
Threat Database

Threat Entry Updated 2025-11-12

CVE-2025-12846 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to authenticated arbitrary file upload in all versions up to, and including, 2.1.19. This is due to insufficient file type validation detecting SVG files, allowing double extension files to bypass sanitization while being accepted as a valid SVG file. This makes it possible for authenticated attackers, with author level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Blocksy Companion

CVE-2025-12846

HIGH CVSS 8.8 2025-11-11
Threat Entry Updated 2025-11-13

CVE-2025-11855 - Age Restriction Plugin

The age-restriction WordPress plugin through 3.0.2 does not perform an authorisation check in the age_restrictionRemoteSupportRequest function, allowing any authenticated user, such as a subscriber, to create an admin user with a hardcoded username and an arbitrary password.

PLUGIN Age Restriction

CVE-2025-11855

HIGH CVSS 7.5 2025-11-11
Threat Entry Updated 2025-11-13

CVE-2025-11307 - Before 9 Plugin

The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped.

PLUGIN Before 9

CVE-2025-11307

HIGH CVSS 8.8 2025-11-11
Threat Entry Updated 2025-11-12

CVE-2025-12637 - Elastic Theme Editor Plugin

The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Elastic Theme Editor

CVE-2025-12637

HIGH CVSS 8.8 2025-11-11
Threat Entry Updated 2025-11-12

CVE-2025-11168 - Mementor Core Plugin

The Mementor Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.5. This is due to the plugin not properly handling the user switch-back function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges by accessing an administrator account through the switch-back functionality.

PLUGIN Mementor Core

CVE-2025-11168

HIGH CVSS 8.8 2025-11-11
Threat Entry Updated 2025-11-12

CVE-2025-11521 - Getastra Plugin

The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Getastra

CVE-2025-11521

HIGH CVSS 8.1 2025-11-11
Threat Entry Updated 2025-11-12

CVE-2025-11451 - Amazon Auto Links Plugin

The Auto Amazon Links – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' REST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Amazon Auto Links

CVE-2025-11451

HIGH CVSS 7.5 2025-11-11
Threat Entry Updated 2025-11-12

CVE-2025-12399 - Alex Reservations Plugin

The Alex Reservations: Smart Restaurant Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-json/srr/v1/app/upload/file REST endpoint in all versions up to, and including, 2.2.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Alex Reservations

CVE-2025-12399

HIGH CVSS 7.2 2025-11-08
Threat Entry Updated 2025-11-12

CVE-2025-11967 - Mail Mint Plugin

The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions up to, and including, 1.18.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Mail Mint

CVE-2025-11967

HIGH CVSS 7.2 2025-11-08
Threat Entry Updated 2025-11-12

CVE-2025-12099 - Wordpress Lms Plugin For Complete Elearning Solution

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of untrusted input in the 'import_all_courses' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is…

PLUGIN Wordpress Lms Plugin For Complete Elearning Solution

CVE-2025-12099

HIGH CVSS 7.2 2025-11-08
Threat Entry Updated 2025-11-12

CVE-2025-9334 - Ai Powered Suggestions Plugin

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.

PLUGIN Ai Powered Suggestions

CVE-2025-9334

HIGH CVSS 8.8 2025-11-08
Threat Entry Updated 2025-11-12

CVE-2025-12161 - Smart Auto Upload Images Plugin

The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Smart Auto Upload Images

CVE-2025-12161

HIGH CVSS 8.8 2025-11-08
Threat Entry Updated 2025-11-12

CVE-2025-11452 - Asgaros Forum Plugin

The Asgaros Forum plugin for WordPress is vulnerable to SQL Injection via the '$_COOKIE['asgarosforum_unread_exclude']' cookie in all versions up to, and including, 3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Asgaros Forum

CVE-2025-11452

HIGH CVSS 7.5 2025-11-08
Threat Entry Updated 2025-12-04

CVE-2025-4519 - Idonate Plugin

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_password() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to initiate a password reset for any user (including administrators) and elevate their privileges for full site takeover.

PLUGIN Idonate

CVE-2025-4519

HIGH CVSS 8.8 2025-11-07
Threat Entry Updated 2025-11-12

CVE-2025-5483 - Lc Wizard Plugin

The LC Wizard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check in the ghl-wizard/inc/wp_user.php file in versions 1.2.10 to 1.3.0. This makes it possible for unauthenticated attackers to create new user accounts with the administrator role when the PRO functionality is enabled.

PLUGIN Lc Wizard

CVE-2025-5483

HIGH CVSS 8.1 2025-11-07
Threat Entry Updated 2026-01-20

CVE-2025-60199 - Inhype Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx InHype - Blog & Magazine WordPress Theme inhype allows PHP Local File Inclusion. This issue affects InHype - Blog & Magazine WordPress Theme: from n/a through

THEME Inhype Allows Php Local File Inclusion

CVE-2025-60199

HIGH CVSS 8.2 2025-11-06
Threat Entry Updated 2026-01-20

CVE-2025-60198 - Saxon Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Saxon - Viral Content Blog & Magazine Marketing WordPress Theme saxon allows PHP Local File Inclusion. This issue affects Saxon - Viral Content Blog & Magazine Marketing WordPress Theme: from n/a through

THEME Saxon Allows Php Local File Inclusion

CVE-2025-60198

HIGH CVSS 8.1 2025-11-06
Threat Entry Updated 2026-01-20

CVE-2025-60190 - Immocaster Allows Php Local File Inclusion Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hinnerk Altenburg Immocaster WordPress Plugin immocaster allows PHP Local File Inclusion. This issue affects Immocaster WordPress Plugin: from n/a through

PLUGIN Immocaster Allows Php Local File Inclusion

CVE-2025-60190

HIGH CVSS 8.1 2025-11-06
Threat Entry Updated 2025-11-06

CVE-2025-12497 - Premium Portfolio Features For Phlox Theme Plugin

The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.10 via the 'args[extra_template_path]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Premium Portfolio Features For Phlox Theme

CVE-2025-12497

HIGH CVSS 8.1 2025-11-05