
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-01-14

CVE-2025-14880 - Netcash Pay Now Payment Gateway For Woocommerce Plugin

The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processing/completed.

PLUGIN Netcash Pay Now Payment Gateway For Woocommerce

CVE-2025-14880

MEDIUM CVSS 5.3 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-15021 - Gotham Block Extra Light Plugin

The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Gotham Block Extra Light

CVE-2025-15021

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14725 - Internal Link Builder Plugin

The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Internal Link Builder

CVE-2025-14725

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14464 - Pdf Resume Parser Plugin

The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials.

PLUGIN Pdf Resume Parser

CVE-2025-14464

MEDIUM CVSS 5.3 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14379 - Testimonials Creator Plugin

The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Testimonials Creator

CVE-2025-14379

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14482 - Crush Pics Plugin

The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.

PLUGIN Crush Pics

CVE-2025-14482

MEDIUM CVSS 4.3 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14389 - Wpblogsync Plugin

The WPBlogSync plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wpblogsync

CVE-2025-14389

MEDIUM CVSS 4.3 2026-01-14
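The four access-control entries above (CVE-2025-14880, CVE-2025-14464, CVE-2025-14482 and CVE-2025-14389) share one root cause: a handler reachable through admin-ajax.php, admin-post.php or a payment return URL that never checks who is calling, or whether the request was intended by the caller. The PHP below is an added example written for this page, not code from any of the listed plugins. The hook names, option names and `example_` functions are hypothetical; the WordPress APIs it calls (`check_ajax_referer`, `current_user_can`, `check_admin_referer`, `wp_send_json_error`, `hash_equals`) are real. It shows the vulnerable shape beside the hardened one, and why a capability check is the wrong tool for a gateway callback.

```php
<?php
// Added example for this listing, not code from any plugin above.
// All example_* names and option keys are hypothetical.

// VULNERABLE: registered on the nopriv hook (anonymous callers reach it) and
// performs neither a nonce nor a capability check. Returning the whole option
// leaks the SMTP username and password (pattern of CVE-2025-14464).
add_action( 'wp_ajax_nopriv_example_get_smtp', 'example_get_smtp_vulnerable' );
add_action( 'wp_ajax_example_get_smtp',        'example_get_smtp_vulnerable' );
function example_get_smtp_vulnerable() {
    wp_send_json( get_option( 'example_smtp_settings' ) );
}

// HARDENED read handler. Note: registering only on wp_ajax_ (no nopriv) merely
// requires *some* logged-in user; a Subscriber still reaches it (pattern of
// CVE-2025-14482). Authorization is the current_user_can() call, not the hook.
add_action( 'wp_ajax_example_get_smtp_safe', 'example_get_smtp_safe' );
function example_get_smtp_safe() {
    check_ajax_referer( 'example_smtp_nonce', 'nonce' );   // CSRF: dies on missing/invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {       // AuthZ: administrators only
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = get_option( 'example_smtp_settings', array() );
    unset( $settings['password'] );                       // never hand the secret back to the browser
    wp_send_json_success( $settings );
}

// HARDENED state-changing handler for a settings form (pattern of CVE-2025-14389):
// capability check, then nonce check, then sanitize before storing.
add_action( 'admin_post_example_save_sync', 'example_save_sync' );
function example_save_sync() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_sync' );           // field emitted by wp_nonce_field( 'example_save_sync' )
    $url = isset( $_POST['remote_url'] ) ? esc_url_raw( wp_unslash( $_POST['remote_url'] ) ) : '';
    update_option( 'example_remote_url', $url );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}

// Browser side needs the nonce the AJAX handler checks; hand it over via
// wp_localize_script on an already-registered script handle (hypothetical here).
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_smtp_nonce' ),
    ) );
    wp_enqueue_script( 'example-admin' );
} );

// A payment return URL (pattern of CVE-2025-14880) is legitimately hit by an
// unauthenticated gateway server, so current_user_can() cannot protect it.
// Authenticate the *gateway* instead: verify a signature over the raw body with
// the merchant secret, in constant time, before touching any order state.
// The real gateway's signing scheme is not described on this page; HMAC-SHA256
// is a generic stand-in.
function example_verify_gateway_callback( string $raw_body, string $received_sig, string $shared_secret ): bool {
    $expected = hash_hmac( 'sha256', $raw_body, $shared_secret );
    return hash_equals( $expected, $received_sig );
}
```

When reviewing a plugin, the fastest triage is to grep for every `add_action( 'wp_ajax_nopriv_`, `wp_ajax_`, `admin_post_` and REST `register_rest_route` callback and confirm each one does a capability check and, for state-changing requests, a nonce check; any handler that only relies on "it is registered under wp_ajax_" is reachable by a Subscriber.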
Threat Entry Updated 2026-01-14

CVE-2025-13627 - Makesweat Plugin

The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Makesweat

CVE-2025-13627

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-12178 - Spiceforms Form Builder Plugin

The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Spiceforms Form Builder

CVE-2025-12178

MEDIUM CVSS 6.4 2026-01-14
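Five of the entries above (CVE-2025-15021, CVE-2025-14725, CVE-2025-14379, CVE-2025-13627 and CVE-2025-12178) are stored XSS through settings values or shortcode attributes that are saved and later echoed without sanitization or output escaping. The PHP below is an added example for this page, not code from those plugins; the shortcode tag, option names and `example_` functions are hypothetical, while the escaping and sanitizing functions (`esc_attr`, `esc_html`, `esc_url`, `sanitize_text_field`, `wp_kses_post`, `register_setting`) are WordPress's own. It also shows why the "multi-site / unfiltered_html disabled" qualifier appears on the admin-settings entries but not on the shortcode one.

```php
<?php
// Added example for this listing, not code from any plugin above.
// Shortcode tag, option keys and example_* names are hypothetical.

// VULNERABLE shortcode (shape of CVE-2025-12178): attribute values are placed
// straight into HTML. shortcode_atts() only fills defaults, it does not sanitize.
// Contributors can insert shortcodes, so this is a Contributor -> stored XSS path
// that hits every visitor of the page, including administrators.
add_shortcode( 'example_form_vuln', function ( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => '' ), $atts, 'example_form_vuln' );
    return '<div class="' . $atts['class'] . '"><h3>' . $atts['title'] . '</h3></div>';
} );

// HARDENED shortcode: escape each value for the exact context it lands in
// (attribute, text node, URL). Escaping at output is what stops the payload;
// sanitizing at input is defense in depth.
add_shortcode( 'example_form', function ( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'class' => '', 'url' => '' ), $atts, 'example_form' );
    return sprintf(
        '<div class="%s"><h3>%s</h3><a href="%s">more</a></div>',
        esc_attr( $atts['class'] ),
        esc_html( $atts['title'] ),
        esc_url( $atts['url'] )
    );
} );

// Admin settings (shape of CVE-2025-13627 and the other admin-settings entries).
// Why the qualifier: on a single-site install an administrator already holds
// unfiltered_html and may post raw <script> anywhere, so an escaping bug in a
// settings field gives them nothing new. On multisite, or where unfiltered_html
// has been removed (DISALLOW_UNFILTERED_HTML), the same bug is a real bypass.
// Sanitizing on save plus escaping on output closes it in both cases.
add_action( 'admin_init', function () {
    register_setting( 'example_group', 'example_club_id', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_club_id',
        'default'           => '',
    ) );
    register_setting( 'example_group', 'example_description', array(
        'type'              => 'string',
        'sanitize_callback' => 'example_sanitize_description',
        'default'           => '',
    ) );
} );

// Opaque identifier: allow-list the format. Digits only is an assumption made
// for this example, not the real format of any plugin's setting.
function example_sanitize_club_id( $value ) {
    $value = sanitize_text_field( (string) $value );
    return preg_match( '/^[0-9]{1,20}$/', $value ) ? $value : '';
}

// Rich-text field: keep post-safe HTML, strip scripts, event handlers and
// javascript: URLs. wp_kses_post() applies the same allow-list as post content.
function example_sanitize_description( $value ) {
    return wp_kses_post( (string) $value );
}

// Output on the front end: escape again for the context, even though the value
// was sanitized on save (the database could have been written by older code).
function example_render_club_badge() {
    $id = get_option( 'example_club_id', '' );
    return '<span data-club="' . esc_attr( $id ) . '">' . esc_html( $id ) . '</span>';
}
```

A quick audit heuristic that catches all five listings: every `echo`, `printf` or string concatenation that builds HTML from `get_option()`, `$atts[...]`, `$_GET`/`$_POST` or post meta must pass through an `esc_*` function matching its context, and every `register_setting()` or `update_option()` of user-controlled data should name a `sanitize_callback`.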
Threat Entry Updated 2026-01-14

CVE-2026-0716 - Red Hat Enterprise Linux 10 (libsoup)

A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted.

PRODUCT Red Hat Enterprise Linux 10 (libsoup)

CVE-2026-0716

MEDIUM CVSS 4.8 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21303 - Substance3D - Modeler

Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PRODUCT Substance3D - Modeler

CVE-2026-21303

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21302 - Substance3D - Modeler

Substance3D - Modeler versions 1.22.4 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PRODUCT Substance3D - Modeler

CVE-2026-21302

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21301 - Substance3D - Modeler

Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PRODUCT Substance3D - Modeler

CVE-2026-21301

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-14

CVE-2026-21300 - Substance3D - Modeler

Substance3D - Modeler versions 1.22.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

PRODUCT Substance3D - Modeler

CVE-2026-21300

MEDIUM CVSS 5.5 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0543 - Kibana

Improper Input Validation (CWE-20) in Kibana's Email Connector can allow an attacker to cause an Excessive Allocation (CAPEC-130) through a specially crafted email address parameter. This requires an attacker to have authenticated access with view-level privileges sufficient to execute connector actions. The application attempts to process the specially crafted email address format, resulting in complete service unavailability for all users until a manual restart is performed.

PRODUCT Kibana

CVE-2026-0543

MEDIUM CVSS 6.5 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0531 - Kibana

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

PRODUCT Kibana

CVE-2026-0531

MEDIUM CVSS 6.5 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0530 - Kibana

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted request. This causes the application to perform redundant processing operations that continuously consume system resources until service degradation or complete unavailability occurs.

PRODUCT Kibana

CVE-2026-0530

MEDIUM CVSS 6.5 2026-01-13
Threat Entry Updated 2026-01-22

CVE-2026-0528 - Metricbeat

An Improper Validation of Array Index (CWE-129) flaw in Metricbeat can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed payloads sent to the Graphite server metricset or the Zookeeper server metricset. Additionally, an Improper Input Validation (CWE-20) flaw in the Prometheus helper module can allow an attacker to cause a Denial of Service through Input Data Manipulation (CAPEC-153) via specially crafted, malformed metric data.

PRODUCT Metricbeat

CVE-2026-0528

MEDIUM CVSS 6.5 2026-01-13
Threat Entry Updated 2026-01-20

CVE-2026-22809 - tarteaucitron.js

tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability existed in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0.

PRODUCT tarteaucitron.js

CVE-2026-22809

MEDIUM CVSS 4.4 2026-01-13