Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,857 (Critical: 0, High: 0, Medium: 10,857)
Showing 1901-1920 of 10857 records
Threat Entry Updated 2026-01-20

CVE-2025-67535 - WordPress Core

Deserialization of Untrusted Data vulnerability in WePlugins - WordPress Development Company WP Maps wp-google-map-plugin allows Object Injection. This issue affects WP Maps: from n/a through

CORE WordPress Core

CVE-2025-67535

MEDIUM CVSS 6.5 2025-12-09
Threat Entry Updated 2026-01-09

CVE-2025-13070 - Csv To Sorttable Plugin

The CSV to SortTable WordPress plugin through 4.2 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as contributor to perform LFI attacks.

PLUGIN Csv To Sorttable

CVE-2025-13070

MEDIUM CVSS 6.6 2025-12-09
Threat Entry Updated 2025-12-09

CVE-2025-13642 - Wp User Avatar Plugin

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.7 due to insufficient input sanitization on the `type` parameter in the form preview functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes via the `pp_preview_form` endpoint.

PLUGIN Wp User Avatar

CVE-2025-13642

MEDIUM CVSS 5.4 2025-12-09
Threat Entry Updated 2025-12-12

CVE-2025-13031 - Wpematico Rss Feed Fetcher Plugin

The WPeMatico RSS Feed Fetcher WordPress plugin before 2.8.13 does not sanitize and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks

PLUGIN Wpematico Rss Feed Fetcher

CVE-2025-13031

MEDIUM CVSS 5.9 2025-12-09
Threat Entry Updated 2025-12-11

CVE-2025-12558 - Beaver Builder Plugin

The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments.

PLUGIN Beaver Builder

CVE-2025-12558

MEDIUM CVSS 4.3 2025-12-09
Threat Entry Updated 2025-12-08

CVE-2025-13748 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.

PLUGIN Conversational Form Builder

CVE-2025-13748

MEDIUM CVSS 5.3 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13907 - Css3 Buttons Plugin

The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Css3 Buttons

CVE-2025-13907

MEDIUM CVSS 6.4 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13899 - Tr Timthumb Plugin

The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tr Timthumb

CVE-2025-13899

MEDIUM CVSS 6.4 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13898 - Ultra Skype Button Plugin

The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_id' parameter of the [ultra_skype] shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultra Skype Button

CVE-2025-13898

MEDIUM CVSS 6.4 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13896 - Social Feed Gallery Portfolio Plugin

The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [igp-wp] shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Feed Gallery Portfolio

CVE-2025-13896

MEDIUM CVSS 6.4 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13863 - Revinsite Plugin

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Revinsite

CVE-2025-13863

MEDIUM CVSS 6.4 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13857 - Yet Another Webclap For Wordpress Plugin

The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclap_button shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Yet Another Webclap For Wordpress

CVE-2025-13857

MEDIUM CVSS 6.4 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13856 - Extra Post Images Plugin

The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Extra Post Images

CVE-2025-13856

MEDIUM CVSS 6.4 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13656 - Cute News Ticker Plugin

The Cute News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cute News Ticker

CVE-2025-13656

MEDIUM CVSS 6.4 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13894 - Csv Sumotto Plugin

The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Csv Sumotto

CVE-2025-13894

MEDIUM CVSS 6.1 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13666 - Helloprint Plugin

The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated attackers to arbitrarily modify WooCommerce order statuses via the /wp-json/helloprint/v1/complete_order_from_helloprint_callback endpoint by providing a valid order reference ID.

PLUGIN Helloprint

CVE-2025-13666

MEDIUM CVSS 5.3 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13626 - Mylco Plugin

The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Mylco

CVE-2025-13626

MEDIUM CVSS 6.1 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13137 - Woomotiv Plugin

The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Woomotiv

CVE-2025-13137

MEDIUM CVSS 6.1 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13308 - Application Passwords Plugin

The Application Passwords plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'reject_url' parameter in all versions up to, and including, 0.1.3. This is due to insufficient input sanitization and output escaping on user supplied URLs, which allows javascript: URI schemes to be embedded in the reject_url parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when a user clicks the "No, I do not approve of this connection" button, granted they can successfully trick the victim into performing an action such…

PLUGIN Application Passwords

CVE-2025-13308

MEDIUM CVSS 5.4 2025-12-06
Threat Entry Updated 2025-12-08

CVE-2025-13358 - Codeconfig Accessibility Plugin

The Accessiy By CodeConfig Accessibility plugin for WordPress is vulnerable to unauthorized page creation due to missing authorization checks in versions up to, and including, 1.0.0. This is due to the plugin not performing capability checks in the `Settings::createPage()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary published pages on the site via the `ccpcaCreatePage` AJAX action.

PLUGIN Codeconfig Accessibility

CVE-2025-13358

MEDIUM CVSS 5.3 2025-12-06