Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 563 entries (Critical 20, High 112, Medium 421)
CVE-2026-3881 - Performance Monitor WordPress plugin through 1.0.6

The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks.

Severity MEDIUM, CVSS 5.8. Published 2026-03-31. Threat entry updated 2026-04-15.
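The fix for this bug class is to validate the destination before the server fetches it and to use the HTTP client that re-validates on redirect. The following is an added illustration, not the Performance Monitor plugin's code; it assumes a WordPress runtime (wp_parse_url, wp_http_validate_url, wp_safe_remote_get, check_ajax_referer and current_user_can are core functions), and the `pm_probe` action, the `pm_probe_nonce` nonce and the `target` parameter are hypothetical names.

```php
<?php
// Added illustration for the CVE-2026-3881 class; not the plugin's own code.
// Assumes a WordPress runtime. Action, nonce and parameter names are hypothetical.

// Returns the URL if it is http(s), carries no credentials, and resolves only
// to public addresses; null otherwise.
function pm_validate_outbound_url( string $url ) : ?string {
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) || empty( $parts['scheme'] ) ) {
        return null;
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return null;                                   // no file://, gopher://, php:// ...
    }
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return null;
    }
    // Core check: rejects loopback and RFC 1918 ranges and non-standard ports
    // (unless the 'http_request_host_is_external' filter allows them).
    if ( ! wp_http_validate_url( $url ) ) {
        return null;
    }
    // Belt and braces for what core does not cover (e.g. 169.254.169.254):
    // resolve the host and refuse private or reserved addresses. IPv4 only;
    // a dual-stack host needs the same check on its AAAA records.
    $addresses = gethostbynamel( $parts['host'] );
    if ( ! $addresses ) {
        return null;
    }
    foreach ( $addresses as $ip ) {
        if ( false === filter_var( $ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) ) {
            return null;
        }
    }
    return $url;
}

// No wp_ajax_nopriv_ registration: an unauthenticated endpoint that fetches
// attacker-chosen URLs is exactly the bug class described above.
add_action( 'wp_ajax_pm_probe', 'pm_probe_handler' );

function pm_probe_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'pm_probe_nonce', 'nonce' );

    $url = pm_validate_outbound_url( (string) ( $_POST['target'] ?? '' ) );
    if ( null === $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    // wp_safe_remote_get() re-validates each redirect target, so a 302 from a
    // public host to an internal address is refused; wp_remote_get() would follow it.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( array( 'status' => wp_remote_retrieve_response_code( $response ) ) );
}
```

Resolving the host in the validator and again in the HTTP client leaves a DNS-rebinding window between the two lookups; if the feature must reach arbitrary hosts, pin the resolved address for the actual request or route it through an egress proxy that enforces the same policy.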
CVE-2026-2418 - Login with Salesforce WordPress plugin through 1.0.2

The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the target user's email address.

Severity CRITICAL, CVSS 9.1. Published 2026-03-05. Threat entry updated 2026-04-15.
CVE-2026-1542 - Super Stage WP WordPress plugin through 1.0.1

The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via $_REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Severity MEDIUM, CVSS 6.5. Published 2026-02-28. Threat entry updated 2026-04-15.
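The "suitable gadget" caveat is what makes this class so site-dependent: the plugin itself may contain nothing exploitable, but any class on the site with a `__wakeup()` or `__destruct()` method becomes reachable once attacker-controlled bytes hit unserialize(). The following is an added illustration in plain PHP, not the Super Stage WP plugin's code; the `state` parameter name and the `Gadget` class are constructed for the demo.

```php
<?php
// Added illustration for the CVE-2026-1542 class; not the plugin's own code.
// Plain PHP (7.4+). The 'state' parameter and the Gadget class are constructed.

// Vulnerable pattern: attacker controls the serialized string, so any class
// on the site with __wakeup()/__destruct() becomes a gadget.
function vulnerable_load_state() {
    return unserialize( $_REQUEST['state'] );
}

// true if any (incomplete) object survives anywhere in the decoded structure.
function contains_object( $value ) : bool {
    if ( is_object( $value ) ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $v ) {
            if ( contains_object( $v ) ) {
                return true;
            }
        }
    }
    return false;
}

// Hardened: allowed_classes=false turns every object in the payload into
// __PHP_Incomplete_Class, so no magic method runs; max_depth bounds nesting.
// Anything that still carries an object is rejected outright. For new code
// prefer JSON, which cannot express objects with behaviour at all.
function safe_load_state( string $raw ) : ?array {
    $data = @unserialize( $raw, array( 'allowed_classes' => false, 'max_depth' => 16 ) );
    if ( ! is_array( $data ) || contains_object( $data ) ) {
        return null;
    }
    return $data;
}

// Constructed gadget: harmless here, but shows the hook an attacker would use.
class Gadget {
    public function __wakeup() { echo "gadget ran\n"; }
}

$hostile = serialize( array( 'theme' => 'dark', 'obj' => new Gadget() ) );
$benign  = serialize( array( 'theme' => 'dark' ) );

var_dump( safe_load_state( $hostile ) ); // NULL, and "gadget ran" is never printed
var_dump( safe_load_state( $benign ) );  // array(1) { ["theme"]=> string(4) "dark" }
```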
CVE-2025-14892 - Prime Listing Manager WordPress plugin through 1.1

The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret.

Severity CRITICAL, CVSS 9.8. Published 2026-02-12. Threat entry updated 2026-02-12.
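A secret that ships inside the plugin is the same on every installation, so reading the source once authorises the attacker everywhere. The following is an added illustration, not the Prime Listing Manager plugin's code; it assumes a WordPress runtime, and the option name `plm_api_secret`, the `X-PLM-Secret` header and the `plm/v1/sync` route are hypothetical.

```php
<?php
// Added illustration for the CVE-2025-14892 class; not the plugin's own code.
// Assumes a WordPress runtime. Option, header and route names are hypothetical.

// Vulnerable pattern: one secret baked into the source, compared with ===.
define( 'PLM_SHARED_SECRET', 'change-me' ); // hypothetical stand-in for a baked-in value

function plm_vulnerable_authorised() : bool {
    return ( $_SERVER['HTTP_X_PLM_SECRET'] ?? '' ) === PLM_SHARED_SECRET;
}

// Hardened: a per-installation secret generated from the CSPRNG at activation,
// stored in the database rather than the source, compared in constant time.
function plm_get_secret() : string {
    $secret = get_option( 'plm_api_secret' );
    if ( ! is_string( $secret ) || strlen( $secret ) < 64 ) {
        $secret = bin2hex( random_bytes( 32 ) );              // 256 bits
        update_option( 'plm_api_secret', $secret, false );    // autoload = false
    }
    return $secret;
}
register_activation_hook( __FILE__, 'plm_get_secret' );

function plm_request_authorised() : bool {
    $presented = (string) ( $_SERVER['HTTP_X_PLM_SECRET'] ?? '' );
    // hash_equals() does not leak the position of the first mismatch via timing.
    return hash_equals( plm_get_secret(), $presented );
}

// Even a valid secret must not mint an administrator session. Scope it to the
// one operation the integration needs and run that as a service action.
add_action( 'rest_api_init', function () {
    register_rest_route( 'plm/v1', '/sync', array(
        'methods'             => 'POST',
        'permission_callback' => 'plm_request_authorised',
        'callback'            => function ( WP_REST_Request $req ) {
            $listings = (array) $req->get_param( 'listings' );
            // Never wp_set_current_user( 1 ) here to "become admin" on the
            // strength of a shared secret; act on the listings directly.
            return rest_ensure_response( array( 'received' => count( $listings ) ) );
        },
    ) );
} );
```

Rotate the stored secret when the integration is reconfigured, and treat it like a password in backups and exports: the hardening above removes the "same everywhere" property, not the need to protect the value on each site.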
CVE-2025-15491 - Post Slides WordPress plugin through 1.0.1

The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include functions, allowing any authenticated user with the Contributor role or higher to perform LFI attacks.

Severity MEDIUM, CVSS 5.5. Published 2026-02-07. Threat entry updated 2026-02-09.
CVE-2025-14316 - AhaChat Messenger Marketing WordPress plugin through 1.1

The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity HIGH, CVSS 7.1. Published 2026-01-26. Threat entry updated 2026-01-26.
CVE-2025-12573 - Bookingor WordPress plugin through 1.0.12

The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete the plugin's data.

Severity MEDIUM, CVSS 6.5. Published 2026-01-20. Threat entry updated 2026-01-26.
CVE-2025-12685 - WPBookit WordPress plugin through 1.0.7

The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.

Severity MEDIUM, CVSS 6.5. Published 2026-01-02. Threat entry updated 2026-01-02.
CVE-2025-14313 - Advance WP Query Search Filter WordPress plugin through 1.0.10

The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity MEDIUM, CVSS 6.1. Published 2025-12-30. Threat entry updated 2025-12-31.
CVE-2025-14312 - Advance WP Query Search Filter WordPress plugin through 1.0.10

The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity MEDIUM, CVSS 6.1. Published 2025-12-30. Threat entry updated 2025-12-31.
CVE-2025-12820 - Pure WC Variation Swatches WordPress plugin through 1.1.7

The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated user to update them.

Severity MEDIUM, CVSS 5.3. Published 2025-12-20. Threat entry updated 2025-12-23.
CVE-2025-12696 - HelloLeads CRM Form Shortcode WordPress plugin through 1.0

The HelloLeads CRM Form Shortcode WordPress plugin through 1.0 does not have authorisation or CSRF checks when resetting its settings, allowing unauthenticated users to reset them.

Severity MEDIUM, CVSS 5.3. Published 2025-12-14. Threat entry updated 2025-12-15.
CVE-2025-9116 - WPS Visitor Counter Plugin WordPress plugin through 1.4.8

The WPS Visitor Counter Plugin WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

Severity MEDIUM, CVSS 5.8. Published 2025-12-13. Threat entry updated 2025-12-15.
CVE-2025-13071 - Custom Admin Menu WordPress plugin through 1.0.0

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Severity HIGH, CVSS 7.1. Published 2025-12-09. Threat entry updated 2026-01-09.
CVE-2025-13001 - donation WordPress plugin through 1.0

The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin, to perform SQL injection attacks.

Severity MEDIUM, CVSS 4.1. Published 2025-12-02. Threat entry updated 2026-01-30.
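In WordPress the sink is normally `$wpdb->get_results()` (or `query()`) fed a string built with interpolation; the fix is `$wpdb->prepare()` for values, an allow-list for anything that has to be an identifier, and `$wpdb->esc_like()` for LIKE patterns. The following is an added illustration, not the donation plugin's code; it assumes a WordPress runtime, and the `{prefix}donations` table, its columns and the `don_lookup` admin-post action are hypothetical.

```php
<?php
// Added illustration for the CVE-2025-13001 class; not the plugin's own code.
// Assumes a WordPress runtime ($wpdb). Table, column and action names are hypothetical.

// Vulnerable pattern: the parameter is interpolated straight into SQL.
function don_vulnerable_lookup( string $status ) : array {
    global $wpdb;
    return (array) $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}donations WHERE status = '$status'", ARRAY_A );
}

// Hardened: values go through prepare() placeholders; identifiers cannot be
// bound (WordPress 6.2+ adds %i for that), so the sort column is allow-listed;
// LIKE patterns are escaped with esc_like() before the wildcards are appended.
function don_lookup( string $status, string $email_fragment = '',
                     string $order_by = 'created_at', int $limit = 50 ) : array {
    global $wpdb;
    if ( ! in_array( $order_by, array( 'created_at', 'amount' ), true ) ) {
        $order_by = 'created_at';
    }
    $limit = max( 1, min( 500, $limit ) );
    $like  = '%' . $wpdb->esc_like( $email_fragment ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, donor_email, amount FROM {$wpdb->prefix}donations
         WHERE status = %s AND donor_email LIKE %s
         ORDER BY {$order_by} DESC LIMIT %d",
        $status,
        $like,
        $limit
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// The CVSS 4.1 reflects that only high-privilege users reach the sink; keep it
// that way, since an admin-targeted XSS or CSRF elsewhere would chain into it.
add_action( 'admin_post_don_lookup', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', 403 );
    }
    check_admin_referer( 'don_lookup' );
    $rows = don_lookup(
        sanitize_text_field( wp_unslash( $_GET['status'] ?? '' ) ),
        sanitize_text_field( wp_unslash( $_GET['email'] ?? '' ) ),
        (string) ( $_GET['order'] ?? '' ),
        absint( $_GET['limit'] ?? 50 )
    );
    wp_send_json( $rows );
} );
```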
CVE-2025-11237 - Make Email Customizer for WooCommerce WordPress plugin through 1.0.6

The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options.

Severity MEDIUM, CVSS 5.3. Published 2025-11-11. Threat entry updated 2025-11-12.
CVE-2025-11072 - MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7

The MelAbu WP Download Counter Button WordPress plugin through 1.8.6.7 does not validate the path of files to be downloaded, which could allow an unauthenticated attacker to read/download arbitrary files.

Severity MEDIUM, CVSS 5.3. Published 2025-11-05. Threat entry updated 2025-11-06.
CVE-2025-10636 - NS Maintenance Mode for WP WordPress plugin through 1.3.1

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Severity LOW, CVSS 3.5. Published 2025-10-30. Threat entry updated 2025-10-30.
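Six entries on this page are output-escaping bugs: the reflected ones (CVE-2025-14316, -14313, -14312, -9116 and -13071) echo a request parameter or $_SERVER['REQUEST_URI'] unescaped, and this stored one saves a setting without sanitising it so that a user who lacks unfiltered_html can still plant script. The following is an added illustration of both patterns beside their hardened forms, not code from any of those plugins; it assumes a WordPress runtime (the esc_* family, sanitize_text_field, wp_kses_post and register_setting are core), and the `msg` parameter, the `ns_settings` option and its fields are hypothetical.

```php
<?php
// Added illustration for the reflected and stored XSS entries above; not any
// plugin's own code. Assumes a WordPress runtime. Parameter and option names
// are hypothetical.

// Reflected pattern: request data written into two different HTML contexts.
function vulnerable_banner() : void {
    echo '<div class="msg">' . $_GET['msg'] . '</div>';                  // text context
    echo '<form action="' . $_SERVER['REQUEST_URI'] . '">';              // attribute context
}

// Hardened: sanitise on input, then escape for the exact context at output time.
// Modern browsers percent-encode quotes in the path, which is why the REQUEST_URI
// case is rated for "old web browsers"; the server must not rely on that.
function hardened_banner() : void {
    $msg = sanitize_text_field( wp_unslash( $_GET['msg'] ?? '' ) );
    echo '<div class="msg">' . esc_html( $msg ) . '</div>';
    // esc_url() both validates the scheme and escapes for attribute context.
    echo '<form action="' . esc_url( $_SERVER['REQUEST_URI'] ) . '">';
    // Other contexts need their own escaper; attributes are not text.
    echo '<input type="hidden" name="q" value="' . esc_attr( $msg ) . '">';
}

// Stored pattern: settings saved verbatim and echoed verbatim. Hardened by a
// sanitize_callback on the option, so what reaches the database is already
// limited, independent of whether the saving user has unfiltered_html.
function ns_sanitize_settings( $input ) : array {
    $input = is_array( $input ) ? $input : array();
    return array(
        'title'   => sanitize_text_field( $input['title'] ?? '' ),   // plain text only
        'message' => wp_kses_post( $input['message'] ?? '' ),        // post-safe HTML, no <script>, no on* handlers
    );
}
add_action( 'admin_init', function () {
    register_setting( 'ns_settings_group', 'ns_settings',
        array( 'sanitize_callback' => 'ns_sanitize_settings' ) );
} );

// Escape again on output: the database is not a trusted source either
// (imports, direct SQL and older plugin versions all bypass the callback).
function ns_render_maintenance_page() : void {
    $s = (array) get_option( 'ns_settings', array() );
    echo '<h1>' . esc_html( $s['title'] ?? '' ) . '</h1>';
    echo wp_kses_post( (string) ( $s['message'] ?? '' ) );
}
```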
CVE-2025-10638 - NS Maintenance Mode for WP WordPress plugin through 1.3.1

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 lacks authorization in its subscriber export function, allowing unauthenticated attackers to download a list of a site's subscribers containing their name and email address.

Severity MEDIUM, CVSS 5.3. Published 2025-10-22. Threat entry updated 2025-10-22.
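This entry and five others above (CVE-2025-12573 Bookingor, CVE-2025-12685 WPBookit, CVE-2025-12820 Pure WC Variation Swatches, CVE-2025-12696 HelloLeads, CVE-2025-11237 Make Email Customizer) are the same missing-check family: an AJAX or admin action registered for any logged-in user, or for logged-out users via `wp_ajax_nopriv_`, with no capability check, no nonce, and in the option-update case no restriction on which option may be written. The following is an added illustration of the vulnerable shape beside the hardened one, not code from any of those plugins; it assumes a WordPress runtime, and the action names, option names and nonces are hypothetical.

```php
<?php
// Added illustration for the missing authorization / CSRF entries above; not
// any plugin's own code. Assumes a WordPress runtime. Action, option and nonce
// names are hypothetical.

// Vulnerable shape: reachable by any authenticated user (or anyone, with the
// _nopriv hook) and trusts the option name and value from the request.
add_action( 'wp_ajax_vuln_save', function () {
    update_option( $_POST['name'], $_POST['value'] );          // arbitrary option write
    wp_send_json_success();
} );
add_action( 'wp_ajax_nopriv_vuln_export', function () {         // unauthenticated export
    wp_send_json( get_users( array( 'fields' => array( 'display_name', 'user_email' ) ) ) );
} );

// Hardened shape: three checks, in this order.
//  1. capability  - who may do this at all (authorization)
//  2. nonce       - the request came from this site's own UI (CSRF)
//  3. allow-list  - the request may touch only what this feature owns
const HARDENED_OPTIONS = array(              // option name => sanitizer callable
    'hardened_enabled' => 'rest_sanitize_boolean',
    'hardened_limit'   => 'absint',
    'hardened_label'   => 'sanitize_text_field',
);

add_action( 'wp_ajax_hardened_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'hardened_save', 'nonce' );             // dies with 403 on failure
    $name = (string) ( $_POST['name'] ?? '' );
    if ( ! isset( HARDENED_OPTIONS[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 );              // never siteurl, users_can_register, ...
    }
    $value = call_user_func( HARDENED_OPTIONS[ $name ], wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
} );

// Deletions get the same three checks; no _nopriv registration means logged-out
// requests never reach the callback, and the nonce stops a CSRF page from
// riding a logged-in admin's session.
add_action( 'wp_ajax_hardened_delete_customer', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'hardened_delete_customer', 'nonce' );
    $id = absint( $_POST['customer_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( 'bad id', 400 );
    }
    delete_option( 'hardened_customer_' . $id );                 // hypothetical per-customer record
    wp_send_json_success();
} );

// Exports of personal data need the capability that already governs that data.
add_action( 'wp_ajax_hardened_export', function () {
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'hardened_export', 'nonce' );
    wp_send_json( get_users( array( 'fields' => array( 'display_name', 'user_email' ) ) ) );
} );

// The admin page hands the nonce to its script, e.g.
// wp_localize_script( 'hardened-admin', 'hardenedAjax',
//     array( 'nonce' => wp_create_nonce( 'hardened_save' ) ) );
```

A nonce alone is not authorization: check_ajax_referer() proves the request came from a page that rendered the nonce, which any logged-in Subscriber can obtain if the page is visible to them, so the capability check is still the control that decides who may act.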