Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total14,273
Critical855
High2,814
Medium10,408
Reset
Showing 3941-3960 of 14273 records
Threat Entry Updated 2025-07-07

CVE-2025-6350 - Wp Vr Plugin

The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hotspot-hover’ parameter in all versions up to, and including, 8.5.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Vr

CVE-2025-6350

MEDIUM CVSS 6.4 2025-06-28
Open Full Technical Breakdown
Threat Entry Updated 2025-06-30

CVE-2025-53260 - Upload Of File With Dangerous Type Vulnerability In Getredhawkstudio File Manager Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress allows Upload a Web Shell to a Web Server. This issue affects File Manager Plugin For Wordpress: from n/a through 7.5.

PLUGIN Upload Of File With Dangerous Type Vulnerability In Getredhawkstudio File Manager

CVE-2025-53260

CRITICAL CVSS 9.1 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-07

CVE-2025-5398 - Ninja Forms Plugin

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ninja Forms

CVE-2025-5398

MEDIUM CVSS 6.4 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-07

CVE-2025-2940 - Ninja Tables Plugin

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Ninja Tables

CVE-2025-2940

HIGH CVSS 7.2 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-02

CVE-2025-6688 - Simple Payment Plugin

The Simple Payment plugin for WordPress is vulnerable to Authentication Bypass in versions 1.3.6 to 2.3.8. This is due to the plugin not properly verifying a user's identity prior to logging them in through the create_user() function. This makes it possible for unauthenticated attackers to log in as administrative users.

PLUGIN Simple Payment

CVE-2025-6688

CRITICAL CVSS 9.8 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-6689 - Fl3r Accessibility Suite Plugin

The FL3R Accessibility Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fl3raccessibilitysuite shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Fl3r Accessibility Suite

CVE-2025-6689

MEDIUM CVSS 6.4 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-6550 - Pack Elementor Addons Plugin

The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slider_options’ parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Pack Elementor Addons

CVE-2025-6550

MEDIUM CVSS 6.4 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-07

CVE-2025-5940 - Osom Blocks Plugin

The Osom Blocks – Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Osom Blocks

CVE-2025-5940

MEDIUM CVSS 6.4 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-06-30

CVE-2025-4587 - Ab Testing For Wp Plugin

The A/B Testing for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ab-testing-for-wp/ab-test-block' block in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on the 'id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ab Testing For Wp

CVE-2025-4587

MEDIUM CVSS 6.4 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-07

CVE-2025-5936 - Vr Calendar Plugin

The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Vr Calendar

CVE-2025-5936

MEDIUM CVSS 4.3 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-01

CVE-2025-5093 - Before 2 Plugin

The Responsive Lightbox & Gallery WordPress plugin before 2.5.2 use the Swipebox library which does not validate and escape title attributes before outputting them back in a page/post where used, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2025-5093

MEDIUM CVSS 5.4 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-01

CVE-2025-5035 - Firelight Lightbox Plugin

The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks.

PLUGIN Firelight Lightbox

CVE-2025-5035

MEDIUM CVSS 5.4 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-07

CVE-2025-5194 - Wp Map Block Plugin

The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Wp Map Block

CVE-2025-5194

MEDIUM CVSS 4.8 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-03

CVE-2025-5526 - Buddypress Docs Plugin

The BuddyPress Docs WordPress plugin before 2.2.5 lacks proper access controls and allows a logged in user to view and download files belonging to another user

PLUGIN Buddypress Docs

CVE-2025-5526

MEDIUM CVSS 4.3 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-06-30

CVE-2025-6488 - Ismobile Plugin

The isMobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ parameter in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ismobile

CVE-2025-6488

MEDIUM CVSS 6.4 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-6212 - Ultimate Addons For Contact Form 7 Plugin

The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized values. Later, the admin-side AJAX endpoint ajax_get_table_data() returns those raw names as JSON column headers, and the client-side DataTables renderer injects them directly into the DOM without any HTML encoding. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever…

PLUGIN Ultimate Addons For Contact Form 7

CVE-2025-6212

HIGH CVSS 7.2 2025-06-26
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-5842 - Modern Design Library Plugin

The Modern Design Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Modern Design Library

CVE-2025-5842

MEDIUM CVSS 6.4 2025-06-26
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-5338 - Royal Elementor Addons Plugin

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1024 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Royal Elementor Addons

CVE-2025-5338

MEDIUM CVSS 6.4 2025-06-26
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-6546 - Drive Folder Embedder Plugin

The Drive Folder Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tablecssclass’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Drive Folder Embedder

CVE-2025-6546

MEDIUM CVSS 6.4 2025-06-26
Open Full Technical Breakdown
Threat Entry Updated 2025-07-07

CVE-2025-6540 - Web Cam Plugin

The web-cam plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slug’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Web Cam

CVE-2025-6540

MEDIUM CVSS 6.4 2025-06-26
Open Full Technical Breakdown
Scroll to top