Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,857
Critical0
High0
Medium10,857
Reset
Showing 1161-1180 of 10857 records
Threat Entry Updated 2026-01-30

CVE-2026-23727 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoSaidaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23727

MEDIUM CVSS 4.8 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-30

CVE-2026-23726 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, An Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=TipoEntradaControle. The application fails to validate or restrict the nextPage parameter, allowing attackers to redirect users to arbitrary external websites. This can be abused for phishing attacks, credential theft, malware distribution, and social engineering using the trusted WeGIA domain. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23726

MEDIUM CVSS 4.8 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-30

CVE-2026-23724 - WeGIA Plugin

WeGIA is a web manager for charitable institutions. Prior to 3.6.2, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the html/atendido/cadastro_ocorrencia.php endpoint of the WeGIA application. The application does not sanitize user-controlled data before rendering it inside the “Atendido” selection dropdown. This vulnerability is fixed in 3.6.2.

PLUGIN WeGIA

CVE-2026-23724

MEDIUM CVSS 4.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-30

CVE-2026-23645 - Siyuan Plugin

SiYuan is self-hosted, open source personal knowledge management software. Prior to 3.5.4-dev2, a Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session. This vulnerability is fixed in 3.5.4-dev2.

PLUGIN Siyuan

CVE-2026-23645

MEDIUM CVSS 5.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-02-10

CVE-2026-0949 - Postgres Enterprise Manager (PEM) Plugin

PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu.

PLUGIN Postgres Enterprise Manager (PEM)

CVE-2026-0949

MEDIUM CVSS 6.5 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-26

CVE-2026-23528 - Distributed Plugin

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard. It is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the…

PLUGIN Distributed

CVE-2026-23528

MEDIUM CVSS 5.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-27

CVE-2026-0696 - PSA Plugin

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values.

PLUGIN PSA

CVE-2026-0696

MEDIUM CVSS 6.5 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-16

CVE-2026-20894 - Multiple Network Cameras TRIFORA 3 series Plugin

Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses the setting screen.

PLUGIN Multiple Network Cameras TRIFORA 3 series

CVE-2026-20894

MEDIUM CVSS 4.8 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-1004 - Essential Addons For Elementor Lite Plugin

The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.

PLUGIN Essential Addons For Elementor Lite

CVE-2026-1004

MEDIUM CVSS 5.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-0913 - Enable Users To Submit Posts From The Front End Plugin

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Enable Users To Submit Posts From The Front End

CVE-2026-0913

MEDIUM CVSS 6.4 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-23

CVE-2025-14757 - Cost Calculator Builder Plugin

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without…

PLUGIN Cost Calculator Builder

CVE-2025-14757

MEDIUM CVSS 5.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-16

CVE-2025-14375 - And Autoblogging Plugin

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN And Autoblogging

CVE-2025-14375

MEDIUM CVSS 6.1 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-1003 - GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools Plugin

The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and above, to delete any post on the WordPress site, including posts authored by other users.

PLUGIN GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools

CVE-2026-1003

MEDIUM CVSS 4.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-0942 - Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit Plugin

The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.5. This makes it possible for unauthenticated attackers to delete the Rede Order Logs metadata from all WooCommerce orders.

PLUGIN Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit

CVE-2026-0942

MEDIUM CVSS 5.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-0916 - Related Posts By Taxonomy Plugin

The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'related_posts_by_tax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Related Posts By Taxonomy

CVE-2026-0916

MEDIUM CVSS 6.4 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-0939 - For Woocommerce Plugin

The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed.

PLUGIN For Woocommerce

CVE-2026-0939

MEDIUM CVSS 5.3 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-16

CVE-2025-14793 - Dk Pdf Plugin

The DK PDF – WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Dk Pdf

CVE-2025-14793

MEDIUM CVSS 5.0 2026-01-16
Open Full Technical Breakdown
Threat Entry Updated 2026-01-23

CVE-2026-23769 - Lucy Xss Filter Plugin

lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.

PLUGIN Lucy Xss Filter

CVE-2026-23769

MEDIUM CVSS 6.1 2026-01-16
Open Full Technical Breakdown
Scroll to top