
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 917 · Critical 917 · High 0 · Medium 0
Showing 61-80 of 917 records
Threat Entry Updated 2026-01-26

CVE-2025-15521 - Wordpress Lms Plugin For Complete Elearning Solution

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly exposed nonce for authorization. This makes it possible for unauthenticated attackers to change any user's password, including administrators', and gain access to their account.

PLUGIN Wordpress Lms Plugin For Complete Elearning Solution

CVE-2025-15521

CRITICAL CVSS 9.8 2026-01-21
Threat Entry Updated 2026-01-26

CVE-2025-14533 - Acf Extended Plugin

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.

PLUGIN Acf Extended

CVE-2025-14533

CRITICAL CVSS 9.8 2026-01-20
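The note in this entry (exploitable only when 'role' is mapped to a custom field) is the general lesson: a form-to-record field mapping must never be allowed to drive privileged fields. The block below is an added example in JavaScript (not the plugin's PHP) of that mapping pattern in its vulnerable and hardened forms. The mapping format, the reserved-field list, the self-assignable role list and the function names are assumptions.

```javascript
// Added example, not the plugin's code: custom-field mapping into a new user record.
const SELF_ASSIGNABLE_ROLES = new Set(['subscriber', 'customer']); // assumption: site policy
const DEFAULT_ROLE = 'subscriber';
// Record fields that dedicated code sets; a mapped custom field must never write them.
const RESERVED_USER_FIELDS = new Set(['ID', 'user_pass', 'role']);

// Vulnerable: every mapped custom field is copied into the new user, 'role' included,
// so a visitor whose form has a field mapped to 'role' can register as 'administrator'.
function insertUserVulnerable(form, mapping) {
  const user = { role: DEFAULT_ROLE };
  for (const [formField, userField] of Object.entries(mapping)) {
    if (Object.hasOwn(form, formField)) user[userField] = form[formField];
  }
  return user;
}

// Hardened: reserved fields are never written from the mapping, and a requested role is
// checked against the self-assignable allowlist. Unknown roles are rejected rather than
// silently defaulted so that tampering shows up as an error in the logs.
function insertUserHardened(form, mapping) {
  const user = { role: DEFAULT_ROLE };
  let requestedRole;
  for (const [formField, userField] of Object.entries(mapping)) {
    if (!Object.hasOwn(form, formField)) continue;
    if (userField === 'role') { requestedRole = form[formField]; continue; }
    if (RESERVED_USER_FIELDS.has(userField)) continue;
    user[userField] = form[formField];
  }
  if (requestedRole !== undefined) {
    const role = typeof requestedRole === 'string' ? requestedRole.trim().toLowerCase() : '';
    if (!SELF_ASSIGNABLE_ROLES.has(role)) {
      return { error: `role "${String(requestedRole)}" is not self-assignable` };
    }
    user.role = role;
  }
  return user;
}
```

Privileged roles should only ever be granted by an administrator after the account exists, through a code path that checks the administrator's own capability.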
Threat Entry Updated 2026-01-26

CVE-2025-10484 - Login With Mobile Phone Number For Woocommerce Plugin

The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.

PLUGIN Login With Mobile Phone Number For Woocommerce

CVE-2025-10484

CRITICAL CVSS 9.8 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2025-15403 - Custom Registration Form Builder With Submission Manager Plugin

The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'add_menu' function being accessible via the 'rm_user_exists' AJAX action and allowing arbitrary updates to the 'admin_order' setting. This makes it possible for unauthenticated attackers to inject an empty slug into the order parameter and manipulate the plugin's menu generation logic; when the admin menu is subsequently built, the plugin adds the 'manage_options' capability for the target role. Note: The vulnerability can only be exploited unauthenticated, but further…

PLUGIN Custom Registration Form Builder With Submission Manager

CVE-2025-15403

CRITICAL CVSS 9.8 2026-01-17
Threat Entry Updated 2026-01-26

CVE-2026-23800 - Modular DS Plugin

Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation. This issue affects Modular DS: from 2.5.2 before 2.6.0.

PLUGIN Modular DS

CVE-2026-23800

CRITICAL CVSS 10.0 2026-01-16
Threat Entry Updated 2026-01-26

CVE-2026-23744 - Inspector Plugin

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier contain a remote code execution (RCE) vulnerability: an attacker can send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Because MCPJam inspector listens on 0.0.0.0 by default instead of 127.0.0.1, the RCE can be triggered remotely with a single HTTP request. Version 1.4.3 contains a patch.

PLUGIN Inspector

CVE-2026-23744

CRITICAL CVSS 9.8 2026-01-16
Threat Entry Updated 2026-01-30

CVE-2026-23722 - WeGIA Plugin

WeGIA is a Web Manager for Charitable Institutions. Prior to 3.6.2, a Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the WeGIA system, specifically within the html/memorando/insere_despacho.php file. The application fails to properly sanitize or encode user-supplied input via the id_memorando GET parameter before reflecting it into the HTML source (likely inside a block or an attribute). This allows unauthenticated attackers to inject arbitrary JavaScript or HTML into the context of the user's browser session. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23722

CRITICAL CVSS 9.1 2026-01-16
Threat Entry Updated 2026-02-09

CVE-2026-23523 - Dive Plugin

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation, which can lead to arbitrary local command execution on the victim's machine. This vulnerability is fixed in 0.13.0.

PLUGIN Dive

CVE-2026-23523

CRITICAL CVSS 9.6 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1021 - Police Statistics Database System Plugin

Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

PLUGIN Police Statistics Database System

CVE-2026-1021

CRITICAL CVSS 9.3 2026-01-16
Threat Entry Updated 2026-01-23

CVE-2026-1019 - Police Statistics Database System Plugin

Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a specific functionality.

PLUGIN Police Statistics Database System

CVE-2026-1019

CRITICAL CVSS 9.3 2026-01-16
Threat Entry Updated 2026-01-21

CVE-2026-22863 - Deno Plugin

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto does not finalize the cipher. This lets an attacker obtain an unlimited number of encryptions, which enables naive brute-forcing as well as more refined attacks aimed at learning the server's secrets. This vulnerability is fixed in 2.6.0.

PLUGIN Deno

CVE-2026-22863

CRITICAL CVSS 9.2 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2026-1009 - Altium Live Plugin

A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker’s payload to execute in the context of the victim’s authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.

PLUGIN Altium Live

CVE-2026-1009

CRITICAL CVSS 9.0 2026-01-15
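The WeGIA entry (reflected, via a GET parameter) and the Altium entry (stored, via post content) are the same defect at the output stage: user text reaches HTML without encoding for the context it lands in. The block below is an added example in JavaScript (neither project's code) of context-aware output encoding for an attribute, element text, and a script block. The page templates, the post shape and the function names are constructed for the example.

```javascript
// Added example, not WeGIA's or Altium's code: encode at output, per context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Safe for element text and for values inside quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Inside a <script> block HTML escaping is the wrong tool: embed data as JSON and make sure
// "</script" and the U+2028/U+2029 line terminators cannot appear raw in the output.
function toScriptJson(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Vulnerable shape of the reflected case: the parameter is concatenated raw into an
// attribute and a script block, so '">' or '";' breaks out of the intended context.
function renderMemoPageVulnerable(idMemorando) {
  return `<input name="id_memorando" value="${idMemorando}">\n` +
         `<script>var memo = "${idMemorando}";</script>`;
}

function renderMemoPageSafe(idMemorando) {
  return `<input name="id_memorando" value="${escapeHtml(idMemorando)}">\n` +
         `<script>var memo = ${toScriptJson(String(idMemorando))};</script>`;
}

// Stored case: the post is encoded when rendered, not when saved, so the stored text stays
// intact and every output path (page, e-mail digest, API) applies the same rule.
function renderForumPostSafe(post) {
  return `<article data-author="${escapeHtml(post.author)}">` +
         `<p>${escapeHtml(post.body)}</p></article>`;
}
```

A server-side sanitizer on save is a reasonable extra layer for rich-text posts, but output encoding is the control that must never be missing, because stored content can be rendered in contexts the sanitizer did not anticipate.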
Threat Entry Updated 2026-01-16

CVE-2026-23746 - Instant Financial Issuance (IF) Plugin

Entrust Instant Financial Issuance (IFI) On Premise software (formerly referred to as CardWizard) versions 5.x, prior to 6.10.5, and prior to 6.11.1 contain an insecure .NET Remoting exposure in the SmartCardController service (DCG.SmartCardControllerService.exe). The service registers a TCP remoting channel with unsafe formatter/settings that permit untrusted remoting object invocation. A remote, unauthenticated attacker who can reach the remoting port can invoke exposed remoting objects to read arbitrary files from the server and coerce outbound authentication, and may achieve arbitrary file write and remote code execution via known .NET Remoting exploitation…

PLUGIN Instant Financial Issuance (IF)

CVE-2026-23746

CRITICAL CVSS 9.3 2026-01-15
Threat Entry Updated 2026-02-05

CVE-2026-23520 - Arcane Plugin

Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container…

PLUGIN Arcane

CVE-2026-23520

CRITICAL CVSS 9.0 2026-01-15
Threat Entry Updated 2026-01-23

CVE-2026-22908 - TDC-X401GL Plugin

Uploading unvalidated container images may allow remote attackers to gain full access to the system, potentially compromising its integrity and confidentiality.

PLUGIN TDC-X401GL

CVE-2026-22908

CRITICAL CVSS 9.1 2026-01-15
Threat Entry Updated 2026-02-02

CVE-2026-22240 - BLUVOYIX Plugin

The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.

PLUGIN BLUVOYIX

CVE-2026-22240

CRITICAL CVSS 10.0 2026-01-14
Threat Entry Updated 2026-02-02

CVE-2026-22239 - BLUVOYIX Plugin

The vulnerability exists in BLUVOYIX due to design flaws in the email sending API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable email sending API. Successful exploitation of this vulnerability could allow the attacker to send unsolicited emails to anyone on behalf of the company.

PLUGIN BLUVOYIX

CVE-2026-22239

CRITICAL CVSS 10.0 2026-01-14