
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,863 records (Critical 0, High 0, Medium 10,863). Showing 2401-2420 of 10,863 records.
Threat Entry Updated 2025-10-27

CVE-2025-10701 - Time Clock Plugin

The Time Clock – A WordPress Employee & Volunteer Time Clock Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data' parameter in all versions up to, and including, 1.3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with Time Clock user credentials to inject arbitrary web scripts in pages that will execute whenever a user accesses an affected page.

PLUGIN Time Clock

CVE-2025-10701

MEDIUM CVSS 6.4 2025-10-24
Threat Entry Updated 2025-10-27

CVE-2025-10740 - Exact Links Plugin

The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify links.

PLUGIN Exact Links

CVE-2025-10740

MEDIUM CVSS 6.3 2025-10-24
Threat Entry Updated 2025-10-27

CVE-2025-10749 - Microsoft Azure Storage For Wordpress Plugin

The Microsoft Azure Storage for WordPress plugin for WordPress is vulnerable to Unauthorized Arbitrary Media Deletion in all versions up to, and including, 4.5.1. This is due to missing capability checks on the 'azure-storage-media-replace' AJAX action. This makes it possible for authenticated attackers with subscriber-level access and above to delete arbitrary media files from the WordPress Media Library via the replace_attachment parameter, provided they can access the nonce, which is exposed to all authenticated users.

PLUGIN Microsoft Azure Storage For Wordpress

CVE-2025-10749

MEDIUM CVSS 5.4 2025-10-24
Threat Entry Updated 2025-10-27

CVE-2025-10901 - Originality Ai Plugin

The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ai_get_table' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.

PLUGIN Originality Ai

CVE-2025-10901

MEDIUM CVSS 4.3 2025-10-24
Threat Entry Updated 2026-01-09

CVE-2025-10874 - Before 3 Plugin

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.

PLUGIN Before 3

CVE-2025-10874

MEDIUM CVSS 5.5 2025-10-24
Threat Entry Updated 2025-10-27

CVE-2025-7730 - Bold Page Builder Plugin

The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' parameter in all versions up to, and including, 5.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bold Page Builder

CVE-2025-7730

MEDIUM CVSS 6.4 2025-10-23
Threat Entry Updated 2025-12-19

CVE-2025-8427 - Beaver Builder Plugin

The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'auto_play' parameter in all versions up to, and including, 2.9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Beaver Builder

CVE-2025-8427

MEDIUM CVSS 6.4 2025-10-23
Threat Entry Updated 2025-10-27

CVE-2025-11128 - Feedzy Rss Feeds Plugin

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the 'feedzy_sanitize_feeds' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.

PLUGIN Feedzy Rss Feeds

CVE-2025-11128

MEDIUM CVSS 5.0 2025-10-23
Threat Entry Updated 2025-10-27

CVE-2025-10705 - Ai Chatbot For Wordpress Plugin

The MxChat – AI Chatbot for WordPress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.4.6. This is due to insufficient validation of user-supplied URLs in the PDF processing functionality. This makes it possible for unauthenticated attackers to make the WordPress server perform HTTP requests to arbitrary destinations via the mxchat_handle_chat_request AJAX action.

PLUGIN Ai Chatbot For Wordpress

CVE-2025-10705

MEDIUM CVSS 5.3 2025-10-23
Threat Entry Updated 2026-01-20

CVE-2025-62048 - WordPress Core

Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform SmartCrawl (smartcrawl-seo). This issue affects SmartCrawl: from n/a through

CORE WordPress Core

CVE-2025-62048

MEDIUM CVSS 5.4 2025-10-22
Threat Entry Updated 2026-01-20

CVE-2025-49960 - This Issue Affects Leadbi Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in leadbi LeadBI Plugin for WordPress (leadbi) allows Stored XSS. This issue affects LeadBI Plugin for WordPress: from n/a through

PLUGIN This Issue Affects Leadbi

CVE-2025-49960

MEDIUM CVSS 6.5 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-6833 - Tracking Employee Time Has Never Been Easier Plugin

The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out.

PLUGIN Tracking Employee Time Has Never Been Easier

CVE-2025-6833

MEDIUM CVSS 4.3 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11883 - Responsive Progress Bar Plugin

The Responsive Progress Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rprogress shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Responsive Progress Bar

CVE-2025-11883

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11880 - Sm Countdown Widget Plugin

The SM CountDown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's smcountdown shortcode in versions less than, or equal to, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sm Countdown Widget

CVE-2025-11880

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11878 - St Category Wp Plugin

The ST Categories Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's st-categories shortcode in versions less than, or equal to, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN St Category Wp

CVE-2025-11878

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11872 - Material Design Iconic Font Integration Plugin

The Material Design Iconic Font Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdiconic' shortcode in all versions up to, and including, 2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Material Design Iconic Font Integration

CVE-2025-11872

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11870 - Simple Business Data Plugin

The Simple Business Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'simple_business_data' shortcode attributes in all versions up to, and including, 1.0.1. This is due to the plugin not properly sanitizing user input or escaping output when embedding the `type` attribute into the `class` attribute in rendered HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Business Data

CVE-2025-11870

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11867 - Bg Book Publisher Plugin

The Bg Book Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `book_author` post meta, rendered through the `[book_author]` shortcode, in all versions up to, and including, 1.25. This is due to the plugin not properly escaping the meta value before output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bg Book Publisher

CVE-2025-11867

MEDIUM CVSS 6.4 2025-10-22
Threat Entry Updated 2025-10-22

CVE-2025-11866 - Photographers Galleries Plugin

The Photographers galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes (`w`, `h`, `raw_css`, `look`, etc.) in all versions up to, and including, 1.1.8. This is due to the plugin not properly sanitizing user input or escaping output when inserting these values into HTML attributes and inline styles. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Photographers Galleries

CVE-2025-11866

MEDIUM CVSS 6.4 2025-10-22