Threat Database

Live Vulnerability Intelligence

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Records: 10,807 total (Critical 0, High 0, Medium 10,807). Showing 801-820 of 10,807.
Threat Entry Updated 2026-02-03

CVE-2026-24965 - Contest Gallery Plugin

Missing Authorization vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contest Gallery: from n/a through

PLUGIN Contest Gallery

CVE-2026-24965

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-09

CVE-2026-24962 - Sigmize Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery. This issue affects Sigmize: from n/a through

PLUGIN Sigmize

CVE-2026-24962

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24951 - myCred Plugin

Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects myCred: from n/a through

PLUGIN myCred

CVE-2026-24951

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24938 - Better Search Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS. This issue affects Better Search: from n/a through

PLUGIN Better Search

CVE-2026-24938

MEDIUM CVSS 5.9 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24945 - Ultimate Addons for Contact Form 7 Plugin

Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through

PLUGIN Ultimate Addons for Contact Form 7

CVE-2026-24945

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24947 - LA-Studio Element Kit for Elementor Plugin

Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3.

PLUGIN LA-Studio Element Kit for Elementor

CVE-2026-24947

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24942 - WpEvently Plugin

Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through

PLUGIN WpEvently

CVE-2026-24942

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24940 - Travelfic Toolkit Plugin

Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travelfic Toolkit: from n/a through

PLUGIN Travelfic Toolkit

CVE-2026-24940

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24939 - Modula Image Gallery Plugin

Missing Authorization vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modula Image Gallery: from n/a through

PLUGIN Modula Image Gallery

CVE-2026-24939

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1371 - Tutor LMS – eLearning and online course solution Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
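The pattern behind this entry (and the "Missing Authorization" entries above it) is an AJAX handler that treats a nonce as if it were an authorization check. The following is an added example, not Tutor LMS code: a WordPress admin-ajax handler written both ways. It runs inside WordPress; the action name, nonce action, capability and the `example_load_coupon()` loader are assumptions.

```php
<?php
// Added example, not Tutor LMS code. Runs inside WordPress via admin-ajax.php.
// The action name, nonce action, 'manage_options' capability and the loader are assumptions.

// Assumed data loader: a real plugin reads the coupon from its own table.
function example_load_coupon( $coupon_id ) {
    return array( 'id' => $coupon_id, 'code' => 'SPRING25', 'discount' => 25, 'uses' => 12 );
}

// VULNERABLE PATTERN: the nonce only proves the request was built from a page this site
// rendered for a logged-in user. The site hands that nonce to every account, so a
// Subscriber passes this check and reads the coupon.
function example_coupon_details_nonce_only() {
    check_ajax_referer( 'example_coupon_nonce', 'nonce' );          // CSRF check only
    $coupon_id = isset( $_POST['coupon_id'] ) ? absint( $_POST['coupon_id'] ) : 0;
    wp_send_json_success( example_load_coupon( $coupon_id ) );     // nobody asked "may this user read it?"
}

// HARDENED: CSRF protection and authorization are two separate checks.
function example_coupon_details_authorized() {
    check_ajax_referer( 'example_coupon_nonce', 'nonce' );          // 1. request intent (CSRF)
    if ( ! current_user_can( 'manage_options' ) ) {                 // 2. privilege of the caller
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // wp_send_json_* ends with wp_die()
    }
    $coupon_id = isset( $_POST['coupon_id'] ) ? absint( $_POST['coupon_id'] ) : 0;
    wp_send_json_success( example_load_coupon( $coupon_id ) );
}

// Register only the authorized handler. No wp_ajax_nopriv_ hook, so anonymous callers get nothing.
add_action( 'wp_ajax_example_coupon_details', 'example_coupon_details_authorized' );
```

With a Subscriber session, the first handler returns the coupon JSON; the second returns HTTP 403 with `{"success":false}`. The check to run against a plugin under review is the same one the advisory describes: grep every `wp_ajax_` handler for `current_user_can()` or an equivalent, not just for `check_ajax_referer()`.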

PLUGIN Tutor LMS – eLearning and online course solution

CVE-2026-1371

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1210 - Happy Addons For Elementor Plugin

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Happy Addons For Elementor

CVE-2026-1210

MEDIUM CVSS 6.4 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1447 - Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more Plugin

The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.

PLUGIN Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more

CVE-2026-1447

MEDIUM CVSS 5.4 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-0950 - Spectra Gutenberg Blocks – Website Builder for the Block Editor Plugin

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block.
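The fix the advisory describes is a single ordering rule: consult `post_password_required()` before any excerpt text is produced. The following is an added example, not Spectra code: a grid renderer whose excerpt helper applies that rule. It runs inside WordPress; the function names, CSS classes and the six-post query are assumptions.

```php
<?php
// Added example, not Spectra code. Runs inside WordPress (theme or plugin).
// Function names, CSS classes and the query arguments are assumptions.

// Excerpt for a grid card. The password check comes first, so a protected post
// contributes only its title and WordPress core's placeholder text.
function example_card_excerpt( $post, $words = 25 ) {
    $post = get_post( $post );
    if ( ! $post ) {
        return '';
    }
    if ( post_password_required( $post ) ) {
        // Same string core's get_the_excerpt() returns for a protected post.
        return esc_html__( 'There is no excerpt because this is a protected post.', 'example' );
    }
    $text = has_excerpt( $post )
        ? $post->post_excerpt
        : wp_strip_all_tags( strip_shortcodes( $post->post_content ) );
    return esc_html( wp_trim_words( $text, $words, '…' ) );
}

// Renders the grid. Every excerpt passes through example_card_excerpt(), so an
// unauthenticated visitor viewing the page never sees protected content.
function example_render_post_grid( $count = 6 ) {
    $posts = get_posts( array( 'numberposts' => $count, 'post_status' => 'publish' ) );
    $html  = '<div class="example-grid">';
    foreach ( $posts as $post ) {
        $html .= sprintf(
            '<article class="example-card"><h3><a href="%s">%s</a></h3><p>%s</p></article>',
            esc_url( get_permalink( $post ) ),
            esc_html( get_the_title( $post ) ),
            example_card_excerpt( $post )
        );
    }
    return $html . '</div>';
}
```

`get_the_title()` already prefixes protected posts with "Protected:", so the card looks the same as a core archive entry. Any helper that reads `post_content` or `post_excerpt` directly, rather than through `get_the_excerpt()`, needs this check; core only applies it inside its own excerpt and content functions.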

PLUGIN Spectra Gutenberg Blocks – Website Builder for the Block Editor

CVE-2026-0950

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2025-14274 - Unlimited Elements For Elementor Plugin

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
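Both this entry and CVE-2026-1210 above come from the same mistake: a URL or text field saved by a Contributor is echoed into markup without escaping for its context. The following is an added example, not Happy Addons or Unlimited Elements code: a button widget rendered unsafely and then with WordPress's context-specific escaping. It runs inside WordPress; the settings keys, CSS class and the constructed payload are assumptions.

```php
<?php
// Added example, not Happy Addons or Unlimited Elements code. Runs inside WordPress.
// Settings keys, the CSS class and the payload below are assumptions / constructed input.

// Constructed input a Contributor could save through the page builder. It bypasses the
// unfiltered_html restriction because it is stored as widget settings, not as post content.
$example_settings = array(
    'button_text' => 'Learn more',
    'button_link' => 'javascript:alert(document.cookie)',
);

// VULNERABLE: attribute and text built from stored data with no escaping. The href runs in
// the browser of every visitor to the page, administrators included.
function example_render_button_vulnerable( array $settings ) {
    $url   = isset( $settings['button_link'] ) ? $settings['button_link'] : '#';
    $label = isset( $settings['button_text'] ) ? $settings['button_text'] : 'Read more';
    return '<a class="example-btn" href="' . $url . '">' . $label . '</a>';
}

// HARDENED: escape at output for the context each value lands in. esc_url() returns ''
// for any scheme outside wp_allowed_protocols() (javascript:, data:, vbscript:, ...),
// and esc_html() neutralises the label.
function example_render_button_fixed( array $settings ) {
    $url   = esc_url( isset( $settings['button_link'] ) ? $settings['button_link'] : '#' );
    $label = esc_html( isset( $settings['button_text'] ) ? $settings['button_text'] : 'Read more' );
    if ( '' === $url ) {
        return '<span class="example-btn">' . $label . '</span>';   // drop the link rather than emit href=""
    }
    return sprintf( '<a class="example-btn" href="%s">%s</a>', $url, $label );
}

// Defence in depth: sanitise at save time too, so stored meta never holds a bad scheme.
function example_sanitize_button_settings( array $settings ) {
    $settings['button_link'] = isset( $settings['button_link'] ) ? esc_url_raw( $settings['button_link'] ) : '';
    $settings['button_text'] = isset( $settings['button_text'] ) ? sanitize_text_field( $settings['button_text'] ) : '';
    return $settings;
}
```

For the constructed settings above, the vulnerable renderer emits `href="javascript:alert(document.cookie)"`; the fixed one emits a plain `<span>`. Sanitising on save alone is not enough, because settings already in the database (or written through another code path such as the `_elementor_data` meta field) are still rendered.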

PLUGIN Unlimited Elements For Elementor

CVE-2025-14274

MEDIUM CVSS 5.4 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-0909 - WP ULike – Engagement Analytics & Interactive Buttons to Understand Your Audience Plugin

The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api` AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authenticated attackers, with Subscriber-level access and above (granted the 'stats' capability is assigned to their role), to delete arbitrary log entries belonging to other users via the 'id' parameter.

PLUGIN WP ULike – Engagement Analytics & Interactive Buttons to Understand Your Audience

CVE-2026-0909

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-02-23

CVE-2026-24007 - Tuleap

Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9.

Tuleap Community Edition / Enterprise Edition

CVE-2026-24007

MEDIUM CVSS 4.6 2026-02-02
Threat Entry Updated 2026-04-15

CVE-2026-0658 - Five Star Restaurant Reservations Plugin

The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks.

PLUGIN Five Star Restaurant Reservations

CVE-2026-0658

MEDIUM CVSS 4.3 2026-02-02
Threat Entry Updated 2026-04-15

CVE-2026-1165 - Ays Popup Box Plugin

The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
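This entry, CVE-2026-1447 (Mail Mint) and CVE-2026-0658 (Five Star Restaurant Reservations) are three versions of the same CSRF defect: a state-changing admin action with no nonce, with a nonce the server mints and then verifies itself, and with no nonce on bulk actions. The following is an added example, not code from any of those plugins: the two broken shapes beside the correct one, plus the form and bulk-action side. It runs inside WordPress; action names, nonce actions, option names and the capability are assumptions.

```php
<?php
// Added example, not Mail Mint, Five Star Restaurant Reservations or Popup Box code.
// Runs inside WordPress. Action names, nonce actions, option names and capability are assumptions.

// BROKEN 1 (no nonce): a capability check alone does not stop CSRF. An administrator who
// loads an attacker page sends this POST with their cookies and the site accepts it.
function example_update_note_no_nonce() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( null, 403 );
    }
    update_option( 'example_contact_note', wp_kses_post( wp_unslash( $_POST['note'] ?? '' ) ) );
    wp_send_json_success();
}

// BROKEN 2 (self-created nonce): the handler mints a fresh nonce and verifies that same value.
// The comparison cannot fail, so "wp_verify_nonce" appears in the code but protects nothing.
function example_publish_popup_self_nonce() {
    $nonce = wp_create_nonce( 'example_publish_popup' );             // should have come from the request
    if ( ! wp_verify_nonce( $nonce, 'example_publish_popup' ) ) {    // always true
        wp_send_json_error( null, 403 );
    }
    update_option( 'example_popup_published', ! empty( $_POST['publish'] ) );
    wp_send_json_success();
}

// FIXED: the nonce is read from the request and bound to one action; the capability check stays.
function example_publish_popup_fixed() {
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_publish_popup' ) || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired request' ), 403 );
    }
    update_option( 'example_popup_published', ! empty( $_POST['publish'] ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_publish_popup', 'example_publish_popup_fixed' );

// The matching form. wp_nonce_field() prints the hidden _wpnonce and _wp_http_referer inputs;
// the action string must be the one verified above.
function example_publish_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_publish_popup">';
    wp_nonce_field( 'example_publish_popup' );
    echo '<button name="publish" value="1">Publish</button></form>';
}

// Bulk actions on a WP_List_Table screen carry a nonce named "bulk-" plus the table's plural
// label (the label here is an assumption). check_admin_referer() dies when it is missing or wrong.
function example_handle_bulk_delete( array $booking_ids ) {
    check_admin_referer( 'bulk-example_bookings' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Forbidden', 'example' ), '', 403 );
    }
    foreach ( array_map( 'absint', $booking_ids ) as $id ) {
        wp_delete_post( $id, true );
    }
}
```

The review check for BROKEN 2 is mechanical: the argument to `wp_verify_nonce()` must trace back to `$_POST`, `$_GET` or `$_REQUEST`, never to `wp_create_nonce()` in the same request. Nonces expire after 12 to 24 hours and are bound to the user and action, which is why a capability check is still required alongside them.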

PLUGIN Ays Popup Box

CVE-2026-1165

MEDIUM CVSS 4.3 2026-01-31
Threat Entry Updated 2026-04-15

CVE-2026-1251 - SupportCandy – Helpdesk & Customer Support Ticket System Plugin

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners.
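This entry and CVE-2026-0909 (WP ULike) above are both Insecure Direct Object References: an id chosen by the client is acted on without confirming the caller owns the object. The following is an added example, not WP ULike or SupportCandy code, showing an ownership-scoped delete and an ownership check before attachments are re-parented to a ticket. It runs inside WordPress; the table name, AJAX action, nonce action and the use of core media attachments for uploads are assumptions.

```php
<?php
// Added example, not WP ULike or SupportCandy code. Runs inside WordPress.
// Table name, AJAX action, nonce action and the use of core media attachments are assumptions.

// VULNERABLE: the row is addressed by id alone, so any caller who can reach the endpoint
// (a Subscriber holding the relevant capability, say) deletes any other user's entry.
function example_delete_history_vulnerable() {
    global $wpdb;
    check_ajax_referer( 'example_history', 'nonce' );
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $wpdb->delete( $wpdb->prefix . 'example_history', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// FIXED: ownership is part of the WHERE clause, so a foreign id matches zero rows.
// Doing it in one statement also avoids a lookup-then-delete race.
function example_delete_history_fixed() {
    global $wpdb;
    check_ajax_referer( 'example_history', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( null, 401 );
    }
    $id      = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'example_history',
        array( 'id' => $id, 'user_id' => get_current_user_id() ),
        array( '%d', '%d' )
    );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'No such entry' ), 404 ); // same reply for "missing" and "not yours"
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_history', 'example_delete_history_fixed' );

// Same class of bug on the ticket side: a reply carries attachment ids chosen by the client.
// Before re-parenting an upload to the caller's ticket, confirm the caller uploaded it and
// that it is not already attached elsewhere.
function example_attach_files_to_ticket( $ticket_id, array $attachment_ids ) {
    $ticket_id = absint( $ticket_id );
    $caller    = get_current_user_id();
    $ids       = array_map( 'absint', $attachment_ids );
    foreach ( $ids as $aid ) {
        $is_attachment = 'attachment' === get_post_type( $aid );
        $owner         = (int) get_post_field( 'post_author', $aid );
        $unclaimed     = 0 === (int) get_post_field( 'post_parent', $aid );
        if ( ! $is_attachment || $owner !== $caller || ! $unclaimed ) {
            return new WP_Error( 'forbidden', 'Attachment is not an unclaimed upload of the current user' );
        }
    }
    // All ids validated before any write, so one bad id leaves no partial state.
    foreach ( $ids as $aid ) {
        wp_update_post( array( 'ID' => $aid, 'post_parent' => $ticket_id ) );
    }
    return true;
}
```

`$wpdb->delete()` returns the number of rows removed, so `0` (someone else's id) and `false` (query error) both fall into the 404 branch without leaking which one occurred. The attachment helper returns a `WP_Error` instead of dying so the calling reply handler can decide how to report it.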

PLUGIN SupportCandy – Helpdesk & Customer Support Ticket System

CVE-2026-1251

MEDIUM CVSS 5.4 2026-01-31
Threat Entry Updated 2026-04-15

CVE-2026-0683 - SupportCandy – Helpdesk & Customer Support Ticket System Plugin

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
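The description pins the flaw to one code path: the operand of a Number-type filter is concatenated into the SQL string when the operator is "equals". The following is an added example, not SupportCandy code: a filter built that way beside one that allow-lists the column and operator and binds the operand through `$wpdb->prepare()`. It runs inside WordPress; the table and column names are assumptions and the attack string is constructed for illustration.

```php
<?php
// Added example, not SupportCandy code. Runs inside WordPress ($wpdb available).
// Table and column names are assumptions; the attack string is constructed for illustration.

// VULNERABLE: the operand is concatenated into the query. With the "equals" operator and a
// value like the constructed string below, a customer's filter becomes a UNION query that
// reads any table the database user can see.
function example_filter_tickets_vulnerable( $column, $operator, $value ) {
    global $wpdb;
    $sql = "SELECT id FROM {$wpdb->prefix}example_tickets WHERE {$column} {$operator} {$value}";
    return $wpdb->get_col( $sql );
}
$example_attack_value = '0 UNION SELECT user_pass FROM ' . $GLOBALS['wpdb']->users;   // constructed

// FIXED: identifiers and operators come from allow-lists the caller cannot influence, the
// operand is type-checked and bound with %d, and the query is scoped to the caller's tickets.
function example_filter_tickets_fixed( $column, $operator, $value ) {
    global $wpdb;
    $columns   = array( 'priority', 'seats', 'severity' );   // assumed numeric custom-field columns
    $operators = array( '=' => '=', '!=' => '<>', '<' => '<', '<=' => '<=', '>' => '>', '>=' => '>=' );

    if ( ! in_array( $column, $columns, true ) || ! isset( $operators[ $operator ] ) ) {
        return new WP_Error( 'bad_filter', 'Unknown column or operator' );
    }
    if ( ! is_numeric( $value ) ) {
        return new WP_Error( 'bad_filter', 'Number filter requires a numeric operand' );
    }

    $sql = $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}example_tickets
         WHERE `{$column}` {$operators[ $operator ]} %d AND customer_id = %d",
        (int) $value,
        get_current_user_id()
    );
    return $wpdb->get_col( $sql );
}
```

Column and operator names are interpolated, not bound, because `prepare()` cannot quote identifiers; that is why they must come from a fixed array and be compared with strict `in_array()`. The `%d` placeholder makes the operand an integer regardless of what was submitted, so even a partially escaped string cannot change the statement's shape.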

PLUGIN SupportCandy – Helpdesk & Customer Support Ticket System

CVE-2026-0683

MEDIUM CVSS 6.5 2026-01-31