Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-01-15

CVE-2026-0547 - Online Course Registration Plugin

A vulnerability was found in PHPGurukul Online Course Registration up to 3.1. This issue affects some unknown processing of the file /admin/edit-student-profile.php of the component Student Registration Page. The manipulation of the argument photo results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used.

PLUGIN Online Course Registration

CVE-2026-0547

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-15

CVE-2026-0546 - Content Management System Plugin

A vulnerability was determined in code-projects Content Management System 1.0. This impacts an unknown function of the file search.php. This manipulation of the argument Value causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

PLUGIN Content Management System

CVE-2026-0546

MEDIUM CVSS 6.9 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-12685 - Through 1 Plugin

The WPBookit WordPress plugin through 1.0.7 lacks a CSRF check when deleting customers. This could allow an unauthenticated attacker to delete any customer through a CSRF attack.

PLUGIN Through 1

CVE-2025-12685

MEDIUM CVSS 6.5 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-13456 - Before 3 Plugin

The ShopBuilder WordPress plugin before 3.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Before 3

CVE-2025-13456

MEDIUM CVSS 6.1 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-13153 - Before 4 Plugin

The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN Before 4

CVE-2025-13153

MEDIUM CVSS 6.1 2026-01-02
Threat Entry Updated 2026-01-09

CVE-2025-14072 - Before 3 Plugin

The Ninja Forms WordPress plugin before 3.13.3 allows unauthenticated attackers to generate valid access tokens via the REST API which can then be used to read form submissions.

PLUGIN Before 3

CVE-2025-14072

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2025-14047 - Wp User Frontend Plugin

The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments.

PLUGIN Wp User Frontend

CVE-2025-14047

MEDIUM CVSS 5.3 2026-01-02
Threat Entry Updated 2026-01-02

CVE-2026-21436 - Eopkg Plugin

eopkg is a Solus package manager implemented in python3. In versions prior to 4.4.0, a malicious package could escape the directory set by `--destdir`. This requires the installation of a package from a malicious or compromised source. Files in such packages would not be installed in the path given by `--destdir`, but on a different location on the host. The issue has been fixed in v4.4.0. Users only installing packages from the Solus repositories are not affected.

PLUGIN Eopkg

CVE-2026-21436

MEDIUM CVSS 5.8 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2025-14627 - For Wordpress Is Vulnerable To Server Side Request Forgery In All Versions Up To Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.35. This is due to inadequate validation of the resolved URL after following Bitly shortlink redirects in the `upload_function()` method. While the initial URL is validated using `wp_http_validate_url()`, when a Bitly shortlink is detected, the `unshorten_bitly_url()` function follows redirects to the final destination URL without re-validating it. This makes it possible for authenticated attackers with Contributor-level access or higher to make the server perform…

PLUGIN For Wordpress Is Vulnerable To Server Side Request Forgery In All Versions Up To

CVE-2025-14627

MEDIUM CVSS 6.4 2026-01-01
Threat Entry Updated 2026-01-02

CVE-2025-14428 - Mystickyelements Plugin

The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.

PLUGIN Mystickyelements

CVE-2025-14428

MEDIUM CVSS 4.3 2026-01-01
Threat Entry Updated 2026-01-06

CVE-2026-0544 - School Management System Plugin

A security flaw has been discovered in itsourcecode School Management System 1.0. This affects an unknown part of the file /student/index.php. The manipulation of the argument ID results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

PLUGIN School Management System

CVE-2026-0544

MEDIUM CVSS 6.9 2026-01-01
Threat Entry Updated 2026-01-05

CVE-2025-13820 - Before 7 Plugin

The Comments WordPress plugin before 7.6.40 does not properly validate a user's identity when using the disqus.com provider, allowing an attacker who knows a user's email address to log in as that user if the user does not yet have an account on disqus.com.

PLUGIN Before 7

CVE-2025-13820

MEDIUM CVSS 5.3 2026-01-01
Threat Entry Updated 2026-01-20

CVE-2025-62088 - WooCommerce Plugin

Server-Side Request Forgery (SSRF) vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site allows Server Side Request Forgery. This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through 1.0.7.

PLUGIN WooCommerce

CVE-2025-62088

MEDIUM CVSS 5.4 2025-12-31
Threat Entry Updated 2026-01-20

CVE-2025-62083 - WordPress Core

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah BoomDevs WordPress Coming Soon Plugin allows Retrieve Embedded Sensitive Data. This issue affects BoomDevs WordPress Coming Soon Plugin: from n/a through 1.0.4.

CORE WordPress Core

CVE-2025-62083

MEDIUM CVSS 4.3 2025-12-31
Threat Entry Updated 2026-01-20

CVE-2025-63005 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomas WordPress Tooltips allows Stored XSS. This issue affects WordPress Tooltips: from n/a through 10.7.9.

CORE WordPress Core

CVE-2025-63005

MEDIUM CVSS 6.5 2025-12-31
Threat Entry Updated 2025-12-31

CVE-2025-14783 - Easy Digital Downloads Plugin

The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation of the redirect URL supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users who follow the password reset email to potentially malicious sites, provided they can trick those users into performing an action.

PLUGIN Easy Digital Downloads

CVE-2025-14783

MEDIUM CVSS 4.3 2025-12-31
Threat Entry Updated 2026-01-02

CVE-2025-14434 - Ultimate Post Kit Addons For Elementor Plugin

The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX "load more" endpoints such as upk_alex_grid_loadmore_posts without ensuring that the posts to be displayed are published and without requiring authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve the rendered HTML content of private and unpublished ones.

PLUGIN Ultimate Post Kit Addons For Elementor

CVE-2025-14434

MEDIUM CVSS 5.3 2025-12-31
Threat Entry Updated 2026-01-20

CVE-2025-62746 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeFlavors Featured Video for WordPress & VideographyWP allows Stored XSS. This issue affects Featured Video for WordPress & VideographyWP: from n/a through 1.0.18.

CORE WordPress Core

CVE-2025-62746

MEDIUM CVSS 6.5 2025-12-30
Threat Entry Updated 2025-12-31

CVE-2025-14426 - Strong Testimonials Plugin

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.

PLUGIN Strong Testimonials

CVE-2025-14426

MEDIUM CVSS 4.3 2025-12-30