Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-12-12

CVE-2025-14044 - Logic Pro Plugin

The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized cookie data directly to the `unserialize()` function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker…

PLUGIN Logic Pro

CVE-2025-14044

HIGH CVSS 8.1 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-13334 - Blaze Demo Importer Plugin

The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder.

PLUGIN Blaze Demo Importer

CVE-2025-13334

HIGH CVSS 8.1 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-12968 - Infility Global Plugin

The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.23. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Infility Global

CVE-2025-12968

HIGH CVSS 8.8 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-12824 - Player Leaderboard Plugin

The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain…

PLUGIN Player Leaderboard

CVE-2025-12824

HIGH CVSS 8.8 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-13886 - Lt Unleashed Plugin

The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in the `book` shortcode due to insufficient path sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files such as wp-config.php can be included.

PLUGIN Lt Unleashed

CVE-2025-13886

HIGH CVSS 7.5 2025-12-12
Threat Entry Updated 2025-12-12

CVE-2025-13073 - Before 2 Plugin

The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2025-13073

HIGH CVSS 7.1 2025-12-10
Threat Entry Updated 2025-12-12

CVE-2025-13072 - Before 2 Plugin

The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 2

CVE-2025-13072

HIGH CVSS 7.1 2025-12-10
Threat Entry Updated 2025-12-12

CVE-2025-13339 - Hippoo Mobile App For Woocommerce Plugin

The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1 via the template_redirect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Hippoo Mobile App For Woocommerce

CVE-2025-13339

HIGH CVSS 7.5 2025-12-10
Threat Entry Updated 2026-01-20

CVE-2025-67472 - Online Booking Scheduling Calendar Plugin

Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through

PLUGIN Online Booking Scheduling Calendar

CVE-2025-67472

HIGH CVSS 8.8 2025-12-09
Threat Entry Updated 2025-12-09

CVE-2025-13604 - Security Malware Firewall Plugin

The Login Security, FireWall, Malware removal by CleanTalk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the page URL in all versions up to, and including, 2.168 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Security Malware Firewall

CVE-2025-13604

HIGH CVSS 7.2 2025-12-09
Threat Entry Updated 2026-01-09

CVE-2025-13071 - Custom Admin Menu Plugin

The Custom Admin Menu WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Custom Admin Menu

CVE-2025-13071

HIGH CVSS 7.1 2025-12-09
Threat Entry Updated 2025-12-09

CVE-2025-12705 - Fb Reviews Widget Plugin

The Social Reviews & Recommendations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the 'trim_text' function in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.5.

PLUGIN Fb Reviews Widget

CVE-2025-12705

HIGH CVSS 7.2 2025-12-09
Threat Entry Updated 2025-12-08

CVE-2025-13065 - Starter Templates Plugin

The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation when detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Starter Templates

CVE-2025-13065

HIGH CVSS 8.8 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-12966 - All In One Video Gallery Plugin

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN All In One Video Gallery

CVE-2025-12966

HIGH CVSS 8.8 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-12499 - Rich Shortcodes For Google Reviews Plugin

The Rich Shortcodes for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contents of a Google Review in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in version 6.6.2.

PLUGIN Rich Shortcodes For Google Reviews

CVE-2025-12499

HIGH CVSS 7.2 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-12510 - Widgets For Google Reviews Plugin

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 13.2.4 due to insufficient input sanitization and output escaping on Google Reviews data imported by the plugin. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute in the admin panel (and potentially on the frontend) whenever a user accesses imported reviews, granted they can add a malicious review to a Google Place that is connected to the vulnerable site.

PLUGIN Widgets For Google Reviews

CVE-2025-12510

HIGH CVSS 7.2 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-12879 - User Importer And Generator Plugin

The User Generator and Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce validation in the "Import Using CSV File" function. This makes it possible for unauthenticated attackers to elevate user privileges by creating arbitrary accounts with administrator privileges via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN User Importer And Generator

CVE-2025-12879

HIGH CVSS 8.8 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-13614 - Cool Tag Cloud Plugin

The Cool Tag Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cool_tag_cloud' shortcode in all versions up to, and including, 2.29 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cool Tag Cloud

CVE-2025-13614

HIGH CVSS 8.1 2025-12-05
Threat Entry Updated 2025-12-08

CVE-2025-12851 - My Auctions Allegro Plugin

The My auctions allegro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.6.32 via the 'controller' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN My Auctions Allegro

CVE-2025-12851

HIGH CVSS 8.1 2025-12-05