"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,865
Critical: 0
High: 0
Medium: 10,865
Showing 2701-2720 of 10865 records
Threat Entry Updated 2025-09-11

CVE-2025-9128 - Smart Id Plugin

The eID Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smart Id

CVE-2025-9128

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-9123 - Cbxgooglemap Plugin

The CBX Map for Google Map & OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the popup heading and location address parameters in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cbxgooglemap

CVE-2025-9123

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8721 - Wrapper For Workable Api Plugin

The Workable Api plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's workable_jobs shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wrapper For Workable Api

CVE-2025-8721

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8691 - Wp Scriptcase Plugin

The WP Scriptcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Scriptcase

CVE-2025-8691

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8689 - Elements Plus Plugin

The Elements Plus! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Comparison, HotSpot Plus, and Google Maps widgets in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elements Plus

CVE-2025-8689

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8686 - Wp Easy Faqs Plugin

The WP Easy FAQs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WP_EASY_FAQ shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Easy Faqs

CVE-2025-8686

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8692 - Coupon Api Plugin

The Coupon API plugin for WordPress is vulnerable to SQL Injection via the ‘log_duration’ parameter in all versions up to, and including, 6.2.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Coupon Api

CVE-2025-8692

MEDIUM CVSS 4.9 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8445 - Countdown Timer For Elementor Plugin

The Countdown Timer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'countdown_label' parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Countdown Timer For Elementor

CVE-2025-8445

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8423 - My Wp Translate Plugin

The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mtswpt_remove_plugin() and ajax_update_export_code() functions in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and delete arbitrary WordPress options which can cause a denial of service.

PLUGIN My Wp Translate

CVE-2025-8423

MEDIUM CVSS 5.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8492 - Salon Booking System Plugin

The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20. This makes it possible for unauthenticated attackers to execute AJAX actions, including limited file uploads.

PLUGIN Salon Booking System

CVE-2025-8492

MEDIUM CVSS 5.3 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8481 - Blog Designer For Elementor Plugin

The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only function. This makes it possible for unauthenticated attackers to install the 'rs-wp-books-showcase' plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Blog Designer For Elementor

CVE-2025-8481

MEDIUM CVSS 4.3 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8398 - Azurecurve Bbcode Plugin

The azurecurve BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Azurecurve Bbcode

CVE-2025-8398

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8392 - Mitfahrgelegenheit Plugin

The Mitfahrgelegenheit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘date’ parameter in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mitfahrgelegenheit

CVE-2025-8392

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8318 - Jobify Plugin

The Jobify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘keyword’ parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jobify

CVE-2025-8318

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8316 - Certifica Wp Plugin

The Certifica WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘evento’ parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Certifica Wp

CVE-2025-8316

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8215 - Responsive Addons For Elementor Plugin

The Responsive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Responsive Addons For Elementor

CVE-2025-8215

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-5801 - Digital Events Calendar Plugin

The Digital Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘column’ parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Digital Events Calendar

CVE-2025-5801

MEDIUM CVSS 6.4 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-0763 - Ultimate Classified Listings Plugin

The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_custom_fields function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change plugin custom fields.

PLUGIN Ultimate Classified Listings

CVE-2025-0763

MEDIUM CVSS 4.3 2025-09-11
Threat Entry Updated 2025-09-11

CVE-2025-8479 - Zoho Flow Plugin

The Zoho Flow plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.14.1. This is due to missing or incorrect nonce validation on the zoho_flow_deactivate_plugin function. This makes it possible for unauthenticated attackers to modify typography settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Zoho Flow

CVE-2025-8479

MEDIUM CVSS 4.3 2025-09-11