
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10 | Critical: 1 | High: 0 | Medium: 8 (showing 1-10 of 10 records)
CVE-2025-14270 - Security Plugin
Threat entry updated 2026-02-19

The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.

Severity: LOW (CVSS 2.7) | Date: 2026-02-19
CVE-2025-14845 - Security Plugin
Threat entry updated 2026-01-08

The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request, provided they can trick an administrator into performing an action such as clicking on a link.

Severity: MEDIUM (CVSS 4.3) | Date: 2026-01-07
CVE-2025-13728 - Security Plugin
Threat entry updated 2025-12-15

The FluentAuth – The Ultimate Authorization & Security Plugin for WordPress plugin is vulnerable to Stored Cross-Site Scripting via the plugin's `fluent_auth_reset_password` shortcode in all versions up to, and including, 2.0.3, due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.

Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-15
CVE-2025-14393 - Security Plugin
Threat entry updated 2025-12-12

The Wpik WordPress Basic Ajax Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dname' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: MEDIUM (CVSS 6.4) | Date: 2025-12-12
CVE-2025-11885 - Security Plugin
Threat entry updated 2025-11-21

The EchBay Admin Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_ebnonce' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Severity: MEDIUM (CVSS 6.1) | Date: 2025-11-21
CVE-2025-12589 - Security Plugin
Threat entry updated 2025-11-12

The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages via a forged request, provided they can trick an administrator into performing an action such as clicking on a link.

Severity: MEDIUM (CVSS 6.1) | Date: 2025-11-11
CVE-2025-6722 - Security Plugin
Threat entry updated 2025-08-25

The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5 via the bitfire_* directory that automatically gets created and stores potentially sensitive files without any access restrictions. This makes it possible for unauthenticated attackers to extract sensitive data from various files like config.ini, debug.log, and more when directory listing is enabled on the server and the ~/wp-content/plugins/index.php file is missing or ignored.

Severity: MEDIUM (CVSS 5.3) | Date: 2025-08-02
CVE-2025-6895 - Security Plugin
Threat entry updated 2025-07-29

The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user.

Severity: CRITICAL (CVSS 9.8) | Date: 2025-07-26
CVE-2022-2877 - Security Plugin
Threat entry updated 2024-11-21

The Titan Anti-spam & Security WordPress plugin before 7.3.1 does not properly check HTTP headers in order to validate the origin IP address, allowing threat actors to bypass its block feature by spoofing the headers.

Severity: MEDIUM (CVSS 5.3) | Date: 2022-09-16