Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-03-04

CVE-2026-2363 - WP-Members Membership Plugin

The WP-Members Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'order_by' attribute of the [wpmem_user_membership_posts] shortcode in all versions up to, and including, 3.5.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN WP-Members Membership Plugin

CVE-2026-2363

MEDIUM CVSS 6.5 2026-03-04
Threat Entry Updated 2026-03-04

CVE-2026-2732 - Enable Media Replace Plugin

The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment.

PLUGIN Enable Media Replace

CVE-2026-2732

MEDIUM CVSS 5.4 2026-03-04
Threat Entry Updated 2026-03-04

CVE-2026-1980 - Wpbookit Plugin

The WPBookit plugin for WordPress is vulnerable to unauthorized data disclosure due to a missing authorization check on the 'get_customer_list' route in all versions up to, and including, 1.0.8. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including names, emails, phone numbers, dates of birth, and gender.

PLUGIN Wpbookit

CVE-2026-1980

MEDIUM CVSS 5.3 2026-03-04
Threat Entry Updated 2026-03-04

CVE-2026-2292 - Morkva Ua Shipping Plugin

The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Morkva Ua Shipping

CVE-2026-2292

MEDIUM CVSS 4.4 2026-03-04
Threat Entry Updated 2026-03-04

CVE-2026-2289 - Taskbuilder – Project Management & Task Management Tool With Kanban Board Plugin

The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Taskbuilder – Project Management & Task Management Tool With Kanban Board

CVE-2026-2289

MEDIUM CVSS 4.4 2026-03-04
Threat Entry Updated 2026-03-04

CVE-2026-1651 - Email Subscribers Plugin

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow_ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Email Subscribers

CVE-2026-1651

MEDIUM CVSS 6.5 2026-03-04
Threat Entry Updated 2026-03-03

CVE-2026-1487 - Calendar Booking Plugin For Appointments And Events

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data.

PLUGIN Calendar Booking Plugin For Appointments And Events

CVE-2026-1487

MEDIUM CVSS 6.5 2026-03-03
Threat Entry Updated 2026-03-03

CVE-2026-1336 - Ai Chatbot With Chatgpt And Content Generator By Ays Plugin

The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to view, modify or delete the plugin's ChatGPT API key. The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6.

PLUGIN Ai Chatbot With Chatgpt And Content Generator By Ays

CVE-2026-1336

MEDIUM CVSS 5.3 2026-03-03
Threat Entry Updated 2026-03-03

CVE-2026-2583 - Blocksy Theme

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Blocksy

CVE-2026-2583

MEDIUM CVSS 6.4 2026-03-02
Threat Entry Updated 2026-03-02

CVE-2026-28561 - Wpforo Plugin

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.

PLUGIN Wpforo

CVE-2026-28561

MEDIUM CVSS 4.8 2026-02-28
Threat Entry Updated 2026-03-02

CVE-2026-28560 - Wpforo Plugin

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG flag. Attackers set a forum slug containing a closing script tag or unescaped single quote to break out of the JavaScript string context and execute arbitrary script in all visitors' browsers.

PLUGIN Wpforo

CVE-2026-28560

MEDIUM CVSS 4.8 2026-02-28
Threat Entry Updated 2026-03-02

CVE-2026-28559 - Wpforo Plugin

wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers request the RSS feed without a forum ID parameter, bypassing the privacy and status WHERE clauses that are only applied when a specific forum ID is present in the query.

PLUGIN Wpforo

CVE-2026-28559

MEDIUM CVSS 6.9 2026-02-28
Threat Entry Updated 2026-03-02

CVE-2026-28556 - Wpforo Plugin

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form action handlers. Attackers with a valid form nonce can reorganize arbitrary forum content without moderator permissions, including relocating topics to private forums.

PLUGIN Wpforo

CVE-2026-28556

MEDIUM CVSS 5.3 2026-02-28
Threat Entry Updated 2026-03-02

CVE-2026-28555 - Wpforo Plugin

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum discussions.

PLUGIN Wpforo

CVE-2026-28555

MEDIUM CVSS 5.3 2026-02-28
Threat Entry Updated 2026-03-02

CVE-2026-28558 - Wpforo Plugin

wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers upload a crafted SVG containing CSS injection or JavaScript event handlers that execute in the browsers of any user who views the attacker's profile page.

PLUGIN Wpforo

CVE-2026-28558

MEDIUM CVSS 5.1 2026-02-28
Threat Entry Updated 2026-03-02

CVE-2026-28554 - Wpforo Plugin

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation controls entirely.

PLUGIN Wpforo

CVE-2026-28554

MEDIUM CVSS 5.3 2026-02-28
Threat Entry Updated 2026-04-15

CVE-2026-1542 - Super Stage Wp Plugin

The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

PLUGIN Super Stage Wp

CVE-2026-1542

MEDIUM CVSS 6.5 2026-02-28
Threat Entry Updated 2026-04-15

CVE-2026-27759 - Featured Image From Content Plugin

Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and file write operations to retrieve sensitive internal data and store it in web-accessible upload directories.

PLUGIN Featured Image From Content

CVE-2026-27759

MEDIUM CVSS 5.3 2026-02-27
Threat Entry Updated 2026-03-02

CVE-2026-3327 - Commit Plugin

Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31.

PLUGIN Commit

CVE-2026-3327

MEDIUM CVSS 4.8 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-2831 - Mailarchiver Plugin

The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the 'logid' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Mailarchiver

CVE-2026-2831

MEDIUM CVSS 4.9 2026-02-27