Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total14,261
Critical855
High2,811
Medium10,399
Reset
Showing 1181-1200 of 14261 records
Threat Entry Updated 2026-01-26

CVE-2025-14029 - Community Events Plugin

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to approve arbitrary events via the 'eventlist' parameter.

PLUGIN Community Events

CVE-2025-14029

MEDIUM CVSS 5.3 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-12825 - User Registration Using Contact Form 7 Plugin

The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets.

PLUGIN User Registration Using Contact Form 7

CVE-2025-12825

MEDIUM CVSS 5.3 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-12168 - Phrase Tms Integration For Wordpress Plugin

The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files.

PLUGIN Phrase Tms Integration For Wordpress

CVE-2025-12168

MEDIUM CVSS 4.3 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-0820 - RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes.

PLUGIN RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress

CVE-2026-0820

MEDIUM CVSS 5.3 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-14463 - Wp Paypal Plugin

The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation.…

PLUGIN Wp Paypal

CVE-2025-14463

MEDIUM CVSS 5.3 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-0682 - Church Admin Plugin

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Church Admin

CVE-2026-0682

LOW CVSS 2.2 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-13725 - Thim Blocks Plugin

The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php.

PLUGIN Thim Blocks

CVE-2025-13725

MEDIUM CVSS 6.5 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-15403 - Custom Registration Form Builder With Submission Manager Plugin

The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function is accessible via the 'rm_user_exists' AJAX action and allows arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to injecting an empty slug into the order parameter, and manipulate the plugin's menu generation logic, and when the admin menu is subsequently built, the plugin adds 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further…

PLUGIN Custom Registration Form Builder With Submission Manager

CVE-2025-15403

CRITICAL CVSS 9.8 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-14450 - Wallet System For Woocommerce Plugin

The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to manipulate wallet withdrawal requests and arbitrarily increase their wallet balance or decrease other users' balances.

PLUGIN Wallet System For Woocommerce

CVE-2025-14450

MEDIUM CVSS 6.5 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-12718 - Quick Contact Form Plugin

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.

PLUGIN Quick Contact Form

CVE-2025-12718

MEDIUM CVSS 5.8 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-14075 - Wp Hotel Booking Plugin

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce.

PLUGIN Wp Hotel Booking

CVE-2025-14075

MEDIUM CVSS 5.3 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-14632 - Filr Protection Plugin

The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type.

PLUGIN Filr Protection

CVE-2025-14632

MEDIUM CVSS 4.4 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2025-12002 - Feeds For Youtube Plugin

The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version…

PLUGIN Feeds For Youtube

CVE-2025-12002

MEDIUM CVSS 5.9 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-02-02

CVE-2026-0518 - Secure Access Plugin

CVE-2026-0518 is a cross-site scripting vulnerability in versions of Secure Access prior to 14.20. An attacker with administrative privileges can interfere with another administrator’s use of the console.

PLUGIN Secure Access

CVE-2026-0518

MEDIUM CVSS 4.8 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-02-02

CVE-2026-0519 - Secure Access Plugin

In Secure Access 12.70 and prior to 14.20, the logging subsystem may write an unredacted authentication token to logs under certain configurations. Any party with access to those logs could read the token and reuse it to access an integrated system.

PLUGIN Secure Access

CVE-2026-0519

MEDIUM CVSS 4.6 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-02-02

CVE-2026-0517 - Secure Access Plugin

CVE-2026-0517 is a denial-of-service vulnerability in versions of Secure Access Server prior to 14.20. An attacker can send a specially crafted packet to a server and cause the server to crash

PLUGIN Secure Access

CVE-2026-0517

MEDIUM CVSS 6.0 2026-01-17
Open Full Technical Breakdown
Threat Entry Updated 2026-02-18

CVE-2026-22865 - Gradle Plugin

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next…

PLUGIN Gradle

CVE-2026-22865

HIGH CVSS 8.6 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-02-18

CVE-2026-22816 - Gradle Plugin

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another…

PLUGIN Gradle

CVE-2026-22816

HIGH CVSS 8.6 2026-01-16
Open Full Technical Breakdown
Scroll to top