
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,244
Critical 854
High 2,808
Medium 10,387
Showing 1081-1100 of 14244 records
Threat Entry Updated 2026-01-26

CVE-2024-11976 - BuddyPress Plugin

The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN BuddyPress

CVE-2024-11976

HIGH CVSS 7.3 2026-01-23
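The BuddyPress entry above describes the general pattern of handing request text to do_shortcode(). The following is an added example written for this page, not BuddyPress code: a hypothetical AJAX handler that does exactly that, beside a hardened version that only ever builds an allowlisted shortcode server-side. All function, action and shortcode names (demo_render, demo_profile_card, and so on) are assumptions.

```php
<?php
// Added example (hypothetical handler, not BuddyPress code). All names are assumptions.

// VULNERABLE: reachable by anyone via wp_ajax_nopriv_*, and the caller chooses the
// shortcode tag AND its attributes. Every shortcode registered by any plugin or theme
// on the site (form senders, file embedders, content includers) becomes callable
// with no capability check.
function demo_render_vulnerable() {
    $content = wp_unslash( $_POST['content'] ?? '' );
    echo do_shortcode( $content );   // e.g. [other_plugin_embed src="..."] supplied by a visitor
    wp_die();
}
// add_action( 'wp_ajax_nopriv_demo_render', 'demo_render_vulnerable' );  // the bug

// HARDENED: never treat request text as shortcode syntax. Accept only an allowlisted
// tag, build the tag string server-side from individually validated attributes, and
// require a nonce plus a logged-in user.
const DEMO_ALLOWED_SHORTCODES = array( 'demo_profile_card', 'demo_activity_list' );

function demo_render_hardened() {
    check_ajax_referer( 'demo_render', 'nonce' );            // CSRF: dies on a bad nonce
    if ( ! current_user_can( 'read' ) ) {                     // any logged-in member
        wp_send_json_error( 'forbidden', 403 );
    }
    $tag = sanitize_key( $_POST['tag'] ?? '' );               // [a-z0-9_-] only
    if ( ! in_array( $tag, DEMO_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }
    $user_id = absint( $_POST['user_id'] ?? 0 );              // the only attribute passed through
    if ( 0 === $user_id ) {
        wp_send_json_error( 'invalid user_id', 400 );
    }
    // %d emits digits only, so the attribute cannot break out of the tag syntax.
    $output = do_shortcode( sprintf( '[%s user_id="%d"]', $tag, $user_id ) );
    wp_send_json_success( $output );
}
add_action( 'wp_ajax_demo_render', 'demo_render_hardened' );
// Intentionally no wp_ajax_nopriv_ registration for the hardened handler.
```

The point to take from the hardened version is that the untrusted value selects from a fixed menu; it is never interpolated into shortcode text, so the set of reachable code paths is decided by the plugin author rather than by the request.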
Threat Entry Updated 2026-01-26

CVE-2025-14745 - RSS Aggregator Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-rss-aggregator' shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN RSS Aggregator

CVE-2025-14745

MEDIUM CVSS 6.4 2026-01-23
Threat Entry Updated 2026-04-15

CVE-2026-0927 - Kivicare Clinic Management System Plugin

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files.

PLUGIN Kivicare Clinic Management System

CVE-2026-0927

MEDIUM CVSS 5.3 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2025-14069 - Schema And Structured Data For Wp Plugin

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Schema And Structured Data For Wp

CVE-2025-14069

MEDIUM CVSS 6.4 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2025-15522 - Uncanny Automator Plugin

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page.

PLUGIN Uncanny Automator

CVE-2025-15522

MEDIUM CVSS 6.4 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24390 - Kentha Elementor Widgets Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1.

PLUGIN Kentha Elementor Widgets

CVE-2026-24390

HIGH CVSS 7.5 2026-01-22
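The Kentha entry is classified as CWE-98 (an include/require statement whose filename the request controls). As an added example, not the plugin's own code, here is the shape of that bug in a hypothetical template loader beside a loader that maps the untrusted value onto a fixed set of files and confirms the resolved path. Function names and template file names are assumptions.

```php
<?php
// Added example (hypothetical loader, not Kentha code). Names are assumptions.

// VULNERABLE: "../" walks out of the templates directory, so any .php file the web
// server can read is included and executed, for example one planted through an
// unrelated upload feature. A request such as
//   ?template=../../../uploads/2026/01/avatar
// resolves to <plugin>/templates/../../../uploads/2026/01/avatar.php.
function demo_load_widget_template_vulnerable( $name ) {
    include plugin_dir_path( __FILE__ ) . 'templates/' . $name . '.php';
}

// HARDENED: the request picks a key, the key picks a file, and realpath() confirms the
// file still lives under the templates directory (belt and braces on top of the map).
function demo_load_widget_template_hardened( $name ) {
    $allowed = array(
        'grid'     => 'grid.php',
        'list'     => 'list.php',
        'carousel' => 'carousel.php',
    );
    $key = sanitize_key( $name );                       // [a-z0-9_-] only, lower-cased
    if ( ! isset( $allowed[ $key ] ) ) {
        return false;                                   // unknown key: render nothing
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $allowed[ $key ] );
    // realpath() returns false for a missing file and resolves symlinks and "..",
    // so a prefix comparison on its output is meaningful.
    if ( false === $base || false === $path
         || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    include $path;
    return true;
}
```

The allowlist alone closes the hole; the realpath() check is there so that a later refactor (say, someone making the map configurable) cannot silently reopen it.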
Threat Entry Updated 2026-01-26

CVE-2026-24386 - Element Invader – Template Kits for Elementor Plugin

Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Invader – Template Kits for Elementor: from n/a through

PLUGIN Element Invader – Template Kits for Elementor

CVE-2026-24386

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-24366 - YITH WooCommerce Request A Quote Plugin

Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Request A Quote: from n/a through

PLUGIN YITH WooCommerce Request A Quote

CVE-2026-24366

MEDIUM CVSS 5.3 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-24365 - Stock Manager for WooCommerce Plugin

Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery. This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0.

PLUGIN Stock Manager for WooCommerce

CVE-2026-24365

MEDIUM CVSS 5.4 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-22468 - Absolute Addons For Elementor Plugin

Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through

PLUGIN Absolute Addons For Elementor

CVE-2026-22468

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-01-30

CVE-2026-22461 - CTX Feed Plugin

Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CTX Feed: from n/a through

PLUGIN CTX Feed

CVE-2026-22461

MEDIUM CVSS 5.3 2026-01-22
Threat Entry Updated 2026-04-15

CVE-2026-22359 - Wordpress Movies Bulk Importer Plugin

Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects Wordpress Movies Bulk Importer: from n/a through

PLUGIN Wordpress Movies Bulk Importer

CVE-2026-22359

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-04-15

CVE-2026-0920 - La Studio Element Kit For Elementor Plugin

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.

PLUGIN La Studio Element Kit For Elementor

CVE-2026-0920

CRITICAL CVSS 9.8 2026-01-22
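The LA-Studio entry is a mass-assignment bug: a role name arrives in the registration request and is honoured. The following added example, not the plugin's code, shows a hypothetical AJAX registration handler with that flaw beside one where the role is a server-side decision. The action name, parameter names and the 12-character minimum are assumptions.

```php
<?php
// Added example (hypothetical handler, not LA-Studio code). Names are assumptions.

// VULNERABLE: whatever the request puts in 'role' reaches wp_insert_user(), so an
// unauthenticated caller simply posts role=administrator.
function demo_ajax_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $_POST['role'] ?? 'subscriber',   // attacker-controlled
    );
    wp_send_json( wp_insert_user( $userdata ) );
}
// add_action( 'wp_ajax_nopriv_demo_register', 'demo_ajax_register_vulnerable' );  // the bug

// HARDENED: the role comes from site configuration, never from the request; the
// site's registration toggle is respected; a nonce guards against CSRF.
function demo_ajax_register_hardened() {
    check_ajax_referer( 'demo_register', 'nonce' );
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'registration disabled', 403 );
    }
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => get_option( 'default_role', 'subscriber' ),   // server-side decision
    );
    if ( '' === $userdata['user_login']
         || ! is_email( $userdata['user_email'] )
         || strlen( $userdata['user_pass'] ) < 12 ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_demo_register', 'demo_ajax_register_hardened' );
```

When reviewing a plugin for this class, grep for every call to wp_insert_user(), wp_update_user(), WP_User::set_role() and add_role(), and trace whether the role argument can be influenced by request data, including indirectly through a settings array that is merged with $_POST.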
Threat Entry Updated 2026-04-15

CVE-2026-1036 - Photo Gallery Plugin

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin.

PLUGIN Photo Gallery

CVE-2026-1036

MEDIUM CVSS 5.3 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2025-15521 - Academy LMS Plugin

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.

PLUGIN Academy LMS

CVE-2025-15521

CRITICAL CVSS 9.8 2026-01-21
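The Academy LMS entry makes a point worth isolating: a WordPress nonce is a CSRF token, not an authorization token. If the page that embeds it is public, the nonce is public, and a nonce generated for a logged-out visitor verifies for every other logged-out visitor. The added example below, not the plugin's code, shows a hypothetical password-update endpoint that relies on the nonce alone beside one that derives the target account from the session and re-authenticates. Action and parameter names are assumptions.

```php
<?php
// Added example (hypothetical endpoint, not Academy LMS code). Names are assumptions.

// VULNERABLE: wp_verify_nonce() only proves the request was built from a page that
// embedded the nonce. Nothing binds the request to the account being changed, and
// the account is chosen by the caller.
function demo_update_password_vulnerable() {
    if ( ! wp_verify_nonce( $_POST['_nonce'] ?? '', 'demo_pw_update' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    $user_id = absint( $_POST['user_id'] );            // attacker picks 1 (often the first admin)
    wp_set_password( (string) $_POST['new_password'], $user_id );
    wp_send_json_success();
}
// add_action( 'wp_ajax_nopriv_demo_update_password', 'demo_update_password_vulnerable' );  // the bug

// HARDENED: authorization comes from the session, the nonce stays for CSRF only,
// and the caller must prove knowledge of the current password.
function demo_update_password_hardened() {
    check_ajax_referer( 'demo_pw_update', '_nonce' );           // CSRF
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $user_id = get_current_user_id();                           // never from the request
    $user    = wp_get_current_user();
    $current = (string) ( $_POST['current_password'] ?? '' );
    $new     = (string) ( $_POST['new_password'] ?? '' );

    // Re-authenticate: a stolen cookie or an XSS'd browser should not be enough.
    if ( ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new ) < 12 ) {                                // minimum is an assumption
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new, $user_id );
    WP_Session_Tokens::get_instance( $user_id )->destroy_all(); // evict every other session
    wp_set_auth_cookie( $user_id );                             // log this browser back in
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_password', 'demo_update_password_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: there is no legitimate logged-out caller.
```

The same reasoning applies to password-reset flows that accept a user ID or email plus a nonce: the only acceptable proof of identity there is a single-use, per-user reset key (get_password_reset_key() / check_password_reset_key() in core), not a nonce.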
Threat Entry Updated 2026-04-15

CVE-2026-0726 - Nexter Extension Plugin

The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on…

PLUGIN Nexter Extension

CVE-2026-0726

HIGH CVSS 8.1 2026-01-20
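The Nexter entry notes that the plugin has no POP chain of its own and that the impact depends on what else is installed. The added example below, not Nexter code and runnable as plain PHP, shows why: a hypothetical gadget class that any other plugin or theme might contain, the unserialize() call that would instantiate it from request data, and two fixes. The class and function names are assumptions.

```php
<?php
// Added example (hypothetical code, not from Nexter or any listed plugin).

// A gadget that could live in ANY other installed plugin or theme: a class whose
// magic method acts on attacker-chosen properties.
class Demo_Cache_Writer {
    public $path;
    public $data;
    public function __destruct() {
        // Runs when the object is garbage-collected, i.e. at the end of the request,
        // even though the plugin that unserialized it never "called" anything.
        file_put_contents( $this->path, $this->data );
    }
}

// VULNERABLE: a request value of the form O:17:"Demo_Cache_Writer":2:{...} is enough
// to build the object; __destruct() then writes a file of the attacker's choosing.
function demo_replace_setting_vulnerable( $raw ) {
    $value = unserialize( $raw );
    return is_array( $value ) ? $value : array();
}

// HARDENED (a): forbid object instantiation. Unknown classes are materialised as
// __PHP_Incomplete_Class, whose magic methods never run. (PHP 7.0+.)
function demo_replace_setting_hardened_a( $raw ) {
    $value = unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $value ) ? $value : array();
}

// HARDENED (b): do not use PHP serialisation across a trust boundary at all. JSON
// cannot carry objects with behaviour.
function demo_replace_setting_hardened_b( $raw ) {
    $value = json_decode( $raw, true );
    return ( JSON_ERROR_NONE === json_last_error() && is_array( $value ) ) ? $value : array();
}

// Benign data (a constructed sample) still round-trips through the hardened variant.
$benign = serialize( array( 'search' => 'old', 'replace' => 'new' ) );
var_dump( demo_replace_setting_hardened_a( $benign ) === array( 'search' => 'old', 'replace' => 'new' ) );
```

Option (a) is the drop-in fix when the stored format cannot change; option (b) is the right answer for new code. Either way, treat "no gadget in this plugin" as a statement about today's install, not a reason to leave the sink in place.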
Threat Entry Updated 2026-04-15

CVE-2026-0690 - FlatPM – Ad Manager, AdSense and Custom Code Plugin

The FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN FlatPM – Ad Manager, AdSense and Custom Code

CVE-2026-0690

MEDIUM CVSS 6.4 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-0608 - Head Meta Data Plugin

The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Head Meta Data

CVE-2026-0608

MEDIUM CVSS 6.4 2026-01-20
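Five entries on this page (CVE-2025-14745, CVE-2025-14069, CVE-2025-15522, CVE-2026-0690 and CVE-2026-0608) are the same bug class: a contributor-level user stores a shortcode attribute or post meta value that is later echoed without escaping. Contributors cannot post raw HTML (kses strips it), but a shortcode attribute is not an HTML tag, so it survives the save and is only turned into markup when the shortcode renders. The added example below, not code from any of those plugins, shows a hypothetical shortcode and a hypothetical meta field in both the unescaped and the escaped form. All names are assumptions.

```php
<?php
// Added example (hypothetical shortcode and meta field, not from any listed plugin).

// VULNERABLE: shortcode_atts() merges defaults but sanitises nothing. A contributor
// saves   [demo_notice title='" onmouseover="alert(1)']   in a draft; kses leaves it
// alone because it is not an HTML tag, and the rendered <div title=""...> carries the
// handler for every viewer, including the editor who previews the draft.
function demo_notice_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '' ), $atts, 'demo_notice' );
    return '<div class="notice" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['url'] . '">' . $atts['title'] . '</a></div>';
}

// HARDENED: sanitise on the way in, then escape for the exact output context.
function demo_notice_hardened( $atts ) {
    $atts  = shortcode_atts( array( 'title' => '', 'url' => '' ), $atts, 'demo_notice' );
    $title = sanitize_text_field( $atts['title'] );   // strips tags and control characters
    $url   = esc_url( $atts['url'] );                  // rejects javascript: and other bad schemes
    return '<div class="notice" title="' . esc_attr( $title ) . '">'
         . '<a href="' . $url . '">' . esc_html( $title ) . '</a></div>';
}
add_shortcode( 'demo_notice', 'demo_notice_hardened' );

// Post meta follows the same rule, with the extra caveat that the code rendering a
// meta value is often not the code that wrote it, so escaping at output is mandatory
// even when the writer sanitised.
function demo_save_meta( $post_id ) {
    if ( ! isset( $_POST['demo_meta_nonce'] )
         || ! wp_verify_nonce( $_POST['demo_meta_nonce'], 'demo_save_meta' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $desc = sanitize_textarea_field( wp_unslash( $_POST['demo_description'] ?? '' ) );
    update_post_meta( $post_id, '_demo_description', $desc );
}
add_action( 'save_post', 'demo_save_meta' );

function demo_print_meta_tag() {
    if ( ! is_singular() ) {
        return;
    }
    $desc = get_post_meta( get_queried_object_id(), '_demo_description', true );
    if ( '' !== $desc ) {
        echo '<meta name="description" content="' . esc_attr( $desc ) . '">' . "\n";
    }
}
add_action( 'wp_head', 'demo_print_meta_tag' );
```

When auditing, search for every echo or return that concatenates a shortcode attribute or a get_post_meta() result and ask which context it lands in (attribute, text node, URL, inline script); esc_attr(), esc_html(), esc_url() and wp_json_encode() are not interchangeable.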
Threat Entry Updated 2026-04-15

CVE-2026-0548 - Tutor LMS Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.

PLUGIN Tutor LMS

CVE-2026-0548

MEDIUM CVSS 5.4 2026-01-20
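The "missing authorization", "missing capability check" and CSRF entries on this page (CVE-2026-0927, CVE-2026-24386, CVE-2026-24366, CVE-2026-24365, CVE-2026-22468, CVE-2026-22461, CVE-2026-22359, CVE-2026-1036 and CVE-2026-0548) reduce to three questions a handler must answer before acting: did this user send the request (nonce), may this role perform the action at all (capability), and may they perform it on this particular object (ownership)? Note that the Tutor LMS case fails the third check even for a logged-in user. The added example below, not code from any listed plugin, shows a hypothetical attachment-deletion AJAX handler missing all three beside one that answers them in order, plus the same shape for a classic admin-post form handler. All names and the WooCommerce capability used are assumptions.

```php
<?php
// Added example (hypothetical handlers, not from any listed plugin). Names are assumptions.

// VULNERABLE: registered on the nopriv hook and performs a privileged action with no
// check of any kind. Any visitor deletes any attachment by ID.
function demo_delete_attachment_vulnerable() {
    $id = absint( $_POST['attachment_id'] ?? 0 );
    wp_delete_attachment( $id, true );
    wp_send_json_success();
}
// add_action( 'wp_ajax_nopriv_demo_delete_attachment', 'demo_delete_attachment_vulnerable' );  // the bug

// HARDENED
function demo_delete_attachment_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'demo_delete_attachment', 'nonce' );

    // 2. Authentication and coarse authorization: subscribers have no media rights.
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Object-level authorization. 'delete_post' is resolved per object by
    //    map_meta_cap(): authors may delete their own uploads, and only a role with
    //    delete_others_posts may delete someone else's.
    $id = absint( $_POST['attachment_id'] ?? 0 );
    if ( 0 === $id || 'attachment' !== get_post_type( $id ) || ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( 'not allowed for this attachment', 403 );
    }

    // 4. Only now perform the action, and report the real outcome.
    if ( ! wp_delete_attachment( $id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}
add_action( 'wp_ajax_demo_delete_attachment', 'demo_delete_attachment_hardened' );
// No wp_ajax_nopriv_ registration: there is no unauthenticated use case for deletion.

// The same three checks in an admin-post form handler, the kind of endpoint the CSRF
// entries describe. check_admin_referer() takes the place of check_ajax_referer().
function demo_update_stock_handler() {
    check_admin_referer( 'demo_update_stock' );                    // 1. CSRF
    if ( ! current_user_can( 'manage_woocommerce' ) ) {           // 2. capability
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $product_id = absint( $_POST['product_id'] ?? 0 );
    if ( 'product' !== get_post_type( $product_id )               // 3. object check
         || ! current_user_can( 'edit_post', $product_id ) ) {
        wp_die( 'not allowed for this product', '', array( 'response' => 403 ) );
    }
    $qty = intval( $_POST['qty'] ?? 0 );
    update_post_meta( $product_id, '_stock', $qty );               // simplified, hypothetical
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_demo_update_stock', 'demo_update_stock_handler' );
```

A useful review heuristic for WordPress plugins: list every add_action() whose hook starts with wp_ajax_nopriv_, admin_post_nopriv_, or that registers a REST route with 'permission_callback' => '__return_true', and read each callback asking the three questions above; the nopriv and permission-less entries are where the unauthenticated findings on this page come from.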