Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 9061-9080 of 15036 records
Threat Entry Updated 2024-11-21

CVE-2024-4787 - WordPress Core

The Cost Calculator Builder PRO for WordPress is vulnerable to arbitrary email sending vulnerability in versions up to, and including, 3.1.75. This is due to insufficient limitations on the email recipient and the content in the 'send_pdf' and the 'send_pdf_front' functions which are reachable via AJAX. This makes it possible for unauthenticated attackers to send emails with any content to any recipient.

CORE WordPress Core

CVE-2024-4787

MEDIUM CVSS 5.8 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4873 - Replace Image Plugin

The Replace Image plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.10 via the image replacement functionality due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to replace images uploaded by higher level users such as admins.

PLUGIN Replace Image

CVE-2024-4873

MEDIUM CVSS 4.3 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-3984 - Embedalbum Pro Plugin

The EmbedSocial – Social Media Feeds, Reviews and Galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embedsocial_reviews' shortcode in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Embedalbum Pro

CVE-2024-3984

MEDIUM CVSS 6.4 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4450 - Aliexpress Dropshipping With Alinext Plugin

The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several actions like importing and modifying products.

PLUGIN Aliexpress Dropshipping With Alinext

CVE-2024-4450

MEDIUM CVSS 6.3 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4541 - Custom Product List Table Plugin

The Custom Product List Table plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation when modifying products. This makes it possible for unauthenticated attackers to add, delete, bulk edit, approve or cancel products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Custom Product List Table

CVE-2024-4541

MEDIUM CVSS 4.3 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-2381 - Aliexpress Dropshipping With Alinext Plugin

The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Aliexpress Dropshipping With Alinext

CVE-2024-2381

HIGH CVSS 8.8 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-6125 - Login With Phone Number Plugin

The Login with phone number plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 1.7.34. This is due to the plugin generating too weak a reset code, and the code used to reset the password has no attempt or time limit. This makes it possible for unauthenticated attackers to reset the password of arbitrary users by guessing a 6-digit numeric reset code.

PLUGIN Login With Phone Number

CVE-2024-6125

HIGH CVSS 8.1 2024-06-19
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5970 - Maxgalleria Plugin

The MaxGalleria plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's maxgallery_thumb shortcode in all versions up to, and including, 6.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Maxgalleria

CVE-2024-5970

MEDIUM CVSS 6.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5533 - Divi Plugin

The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.25.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Divi

CVE-2024-5533

MEDIUM CVSS 6.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2025-03-18

CVE-2024-4094 - Simple Share Buttons Adder Plugin

The Simple Share Buttons Adder WordPress plugin before 8.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

PLUGIN Simple Share Buttons Adder

CVE-2024-4094

MEDIUM CVSS 5.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5172 - Expert Invoice Plugin

The Expert Invoice WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Expert Invoice

CVE-2024-5172

MEDIUM CVSS 4.8 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-3276 - Foobox Image Lightbox Premium Plugin

The Lightbox & Modal Popup WordPress Plugin WordPress plugin before 2.7.28, foobox-image-lightbox-premium WordPress plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Foobox Image Lightbox Premium

CVE-2024-3276

MEDIUM CVSS 4.8 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2023-5527 - Business Directory Plugin

The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.3 via the class-csv-exporter.php file. This allows authenticated attackers, with author-level permissions and above, to embed untrusted input into CSV files exported by administrators, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

PLUGIN Business Directory

CVE-2023-5527

HIGH CVSS 7.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5860 - Tickera Plugin

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tc_dl_delete_tickets AJAX action in all versions up to, and including, 3.5.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all tickets associated with events.

PLUGIN Tickera

CVE-2024-5860

MEDIUM CVSS 4.3 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-5541 - Ibtana Plugin

The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ibtana_visual_editor_register_ajax_json_endpont' function in all versions up to, and including, 1.2.3.3. This makes it possible for unauthenticated attackers to update option values for reCAPTCHA keys on the WordPress site. This can be leveraged to bypass reCAPTCHA on the site.

PLUGIN Ibtana

CVE-2024-5541

MEDIUM CVSS 5.3 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-1634 - Scheduling Plugin Online Booking

The Scheduling Plugin – Online Booking for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'cbsb_disconnect_settings' function in all versions up to, and including, 3.5.10. This makes it possible for unauthenticated attackers to disconnect the plugin from the startbooking service and remove connection data.

PLUGIN Scheduling Plugin Online Booking

CVE-2024-1634

MEDIUM CVSS 6.5 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-4375 - Master Slider Plugin

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ms_layer' shortcode in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on the 'css_id' user supplied attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Slider

CVE-2024-4375

MEDIUM CVSS 6.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2024-11-21

CVE-2024-0845 - Pdf Viewer For Elementor Plugin

The PDF Viewer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the render function in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pdf Viewer For Elementor

CVE-2024-0845

MEDIUM CVSS 6.4 2024-06-18
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-4305 - Post Grid Gutenberg Blocks And Wordpress Blog Plugin

The Post Grid Gutenberg Blocks and WordPress Blog Plugin WordPress plugin before 4.1.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

PLUGIN Post Grid Gutenberg Blocks And Wordpress Blog

CVE-2024-4305

MEDIUM CVSS 6.8 2024-06-17
Open Full Technical Breakdown
Threat Entry Updated 2025-05-13

CVE-2024-3236 - Popup Builder Plugin

The Popup Builder WordPress plugin before 1.1.33 does not sanitise and escape some of its Notification fields, which could allow users such as contributor and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Popup Builder

CVE-2024-3236

MEDIUM CVSS 5.4 2024-06-17
Open Full Technical Breakdown
Scroll to top