Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 2761-2780 of 10866 records
Threat Entry Updated 2025-09-05

CVE-2025-8684 - Flatsome Theme

The Flatsome Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Flatsome

CVE-2025-8684

MEDIUM CVSS 6.4 2025-09-05
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-9616 - Popad Plugin

The PopAd plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the PopAd_reset_cookie_time function. This makes it possible for unauthenticated attackers to reset cookie time settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Popad

CVE-2025-9616

MEDIUM CVSS 5.3 2025-09-04
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-9516 - Atec Debug Plugin

The atec Debug plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to view the contents of files outside of the originally intended directory.

PLUGIN Atec Debug

CVE-2025-9516

MEDIUM CVSS 4.9 2025-09-04
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-8268 - Ai Engine Plugin

The AI Engine plugin for WordPress is vulnerable to unauthorized access and loss of data due to a missing capability check on the rest_list and delete_files functions in all versions up to, and including, 2.9.5. This makes it possible for unauthenticated attackers to list and delete files uploaded by other users.

PLUGIN Ai Engine

CVE-2025-8268

MEDIUM CVSS 6.5 2025-09-03
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-58632 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dadevarzan Dadevarzan WordPress Common allows Stored XSS. This issue affects Dadevarzan WordPress Common: from n/a through 2.2.2.

CORE WordPress Core

CVE-2025-58632

MEDIUM CVSS 6.5 2025-09-03
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-58621 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amuse Labs PuzzleMe for WordPress allows Stored XSS. This issue affects PuzzleMe for WordPress: from n/a through 1.2.0.

CORE WordPress Core

CVE-2025-58621

MEDIUM CVSS 6.5 2025-09-03
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-9219 - Amazon Ses And More Plugin

The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_post_smtp_pro_option_callback' function in all versions up to, and including, 3.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable pro extensions.

PLUGIN Amazon Ses And More

CVE-2025-9219

MEDIUM CVSS 4.3 2025-09-03
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-9378 - Vayu Blocks Plugin

The Vayu Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attributes in the Lottie block in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Vayu Blocks

CVE-2025-9378

MEDIUM CVSS 6.4 2025-09-03
Open Full Technical Breakdown
Threat Entry Updated 2025-09-04

CVE-2025-9260 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to PHP Object Injection in versions 5.1.16 to 6.1.1 via deserialization of untrusted input in the parseUserProperties function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to read arbitrary files. If allow_url_include is enabled on the server, remote code execution is possible. While the vendor patched this issue in version 6.1.0, the patch caused…

PLUGIN Conversational Form Builder

CVE-2025-9260

MEDIUM CVSS 6.5 2025-09-03
Open Full Technical Breakdown
Threat Entry Updated 2025-09-02

CVE-2025-5083 - Amministrazione Trasparente Plugin

The Amministrazione Trasparente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Amministrazione Trasparente

CVE-2025-5083

MEDIUM CVSS 5.5 2025-08-31
Open Full Technical Breakdown
Threat Entry Updated 2025-09-02

CVE-2025-9500 - Tablepress Plugin

The TablePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘shortcode_debug’ parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tablepress

CVE-2025-9500

MEDIUM CVSS 6.4 2025-08-30
Open Full Technical Breakdown
Threat Entry Updated 2025-09-02

CVE-2025-9499 - Ocean Extra Plugin

The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's oceanwp_library shortcode in all versions up to, and including, 2.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ocean Extra

CVE-2025-9499

MEDIUM CVSS 6.4 2025-08-30
Open Full Technical Breakdown
Threat Entry Updated 2025-09-02

CVE-2025-9618 - Related Posts Lite Plugin

The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Related Posts Lite

CVE-2025-9618

MEDIUM CVSS 4.3 2025-08-30
Open Full Technical Breakdown
Threat Entry Updated 2025-08-29

CVE-2025-9217 - Slider Revolution Plugin

The Slider Revolution plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.7.36 via the 'used_svg' and 'used_images' parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Slider Revolution

CVE-2025-9217

MEDIUM CVSS 6.5 2025-08-29
Open Full Technical Breakdown
Threat Entry Updated 2025-08-29

CVE-2025-8150 - Events Addon For Elementor Plugin

The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Events Addon For Elementor

CVE-2025-8150

MEDIUM CVSS 6.4 2025-08-29
Open Full Technical Breakdown
Threat Entry Updated 2025-08-29

CVE-2025-9441 - Iats Online Forms Plugin

The iATS Online Forms plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order' parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Iats Online Forms

CVE-2025-9441

MEDIUM CVSS 6.5 2025-08-29
Open Full Technical Breakdown
Threat Entry Updated 2025-08-29

CVE-2025-9374 - Utw Importer Plugin

The Ultimate Tag Warrior Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to import tags granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Utw Importer

CVE-2025-9374

MEDIUM CVSS 4.3 2025-08-29
Open Full Technical Breakdown
Threat Entry Updated 2025-08-29

CVE-2025-8619 - Osm Map Elementor Plugin

The OSM Map Widget for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Map Block URL in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Osm Map Elementor

CVE-2025-8619

MEDIUM CVSS 6.4 2025-08-29
Open Full Technical Breakdown
Threat Entry Updated 2025-08-29

CVE-2025-8290 - List Sub Pages Plugin

The List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN List Sub Pages

CVE-2025-8290

MEDIUM CVSS 6.4 2025-08-29
Open Full Technical Breakdown
Scroll to top