Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 1681-1700 of 10857 records
CVE-2025-69022 - WordPress Core
Type: CORE | Severity: MEDIUM | CVSS 5.4 | 2025-12-30 | Threat Entry Updated 2026-01-20

Missing Authorization vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HR Management Lite: from n/a through

CVE-2025-14313 - Advance Wp Query Search Filter Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 6.1 | 2025-12-30 | Threat Entry Updated 2025-12-31

The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2025-14312 - Advance Wp Query Search Filter Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 6.1 | 2025-12-30 | Threat Entry Updated 2025-12-31

The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CVE-2025-14280 - Pixelyoursite Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 5.3 | 2025-12-29 | Threat Entry Updated 2025-12-31

The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1.

CVE-2025-68893 - WordPress Core
Type: CORE | Severity: MEDIUM | CVSS 4.9 | 2025-12-29 | Threat Entry Updated 2026-01-20

Server-Side Request Forgery (SSRF) vulnerability in HETWORKS WordPress Image shrinker allows Server Side Request Forgery. This issue affects WordPress Image shrinker: from n/a through 1.1.0.

CVE-2025-13958 - Yamaps For Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 5.9 | 2025-12-29 | Threat Entry Updated 2025-12-29

The YaMaps for WordPress Plugin WordPress plugin before 0.6.40 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2025-14913 - Frontend Post Submission Manager Lite Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 5.3 | 2025-12-26 | Threat Entry Updated 2025-12-29

The Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to an incorrect authorization check on the 'media_delete_action' function in all versions up to, and including, 1.2.6. This makes it possible for unauthenticated attackers to delete arbitrary attachments.

CVE-2025-68597 - WordPress Core
Type: CORE | Severity: MEDIUM | CVSS 5.4 | 2025-12-24 | Threat Entry Updated 2026-01-20

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Stored XSS. This issue affects Jobs for WordPress: from n/a through

CVE-2025-13407 - Gravity Forms Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 6.8 | 2025-12-24 | Threat Entry Updated 2025-12-29

The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.

CVE-2025-14635 - Happy Addons For Elementor Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 6.4 | 2025-12-23 | Threat Entry Updated 2025-12-23

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_page_custom_js' parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, despite the intended role restriction of Custom JS to Administrators.

CVE-2025-14000 - Restrict Content Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 6.4 | 2025-12-23 | Threat Entry Updated 2025-12-23

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-14548 - Calendar Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 6.4 | 2025-12-23 | Threat Entry Updated 2025-12-23

The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can convince an administrator to enable lower privilege users to manage calendar events via the plugin settings.

CVE-2025-14155 - Premium Addons For Elementor Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 5.3 | 2025-12-23 | Threat Entry Updated 2026-01-05

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates.

CVE-2025-14163 - Premium Addons For Elementor Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 4.3 | 2025-12-23 | Threat Entry Updated 2026-01-05

The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request, granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.

CVE-2025-13693 - Final Tiles Grid Gallery Lite Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 6.4 | 2025-12-21 | Threat Entry Updated 2025-12-23

The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-13220 - Ultimate Member Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 6.4 | 2025-12-21 | Threat Entry Updated 2025-12-23

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including, 2.11.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-13361 - Web To Sugarcrm Lead Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 4.3 | 2025-12-21 | Threat Entry Updated 2025-12-23

The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2025-12398 - Product Table For Woocommerce Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 6.1 | 2025-12-21 | Threat Entry Updated 2025-12-23

The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2025-14080 - Frontend Post Submission Manager Lite Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 5.3 | 2025-12-21 | Threat Entry Updated 2025-12-23

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.5. This is due to missing authorization checks on the post update functionality in the fpsml_form_process AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary posts by providing a post_id parameter via the guest posting form, allowing them to change post titles, content, excerpts, and remove post authors.

CVE-2025-14043 - Tainacan Plugin
Type: PLUGIN | Severity: MEDIUM | CVSS 5.3 | 2025-12-21 | Threat Entry Updated 2025-12-23

The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API, granted they can access the WordPress site.