Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Records: 470 total (68 Critical, 135 High, 267 Medium)
Showing 21-40 of 470 records
CVE-2025-12981 - Listee Theme

The Listee theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.6. This is due to a broken validation check in the bundled listee-core plugin's user registration function that fails to properly sanitize the user_role parameter. This makes it possible for unauthenticated attackers to register as Administrator by manipulating the user_role parameter during registration.

Component: Listee (THEME) | Severity: CRITICAL | CVSS 9.8 | 2026-02-27 | Threat entry updated 2026-02-27
CVE-2025-14040 - Automotive Car Dealership Business Wordpress Theme

The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Component: Automotive Car Dealership Business Wordpress (THEME) | Severity: MEDIUM | CVSS 6.4 | 2026-02-27 | Threat entry updated 2026-02-27
CVE-2026-28132 - WooCommerce Photo Reviews Theme

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection. This issue affects WooCommerce Photo Reviews: from n/a through

Component: WooCommerce Photo Reviews (THEME) | Severity: MEDIUM | CVSS 5.3 | 2026-02-26 | Threat entry updated 2026-02-27
CVE-2026-1311 - Worry Proof Backup Theme

The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path traversal sequences to write arbitrary files anywhere on the server, including executable PHP files. This can lead to remote code execution.

Component: Worry Proof Backup (THEME) | Severity: HIGH | CVSS 8.8 | 2026-02-26 | Threat entry updated 2026-04-15
CVE-2026-2498 - WP Social Meta Theme

The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Component: WP Social Meta (THEME) | Severity: MEDIUM | CVSS 4.4 | 2026-02-26 | Threat entry updated 2026-04-15
CVE-2026-2410 - Disable Admin Notices – Hide Dashboard Notifications Theme

The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Component: Disable Admin Notices – Hide Dashboard Notifications (THEME) | Severity: MEDIUM | CVSS 4.3 | 2026-02-25 | Threat entry updated 2026-04-15
CVE-2026-1614 - Rise Blocks – A Complete Gutenberg Page Builder Theme

The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'logoTag' Site Identity block attribute in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Component: Rise Blocks – A Complete Gutenberg Page Builder (THEME) | Severity: MEDIUM | CVSS 6.4 | 2026-02-25 | Threat entry updated 2026-04-15
CVE-2026-2385 - The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce Theme

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.

Component: The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce (THEME) | Severity: MEDIUM | CVSS 5.3 | 2026-02-22 | Threat entry updated 2026-04-15
CVE-2026-22381 - PawFriends - Pet Shop and Veterinary WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows PHP Local File Inclusion. This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through

Component: PawFriends - Pet Shop and Veterinary WordPress Theme (THEME) | Severity: HIGH | CVSS 8.1 | 2026-02-20 | Threat entry updated 2026-04-15
CVE-2026-22383 - PawFriends - Pet Shop and Veterinary WordPress Theme

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through

Component: PawFriends - Pet Shop and Veterinary WordPress Theme (THEME) | Severity: MEDIUM | CVSS 5.4 | 2026-02-20 | Threat entry updated 2026-04-15
CVE-2025-69385 - Cartify Allows Exploiting Incorrectly Configured Access Control Security Levels Theme

Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through

Component: Cartify Allows Exploiting Incorrectly Configured Access Control Security Levels (THEME) | Severity: MEDIUM | CVSS 6.5 | 2026-02-20 | Threat entry updated 2026-02-23
CVE-2025-69368 - Soho Allows Dom Based Xss Theme

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes SOHO - Photography WordPress Theme soho allows DOM-Based XSS. This issue affects SOHO - Photography WordPress Theme: from n/a through

Component: Soho Allows Dom Based Xss (THEME) | Severity: HIGH | CVSS 7.1 | 2026-02-20 | Threat entry updated 2026-02-23
CVE-2025-69367 - Oyster Allows Dom Based Xss Theme

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Oyster - Photography WordPress Theme oyster allows DOM-Based XSS. This issue affects Oyster - Photography WordPress Theme: from n/a through

Component: Oyster Allows Dom Based Xss (THEME) | Severity: HIGH | CVSS 7.1 | 2026-02-20 | Threat entry updated 2026-02-23
CVE-2026-27052 - Sales Countdown Timer for WooCommerce and WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer allows PHP Local File Inclusion. This issue affects Sales Countdown Timer for WooCommerce and WordPress: from n/a through < 1.1.9.

Component: Sales Countdown Timer for WooCommerce and WordPress (THEME) | Severity: HIGH | CVSS 7.5 | 2026-02-19 | Threat entry updated 2026-04-15
CVE-2026-25416 - News Kit Elementor Addons Theme

Missing Authorization vulnerability in blazethemes News Kit Elementor Addons news-kit-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Kit Elementor Addons: from n/a through

Component: News Kit Elementor Addons (THEME) | Severity: MEDIUM | CVSS 4.3 | 2026-02-19 | Threat entry updated 2026-02-19
CVE-2026-22333 - YITH WooCommerce Compare Theme

Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection. This issue affects YITH WooCommerce Compare: from n/a through

Component: YITH WooCommerce Compare (THEME) | Severity: HIGH | CVSS 7.2 | 2026-02-19 | Threat entry updated 2026-02-24
CVE-2025-14357 - Mega Store Woocommerce Theme

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary pages and modify site settings.

Component: Mega Store Woocommerce (THEME) | Severity: MEDIUM | CVSS 5.3 | 2026-02-19 | Threat entry updated 2026-02-19
CVE-2025-13091 - Shopire Theme

The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the 'fable-extra' plugin.

Component: Shopire (THEME) | Severity: MEDIUM | CVSS 4.3 | 2026-02-19 | Threat entry updated 2026-02-19
CVE-2025-12821 - Newsblogger Theme

The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is due to a reverted fix of CVE-2025-1305.

Component: Newsblogger (THEME) | Severity: HIGH | CVSS 8.8 | 2026-02-19 | Threat entry updated 2026-02-19
CVE-2025-12117 - Renden Theme

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Component: Renden (THEME) | Severity: MEDIUM | CVSS 6.4 | 2026-02-19 | Threat entry updated 2026-02-19