Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 808 | Critical 39 | High 132 | Medium 616

Showing 1-20 of 808 records
CVE-2026-1540 (Plugin) | HIGH | CVSS 7.2 | 2026-04-02 | Entry updated 2026-04-15

The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header.
CVE-2026-2687 (Plugin) | MEDIUM | CVSS 4.3 | 2026-03-12 | Entry updated 2026-04-15

The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2026-1753 (Plugin) | MEDIUM | CVSS 6.8 | 2026-03-11 | Entry updated 2026-04-15

The Gutena Forms WordPress plugin before 1.6.1 does not validate the option to be updated, which could allow users with the Contributor role and above to update arbitrary boolean and array options (such as users_can_register).
CVE-2026-1508 (Plugin) | MEDIUM | CVSS 4.3 | 2026-03-10 | Entry updated 2026-04-15

The Court Reservation WordPress plugin before 1.10.9 does not have a CSRF check in place when deleting events, which could allow attackers to make a logged-in admin delete them via a CSRF attack.
CVE-2026-2446 (Plugin) | CRITICAL | CVSS 9.8 | 2026-03-06 | Entry updated 2026-04-15

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role) and create arbitrary admin users.
CVE-2026-2025 (Plugin) | HIGH | CVSS 7.5 | 2026-03-04 | Entry updated 2026-04-15

The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoints, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog.
CVE-2025-13355 (Plugin) | HIGH | CVSS 7.1 | 2025-12-15 | Entry updated 2025-12-15

The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2025-12684 (Plugin) | HIGH | CVSS 7.1 | 2025-12-15 | Entry updated 2025-12-15

The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross-site scripting, which could be used against high-privilege users such as admins.
CVE-2025-11363 (Plugin) | MEDIUM | CVSS 5.3 | 2025-12-15 | Entry updated 2025-12-15

The Royal Addons for Elementor WordPress plugin before 1.7.1037 does not have proper authorisation, allowing unauthenticated users to upload media files via the wpr_addons_upload_file action.
CVE-2025-10684 (Theme) | MEDIUM | CVSS 4.3 | 2025-12-12 | Entry updated 2026-01-09

The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary .
CVE-2025-12630 (Plugin) | MEDIUM | CVSS 4.9 | 2025-12-02 | Entry updated 2025-12-02

The Upload.am WordPress plugin before 1.0.1 is vulnerable to arbitrary option disclosure due to a missing capability check on its AJAX request handler, allowing users such as contributors to view site options.
CVE-2025-12061 (Plugin) | HIGH | CVSS 8.6 | 2025-11-26 | Entry updated 2026-01-09

The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements.
CVE-2025-10686 (Plugin) | HIGH | CVSS 7.2 | 2025-11-14 | Entry updated 2025-11-14

The Creta Testimonial Showcase WordPress plugin before 1.2.4 is vulnerable to Local File Inclusion. This makes it possible for authenticated attackers, with editor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
CVE-2025-10873 (Plugin) | MEDIUM | CVSS 5.3 | 2025-11-05 | Entry updated 2025-11-06

The ElementInvader Addons for Elementor WordPress plugin before 1.4.1 allows unauthenticated users to send arbitrary e-mails to arbitrary addresses due to missing authorization on the elementinvader_addons_for_elementor_forms_send_form action.
CVE-2025-11191 (Plugin) | MEDIUM | CVSS 5.3 | 2025-10-31 | Entry updated 2026-01-09

The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site.
CVE-2025-10916 (Plugin) | CRITICAL | CVSS 9.1 | 2025-10-21 | Entry updated 2025-10-21

The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
CVE-2025-9512 (Plugin) | MEDIUM | CVSS 6.1 | 2025-10-01 | Entry updated 2025-10-02

The Schema & Structured Data for WP & AMP WordPress plugin before 1.50 does not properly handle HTML tag attribute modifications, making it possible for unauthenticated attackers to conduct Stored XSS attacks via post comments.
CVE-2024-5200 (Plugin) | MEDIUM | CVSS 4.8 | 2025-09-29 | Entry updated 2025-11-13

The Postie WordPress plugin before 1.9.71 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
CVE-2025-8282 (Plugin) | LOW | CVSS 3.5 | 2025-09-23 | Entry updated 2025-11-13

The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputting them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks.
CVE-2025-9034 (Plugin) | MEDIUM | CVSS 6.1 | 2025-09-11 | Entry updated 2025-09-11

The Wp Edit Password Protected WordPress plugin before 1.3.5 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.