"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 11,547
Critical: 0
High: 0
Medium: 11,547
Showing 101-120 of 11547 records
Threat Entry Updated 2026-05-27

CVE-2026-7614 - Old Posts Highlighter Plugin

The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH_options function. This makes it possible for unauthenticated attackers to update the plugin's configuration settings without authorization via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Old Posts Highlighter

CVE-2026-7614

MEDIUM CVSS 4.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-9236 - Cm Ad Changer Plugin

The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action function. This makes it possible for unauthenticated attackers to permanently delete arbitrary advertising campaigns, including their associated banner records and uploaded files, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Cm Ad Changer

CVE-2026-9236

MEDIUM CVSS 4.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-6287 - Gutenberg Plugin

The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Grid blocks in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenberg

CVE-2026-6287

MEDIUM CVSS 5.4 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-9022 - Splide Carousel Plugin

The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload must be published before it executes for site visitors, which requires an editor or administrator to approve and publish the contributor's post.

PLUGIN Splide Carousel

CVE-2026-9022

MEDIUM CVSS 6.4 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-6565 - Elementor Patterns Plugin

The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping in an admin attribute context. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Elementor Patterns

CVE-2026-6565

MEDIUM CVSS 6.4 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-7493 - Simply Schedule Appointments Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.

PLUGIN Simply Schedule Appointments

CVE-2026-7493

MEDIUM CVSS 5.3 2026-05-27
Threat Entry Updated 2026-05-26

CVE-2026-27331 - WpTravelly Plugin

Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpTravelly: from n/a through 2.1.5.

PLUGIN WpTravelly

CVE-2026-27331

MEDIUM CVSS 6.3 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-25426 - Taxi Booking Manager for WooCommerce Plugin

Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1.

PLUGIN Taxi Booking Manager for WooCommerce

CVE-2026-25426

MEDIUM CVSS 5.3 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-25444 - WpBookingly Plugin

Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9.

PLUGIN WpBookingly

CVE-2026-25444

MEDIUM CVSS 4.3 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-24520 - Tiktok Feed Plugin

Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24.

PLUGIN Tiktok Feed

CVE-2026-24520

MEDIUM CVSS 4.3 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-8174 - Zoho Mail Plugin

Zohocorp Zoho Mail WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF). This issue affects Zoho Mail WordPress plugin versions before 1.6.2.

PLUGIN Zoho Mail

CVE-2026-8174

MEDIUM CVSS 5.7 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-39642 - Nyla Plugin

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7.

PLUGIN Nyla

CVE-2026-39642

MEDIUM CVSS 5.3 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-27427 - Geo Mashup Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS. This issue affects Geo Mashup: from n/a through 1.13.18.

PLUGIN Geo Mashup

CVE-2026-27427

MEDIUM CVSS 6.5 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-24590 - Paid Videochat Turnkey Site Plugin

Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.23.

PLUGIN Paid Videochat Turnkey Site

CVE-2026-24590

MEDIUM CVSS 5.3 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-24638 - RepairBuddy Plugin

Missing Authorization vulnerability in Webful Creations RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RepairBuddy: from n/a through 4.1121.

PLUGIN RepairBuddy

CVE-2026-24638

MEDIUM CVSS 4.3 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-39655 - Mayosis Core Plugin

Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mayosis Core: from n/a through 5.4.7.

PLUGIN Mayosis Core

CVE-2026-39655

MEDIUM CVSS 5.3 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-45435 - WP Activity Log Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP Activity Log allows DOM-Based XSS. This issue affects WP Activity Log: from n/a through 5.6.3.

PLUGIN WP Activity Log

CVE-2026-45435

MEDIUM CVSS 6.5 2026-05-25
Threat Entry Updated 2026-05-26

CVE-2026-45217 - Stripe Payment Gateway for WooCommerce Plugin

Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation. This issue affects Stripe Payment Gateway for WooCommerce: from n/a through 5.0.7.

PLUGIN Stripe Payment Gateway for WooCommerce

CVE-2026-45217

MEDIUM CVSS 6.5 2026-05-25
Threat Entry Updated 2026-05-26

CVE-2026-42776 - Sunshine Photo Cart Plugin

Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through 3.6.7.

PLUGIN Sunshine Photo Cart

CVE-2026-42776

MEDIUM CVSS 6.3 2026-05-25
Threat Entry Updated 2026-05-26

CVE-2026-42763 - SePay Gateway Plugin

Missing Authorization vulnerability in SePay team SePay Gateway allows Retrieve Embedded Sensitive Data. This issue affects SePay Gateway: from n/a through 1.1.20.

PLUGIN SePay Gateway

CVE-2026-42763

MEDIUM CVSS 6.5 2026-05-25