Live Vulnerability Intelligence

Threat Database

Threat Entry Updated 2025-03-27

CVE-2025-1408 - Profilegrid Plugin

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pm_decline_join_group_request and pm_approve_join_group_request functions in all versions up to, and including, 5.9.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to approve or decline join group requests, an action that should normally be available to administrators only.

PLUGIN Profilegrid

CVE-2025-1408

MEDIUM CVSS 4.3 2025-03-22
Threat Entry Updated 2025-03-27

CVE-2024-13739 - Newsletters Plugin

The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an admin user into performing an action such as clicking on a link.

PLUGIN Newsletters

CVE-2024-13739

MEDIUM CVSS 6.1 2025-03-22
Threat Entry Updated 2025-03-27

CVE-2024-13737 - Motors Car Dealer Classifieds Listing Plugin

The Motors – Car Dealer, Classifieds & Listing plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the motors_create_template and motors_delete_template functions in all versions up to, and including, 1.4.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts or create listing templates. This issue requires the Elementor plugin to be installed, which is a required plugin for the Motors Starter Theme.

PLUGIN Motors Car Dealer Classifieds Listing

CVE-2024-13737

MEDIUM CVSS 4.3 2025-03-22
Threat Entry Updated 2025-03-26

CVE-2025-1802 - Ht Mega Plugin

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_title', 'notification_content', and 'stt_button_text' parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.3.

PLUGIN Ht Mega

CVE-2025-1802

MEDIUM CVSS 6.4 2025-03-20
Threat Entry Updated 2025-03-27

CVE-2024-13920 - Order Export Order Import For Woocommerce Plugin

The Order Export & Order Import for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary log files on the server, which can contain sensitive information.

PLUGIN Order Export Order Import For Woocommerce

CVE-2024-13920

MEDIUM CVSS 4.9 2025-03-20
Threat Entry Updated 2025-03-20

CVE-2025-2108 - 140+ Widgets | Xpro Addons For Elementor – FREE Plugin

The 140+ Widgets | Xpro Addons For Elementor – FREE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Site Title' widget's 'title_tag' and 'html_tag' parameters in all versions up to, and including, 1.4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN 140+ Widgets | Xpro Addons For Elementor – FREE

CVE-2025-2108

MEDIUM CVSS 6.4 2025-03-20
Threat Entry Updated 2025-08-11

CVE-2025-1766 - Eventin Plugin

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated attackers to update the status of ticket payments to 'completed', possibly resulting in financial loss.

PLUGIN Eventin

CVE-2025-1766

MEDIUM CVSS 5.3 2025-03-20
Threat Entry Updated 2025-03-20

CVE-2025-1314 - Custom Twitter Feeds – A Tweets Widget or X Feed Widget Plugin

The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Custom Twitter Feeds – A Tweets Widget or X Feed Widget

CVE-2025-1314

MEDIUM CVSS 4.3 2025-03-20
Threat Entry Updated 2025-03-19

CVE-2025-2511 - AHAthat Plugin

The AHAthat Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN AHAthat Plugin

CVE-2025-2511

MEDIUM CVSS 4.9 2025-03-19
Threat Entry Updated 2025-07-11

CVE-2025-2290 - Lifterlms Plugin

The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change the status of every published post to "Trash", thereby limiting the availability of the website's content.

PLUGIN Lifterlms

CVE-2025-2290

MEDIUM CVSS 5.3 2025-03-19
Threat Entry Updated 2025-04-02

CVE-2025-1621 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Gdpr Cookie Compliance

CVE-2025-1621

MEDIUM CVSS 4.8 2025-03-16
Threat Entry Updated 2025-04-02

CVE-2025-1620 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Gdpr Cookie Compliance

CVE-2025-1620

MEDIUM CVSS 4.8 2025-03-16
Threat Entry Updated 2025-04-02

CVE-2025-1619 - Gdpr Cookie Compliance Plugin

The GDPR Cookie Compliance WordPress plugin before 4.15.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Gdpr Cookie Compliance

CVE-2025-1619

MEDIUM CVSS 4.8 2025-03-16
Threat Entry Updated 2025-04-09

CVE-2024-13602 - Poll Maker Plugin

The Poll Maker WordPress plugin before 5.5.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Poll Maker

CVE-2024-13602

MEDIUM CVSS 4.8 2025-03-16
Threat Entry Updated 2025-04-09

CVE-2024-13126 - Download Manager Plugin

The Download Manager WordPress plugin before 3.3.07 doesn't prevent directory listing on web servers that don't use .htaccess, allowing unauthorized access to files.

PLUGIN Download Manager

CVE-2024-13126

MEDIUM CVSS 4.6 2025-03-16
Threat Entry Updated 2025-03-25

CVE-2025-2025 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.

PLUGIN Givewp

CVE-2025-2025

MEDIUM CVSS 6.5 2025-03-15
Threat Entry Updated 2025-03-25

CVE-2025-1530 - Tripetto Plugin

The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. This is due to missing nonce validation. This makes it possible for unauthenticated attackers to delete arbitrary results via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Tripetto

CVE-2025-1530

MEDIUM CVSS 4.3 2025-03-15
Threat Entry Updated 2025-03-28

CVE-2025-1773 - Traveler Plugin

The Traveler theme for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Traveler

CVE-2025-1773

MEDIUM CVSS 6.1 2025-03-15
Threat Entry Updated 2025-03-28

CVE-2025-2267 - Wp01 Plugin

The WP01 plugin for WordPress is vulnerable to Arbitrary File Download in all versions up to, and including, 2.6.2 due to a missing capability check and insufficient restrictions on the make_archive() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download and read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Wp01

CVE-2025-2267

MEDIUM CVSS 6.5 2025-03-15
Threat Entry Updated 2025-03-28

CVE-2025-2164 - Pixelstats Plugin

The pixelstats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' and 'sortby' parameters in all versions up to, and including, 0.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Pixelstats

CVE-2025-2164

MEDIUM CVSS 6.1 2025-03-15