Live Vulnerability Intelligence
Threat Database
CVE-2025-7965 - Cbx Restaurant Booking Plugin
The CBX Restaurant Booking WordPress plugin through 1.2.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack.
CVE-2025-7726 - The7 Theme
The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description' attributes directly via jQuery.attr(), concatenates them into an HTML string, and inserts that string into the DOM using methods such as jQuery.html() without escaping or filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a…
CVE-2025-6572 - OpenStreetMap for Gutenberg and WPBakery Page Builder Plugin
The OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.2.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2025-54940 - WordPress Core
An HTML injection vulnerability exists in the WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and the page display may be tampered with.
CVE-2025-8620 - Givewp Plugin
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id.
CVE-2025-7727 - Gutenverse Plugin
The Gutenverse plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text and Fun Fact blocks in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-7498 - Exclusive Addons For Elementor Plugin
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget in all versions up to, and including, 2.7.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-7399 - Betheme
The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via an Elementor display setting in all versions up to, and including, 28.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-8100 - Element Pack Plugin
The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-8595 - Zakra Theme
The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo settings.
CVE-2025-7502 - Page Builder Plugin
The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6986 - File Manager Plugin
The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 6.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-6690 - Wp Tournament Registration Plugin
The WP Tournament Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘field’ parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6259 - Esri Map View Plugin
The esri-map-view plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's esri-map-view shortcode in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-6256 - Flex Guten Plugin
The Flex Guten plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘thumbnailHoverEffect’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-8295 - Employee Directory Plugin
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-8294 - Download Counter Plugin
The Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-8315 - Wp Easy Contact Plugin
The WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-8313 - Campus Directory Plugin
The Campus Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘noaccess_msg’ parameter in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-7500 - Ocean Social Sharing Plugin
The Ocean Social Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via social icon titles in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
