6.4 | 2024-06-29 | Threat Entry Updated 2024-11-21

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6405 - Floating Social Buttons Plugin
PLUGIN Floating Social Buttons | MEDIUM CVSS 6.1 | 2024-06-29 | Threat Entry Updated 2024-11-21

The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the floating_social_buttons_option() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2024-5925 - Theron Lite Theme
THEME Theron Lite | MEDIUM CVSS 6.4 | 2024-06-28 | Threat Entry Updated 2024-11-21

The Theron Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5922 - Scylla Lite Theme
THEME Scylla Lite | MEDIUM CVSS 6.4 | 2024-06-28 | Threat Entry Updated 2024-11-21

The Scylla lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5662 - Ultimate Post Kit Plugin
PLUGIN Ultimate Post Kit | MEDIUM CVSS 6.4 | 2024-06-28 | Threat Entry Updated 2024-11-21

The Ultimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the Social Count (Static) widget in all versions up to, and including, 3.11.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5424 - Simply Gallery Block Plugin
PLUGIN Simply Gallery Block | MEDIUM CVSS 6.4 | 2024-06-28 | Threat Entry Updated 2024-11-21

The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video, YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘galleryID’ and 'className' parameters in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-6288 - Enhanced E Commerce For Woocommerce Store Plugin
PLUGIN Enhanced E Commerce For Woocommerce Store | MEDIUM CVSS 4.7 | 2024-06-28 | Threat Entry Updated 2025-07-01

The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tiktok_user_id’ parameter in all versions up to, and including, 7.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-5796 - Infinite Theme
THEME Infinite | MEDIUM CVSS 6.4 | 2024-06-28 | Threat Entry Updated 2024-11-21

The Infinite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘project_url’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-5788 - Silesia Theme
THEME Silesia | MEDIUM CVSS 6.4 | 2024-06-28 | Threat Entry Updated 2024-11-21

The Silesia theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ attribute within the theme's Button shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-2795 - Seo Simple Pack Plugin
PLUGIN Seo Simple Pack | MEDIUM CVSS 5.3 | 2024-06-28 | Threat Entry Updated 2024-11-21

The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. This makes it possible for unauthenticated attackers to extract limited information about password protected posts.

CVE-2024-5570 - Simple Photoswipe Plugin
PLUGIN Simple Photoswipe | MEDIUM CVSS 6.5 | 2024-06-28 | Threat Entry Updated 2025-05-19

The Simple Photoswipe WordPress plugin through 0.1 does not have an authorisation check when updating its settings, which could allow any authenticated user, such as a subscriber, to update them.

CVE-2024-5730 - Pagerank Tools Plugin
PLUGIN Pagerank Tools | MEDIUM CVSS 6.1 | 2024-06-28 | Threat Entry Updated 2025-05-19

The Pagerank tools WordPress plugin through 1.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2024-5729 - Simple Al Slider Plugin
PLUGIN Simple Al Slider | MEDIUM CVSS 6.1 | 2024-06-28 | Threat Entry Updated 2025-05-19

The Simple AL Slider WordPress plugin through 1.2.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2024-5728 - Animated Al List Plugin
PLUGIN Animated Al List | MEDIUM CVSS 5.4 | 2024-06-28 | Threat Entry Updated 2025-05-19

The Animated AL List WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.