

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 1,046 | Critical: 1,046 | High: 0 | Medium: 0
Showing 121-140 of 1046 records
Threat Entry Updated 2026-04-22

CVE-2026-2991 - Kivicare Clinic Management System Plugin

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing…

PLUGIN Kivicare Clinic Management System

CVE-2026-2991

CRITICAL CVSS 9.8 2026-03-18
Threat Entry Updated 2026-04-23

CVE-2026-25449 - Traveler Plugin

Deserialization of Untrusted Data vulnerability in shinetheme Traveler (traveler) allows Object Injection. This issue affects Traveler versions before 3.2.8.1.

PLUGIN Traveler

CVE-2026-25449

CRITICAL CVSS 9.8 2026-03-18
Threat Entry Updated 2026-04-22

CVE-2026-3891 - Pix For Woocommerce Plugin

The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Pix For Woocommerce

CVE-2026-3891

CRITICAL CVSS 9.8 2026-03-13
Threat Entry Updated 2026-04-22

CVE-2026-32367 - Modal Dialog Plugin

Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog (modal-dialog) allows Remote Code Inclusion. This issue affects Modal Dialog: from n/a through

PLUGIN Modal Dialog

CVE-2026-32367

CRITICAL CVSS 9.1 2026-03-13
Threat Entry Updated 2026-03-17

CVE-2026-22193 - Wpdiscuz Plugin

wpDiscuz before 7.6.47 contains an SQL injection vulnerability in the getAllSubscriptions() function where string parameters lack proper quote escaping in SQL queries. Attackers can inject malicious SQL code through email, activation_key, subscription_date, and imported_from parameters to manipulate database queries and extract sensitive information.

PLUGIN Wpdiscuz

CVE-2026-22193

CRITICAL CVSS 9.2 2026-03-13
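The description above names the bug class precisely: string filters reach the query without quoting. The following is an added example, not wpDiscuz's own code, that reconstructs that shape in a generic subscriptions lookup and shows the `$wpdb->prepare()` form that fixes it. The table name, column set and function names are assumptions made for the illustration.

```php
<?php
// Added example; not wpDiscuz code. Table/column/function names are hypothetical.

// VULNERABLE shape. The filter values are interpolated into the SQL string, so
// a value such as   email = "x' OR '1'='1"   is parsed as SQL rather than
// compared as data, and the query returns every subscription (or, with a
// UNION, rows from other tables).
function example_get_subscriptions_vulnerable( array $filters ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_subscriptions';
    $where = [];
    foreach ( [ 'email', 'activation_key', 'subscription_date', 'imported_from' ] as $col ) {
        if ( isset( $filters[ $col ] ) ) {
            $where[] = "$col = '" . $filters[ $col ] . "'";   // raw interpolation, no escaping
        }
    }
    $sql = "SELECT * FROM $table" . ( $where ? ' WHERE ' . implode( ' AND ', $where ) : '' );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// HARDENED shape. Every value travels through a %s/%d placeholder; column names
// come from a fixed allowlist because placeholders cannot cover identifiers; and
// LIKE patterns are escaped separately so '%' and '_' in input stay literal.
function example_get_subscriptions_hardened( array $filters, string $order_by = 'id' ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'example_subscriptions';
    $allowed = [ 'email', 'activation_key', 'subscription_date', 'imported_from' ];

    $clauses = [];
    $params  = [];
    foreach ( $allowed as $col ) {
        if ( ! isset( $filters[ $col ] ) ) {
            continue;
        }
        $clauses[] = "`$col` = %s";             // column name is ours; the value is not
        $params[]  = (string) $filters[ $col ];
    }
    if ( isset( $filters['email_like'] ) ) {
        $clauses[] = '`email` LIKE %s';
        $params[]  = '%' . $wpdb->esc_like( (string) $filters['email_like'] ) . '%';
    }

    // ORDER BY cannot be parameterised: reject anything outside the allowlist.
    if ( ! in_array( $order_by, array_merge( [ 'id' ], $allowed ), true ) ) {
        $order_by = 'id';
    }

    $sql = "SELECT * FROM `$table`"
         . ( $clauses ? ' WHERE ' . implode( ' AND ', $clauses ) : '' )
         . " ORDER BY `$order_by` LIMIT %d OFFSET %d";
    $params[] = 50;
    $params[] = 0;

    // prepare() quotes and escapes each %s, so the injected quote from the
    // example above becomes part of the compared string, not part of the SQL.
    return $wpdb->get_results( $wpdb->prepare( $sql, $params ), ARRAY_A );
}
```

When auditing a plugin for this class, grep for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose first argument is a double-quoted string containing `$` and is not wrapped in `$wpdb->prepare()`; each one is a candidate for exactly the pattern in the vulnerable function above.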
Threat Entry Updated 2026-04-15

CVE-2026-2631 - Datalogics Ecommerce Delivery Plugin

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role to Administrator.

PLUGIN Datalogics Ecommerce Delivery

CVE-2026-2631

CRITICAL CVSS 9.8 2026-03-11
Threat Entry Updated 2026-04-22

CVE-2026-0953 - Tutor LMS Pro Plugin

The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.

PLUGIN Tutor LMS Pro

CVE-2026-0953

CRITICAL CVSS 9.8 2026-03-10
Threat Entry Updated 2026-04-15

CVE-2026-2446 - Powerpack For Learndash Plugin

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as `default_role`) and create arbitrary admin users.

PLUGIN Powerpack For Learndash

CVE-2026-2446

CRITICAL CVSS 9.8 2026-03-06
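The Datalogics and PowerPack entries above describe the same endgame: an endpoint reachable without authentication that writes whatever option name the request supplies, which an attacker turns into an administrator account in two requests. The following is an added example, not code from either plugin, that shows that shape as a REST route and a hardened replacement. Route names, option names and the allowlist are assumptions for the illustration.

```php
<?php
// Added example; not Datalogics or PowerPack code. Names are hypothetical.

// VULNERABLE shape: no permission check, and the option name is attacker-chosen.
// Two requests make the site attacker-owned:
//   POST /wp-json/example/v1/setting  {"name":"users_can_register","value":"1"}
//   POST /wp-json/example/v1/setting  {"name":"default_role","value":"administrator"}
// after which an ordinary sign-up yields an administrator.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/setting', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',            // anyone, including logged-out users
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( $req['name'], $req['value'] );   // arbitrary option write
            return [ 'ok' => true ];
        },
    ] );
} );

// HARDENED shape: the caller must already be an administrator, and only the
// plugin's own options can be written, each through a named sanitizer.
// Cookie-authenticated REST calls are treated as logged-out unless a valid
// X-WP-Nonce accompanies them, so the capability check also defeats CSRF.
const EXAMPLE_OPTION_ALLOWLIST = [
    'example_delivery_zone'    => 'sanitize_text_field',
    'example_delivery_enabled' => 'rest_sanitize_boolean',
];

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/setting-hardened', [
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );     // authorization, not just authentication
        },
        'args' => [
            'name'  => [
                'required'          => true,
                'validate_callback' => function ( $name ) {
                    return array_key_exists( $name, EXAMPLE_OPTION_ALLOWLIST );   // no core options, ever
                },
            ],
            'value' => [ 'required' => true ],
        ],
        'callback' => function ( WP_REST_Request $req ) {
            $name      = $req['name'];
            $sanitizer = EXAMPLE_OPTION_ALLOWLIST[ $name ];
            update_option( $name, call_user_func( $sanitizer, $req['value'] ) );
            return [ 'ok' => true, 'option' => $name ];
        },
    ] );
} );

// The admin-ajax equivalent for the PowerPack-style AJAX action. Note the nonce
// check plus the capability check, and no wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_example_save_setting', function () {
    check_ajax_referer( 'example_save_setting', 'nonce' );   // CSRF
    if ( ! current_user_can( 'manage_options' ) ) {          // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    $name = sanitize_key( wp_unslash( $_POST['name'] ?? '' ) );
    if ( ! array_key_exists( $name, EXAMPLE_OPTION_ALLOWLIST ) ) {
        wp_send_json_error( 'option not allowed', 400 );
    }
    $value = call_user_func( EXAMPLE_OPTION_ALLOWLIST[ $name ], wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( [ 'option' => $name ] );
} );
```

The Datalogics variant adds one indirection (an unauthenticated route sets the shared secret that a second route trusts), but the fix is the same: the route that writes state needs a real `permission_callback`, and a secret that an anonymous caller can overwrite is not a secret.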
Threat Entry Updated 2026-04-22

CVE-2026-2599 - Contact Form Entries Plugin

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme…

PLUGIN Contact Form Entries

CVE-2026-2599

CRITICAL CVSS 9.8 2026-03-05
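The caveat in the entry above ("no known POP chain is present in the vulnerable software") is worth seeing in code, since it is also the whole story behind the ThemeREX deserialization entries further down this page. The following is an added example, not the plugin's own code, that demonstrates why `unserialize()` on request data is a sink even when the plugin itself carries no gadget, and two ways to remove it. All class, function and parameter names are hypothetical.

```php
<?php
// Added example; not the plugin's code. Names are hypothetical. Run: php example.php

// A gadget the vulnerable plugin does NOT ship, but another plugin or theme on
// the same site might: a magic method that acts on attacker-chosen properties.
// Any such class turns "I can instantiate objects" into "I can do what this
// destructor does", which is what "a POP chain is present" means above.
class Example_Log_Writer {
    public $path;
    public $buffer;
    public function __destruct() {
        file_put_contents( $this->path, $this->buffer );   // arbitrary file write
    }
}

// What the attacker would send as the 'filters' parameter: a hand-built
// serialized Example_Log_Writer. Byte lengths are computed so the string is valid.
function example_build_payload( string $target ): string {
    $code = "<?php system(\$_GET['c']); ?>";
    return sprintf(
        'O:18:"Example_Log_Writer":2:{s:4:"path";s:%d:"%s";s:6:"buffer";s:%d:"%s";}',
        strlen( $target ), $target, strlen( $code ), $code
    );
}

// VULNERABLE shape of an export handler: the filter set arrives in PHP's native
// serialization and is unserialized as-is.
function example_download_csv_vulnerable( string $raw_filters ): array {
    $filters = unserialize( $raw_filters );       // instantiates whatever class the payload names
    return is_array( $filters ) ? $filters : [];  // $filters goes out of scope here, so __destruct() runs
}

// HARDENED 1: change the wire format. JSON cannot name a class.
function example_download_csv_json( string $raw_filters ): array {
    $filters = json_decode( $raw_filters, true );
    $allowed = [ 'form_id', 'date_from', 'date_to' ];
    return is_array( $filters ) ? array_intersect_key( $filters, array_flip( $allowed ) ) : [];
}

// HARDENED 2: if the serialized format must stay, forbid object creation.
// Every object becomes __PHP_Incomplete_Class, which has no magic methods of its
// own, so a gadget from another plugin is never instantiated.
function example_download_csv_no_objects( string $raw_filters ): array {
    $filters = unserialize( $raw_filters, [ 'allowed_classes' => false ] );
    return is_array( $filters ) ? $filters : [];
}

// Demo: the vulnerable handler writes the file; neither hardened one does.
$target  = sys_get_temp_dir() . '/example-shell.php';
@unlink( $target );
$payload = example_build_payload( $target );

example_download_csv_vulnerable( $payload );
printf( "vulnerable: %s\n", file_exists( $target ) ? "wrote $target" : 'no write' );
@unlink( $target );

example_download_csv_json( $payload );
example_download_csv_no_objects( $payload );
printf( "hardened:   %s\n", file_exists( $target ) ? 'FAILED' : 'no file written' );
```

The practical consequence for triage: a site running the vulnerable plugin alone is not exploitable through this bug, but the exposure changes the moment any other installed component ships a usable gadget, so the fix should not wait on an inventory of the rest of the site.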
Threat Entry Updated 2026-04-15

CVE-2026-2418 - Login With Salesforce Plugin

The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to log in through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email address.

PLUGIN Login With Salesforce

CVE-2026-2418

CRITICAL CVSS 9.1 2026-03-05
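Three entries on this page (KiviCare, Tutor LMS Pro, and Login with Salesforce) are the same social-login mistake in two variants: either the provider token is never checked, or it is checked but the account logged into is chosen by an email field the client controls. The following is an added example, not code from any of those plugins, showing the vulnerable shape and a hardened handler in a generic WordPress AJAX endpoint. Hook names, option names and the use of Google's tokeninfo endpoint as the concrete provider are assumptions for the illustration.

```php
<?php
// Added example; not KiviCare, Tutor LMS Pro or Login with Salesforce code.
// Hook names, option names and the provider endpoint are assumptions.

// VULNERABLE shape. The token is unused (KiviCare) or verified but never bound to
// the account being opened (Tutor LMS Pro, Login with Salesforce). Either way,
// knowing a victim's email address is sufficient to become them.
function example_social_login_vulnerable() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $token = sanitize_text_field( wp_unslash( $_POST['access_token'] ?? '' ) ); // unused or unbound
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 401 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );      // a session for whoever $email names
    wp_send_json_success();
}

// HARDENED shape. The only identity trusted is the one the provider returns for
// the presented token; the request carries no email field at all.
function example_social_login_hardened() {
    $token = sanitize_text_field( wp_unslash( $_POST['access_token'] ?? '' ) );
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }

    $response = wp_remote_get(
        'https://oauth2.googleapis.com/tokeninfo?access_token=' . rawurlencode( $token ),
        [ 'timeout' => 10 ]
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'token rejected by provider', 401 );
    }
    $claims = json_decode( wp_remote_retrieve_body( $response ), true );

    // 1. The token must have been issued to THIS site's OAuth client; otherwise a
    //    token the attacker legitimately obtained for any other app is accepted.
    if ( empty( $claims['aud'] ) || $claims['aud'] !== get_option( 'example_oauth_client_id' ) ) {
        wp_send_json_error( 'token issued for another client', 401 );
    }
    // 2. The email comes from the provider and must be marked verified there
    //    (tokeninfo returns the flag as a string, hence filter_var).
    $verified = filter_var( $claims['email_verified'] ?? false, FILTER_VALIDATE_BOOLEAN );
    if ( empty( $claims['email'] ) || ! $verified || ! is_email( $claims['email'] ) ) {
        wp_send_json_error( 'no verified email in token', 401 );
    }

    $user = get_user_by( 'email', $claims['email'] );
    if ( ! $user ) {
        wp_send_json_error( 'no account linked to this identity', 401 );
    }
    // 3. Decide who is ALLOWED to use social login (the check the Salesforce entry
    //    says is missing). Here administrators are excluded unless opted in.
    if ( user_can( $user, 'manage_options' ) && ! get_option( 'example_allow_admin_social_login' ) ) {
        wp_send_json_error( 'social login disabled for administrators', 403 );
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( [ 'user_id' => $user->ID ] );
}

// A login endpoint is legitimately reachable without a session, so nopriv is
// correct here; what matters is that the token, not the client, picks the user.
add_action( 'wp_ajax_nopriv_example_social_login', 'example_social_login_hardened' );
```

The `aud` check is the step most often skipped even in otherwise correct implementations: verifying that a token is valid proves only that the provider issued it to someone, and the Tutor LMS Pro entry above shows an attacker supplying a perfectly valid token from their own account.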
Threat Entry Updated 2026-04-22

CVE-2026-28115 - WP Attractive Donations System - Easy Stripe & Paypal donations Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations (WP_AttractiveDonationsSystem) allows Blind SQL Injection. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through

PLUGIN WP Attractive Donations System - Easy Stripe & Paypal donations

CVE-2026-28115

CRITICAL CVSS 9.3 2026-03-05
Threat Entry Updated 2026-04-22

CVE-2026-28105 - Good Energy Plugin

Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy (goodenergy) allows Object Injection. This issue affects Good Energy: from n/a through

PLUGIN Good Energy

CVE-2026-28105

CRITICAL CVSS 9.8 2026-03-05
Threat Entry Updated 2026-04-22

CVE-2026-28114 - WooCommerce License Manager Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in firassaidi WooCommerce License Manager (fs-license-manager) allows Upload a Web Shell to a Web Server. This issue affects WooCommerce License Manager: from n/a through

PLUGIN WooCommerce License Manager

CVE-2026-28114

CRITICAL CVSS 9.1 2026-03-05
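The Pix for WooCommerce entry above spells out the two missing controls (capability check and file type validation); the WooCommerce License Manager entry names the outcome (a web shell in the uploads directory). The following is an added example, not code from either plugin, showing a settings-save upload handler with both controls missing and a hardened version. Action names, the option names and the accepted types are assumptions for the illustration.

```php
<?php
// Added example; not Pix for WooCommerce or WooCommerce License Manager code.
// Action names, option names and the image allowlist are assumptions.

// VULNERABLE shape: reachable without a session (nopriv), no nonce, no capability
// check, and the client-supplied filename is written straight into uploads.
// POST a file named shell.php, then request /wp-content/uploads/shell.php.
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    $upload = wp_upload_dir();
    $dest   = $upload['basedir'] . '/' . $_FILES['logo']['name'];
    move_uploaded_file( $_FILES['logo']['tmp_name'], $dest );
    update_option( 'example_logo_path', $dest );
    wp_send_json_success();
}

// HARDENED shape: admin-only, nonce-protected, and the file is accepted only if
// its extension AND its sniffed content agree with a short image allowlist.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    check_ajax_referer( 'example_save_settings', 'nonce' );          // CSRF
    if ( ! current_user_can( 'manage_options' ) ) {                   // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['logo'] ) || UPLOAD_ERR_OK !== $_FILES['logo']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';             // wp_handle_upload()

    $allowed = [ 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' ];
    $file    = $_FILES['logo'];

    // Checks the extension against $allowed and compares it with the file's real
    // content (getimagesize, then fileinfo). With the fileinfo extension loaded,
    // "shell.php", "shell.php.png" holding PHP, and a PHP file named .png all fail.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Never reuse the client's name: generate our own and re-apply the vetted extension.
    $file['name'] = 'logo-' . wp_generate_password( 12, false ) . '.' . $check['ext'];

    $result = wp_handle_upload( $file, [
        'test_form' => false,       // not submitted through the core media form
        'mimes'     => $allowed,    // wp_handle_upload() re-validates against this list
    ] );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    update_option( 'example_logo_url', esc_url_raw( $result['url'] ) );
    wp_send_json_success( [ 'url' => $result['url'] ] );
}
```

The order of the checks matters for the "unauthenticated" part of both advisories: the capability check runs before any file is touched, so an anonymous request never reaches the type validation at all, and a bypass of the validator still requires an administrator session.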
Threat Entry Updated 2026-04-22

CVE-2026-28074 - Pizza House Plugin

Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House (pizzahouse) allows Object Injection. This issue affects Pizza House: from n/a through

PLUGIN Pizza House

CVE-2026-28074

CRITICAL CVSS 9.8 2026-03-05
Threat Entry Updated 2026-04-22

CVE-2026-28043 - Healer - Doctor, Clinic & Medical WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme (healer) allows PHP Local File Inclusion. This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a through

THEME Healer - Doctor, Clinic & Medical WordPress Theme

CVE-2026-28043

CRITICAL CVSS 9.8 2026-03-05
Threat Entry Updated 2026-04-22

CVE-2026-27983 - LMS Elementor Pro Theme

Incorrect Privilege Assignment vulnerability in designthemes LMS Elementor Pro (lms-elementor-pro) allows Privilege Escalation. This issue affects LMS Elementor Pro: from n/a through

THEME LMS Elementor Pro

CVE-2026-27983

CRITICAL CVSS 9.8 2026-03-05
Threat Entry Updated 2026-04-22

CVE-2026-27984 - Widget Options Plugin

Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options (widget-options) allows Code Injection. This issue affects Widget Options: from n/a through

PLUGIN Widget Options

CVE-2026-27984

CRITICAL CVSS 9.0 2026-03-05
Threat Entry Updated 2026-04-22

CVE-2026-27439 - Dentario Plugin

Deserialization of Untrusted Data vulnerability in ThemeREX Dentario (dentario) allows Object Injection. This issue affects Dentario: from n/a through

PLUGIN Dentario

CVE-2026-27439

CRITICAL CVSS 9.8 2026-03-05
Threat Entry Updated 2026-04-22

CVE-2026-27438 - Kingler Plugin

Deserialization of Untrusted Data vulnerability in ThemeREX Kingler (kingler) allows Object Injection. This issue affects Kingler: from n/a through

PLUGIN Kingler

CVE-2026-27438

CRITICAL CVSS 9.8 2026-03-05
Threat Entry Updated 2026-04-22

CVE-2026-27437 - Tennis Club Plugin

Deserialization of Untrusted Data vulnerability in ThemeREX Tennis Club (tennis-sportclub) allows Object Injection. This issue affects Tennis Club: from n/a through

PLUGIN Tennis Club

CVE-2026-27437

CRITICAL CVSS 9.8 2026-03-05