
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 443 records (Critical: 34, High: 82, Medium: 311). Showing records 1-20 of 443.
CVE-2026-3830 | HIGH, CVSS 8.6 | 2026-04-13 | Plugin, before 3 | Threat entry updated 2026-04-15

The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks.

CVE-2026-1890 | MEDIUM, CVSS 5.3 | 2026-03-26 | Plugin, before 3 | Threat entry updated 2026-04-15

The LeadConnector WordPress plugin before 3.0.22 does not perform an authorization check on a REST route, allowing unauthenticated users to call it and overwrite existing data.

CVE-2026-1430 | MEDIUM, CVSS 4.8 | 2026-03-26 | Plugin, before 3 | Threat entry updated 2026-04-15

The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2025-15396 | HIGH, CVSS 7.1 | 2026-02-02 | Plugin, before 3 | Threat entry updated 2026-02-03

The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2025-15030 | CRITICAL, CVSS 9.8 | 2026-02-02 | Plugin, before 3 | Threat entry updated 2026-02-03

The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing an unauthenticated attacker who knows a username (such as an administrator's) to reset that user's password with a few requests and therefore gain access to the account.

CVE-2025-14973 | MEDIUM, CVSS 6.8 | 2026-01-26 | Plugin, before 3 | Threat entry updated 2026-01-26

The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks.

CVE-2025-9543 | LOW, CVSS 3.5 | 2026-01-05 | Plugin, before 3 | Threat entry updated 2026-01-08

The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2025-13456 | MEDIUM, CVSS 6.1 | 2026-01-02 | Plugin, before 3 | Threat entry updated 2026-01-02

The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2025-14072 | MEDIUM, CVSS 5.3 | 2026-01-02 | Plugin, before 3 | Threat entry updated 2026-01-09

The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API, which can then be used to read form submissions.

CVE-2025-13029 | HIGH, CVSS 7.5 | 2025-12-31 | Plugin, before 3 | Threat entry updated 2026-01-02

The Knowband Mobile App Builder WordPress plugin before 3.0.0 does not have authorisation when deleting users via its REST API, allowing unauthenticated attackers to delete arbitrary users.

CVE-2025-12057 | CRITICAL, CVSS 9.8 | 2025-11-19 | Plugin, before 3 | Threat entry updated 2026-01-09

The WavePlayer WordPress plugin before 3.8.0 does not perform an authorization check in an AJAX action and does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary files to the server, which can lead to RCE.

CVE-2025-11560 | HIGH, CVSS 7.1 | 2025-11-12 | Plugin, before 3 | Threat entry updated 2025-12-19

The Team Members Showcase WordPress plugin before 3.5.0 does not sanitize and escape a parameter before outputting it back in the page, leading to reflected cross-site scripting, which could be used against high-privilege users such as admins.

CVE-2025-10567 | MEDIUM, CVSS 6.3 | 2025-11-05 | Plugin, before 3 | Threat entry updated 2025-11-06

The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users.

CVE-2025-10874 | MEDIUM, CVSS 5.5 | 2025-10-24 | Plugin, before 3 | Threat entry updated 2026-01-09

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit the URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery, as the user may force the server to access any URL of their choosing.

CVE-2025-10406 | MEDIUM, CVSS 5.5 | 2025-10-15 | Plugin, before 3 | Threat entry updated 2026-01-09

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include functions, allowing any authenticated user, such as a contributor, to perform LFI attacks.

CVE-2025-9115 | MEDIUM, CVSS 5.6 | 2025-09-22 | Plugin, before 3 | Threat entry updated 2025-09-22

The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

CVE-2025-9541 | MEDIUM, CVSS 4.7 | 2025-09-22 | Plugin, before 3 | Threat entry updated 2025-09-22

The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2025-9540 | MEDIUM, CVSS 4.7 | 2025-09-22 | Plugin, before 3 | Threat entry updated 2025-09-22

The Markup Markdown WordPress plugin before 3.20.10 allows links to contain JavaScript, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2025-9083 | CRITICAL, CVSS 9.8 | 2025-09-18 | Plugin, before 3 | Threat entry updated 2025-12-23

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via a form field, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.