
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Filter counts: Total 201 | Critical 0 | High 0 | Medium 0

Showing 61-80 of 201 records
Threat Entry Updated 2025-10-14

CVE-2025-8594 - Pz-LinkCard Plugin

The Pz-LinkCard WordPress plugin before 2.5.7 does not validate a parameter before making a request to it, which could allow users with a role as low as Contributor to perform an SSRF attack.

Type: Plugin (Pz-LinkCard) | Severity: LOW | CVSS: 3.8 | Date: 2025-10-14
Threat Entry Updated 2025-10-14

CVE-2025-8606 - GSheetConnector For Gravity Forms Plugin

The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 1.3.23. This is due to missing or incorrect nonce validation on the activate_plugin and deactivate_plugin functions. This makes it possible for attackers to trick authenticated administrators into activating or deactivating specified plugins via a forged request, such as clicking on a malicious link or visiting a compromised page.

Type: Plugin (GSheetConnector For Gravity Forms) | Severity: LOW | CVSS: 2.4 | Date: 2025-10-11
Threat Entry Updated 2025-10-06

CVE-2025-10306 - Backup Bolt Plugin

The Backup Bolt plugin for WordPress is vulnerable to arbitrary file downloads and backup location writes in all versions up to, and including, 1.4.1 via the process_backup_batch() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to download directories outside of the webroot and write backup zip files to arbitrary locations.

Type: Plugin (Backup Bolt) | Severity: LOW | CVSS: 3.8 | Date: 2025-10-03
Threat Entry Updated 2025-09-26

CVE-2025-10173 - ShopEngine (All in One WooCommerce Solution) Plugin

The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.

Type: Plugin (ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution) | Severity: LOW | CVSS: 2.7 | Date: 2025-09-26
Threat Entry Updated 2025-11-13

CVE-2025-8282 - SureForms Plugin

The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputting them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks.

Type: Plugin (SureForms) | Severity: LOW | CVSS: 3.5 | Date: 2025-09-23
Threat Entry Updated 2025-09-15

CVE-2025-3650 - jQuery Colorbox Plugin

The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.

Type: Plugin (jQuery Colorbox) | Severity: LOW | CVSS: 3.5 | Date: 2025-09-12
Threat Entry Updated 2025-11-13

CVE-2025-9111 - AI ChatBot for WordPress Plugin

The AI ChatBot for WordPress WordPress plugin before 7.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Type: Plugin (AI ChatBot for WordPress) | Severity: LOW | CVSS: 3.5 | Date: 2025-09-09
Threat Entry Updated 2026-01-30

CVE-2025-8889 - Compress & Upload Plugin

The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup).

Type: Plugin (Compress & Upload) | Severity: LOW | CVSS: 3.8 | Date: 2025-09-09
Threat Entry Updated 2025-08-15

CVE-2025-8013 - Quttera Web Malware Scanner Plugin

The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Type: Plugin (Quttera Web Malware Scanner) | Severity: LOW | CVSS: 3.8 | Date: 2025-08-15
Threat Entry Updated 2025-07-22

CVE-2025-54352 - WordPress Core

WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior.

Type: Core (WordPress Core) | Severity: LOW | CVSS: 3.7 | Date: 2025-07-21
Threat Entry Updated 2025-07-03

CVE-2025-4654 - Soumettre.fr Plugin

The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the Soumettre account is not connected (i.e. the API key is not installed).

Type: Plugin (Soumettre.fr) | Severity: LOW | CVSS: 3.7 | Date: 2025-07-02
Threat Entry Updated 2025-10-02

CVE-2024-7762 - Simple Job Board Plugin

The Simple Job Board WordPress plugin before 2.12.6 does not prevent uploaded files from being listed, allowing unauthenticated users to access and download uploaded resumes.

Type: Plugin (Simple Job Board) | Severity: LOW | CVSS: 3.7 | Date: 2025-05-15
Threat Entry Updated 2025-11-13

CVE-2024-4091 - Responsive Gallery Grid Plugin

The Responsive Gallery Grid WordPress plugin before 2.3.15 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

Type: Plugin (Responsive Gallery Grid) | Severity: LOW | CVSS: 3.5 | Date: 2025-05-15
Threat Entry Updated 2025-11-13

CVE-2024-4004 - Advanced Cron Manager Plugin

The Advanced Cron Manager WordPress plugin before 2.5.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Type: Plugin (Advanced Cron Manager) | Severity: LOW | CVSS: 3.5 | Date: 2025-05-15
Threat Entry Updated 2025-11-13

CVE-2024-4002 - Carousel, Slider, Gallery by WP Carousel Plugin

The Carousel, Slider, Gallery by WP Carousel WordPress plugin before 2.6.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Type: Plugin (Carousel, Slider, Gallery by WP Carousel) | Severity: LOW | CVSS: 3.5 | Date: 2025-05-15
Threat Entry Updated 2025-11-13

CVE-2024-3996 - Smart Post Show Plugin

The Smart Post Show WordPress plugin before 2.4.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Type: Plugin (Smart Post Show) | Severity: LOW | CVSS: 3.5 | Date: 2025-05-15
Threat Entry Updated 2025-06-09

CVE-2024-11140 - Real WP Shop Lite Ajax eCommerce Shopping Cart Plugin

The Real WP Shop Lite Ajax eCommerce Shopping Cart WordPress plugin through 2.0.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Type: Plugin (Real WP Shop Lite Ajax eCommerce Shopping Cart) | Severity: LOW | CVSS: 3.5 | Date: 2025-05-15
Threat Entry Updated 2025-06-09

CVE-2024-10098 - ApplyOnline Plugin

The ApplyOnline WordPress plugin before 2.6.3 does not protect uploaded files during the application process, allowing unauthenticated users to access them and any private information they contain.

Type: Plugin (ApplyOnline) | Severity: LOW | CVSS: 2.7 | Date: 2025-05-15