
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 3601-3620 of 10866 records

CVE-2024-13650 - Piotnet Addons For Elementor Plugin
Threat entry updated 2025-04-21

The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'PAFE Before After Image Comparison Slider' widget in all versions up to, and including, 2.4.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN: Piotnet Addons For Elementor | MEDIUM | CVSS 6.4 | 2025-04-18

CVE-2025-2613 - Customized Login Plugin
Threat entry updated 2025-04-21

The Login Manager – Design Login Page, View Login Activity, Limit Login Attempts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom logo and background URLs in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN: Customized Login | MEDIUM | CVSS 4.4 | 2025-04-18

CVE-2025-24651 - WordPress Core
Threat entry updated 2025-04-17

Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration allows Retrieve Embedded Sensitive Data. This issue affects WordPress Backup & Migration: from n/a through 1.5.3.

CORE: WordPress Core | MEDIUM | CVSS 5.9 | 2025-04-17

CVE-2025-23906 - WordPress Core
Threat entry updated 2025-04-17

Missing Authorization vulnerability in wpseek WordPress Dashboard Tweeter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Dashboard Tweeter: from n/a through 1.3.2.

CORE: WordPress Core | MEDIUM | CVSS 6.5 | 2025-04-17

CVE-2025-3487 - Forminator Forms Plugin
Threat entry updated 2025-05-28

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'limit' parameter in all versions up to, and including, 1.42.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN: Forminator Forms | MEDIUM | CVSS 6.4 | 2025-04-17

CVE-2025-3479 - Forminator Forms Plugin
Threat entry updated 2025-05-28

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 1.42.0 via the 'handle_stripe_single' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.

PLUGIN: Forminator Forms | MEDIUM | CVSS 5.3 | 2025-04-17

CVE-2025-3453 - Password Protected Plugin
Threat entry updated 2025-04-17

The Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.7 via the 'password_protected_cookie' function. This makes it possible for unauthenticated attackers to extract sensitive data including all protected site content if the 'Use Transient' setting is enabled.

PLUGIN: Password Protected | MEDIUM | CVSS 5.3 | 2025-04-17

CVE-2025-3615 - Fluent Forms Plugin
Threat entry updated 2025-04-17

The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form-submission.js script in all versions up to, and including, 6.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN: Fluent Forms | MEDIUM | CVSS 6.4 | 2025-04-17

CVE-2025-3295 - Wp Editor Plugin
Threat entry updated 2025-07-09

The WP Editor plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the affected site's server which may reveal sensitive information.

PLUGIN: Wp Editor | MEDIUM | CVSS 4.9 | 2025-04-17

CVE-2025-39545 - WordPress Core
Threat entry updated 2025-04-16

Missing Authorization vulnerability in miniOrange WordPress REST API Authentication allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress REST API Authentication: from n/a through 3.6.3.

CORE: WordPress Core | MEDIUM | CVSS 5.4 | 2025-04-16

CVE-2025-3104 - Wp Staging Pro Wordpress Backup Plugin
Threat entry updated 2025-04-16

The WP STAGING Pro WordPress Backup Plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 6.1.2 due to missing capability checks on the getOutdatedPluginsRequest() function. This makes it possible for unauthenticated attackers to reveal outdated installed active or inactive plugins.

PLUGIN: Wp Staging Pro Wordpress Backup | MEDIUM | CVSS 5.3 | 2025-04-16

CVE-2025-3077 - Betheme
Threat entry updated 2025-06-04

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME: Betheme | MEDIUM | CVSS 6.4 | 2025-04-16

CVE-2025-3247 - Contact Form 7 Plugin
Threat entry updated 2025-07-08

The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.

PLUGIN: Contact Form 7 | MEDIUM | CVSS 5.3 | 2025-04-16

CVE-2024-10680 - Form Maker By 10web Plugin
Threat entry updated 2025-04-23

The Form Maker by 10Web WordPress plugin before 1.15.32 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN: Form Maker By 10web | MEDIUM | CVSS 4.8 | 2025-04-16

CVE-2025-2314 - Profile Builder Plugin
Threat entry updated 2025-04-16

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially patched in version 3.13.6 of the plugin, and fully…

PLUGIN: Profile Builder | MEDIUM | CVSS 6.4 | 2025-04-16

CVE-2024-13452 - Contact Form By Supsystic Plugin
Threat entry updated 2025-04-16

The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on a saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN: Contact Form By Supsystic | MEDIUM | CVSS 6.1 | 2025-04-16

CVE-2025-2083 - Awesome Logo Carousel Block Plugin
Threat entry updated 2025-04-15

The Logo Carousel Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderId' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN: Awesome Logo Carousel Block | MEDIUM | CVSS 6.4 | 2025-04-15

CVE-2025-2225 - Responsive Addons For Elementor Plugin
Threat entry updated 2025-08-12

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rael_title_tag' parameter in all versions up to, and including, 1.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 1.6.9.

PLUGIN: Responsive Addons For Elementor | MEDIUM | CVSS 6.4 | 2025-04-15

CVE-2024-13610 - Simple Social Media Share Buttons Plugin
Threat entry updated 2025-04-29

The Simple Social Media Share Buttons WordPress plugin before 6.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN: Simple Social Media Share Buttons | MEDIUM | CVSS 4.8 | 2025-04-15

CVE-2024-13207 - Widget For Social Page Feeds Plugin
Threat entry updated 2025-04-29

The Widget for Social Page Feeds WordPress plugin before 6.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN: Widget For Social Page Feeds | MEDIUM | CVSS 4.8 | 2025-04-15