
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2025-06-16

CVE-2025-5930 - Wp2html Plugin

The WP2HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp2html

CVE-2025-5930

MEDIUM CVSS 4.3 2025-06-13
Threat Entry Updated 2025-06-16

CVE-2025-5928 - WP Sliding Login/Dashboard Panel Plugin

The WP Sliding Login/Dashboard Panel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the wp_sliding_panel_user_options() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN WP Sliding Login/Dashboard Panel

CVE-2025-5928

MEDIUM CVSS 4.3 2025-06-13
Threat Entry Updated 2025-07-10

CVE-2025-5123 - Contact Us Page Contact People Plugin

The Contact Us Page – Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Contact Us Page Contact People

CVE-2025-5123

MEDIUM CVSS 6.4 2025-06-13
Threat Entry Updated 2025-07-03

CVE-2025-4586 - Irm Newsroom Plugin

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmcalendarview' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Irm Newsroom

CVE-2025-4586

MEDIUM CVSS 6.4 2025-06-13
Threat Entry Updated 2025-07-03

CVE-2025-4585 - Irm Newsroom Plugin

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmflat' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Irm Newsroom

CVE-2025-4585

MEDIUM CVSS 6.4 2025-06-13
Threat Entry Updated 2025-07-03

CVE-2025-4584 - Irm Newsroom Plugin

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmeventlist' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Irm Newsroom

CVE-2025-4584

MEDIUM CVSS 6.4 2025-06-13
Threat Entry Updated 2025-06-12

CVE-2025-6003 - WordPress Core

The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to extract sensitive data including site content that has been restricted to certain users and/or roles.

CORE WordPress Core

CVE-2025-6003

MEDIUM CVSS 5.3 2025-06-12
Threat Entry Updated 2025-07-10

CVE-2025-5144 - The Events Calendar Plugin

The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN The Events Calendar

CVE-2025-5144

MEDIUM CVSS 6.4 2025-06-11
Threat Entry Updated 2025-07-09

CVE-2025-4798 - Wp Downloadmanager Plugin

The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.

PLUGIN Wp Downloadmanager

CVE-2025-4798

MEDIUM CVSS 4.9 2025-06-11
Threat Entry Updated 2025-06-12

CVE-2025-4666 - Zotpress Plugin

The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Zotpress

CVE-2025-4666

MEDIUM CVSS 6.4 2025-06-11
Threat Entry Updated 2025-07-16

CVE-2025-4774 - Premium Addons For Elementor Plugin

The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-countdown attribute of Countdown widget in all versions up to, and including, 4.11.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Premium Addons For Elementor

CVE-2025-4774

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-07-16

CVE-2025-4577 - Smash Balloon Social Post Feed Plugin

The Smash Balloon Social Post Feed – Simple Social Feeds for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-color attribute in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Smash Balloon Social Post Feed

CVE-2025-4577

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-07-14

CVE-2025-2918 - Ultimate Blocks Plugin

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Blocks

CVE-2025-2918

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-07-11

CVE-2025-3076 - Elementor Page Builder Plugin

The Elementor Website Builder Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_text’ parameter in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Page Builder

CVE-2025-3076

MEDIUM CVSS 6.4 2025-06-10
Threat Entry Updated 2025-06-12

CVE-2025-5925 - Bunnys Print Css Plugin

The Bunny’s Print CSS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.95. This is due to missing or incorrect nonce validation on the pcss_options_subpanel() function. This makes it possible for unauthenticated attackers to update settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Bunnys Print Css

CVE-2025-5925

MEDIUM CVSS 4.3 2025-06-10
Threat Entry Updated 2025-06-12

CVE-2025-4652 - Broadstreet Plugin

The Broadstreet WordPress plugin before 1.51.8 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting that could be used against high-privilege users such as administrators.

PLUGIN Broadstreet

CVE-2025-4652

MEDIUM CVSS 6.1 2025-06-09
Threat Entry Updated 2025-06-12

CVE-2025-3582 - Newsletter Plugin

The Newsletter WordPress plugin before 8.85 does not sanitise and escape some of its Form settings, which could allow high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

PLUGIN Newsletter

CVE-2025-3582

MEDIUM CVSS 4.8 2025-06-09
Threat Entry Updated 2025-06-12

CVE-2025-3581 - Newsletter Plugin

The Newsletter WordPress plugin before 8.8.5 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embedded, which could allow high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

PLUGIN Newsletter

CVE-2025-3581

MEDIUM CVSS 4.8 2025-06-09
Threat Entry Updated 2025-07-15

CVE-2025-5568 - Event Manager And Tickets Selling For Woocommerce Plugin

The WpEvently plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Event Manager And Tickets Selling For Woocommerce

CVE-2025-5568

MEDIUM CVSS 6.4 2025-06-07
Threat Entry Updated 2025-07-14

CVE-2025-5528 - Sassy Social Share Plugin

The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.75 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action, such as clicking on a link.

PLUGIN Sassy Social Share

CVE-2025-5528

MEDIUM CVSS 6.1 2025-06-07