Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,846
Critical: 0
High: 0
Medium: 10,846
Showing 1061-1080 of 10846 records
Threat Entry Updated 2026-01-27

CVE-2026-22391 - Cocco Plugin

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cocco: from n/a through

PLUGIN Cocco

CVE-2026-22391

MEDIUM CVSS 5.4 2026-01-22
Threat Entry Updated 2026-04-15

CVE-2026-22382 - PawFriends - Pet Shop and Veterinary WordPress Theme

Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery. This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through

THEME PawFriends - Pet Shop and Veterinary WordPress Theme

CVE-2026-22382

MEDIUM CVSS 5.4 2026-01-22
Threat Entry Updated 2026-01-27

CVE-2026-22360 - SearchAzon Plugin

Cross-Site Request Forgery (CSRF) vulnerability in AA-Team SearchAzon searchazon allows Cross Site Request Forgery. This issue affects SearchAzon: from n/a through

PLUGIN SearchAzon

CVE-2026-22360

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-01-27

CVE-2026-22353 - teachPress Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winkm89 teachPress teachpress allows Stored XSS. This issue affects teachPress: from n/a through

PLUGIN teachPress

CVE-2026-22353

MEDIUM CVSS 6.5 2026-01-22
Threat Entry Updated 2026-01-27

CVE-2026-22347 - Carousel Horizontal Posts Content Slider Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider allows DOM-Based XSS. This issue affects Carousel Horizontal Posts Content Slider: from n/a through

PLUGIN Carousel Horizontal Posts Content Slider

CVE-2026-22347

MEDIUM CVSS 6.5 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2026-22349 - Menu In Post Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through

PLUGIN Menu In Post

CVE-2026-22349

MEDIUM CVSS 5.4 2026-01-22
Threat Entry Updated 2026-01-27

CVE-2026-22348 - Civic Cookie Control Plugin

Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Civic Cookie Control: from n/a through

PLUGIN Civic Cookie Control

CVE-2026-22348

MEDIUM CVSS 5.3 2026-01-22
Threat Entry Updated 2026-04-15

CVE-2026-22359 - Wordpress Movies Bulk Importer Plugin

Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects Wordpress Movies Bulk Importer: from n/a through

PLUGIN Wordpress Movies Bulk Importer

CVE-2026-22359

MEDIUM CVSS 4.3 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2025-53240 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS. This issue affects WordPress Photo Gallery: from n/a through

CORE WordPress Core

CVE-2025-53240

MEDIUM CVSS 6.1 2026-01-22
Threat Entry Updated 2026-01-26

CVE-2025-49043 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS. This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through

CORE WordPress Core

CVE-2025-49043

MEDIUM CVSS 6.1 2026-01-22
Threat Entry Updated 2026-04-15

CVE-2026-1036 - Photo Gallery Plugin

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin.

PLUGIN Photo Gallery

CVE-2026-1036

MEDIUM CVSS 5.3 2026-01-22
Threat Entry Updated 2026-04-15

CVE-2026-0690 - Adsense And Custom Code Plugin

The FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Adsense And Custom Code

CVE-2026-0690

MEDIUM CVSS 6.4 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-0608 - Head Meta Data Plugin

The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Head Meta Data

CVE-2026-0608

MEDIUM CVSS 6.4 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-0548 - Tutor LMS – eLearning and online course solution Theme

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.

THEME Tutor LMS – eLearning and online course solution

CVE-2026-0548

MEDIUM CVSS 5.4 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-0554 - NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar Plugin

The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership.

PLUGIN NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar

CVE-2026-0554

MEDIUM CVSS 4.3 2026-01-20
Threat Entry Updated 2026-01-26

CVE-2025-15043 - The Events Calendar Plugin

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action.

PLUGIN The Events Calendar

CVE-2025-15043

MEDIUM CVSS 5.4 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-1045 - Viet Contact Plugin

The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Viet Contact

CVE-2026-1045

MEDIUM CVSS 4.4 2026-01-20
Threat Entry Updated 2026-04-15

CVE-2026-1042 - Wp Hello Bar Plugin

The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Hello Bar

CVE-2026-1042

MEDIUM CVSS 4.4 2026-01-20