Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Showing 9141-9160 of 15036 records
Threat Entry Updated 2024-11-21

CVE-2024-2762 - Foogallery Premium Plugin

The FooGallery WordPress plugin before 2.4.15 and the foogallery-premium WordPress plugin before 2.4.15 do not validate and escape some of their Gallery settings before outputting them back in the page, which could allow users with a role as low as Author to perform Stored Cross-Site Scripting attacks that could be used against high privilege users such as admin.

PLUGIN Foogallery Premium

CVE-2024-2762

MEDIUM CVSS 5.4 2024-06-13
Threat Entry Updated 2025-03-21

CVE-2024-2098 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected files.

PLUGIN Download Manager

CVE-2024-2098

HIGH CVSS 7.5 2024-06-13
Threat Entry Updated 2026-02-25

CVE-2024-3922 - Dokan Plugin

The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the 'code' parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Dokan

CVE-2024-3922

CRITICAL CVSS 10.0 2024-06-13
Threat Entry Updated 2024-11-21

CVE-2024-37297 - Woocommerce Plugin

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions…

PLUGIN Woocommerce

CVE-2024-37297

MEDIUM CVSS 5.4 2024-06-12
Threat Entry Updated 2024-11-21

CVE-2024-5674 - Newsletter Plugin

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscriber management due to a PHP type juggling issue in the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete newsletter subscribers. This issue affects only sites running PHP versions below 8.0.

PLUGIN Newsletter

CVE-2024-5674

MEDIUM CVSS 6.5 2024-06-12
Threat Entry Updated 2024-11-21

CVE-2024-4898 - Instawp Connect Plugin

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to the InstaWP API, edit arbitrary site options and create administrator accounts.

PLUGIN Instawp Connect

CVE-2024-4898

CRITICAL CVSS 9.8 2024-06-12
Threat Entry Updated 2025-01-15

CVE-2024-3492 - Events Manager Plugin

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'event', 'location', and 'event_category' shortcodes in all versions up to, and including, 6.4.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Events Manager

CVE-2024-3492

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-03-21

CVE-2024-1766 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.2.86 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability requires social engineering to successfully exploit, and the impact would be very limited due to the attacker requiring a user to login as the user with…

PLUGIN Download Manager

CVE-2024-1766

MEDIUM CVSS 4.4 2024-06-12
Threat Entry Updated 2024-11-21

CVE-2024-4845 - Icegram Express Plugin

The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Icegram Express

CVE-2024-4845

HIGH CVSS 8.8 2024-06-12
Threat Entry Updated 2025-08-20

CVE-2024-2092 - Elementor Addon Elements Plugin

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Addon Elements

CVE-2024-2092

MEDIUM CVSS 5.4 2024-06-12
Threat Entry Updated 2024-11-21

CVE-2024-5468 - Pearl Header Builder Plugin

The WordPress Header Builder Plugin – Pearl plugin for WordPress is vulnerable to unauthorized site option deletion due to missing validation and capability checks on the stm_hb_delete() function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to delete arbitrary options, which can be used to perform a denial of service attack on a site.

PLUGIN Pearl Header Builder

CVE-2024-5468

MEDIUM CVSS 6.5 2024-06-12
Threat Entry Updated 2025-03-21

CVE-2024-5266 - Download Manager Plugin

The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via wpdm_user_dashboard, wpdm_package, wpdm_packages, wpdm_search_result, and wpdm_tag shortcodes in all versions up to, and including, 3.2.92 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Download Manager

CVE-2024-5266

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-01-29

CVE-2024-3925 - Element Pack Plugin

The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Creative Button widget in all versions up to, and including, 5.6.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Element Pack

CVE-2024-3925

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2024-11-21

CVE-2024-5892 - Addons For Divi Plugin

The Divi Torque Lite – Divi Theme and Extra Theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘support_unfiltered_files_upload’ function in all versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Addons For Divi

CVE-2024-5892

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-05-30

CVE-2024-4924 - Social Sharing Plugin

The Social Sharing Plugin WordPress plugin before 3.3.63 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Social Sharing

CVE-2024-4924

MEDIUM CVSS 6.1 2024-06-12
Threat Entry Updated 2025-02-05

CVE-2024-3559 - Custom Field Suite Plugin

The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cfs[post_content]' parameter in versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Custom Field Suite

CVE-2024-3559

MEDIUM CVSS 6.4 2024-06-12
Threat Entry Updated 2025-01-15

CVE-2024-5553 - Premium Addons For Elementor Plugin

The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via several parameters in all versions up to, and including, 4.10.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses and edits an injected element, and subsequently clicks the element with the mouse scroll wheel.

PLUGIN Premium Addons For Elementor

CVE-2024-5553

MEDIUM CVSS 4.4 2024-06-12
Threat Entry Updated 2024-11-21

CVE-2024-4564 - More Plugin

The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN More

CVE-2024-4564

MEDIUM CVSS 6.4 2024-06-12