Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total10,857
Critical0
High0
Medium10,857
Reset
Showing 1761-1780 of 10857 records
Threat Entry Updated 2025-12-15

CVE-2025-12900 - File Manager Plugin

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 6.5.1 via the "ConvertController::insertToNewTable" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author level access and above, to inject global folders and reassign arbitrary media attachments to those folders under certain circumstances.

PLUGIN File Manager

CVE-2025-12900

MEDIUM CVSS 4.3 2025-12-15
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-13740 - Lightweight Accordion Plugin

The Lightweight Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `lightweight-accordion` shortcode in all versions up to, and including, 1.5.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Lightweight Accordion

CVE-2025-13740

MEDIUM CVSS 6.4 2025-12-15
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-12537 - Addon Elements For Elementor Plugin

The Addon Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.14.3. This is due to insufficient input sanitization and output escaping on multiple widget parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via multiple widget parameters in pages that will execute whenever a user accesses an injected page.

PLUGIN Addon Elements For Elementor

CVE-2025-12537

MEDIUM CVSS 6.4 2025-12-14
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-9873 - A3 Lazy Load Plugin

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN A3 Lazy Load

CVE-2025-9873

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-9856 - Popup Builder Plugin

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Popup Builder

CVE-2025-9856

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-9488 - Redux Framework Plugin

The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Redux Framework

CVE-2025-9488

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-8780 - Livemesh Siteorigin Widgets Plugin

The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Hero Header and Pricing Table widgets in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Livemesh Siteorigin Widgets

CVE-2025-8780

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-8779 - Widgetkit For Elementor Plugin

The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team and Countdown widgets in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Widgetkit For Elementor

CVE-2025-8779

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-8687 - Enteraddons Plugin

The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Enteraddons

CVE-2025-8687

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-8617 - Yith Woocommerce Quick View Plugin

The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Yith Woocommerce Quick View

CVE-2025-8617

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-9116 - Wps Visitor Counter Plugin

The WPS Visitor Counter Plugin WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

PLUGIN Wps Visitor Counter

CVE-2025-9116

MEDIUM CVSS 5.8 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-9207 - Ti Woocommerce Wishlist Plugin

The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can input and is later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items.

PLUGIN Ti Woocommerce Wishlist

CVE-2025-9207

MEDIUM CVSS 5.3 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-8199 - Marquee Addons For Elementor Plugin

The MarqueeAddons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Testimonial Marquee widget in all versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Marquee Addons For Elementor

CVE-2025-8199

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-8195 - Jetwidgets For Elementor Plugin

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Comparison and Subscribe widgets in all versions up to, and including, 1.0.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Jetwidgets For Elementor

CVE-2025-8195

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-7960 - King Addons Plugin

The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Slider, Pricing Calculator, and Image Accordion widgets in all versions up to, and including, 51.1.39 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN King Addons

CVE-2025-7960

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-7058 - Kingcabs Theme

The Kingcabs theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘progressbarLayout’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Kingcabs

CVE-2025-7058

MEDIUM CVSS 6.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-14539 - The Shortcode Ajax Plugin

The The Shortcode Ajax plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN The Shortcode Ajax

CVE-2025-14539

MEDIUM CVSS 5.4 2025-12-13
Open Full Technical Breakdown
Threat Entry Updated 2025-12-15

CVE-2025-14581 - Happy Helpdesk Support Ticket System Plugin

The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket.

PLUGIN Happy Helpdesk Support Ticket System

CVE-2025-14581

MEDIUM CVSS 5.3 2025-12-13
Open Full Technical Breakdown
Scroll to top