Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 115 | Critical: 9 | High: 20 | Medium: 85
Showing 1-20 of 115 records
Threat Entry Updated 2026-04-08

CVE-2026-3311 - Woocommerce Plugin

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woocommerce

CVE-2026-3311

MEDIUM CVSS 6.4 2026-04-08
Threat Entry Updated 2026-03-16

CVE-2026-32412 - WooCommerce Plugin

Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery. This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through

PLUGIN WooCommerce

CVE-2026-32412

MEDIUM CVSS 5.4 2026-03-13
Threat Entry Updated 2026-04-15

CVE-2026-3589 - WooCommerce Plugin

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints and, for example, create arbitrary admin users via a CSRF attack.

PLUGIN WooCommerce

CVE-2026-3589

HIGH CVSS 7.5 2026-03-06
Threat Entry Updated 2026-02-27

CVE-2026-28132 - WooCommerce Plugin

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection. This issue affects WooCommerce Photo Reviews: from n/a through

PLUGIN WooCommerce

CVE-2026-28132

MEDIUM CVSS 5.3 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2385 - Woocommerce Plugin

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.

PLUGIN Woocommerce

CVE-2026-2385

MEDIUM CVSS 5.3 2026-02-22
Threat Entry Updated 2026-04-15

CVE-2026-27052 - WooCommerce Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer allows PHP Local File Inclusion. This issue affects Sales Countdown Timer for WooCommerce and WordPress: from n/a through < 1.1.9.

PLUGIN WooCommerce

CVE-2026-27052

HIGH CVSS 7.5 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2026-24999 - WooCommerce Plugin

Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Alma: from n/a through

PLUGIN WooCommerce

CVE-2026-24999

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-24

CVE-2026-22333 - WooCommerce Plugin

Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection. This issue affects YITH WooCommerce Compare: from n/a through

PLUGIN WooCommerce

CVE-2026-22333

HIGH CVSS 7.2 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-2386 - Woocommerce Plugin

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_create_page() AJAX handler authorizing users only with current_user_can('edit_posts') while accepting a user-controlled 'post_type' value passed directly to wp_insert_post() without post-type-specific capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to create arbitrary draft posts for restricted post types (e.g., 'page' and 'nxt_builder') via the 'post_type' parameter.

PLUGIN Woocommerce

CVE-2026-2386

MEDIUM CVSS 4.3 2026-02-18
Threat Entry Updated 2026-02-11

CVE-2025-13391 - WooCommerce Plugin

The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60.

PLUGIN WooCommerce

CVE-2025-13391

MEDIUM CVSS 5.8 2026-02-11
Threat Entry Updated 2026-02-03

CVE-2026-24992 - WooCommerce Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through

PLUGIN WooCommerce

CVE-2026-24992

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-01-26

CVE-2026-24625 - WooCommerce Plugin

Missing Authorization vulnerability in Imaginate Solutions File Uploads Addon for WooCommerce woo-addon-uploads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects File Uploads Addon for WooCommerce: from n/a through

PLUGIN WooCommerce

CVE-2026-24625

MEDIUM CVSS 5.3 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24606 - WooCommerce Plugin

Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcash-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bayarcash WooCommerce: from n/a through

PLUGIN WooCommerce

CVE-2026-24606

MEDIUM CVSS 5.3 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24585 - WooCommerce Plugin

Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hyyan WooCommerce Polylang Integration: from n/a through

PLUGIN WooCommerce

CVE-2026-24585

MEDIUM CVSS 6.5 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24581 - WooCommerce Plugin

Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Points and Rewards for WooCommerce: from n/a through

PLUGIN WooCommerce

CVE-2026-24581

MEDIUM CVSS 5.4 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24583 - WooCommerce Plugin

Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SumUp Payment Gateway For WooCommerce: from n/a through

PLUGIN WooCommerce

CVE-2026-24583

MEDIUM CVSS 5.3 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24562 - WooCommerce Plugin

Missing Authorization vulnerability in Ryviu Ryviu – Product Reviews for WooCommerce ryviu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ryviu – Product Reviews for WooCommerce: from n/a through

PLUGIN WooCommerce

CVE-2026-24562

MEDIUM CVSS 5.3 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24553 - WooCommerce Plugin

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data. This issue affects Fraud Prevention For Woocommerce: from n/a through

PLUGIN WooCommerce

CVE-2026-24553

MEDIUM CVSS 4.3 2026-01-23
Threat Entry Updated 2026-01-27

CVE-2026-24526 - WooCommerce Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Steve Truman Email Inquiry & Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS. This issue affects Email Inquiry & Cart Options for WooCommerce: from n/a through

PLUGIN WooCommerce

CVE-2026-24526

MEDIUM CVSS 6.5 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24366 - WooCommerce Plugin

Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Request A Quote: from n/a through

PLUGIN WooCommerce

CVE-2026-24366

MEDIUM CVSS 5.3 2026-01-22