Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 3021-3040 of 10866 records
Threat Entry Updated 2025-07-15

CVE-2025-6838 - Broken Link Notifier Plugin

The Broken Link Notifier plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.3.0 via broken links that are later exported. This makes it possible for authenticated attackers, with Contributor-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration.

PLUGIN Broken Link Notifier

CVE-2025-6838

MEDIUM CVSS 4.1 2025-07-11
Open Full Technical Breakdown
Threat Entry Updated 2025-07-17

CVE-2025-6068 - Foogallery Plugin

The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Foogallery

CVE-2025-6068

MEDIUM CVSS 6.4 2025-07-11
Open Full Technical Breakdown
Threat Entry Updated 2025-07-17

CVE-2025-5530 - Wpc Smart Compare For Woocommerce Plugin

The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpc Smart Compare For Woocommerce

CVE-2025-5530

MEDIUM CVSS 6.4 2025-07-11
Open Full Technical Breakdown
Threat Entry Updated 2025-07-15

CVE-2025-6745 - Woodmart Plugin

The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.

PLUGIN Woodmart

CVE-2025-6745

MEDIUM CVSS 5.3 2025-07-11
Open Full Technical Breakdown
Threat Entry Updated 2025-07-15

CVE-2025-4593 - Wp Register Profile With Shortcode Plugin

The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'rp_user_data' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from user meta like hashed passwords, usernames, and more.

PLUGIN Wp Register Profile With Shortcode

CVE-2025-4593

MEDIUM CVSS 6.5 2025-07-11
Open Full Technical Breakdown
Threat Entry Updated 2025-07-15

CVE-2025-6716 - Openai Plugin

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload[1][title]' parameter in all versions up to, and including, 26.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Openai

CVE-2025-6716

MEDIUM CVSS 6.4 2025-07-11
Open Full Technical Breakdown
Threat Entry Updated 2026-01-09

CVE-2025-6200 - Before 2 Plugin

The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 2

CVE-2025-6200

MEDIUM CVSS 5.9 2025-07-11
Open Full Technical Breakdown
Threat Entry Updated 2025-07-17

CVE-2025-2942 - Order Delivery Date Plugin

The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post title (such as from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information

PLUGIN Order Delivery Date

CVE-2025-2942

MEDIUM CVSS 4.3 2025-07-11
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-7387 - Lana Downloads Manager Plugin

The Lana Downloads Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the endpoint parameters in versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Lana Downloads Manager

CVE-2025-7387

MEDIUM CVSS 5.5 2025-07-10
Open Full Technical Breakdown
Threat Entry Updated 2025-07-11

CVE-2025-6236 - Before 1 Plugin

The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Before 1

CVE-2025-6236

MEDIUM CVSS 4.8 2025-07-10
Open Full Technical Breakdown
Threat Entry Updated 2025-07-11

CVE-2025-6234 - Before 1 Plugin

The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 1

CVE-2025-6234

MEDIUM CVSS 6.1 2025-07-10
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-5807 - Gwolle Guestbook Plugin

The Gwolle Guestbook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘gwolle_gb_content’ parameter in all versions up to, and including, 4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gwolle Guestbook

CVE-2025-5807

MEDIUM CVSS 6.1 2025-07-10
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-4406 - Wpforo Forum Plugin

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

PLUGIN Wpforo Forum

CVE-2025-4406

MEDIUM CVSS 5.4 2025-07-10
Open Full Technical Breakdown
Threat Entry Updated 2025-07-11

CVE-2025-6976 - Events Manager Plugin

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Events Manager

CVE-2025-6976

MEDIUM CVSS 6.4 2025-07-09
Open Full Technical Breakdown
Threat Entry Updated 2025-07-11

CVE-2025-6975 - Events Manager Plugin

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘calendar_header’ parameter in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Events Manager

CVE-2025-6975

MEDIUM CVSS 6.1 2025-07-09
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-7059 - Simple Featured Image Plugin

The Simple Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slideshow’ parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Featured Image

CVE-2025-7059

MEDIUM CVSS 6.4 2025-07-09
Open Full Technical Breakdown
Threat Entry Updated 2025-07-17

CVE-2025-5678 - Gutenberg Blocks With Ai Plugin

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘redirectURL’ parameter in all versions up to, and including, 3.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenberg Blocks With Ai

CVE-2025-5678

MEDIUM CVSS 6.4 2025-07-09
Open Full Technical Breakdown
Threat Entry Updated 2025-07-17

CVE-2025-3780 - Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible Plugin

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys

PLUGIN Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible

CVE-2025-3780

MEDIUM CVSS 6.5 2025-07-09
Open Full Technical Breakdown
Threat Entry Updated 2025-07-09

CVE-2025-6743 - Woodmart Plugin

The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiple_markers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woodmart

CVE-2025-6743

MEDIUM CVSS 6.4 2025-07-08
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-5537 - Foobox Plugin

The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alternative texts in all versions up to, and including, 2.7.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Foobox

CVE-2025-5537

MEDIUM CVSS 6.4 2025-07-08
Open Full Technical Breakdown
Scroll to top