
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,261 | Critical: 855 | High: 2,811 | Medium: 10,399

Showing 1101-1120 of 14,261 records
Threat Entry Updated 2026-01-26

CVE-2025-14069 - Schema And Structured Data For Wp Plugin

The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saswp_custom_schema_field' profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Schema And Structured Data For Wp

CVE-2025-14069

MEDIUM CVSS 6.4 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2025-15522 - Uncanny Automator Plugin

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page.

PLUGIN Uncanny Automator

CVE-2025-15522

MEDIUM CVSS 6.4 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24390 - Elementor Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1.

PLUGIN Elementor

CVE-2026-24390

HIGH CVSS 7.5 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-24386 - Elementor Plugin

Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Invader – Template Kits for Elementor: from n/a through

PLUGIN Elementor

CVE-2026-24386

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-24366 - WooCommerce Plugin

Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Request A Quote: from n/a through

PLUGIN WooCommerce

CVE-2026-24366

MEDIUM CVSS 5.3 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-24365 - WooCommerce Plugin

Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery. This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0.

PLUGIN WooCommerce

CVE-2026-24365

MEDIUM CVSS 5.4 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-22468 - Elementor Plugin

Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through

PLUGIN Elementor

CVE-2026-22468

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-01-30

CVE-2026-22461 - WooCommerce Plugin

Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CTX Feed: from n/a through

PLUGIN WooCommerce

CVE-2026-22461

MEDIUM CVSS 5.3 2026-01-22
Threat Entry Updated 2026-04-15

CVE-2026-22359 - Wordpress Movies Bulk Importer Plugin

Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects Wordpress Movies Bulk Importer: from n/a through

PLUGIN Wordpress Movies Bulk Importer

CVE-2026-22359

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-04-15

CVE-2026-0920 - La Studio Element Kit For Elementor Plugin

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.

PLUGIN La Studio Element Kit For Elementor

CVE-2026-0920

CRITICAL CVSS 9.8 2026-01-22
Threat Entry Updated 2026-04-15

CVE-2026-1036 - Photo Gallery Plugin

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin.

PLUGIN Photo Gallery

CVE-2026-1036

MEDIUM CVSS 5.3 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2025-15521 - Wordpress Lms Plugin For Complete Elearning Solution

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.

PLUGIN Wordpress Lms Plugin For Complete Elearning Solution

CVE-2025-15521

CRITICAL CVSS 9.8 2026-01-21
Threat Entry Updated 2026-04-15

CVE-2026-0726 - Site Enhancements Toolkit Plugin

The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on…

PLUGIN Site Enhancements Toolkit

CVE-2026-0726

HIGH CVSS 8.1 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-0690 - FlatPM – Ad Manager, AdSense and Custom Code Plugin

The FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN FlatPM – Ad Manager, AdSense and Custom Code

CVE-2026-0690

MEDIUM CVSS 6.4 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-0608 - Head Meta Data Plugin

The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Head Meta Data

CVE-2026-0608

MEDIUM CVSS 6.4 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-0548 - Elearning And Online Course Solution Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.

PLUGIN Elearning And Online Course Solution

CVE-2026-0548

MEDIUM CVSS 5.4 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-0554 - NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar Plugin

The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership.

PLUGIN NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar

CVE-2026-0554

MEDIUM CVSS 4.3 2026-01-20
Threat Entry Updated 2026-01-26

CVE-2025-15347 - And Trainers Plugin

The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options.

PLUGIN And Trainers

CVE-2025-15347

HIGH CVSS 8.8 2026-01-20
Threat Entry Updated 2026-01-26

CVE-2025-15380 - Floating Notification Bar Plugin

The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site.

PLUGIN Floating Notification Bar

CVE-2025-15380

HIGH CVSS 7.2 2026-01-20