Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,866
Critical0
High0
Medium10,866
Reset
Showing 3801-3820 of 10866 records
Threat Entry Updated 2025-03-28

CVE-2025-2163 - Zoorum Comments Plugin

The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the zoorum_set_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Zoorum Comments

CVE-2025-2163

MEDIUM CVSS 6.1 2025-03-15
Open Full Technical Breakdown
Threat Entry Updated 2025-03-28

CVE-2025-1670 - Wpschoolpress Plugin

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wpschoolpress

CVE-2025-1670

MEDIUM CVSS 6.5 2025-03-15
Open Full Technical Breakdown
Threat Entry Updated 2025-03-28

CVE-2025-1669 - Wpschoolpress Plugin

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'addNotify' action in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with teacher-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wpschoolpress

CVE-2025-1669

MEDIUM CVSS 6.5 2025-03-15
Open Full Technical Breakdown
Threat Entry Updated 2025-03-28

CVE-2025-1668 - Wpschoolpress Plugin

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access and above, to delete arbitrary user accounts.

PLUGIN Wpschoolpress

CVE-2025-1668

MEDIUM CVSS 4.3 2025-03-15
Open Full Technical Breakdown
Threat Entry Updated 2025-03-28

CVE-2024-12336 - Wc Affiliate Plugin

The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'export_all_data' function in all versions up to, and including, 2.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive affiliate data, including personally identifiable information (PII).

PLUGIN Wc Affiliate

CVE-2024-12336

MEDIUM CVSS 6.5 2025-03-15
Open Full Technical Breakdown
Threat Entry Updated 2025-06-17

CVE-2024-13772 - Civi Plugin

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation through the fb_ajax_login_or_register and google_ajax_login_or_register actions. This makes it possible for unauthenticated attackers to login as any user as long as they have access to the email.

PLUGIN Civi

CVE-2024-13772

MEDIUM CVSS 5.6 2025-03-14
Open Full Technical Breakdown
Threat Entry Updated 2025-03-27

CVE-2025-1507 - Dashboard For Google Analytics Plugin

The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_actions() function in all versions up to, and including, 3.2.1. This makes it possible for unauthenticated attackers to disable all features.

PLUGIN Dashboard For Google Analytics

CVE-2025-1507

MEDIUM CVSS 5.3 2025-03-14
Open Full Technical Breakdown
Threat Entry Updated 2025-03-24

CVE-2025-1526 - Dethemekit For Elementor

The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget (countdown feature) in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Dethemekit For Elementor

CVE-2025-1526

MEDIUM CVSS 6.4 2025-03-14
Open Full Technical Breakdown
Threat Entry Updated 2025-03-21

CVE-2024-13407 - Omnipress Plugin

The Omnipress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.5.4 via the megamenu block due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

PLUGIN Omnipress

CVE-2024-13407

MEDIUM CVSS 4.3 2025-03-14
Open Full Technical Breakdown
Threat Entry Updated 2025-03-21

CVE-2025-2289 - Zegen Plugin

The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import, export, and update theme options.

PLUGIN Zegen

CVE-2025-2289

MEDIUM CVSS 4.3 2025-03-14
Open Full Technical Breakdown
Threat Entry Updated 2025-03-14

CVE-2025-2166 - CM FAQ – Simplify support with an intuitive FAQ management tool Plugin

The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN CM FAQ – Simplify support with an intuitive FAQ management tool

CVE-2025-2166

MEDIUM CVSS 6.1 2025-03-14
Open Full Technical Breakdown
Threat Entry Updated 2025-03-14

CVE-2025-1528 - Search & Filter Pro Plugin

The Search & Filter Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_meta_values' function in all versions up to, and including, 2.5.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the values of arbitrary post meta.

PLUGIN Search & Filter Pro

CVE-2025-1528

MEDIUM CVSS 4.3 2025-03-14
Open Full Technical Breakdown
Threat Entry Updated 2025-03-14

CVE-2025-1285 - Resido - Real Estate WordPress Theme

The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details.

THEME Resido - Real Estate WordPress Theme

CVE-2025-1285

MEDIUM CVSS 5.3 2025-03-14
Open Full Technical Breakdown
Threat Entry Updated 2025-03-14

CVE-2025-0955 - Vidorev Extensions Plugin

The VidoRev Extensions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'vidorev_import_single_video' AJAX action in all versions up to, and including, 2.9.9.9.9.9.5. This makes it possible for unauthenticated attackers to import arbitrary youtube videos.

PLUGIN Vidorev Extensions

CVE-2025-0955

MEDIUM CVSS 5.3 2025-03-14
Open Full Technical Breakdown
Threat Entry Updated 2025-07-08

CVE-2025-1785 - Download Manager Plugin

The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service.

PLUGIN Download Manager

CVE-2025-1785

MEDIUM CVSS 5.4 2025-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-05-26

CVE-2025-2104 - Pagelayer Plugin

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site.

PLUGIN Pagelayer

CVE-2025-2104

MEDIUM CVSS 4.3 2025-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-13

CVE-2025-1503 - Wp Recipe Maker Plugin

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Recipe Maker

CVE-2025-1503

MEDIUM CVSS 6.4 2025-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-13

CVE-2025-2250 - WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins

The WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins

CVE-2025-2250

MEDIUM CVSS 4.9 2025-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-13

CVE-2024-13887 - Easy Listing Directories For Wordpress Plugin

The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to add arbitrary images to listings.

PLUGIN Easy Listing Directories For Wordpress

CVE-2024-13887

MEDIUM CVSS 5.3 2025-03-13
Open Full Technical Breakdown
Threat Entry Updated 2025-03-13

CVE-2025-1559 - Cc Img Shortcode Plugin

The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cc Img Shortcode

CVE-2025-1559

MEDIUM CVSS 6.4 2025-03-13
Open Full Technical Breakdown
Scroll to top