Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-11-06

CVE-2025-11917 - Wpematico Rss Feed Fetcher Plugin

The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.11 via the wpematico_test_feed() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Wpematico Rss Feed Fetcher

CVE-2025-11917

MEDIUM CVSS 6.4 2025-11-05
Threat Entry Updated 2025-11-06

CVE-2025-11373 - Post Slider Carousel Plugin

The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the "depicter-media-upload" AJAX route in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload limited files on the affected site's server.

PLUGIN Post Slider Carousel

CVE-2025-11373

MEDIUM CVSS 4.3 2025-11-05
Threat Entry Updated 2025-11-06

CVE-2025-6027 - Ace User Management Plugin

The Ace User Management WordPress plugin through 2.0.3 does not properly validate that a password reset token is associated with the user who requested it, allowing any authenticated user, such as a subscriber, to reset the password of arbitrary accounts, including administrators.

PLUGIN Ace User Management

CVE-2025-6027

MEDIUM CVSS 6.3 2025-11-05
Threat Entry Updated 2025-11-06

CVE-2025-10567 - Before 3 Plugin

The FunnelKit WordPress plugin before 3.12.0.1 does not sanitize user input before echoing it back in some of its checkout-related AJAX actions, allowing attackers to conduct reflected XSS attacks against logged-in users.

PLUGIN Before 3

CVE-2025-10567

MEDIUM CVSS 6.3 2025-11-05
Threat Entry Updated 2025-11-06

CVE-2025-10873 - Elementinvader Addons For Elementor Plugin

The ElementInvader Addons for Elementor WordPress plugin before 1.4.1 allows unauthenticated users to send arbitrary e-mails to arbitrary addresses due to missing authorization on the elementinvader_addons_for_elementor_forms_send_form action.

PLUGIN Elementinvader Addons For Elementor

CVE-2025-10873

MEDIUM CVSS 5.3 2025-11-05
Threat Entry Updated 2025-11-06

CVE-2025-11162 - Ultimate Addons For Gutenberg Plugin

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Addons For Gutenberg

CVE-2025-11162

MEDIUM CVSS 6.4 2025-11-05
Threat Entry Updated 2025-11-06

CVE-2025-12580 - Sms For Wordpress Plugin

The SMS for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Sms For Wordpress

CVE-2025-12580

MEDIUM CVSS 6.1 2025-11-05
Threat Entry Updated 2025-11-06

CVE-2025-11835 - Content Restriction Plugin

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment() function in all versions up to, and including, 2.16.4. This makes it possible for unauthenticated attackers to trigger stored auto-renew charges for arbitrary members.

PLUGIN Content Restriction

CVE-2025-11835

MEDIUM CVSS 5.3 2025-11-05
Threat Entry Updated 2025-11-06

CVE-2025-8871 - WordPress Core

The Everest Forms (Pro) plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input in the mime_content_type() function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a non-required signature form field along with an image upload field. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin…

CORE WordPress Core

CVE-2025-8871

MEDIUM CVSS 5.6 2025-11-05
Threat Entry Updated 2025-11-06

CVE-2025-12582 - Features Plugin

The Features plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'features_revert_option' AJAX endpoint in all versions up to, and including, 0.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to revert options.

PLUGIN Features

CVE-2025-12582

MEDIUM CVSS 4.3 2025-11-05
Threat Entry Updated 2025-11-04

CVE-2025-12184 - Meetinglist Plugin

The MeetingList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Meetinglist

CVE-2025-12184

MEDIUM CVSS 4.4 2025-11-04
Threat Entry Updated 2025-11-04

CVE-2025-12045 - Themeisle Companion Plugin

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Themeisle Companion

CVE-2025-12045

MEDIUM CVSS 6.4 2025-11-04
Threat Entry Updated 2025-11-04

CVE-2025-12456 - Centangle Team Plugin

The Centangle-Team plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Additionally, due to insufficient input sanitization and output escaping on the cai_name_color parameter, this issue allows injection of arbitrary web scripts in pages, that will execute whenever a…

PLUGIN Centangle Team

CVE-2025-12456

MEDIUM CVSS 6.1 2025-11-04
Threat Entry Updated 2025-11-04

CVE-2025-12452 - Visit Counter Plugin

The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Visit Counter

CVE-2025-12452

MEDIUM CVSS 6.1 2025-11-04
Threat Entry Updated 2025-11-04

CVE-2025-12416 - Pagerank Tools Plugin

The Pagerank Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the pr_save_settings() function and insufficient input sanitization. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses the plugin's settings page.

PLUGIN Pagerank Tools

CVE-2025-12416

MEDIUM CVSS 6.1 2025-11-04
Threat Entry Updated 2025-11-04

CVE-2025-12415 - Mapmap Plugin

The MapMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Mapmap

CVE-2025-12415

MEDIUM CVSS 6.1 2025-11-04
Threat Entry Updated 2025-11-04

CVE-2025-12412 - Top Bar Notification Plugin

The Top Bar Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the tbn_ajax_add() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Top Bar Notification

CVE-2025-12412

MEDIUM CVSS 6.1 2025-11-04
Threat Entry Updated 2025-11-04

CVE-2025-12413 - Wpcf7 Stop Words Plugin

The Social Media WPCF7 Stop Words plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.3. This is due to missing or incorrect nonce validation on the smWpCfSwOptions() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wpcf7 Stop Words

CVE-2025-12413

MEDIUM CVSS 5.4 2025-11-04
Threat Entry Updated 2025-11-04

CVE-2025-12410 - Sh Contextual Help Plugin

The SH Contextual Help plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation in the sh_contextual_help_dashboard_widget() function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Sh Contextual Help

CVE-2025-12410

MEDIUM CVSS 6.1 2025-11-04