
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,273 | Critical 855 | High 2,814 | Medium 10,408
Threat Entry Updated 2025-07-16

CVE-2025-4577 - Smash Balloon Social Post Feed Plugin

The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smash Balloon Social Post Feed

CVE-2025-4577

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-07-14

CVE-2025-2918 - Ultimate Blocks Plugin

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Blocks

CVE-2025-2918

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-07-02

CVE-2025-4954 - Axle Demo Importer Plugin

The Axle Demo Importer WordPress plugin through 1.0.3 does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP on the server.

PLUGIN Axle Demo Importer

CVE-2025-4954

HIGH CVSS 8.8 2025-06-10
Threat Entry Updated 2025-07-02

CVE-2025-4840 - Likes And Dislikes Plugin

The inprosysmedia-likes-dislikes-post WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Likes And Dislikes

CVE-2025-4840

HIGH CVSS 7.5 2025-06-10
Threat Entry Updated 2025-07-11

CVE-2025-3076 - Elementor Page Builder Plugin

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Page Builder

CVE-2025-3076

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-06-12

CVE-2025-5925 - Bunnys Print Css Plugin

The Bunny’s Print CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.95. This is due to missing or incorrect nonce validation on the pcss_options_subpanel() function. This makes it possible for unauthenticated attackers to update settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Bunnys Print Css

CVE-2025-5925

MEDIUM CVSS 4.3 2025-06-10
Threat Entry Updated 2025-06-12

CVE-2025-4652 - Broadstreet Plugin

The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Broadstreet

CVE-2025-4652

MEDIUM CVSS 6.1 2025-06-09
Threat Entry Updated 2025-06-12

CVE-2025-3582 - Newsletter Plugin

The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Newsletter

CVE-2025-3582

MEDIUM CVSS 4.8 2025-06-09
Threat Entry Updated 2025-06-12

CVE-2025-3581 - Newsletter Plugin

The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Newsletter

CVE-2025-3581

MEDIUM CVSS 4.8 2025-06-09
Threat Entry Updated 2025-07-15

CVE-2025-5568 - Event Manager And Tickets Selling For Woocommerce Plugin

The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Event Manager And Tickets Selling For Woocommerce

CVE-2025-5568

MEDIUM CVSS 6.4 2025-06-07
Threat Entry Updated 2025-07-14

CVE-2025-5528 - Sassy Social Share Plugin

The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.

PLUGIN Sassy Social Share

CVE-2025-5528

MEDIUM CVSS 6.1 2025-06-07
Threat Entry Updated 2025-07-14

CVE-2024-9994 - Essential Addons For Elementor Lite Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_pricing_item_tooltip_content parameter of the Pricing Table Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor Lite

CVE-2024-9994

MEDIUM CVSS 6.4 2025-06-07
Threat Entry Updated 2025-07-14

CVE-2024-9993 - Essential Addons For Elementor Lite Plugin

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the eael_event_details_text parameter of Event Calendar Widget in all versions up to, and including, 6.1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Essential Addons For Elementor Lite

CVE-2024-9993

MEDIUM CVSS 6.4 2025-06-07
Threat Entry Updated 2025-06-09

CVE-2025-5303 - Ltl Freight Quotes Day Ross Edition Plugin

The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ltl Freight Quotes Day Ross Edition

CVE-2025-5303

HIGH CVSS 7.2 2025-06-07
Threat Entry Updated 2025-06-09

CVE-2025-5814 - Profiler What Slowing Down Plugin

The Profiler – What Slowing Down Your WP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsd_plugin_control() function in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to reactivate previously deactivated plugins after accessing the "Profiler" page.

PLUGIN Profiler What Slowing Down

CVE-2025-5814

MEDIUM CVSS 5.3 2025-06-07
Threat Entry Updated 2025-06-06

CVE-2025-30977 - Chatbots Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chaport Live Chat WP Live Chat + Chatbots Plugin for WordPress – Chaport allows Stored XSS. This issue affects WP Live Chat + Chatbots Plugin for WordPress – Chaport: from n/a through 1.1.5.

PLUGIN Chatbots

CVE-2025-30977

MEDIUM CVSS 5.9 2025-06-06
Threat Entry Updated 2025-06-06

CVE-2025-5239 - Domain For Sale Plugin

The Domain For Sale plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 3.0.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Domain For Sale

CVE-2025-5239

MEDIUM CVSS 6.4 2025-06-06
Threat Entry Updated 2025-06-06

CVE-2025-5760 - Simple History Plugin

The Simple History plugin for WordPress is vulnerable to sensitive data exposure via Detective Mode due to improper sanitization within the append_debug_info_to_context() function in versions prior to 5.8.1. When Detective Mode is enabled, the plugin’s logger captures the entire contents of $_POST (and sometimes raw request bodies or $_GET) without redacting any password‐related keys. As a result, whenever a user submits a login form, whether via native wp_login or a third‐party login widget, their actual password is written in clear text into the logs. An authenticated attacker or any user…

PLUGIN Simple History

CVE-2025-5760

MEDIUM CVSS 4.9 2025-06-06
Threat Entry Updated 2025-07-15

CVE-2025-5703 - Stageshow Plugin

The StageShow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anchor’ parameter in all versions up to, and including, 10.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Stageshow

CVE-2025-5703

MEDIUM CVSS 6.4 2025-06-06
Threat Entry Updated 2025-06-06

CVE-2025-5686 - Paged Gallery Plugin

The Paged Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Paged Gallery

CVE-2025-5686

MEDIUM CVSS 6.4 2025-06-06