Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total14,273
Critical855
High2,814
Medium10,408
Reset
Showing 4741-4760 of 14273 records
Threat Entry Updated 2025-04-02

CVE-2025-3063 - Shopperapproved Reviews Plugin

The Shopper Approved Reviews plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_callback_update_sa_option() function in versions 2.0 to 2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Shopperapproved Reviews

CVE-2025-3063

HIGH CVSS 8.8 2025-04-02
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2025-2513 - Smart Icons For Wordpress Plugin

The Smart Icons For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Smart Icons For Wordpress

CVE-2025-2513

MEDIUM CVSS 6.4 2025-04-02
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2025-3097 - Wp Time Machine Plugin

The wp Time Machine plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.0. This is due to missing or incorrect nonce validation on the 'wpTimeMachineCore.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Time Machine

CVE-2025-3097

MEDIUM CVSS 6.1 2025-04-02
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2025-2483 - Gift Certificate Creator Plugin

The Gift Certificate Creator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘receip_address’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Gift Certificate Creator

CVE-2025-2483

MEDIUM CVSS 6.1 2025-04-02
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2024-13637 - Demo Awesome Plugin

The Demo Awesome plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the install_plugin function in all versions up to, and including, 1.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins..

PLUGIN Demo Awesome

CVE-2024-13637

MEDIUM CVSS 6.5 2025-04-02
Open Full Technical Breakdown
Threat Entry Updated 2025-08-12

CVE-2024-12410 - Front End Users Plugin

The Front End Users plugin for WordPress is vulnerable to SQL Injection via the 'UserSearchField' parameter in all versions up to, and including, 3.2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Front End Users

CVE-2024-12410

MEDIUM CVSS 4.9 2025-04-02
Open Full Technical Breakdown
Threat Entry Updated 2025-04-02

CVE-2025-2779 - Insert Headers And Footers Script Plugin

The Insert Headers and Footers Code – HT Script plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 1/true on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny access to legitimate users or be used to set some values to true,…

PLUGIN Insert Headers And Footers Script

CVE-2025-2779

MEDIUM CVSS 6.5 2025-04-02
Open Full Technical Breakdown
Threat Entry Updated 2025-04-01

CVE-2025-31843 - WooCommerce Plugin

Missing Authorization vulnerability in Wilson OpenAI Tools for WordPress & WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OpenAI Tools for WordPress & WooCommerce: from n/a through 2.1.5.

PLUGIN WooCommerce

CVE-2025-31843

MEDIUM CVSS 4.3 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-04-01

CVE-2025-2237 - Wp Realestate Plugin

The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to authentication bypass in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.

PLUGIN Wp Realestate

CVE-2025-2237

CRITICAL CVSS 9.8 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-04-01

CVE-2025-2906 - Contempo Real Estate Core Plugin

The Contempo Real Estate Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Contempo Real Estate Core

CVE-2025-2906

MEDIUM CVSS 6.4 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-05-27

CVE-2024-13553 - Sms Alert Order Notifications Plugin

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.

PLUGIN Sms Alert Order Notifications

CVE-2024-13553

CRITICAL CVSS 9.8 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-04-10

CVE-2024-12278 - Booster For Woocommerce Plugin

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via any location that typically sanitizes data using wp_kses, like comments, in all versions up to, and including, 7.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Booster For Woocommerce

CVE-2024-12278

HIGH CVSS 7.2 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-04-01

CVE-2025-1512 - Elementor Plugin

The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Cursor Extension in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor

CVE-2025-1512

MEDIUM CVSS 6.4 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-04-01

CVE-2024-12189 - Wdesignkit Plugin

The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom widgets in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wdesignkit

CVE-2024-12189

MEDIUM CVSS 6.4 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-04-01

CVE-2025-1267 - Groundhogg Plugin

The Groundhogg plugin for Wordpress is vulnerable to Stored Cross-Site Scripting via the ‘label' parameter in versions up to, and including, 3.7.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Groundhogg

CVE-2025-1267

MEDIUM CVSS 5.5 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-06-12

CVE-2025-2048 - Lana Downloads Manager Plugin

The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server

PLUGIN Lana Downloads Manager

CVE-2025-2048

MEDIUM CVSS 4.1 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-05-28

CVE-2025-1986 - Before 3 Plugin

The Gutentor WordPress plugin before 3.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

PLUGIN Before 3

CVE-2025-1986

MEDIUM CVSS 4.1 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-04-14

CVE-2025-1665 - Avada Builder Plugin

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 3.11.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Avada Builder

CVE-2025-1665

MEDIUM CVSS 6.4 2025-04-01
Open Full Technical Breakdown
Threat Entry Updated 2025-04-01

CVE-2024-13567 - Awesome Support Plugin

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.3.1 via the 'awesome-support' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/awesome-support directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 6.3.1.

PLUGIN Awesome Support

CVE-2024-13567

HIGH CVSS 7.5 2025-04-01
Open Full Technical Breakdown
Scroll to top