"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,202
Critical 852
High 2,807
Medium 10,348
Showing 581-600 of 14202 records
Threat Entry Updated 2026-04-15

CVE-2026-2385 - Woocommerce Plugin

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.

PLUGIN Woocommerce

CVE-2026-2385

MEDIUM CVSS 5.3 2026-02-22
Threat Entry Updated 2026-04-15

CVE-2026-1787 - LearnPress – Backup & Migration Tool Plugin

The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete courses that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.

PLUGIN LearnPress – Backup & Migration Tool

CVE-2026-1787

MEDIUM CVSS 4.8 2026-02-21
Threat Entry Updated 2026-02-23

CVE-2025-14339 - And Automation Plugin

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to…

PLUGIN And Automation

CVE-2025-14339

MEDIUM CVSS 6.5 2026-02-21
Threat Entry Updated 2026-02-23

CVE-2026-24956 - Download Manager Addons for Elementor Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection. This issue affects Download Manager Addons for Elementor: from n/a through

PLUGIN Download Manager Addons for Elementor

CVE-2026-24956

CRITICAL CVSS 9.3 2026-02-20
Threat Entry Updated 2026-02-26

CVE-2026-24946 - Print Invoice & Delivery Notes for WooCommerce Plugin

Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through

PLUGIN Print Invoice & Delivery Notes for WooCommerce

CVE-2026-24946

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-02-24

CVE-2026-22354 - Woocommerce Category Banner Management Plugin

Deserialization of Untrusted Data vulnerability in Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce allows Object Injection. This issue affects Woocommerce Category Banner Management: from n/a through

PLUGIN Woocommerce Category Banner Management

CVE-2026-22354

HIGH CVSS 8.8 2026-02-20
Threat Entry Updated 2026-02-23

CVE-2026-22352 - Persian Woocommerce SMS Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PersianScript Persian Woocommerce SMS persian-woocommerce-sms allows Reflected XSS. This issue affects Persian Woocommerce SMS: from n/a through

PLUGIN Persian Woocommerce SMS

CVE-2026-22352

HIGH CVSS 7.1 2026-02-20
Threat Entry Updated 2026-02-25

CVE-2026-22350 - PDF for Elementor Forms + Drag And Drop Template Builder Plugin

Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through

PLUGIN PDF for Elementor Forms + Drag And Drop Template Builder

CVE-2026-22350

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-04-15

CVE-2026-2486 - Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations Plugin

The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations

CVE-2026-2486

MEDIUM CVSS 6.4 2026-02-20
Threat Entry Updated 2026-04-15

CVE-2026-26370 - Survey Maker Plugin

WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.

PLUGIN Survey Maker

CVE-2026-26370

MEDIUM CVSS 5.1 2026-02-20
Threat Entry Updated 2026-04-15

CVE-2026-2384 - Quiz Maker Plugin

The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This vulnerability requires WPBakery Page Builder to be installed and active.

PLUGIN Quiz Maker

CVE-2026-2384

MEDIUM CVSS 6.4 2026-02-20
Threat Entry Updated 2026-02-27

CVE-2026-27327 - YayMail – WooCommerce Email Customizer Plugin

Missing Authorization vulnerability in YayCommerce YayMail – WooCommerce Email Customizer yaymail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YayMail – WooCommerce Email Customizer: from n/a through

PLUGIN YayMail – WooCommerce Email Customizer

CVE-2026-27327

MEDIUM CVSS 4.3 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-2232 - Wc Product Table Lite Plugin

The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wc Product Table Lite

CVE-2026-2232

HIGH CVSS 7.5 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-1581 - Wpforo Forum Plugin

The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wpforo Forum

CVE-2026-1581

HIGH CVSS 7.5 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-2718 - Dealia – Request a quote Plugin

The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.8. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dealia – Request a quote

CVE-2026-2718

MEDIUM CVSS 6.4 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-2716 - Client Testimonial Slider Plugin

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Client Testimonial Slider

CVE-2026-2716

MEDIUM CVSS 4.4 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-1461 - Simple Membership Plugin

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.

PLUGIN Simple Membership

CVE-2026-1461

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-1219 - MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar Plugin

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.

PLUGIN MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

CVE-2026-1219

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2026-27066 - Live sales notification for WooCommerce Plugin

Missing Authorization vulnerability in PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live sales notification for WooCommerce: from n/a through

PLUGIN Live sales notification for WooCommerce

CVE-2026-27066

MEDIUM CVSS 5.3 2026-02-19