"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,777
Critical: 0
High: 0
Medium: 10,777
Showing 401-420 of 10777 records
Threat Entry Updated 2026-04-15

CVE-2026-2486 - Master Addons For Elementor Plugin

The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Master Addons For Elementor

CVE-2026-2486

MEDIUM CVSS 6.4 2026-02-20
Threat Entry Updated 2026-04-15

CVE-2026-26370 - Survey Maker Plugin

WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.

PLUGIN Survey Maker

CVE-2026-26370

MEDIUM CVSS 5.1 2026-02-20
Threat Entry Updated 2026-04-15

CVE-2026-2384 - Quiz Maker Plugin

The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This vulnerability requires WPBakery Page Builder to be installed and active.

PLUGIN Quiz Maker

CVE-2026-2384

MEDIUM CVSS 6.4 2026-02-20
Threat Entry Updated 2026-02-20

CVE-2026-27440 - myCred Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS. This issue affects myCred: from n/a through

PLUGIN myCred

CVE-2026-27440

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27387 - DirectoryPress Plugin

Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DirectoryPress: from n/a through

PLUGIN DirectoryPress

CVE-2026-27387

MEDIUM CVSS 5.4 2026-02-19
Threat Entry Updated 2026-02-25

CVE-2026-27368 - Coming Soon Page, Under Construction & Maintenance Mode by SeedProd Plugin

Missing Authorization vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through

PLUGIN Coming Soon Page, Under Construction & Maintenance Mode by SeedProd

CVE-2026-27368

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27360 - Photo Gallery by 10Web Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS. This issue affects Photo Gallery by 10Web: from n/a through

PLUGIN Photo Gallery by 10Web

CVE-2026-27360

MEDIUM CVSS 5.9 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27328 - EduBlink Plugin

Missing Authorization vulnerability in DevsBlink EduBlink edublink allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EduBlink: from n/a through

PLUGIN EduBlink

CVE-2026-27328

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-27

CVE-2026-27327 - YayMail – WooCommerce Email Customizer Plugin

Missing Authorization vulnerability in YayCommerce YayMail – WooCommerce Email Customizer yaymail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YayMail – WooCommerce Email Customizer: from n/a through

PLUGIN YayMail – WooCommerce Email Customizer

CVE-2026-27327

MEDIUM CVSS 4.3 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-2718 - Dealia – Request a quote Plugin

The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.8. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dealia – Request a quote

CVE-2026-2718

MEDIUM CVSS 6.4 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-2716 - Client Testimonial Slider Plugin

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Client Testimonial Slider

CVE-2026-2716

MEDIUM CVSS 4.4 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-1461 - Simple Membership Plugin

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.

PLUGIN Simple Membership

CVE-2026-1461

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-1219 - MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar Plugin

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.

PLUGIN MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

CVE-2026-1219

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27094 - CoBlocks Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoDaddy CoBlocks coblocks allows Stored XSS. This issue affects CoBlocks: from n/a through

PLUGIN CoBlocks

CVE-2026-27094

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2026-27092 - WPAdverts Plugin

Missing Authorization vulnerability in Greg Winiarski WPAdverts wpadverts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPAdverts: from n/a through

PLUGIN WPAdverts

CVE-2026-27092

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-27

CVE-2026-27074 - Shortcoder Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS. This issue affects Shortcoder: from n/a through

PLUGIN Shortcoder

CVE-2026-27074

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27069 - Soledad Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through

PLUGIN Soledad

CVE-2026-27069

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27059 - Penci Recipe Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe penci-recipe allows DOM-Based XSS. This issue affects Penci Recipe: from n/a through

PLUGIN Penci Recipe

CVE-2026-27059

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27058 - Penci Podcast Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS. This issue affects Penci Podcast: from n/a through

PLUGIN Penci Podcast

CVE-2026-27058

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2026-27066 - Live sales notification for WooCommerce Plugin

Missing Authorization vulnerability in PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live sales notification for WooCommerce: from n/a through

PLUGIN Live sales notification for WooCommerce

CVE-2026-27066

MEDIUM CVSS 5.3 2026-02-19