
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,025
Critical: 923
High: 3,045
Medium: 10,857

Showing 2141-2160 of 15025 records
Threat Entry Updated 2026-01-15

CVE-2026-20969 - Samsung Mobile Devices Plugin

Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows a local attacker to access a file with system privilege. User interaction is required for triggering this vulnerability.

PLUGIN Samsung Mobile Devices

CVE-2026-20969

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-15057 - Slimstat Analytics Plugin

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient input sanitization and output escaping on the fingerprint value stored in the database. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the Real-time Access Log report.

PLUGIN Slimstat Analytics

CVE-2025-15057

HIGH CVSS 7.2 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-15055 - Slimstat Analytics Plugin

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report.

PLUGIN Slimstat Analytics

CVE-2025-15055

HIGH CVSS 7.2 2026-01-09
Threat Entry Updated 2026-04-15

CVE-2026-0563 - WP Google Street View (with 360° virtual tour) & Google maps + Local SEO Plugin

The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN WP Google Street View (with 360° virtual tour) & Google maps + Local SEO

CVE-2026-0563

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-15019 - Woocommerce Plugin

The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the post editor.

PLUGIN Woocommerce

CVE-2025-15019

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14736 - Frontend Admin By Dynamiapps Plugin

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, provided they can access a user registration form containing a Role field.

PLUGIN Frontend Admin By Dynamiapps

CVE-2025-14736

CRITICAL CVSS 9.8 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14980 - Betterdocs Plugin

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings.

PLUGIN Betterdocs

CVE-2025-14980

MEDIUM CVSS 6.5 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14893 - Indieweb Plugin

The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Indieweb

CVE-2025-14893

MEDIUM CVSS 6.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14782 - Custom Form Builder Plugin

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information.

PLUGIN Custom Form Builder

CVE-2025-14782

MEDIUM CVSS 5.3 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14720 - Amelia Plugin

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things.

PLUGIN Amelia

CVE-2025-14720

MEDIUM CVSS 5.3 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14718 - Schedule Post Changes With Publishpress Future Plugin

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators.

PLUGIN Schedule Post Changes With Publishpress Future

CVE-2025-14718

MEDIUM CVSS 5.4 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14574 - Wedocs Plugin

The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys.

PLUGIN Wedocs

CVE-2025-14574

MEDIUM CVSS 5.3 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14803 - Before 9 Plugin

The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in a way that allows subscribers to perform Stored Cross-Site Scripting.

PLUGIN Before 9

CVE-2025-14803

MEDIUM CVSS 6.8 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-13749 - Defer Plugin

The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Defer

CVE-2025-13749

MEDIUM CVSS 4.3 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2025-14886 - Woocommerce For Japan Plugin

The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order as processed/completed.

PLUGIN Woocommerce For Japan

CVE-2025-14886

MEDIUM CVSS 5.3 2026-01-09
Threat Entry Updated 2026-01-13

CVE-2026-22714 - Mediawiki - Monaco Skin Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS). This issue affects Mediawiki - Monaco Skin: 1.45, 1.44, 1.43, 1.39.

PLUGIN Mediawiki - Monaco Skin

CVE-2026-22714

LOW CVSS 2.3 2026-01-09
Threat Entry Updated 2026-02-12

CVE-2026-22713 - Mediawiki - GrowthExperiments Extension Plugin

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - GrowthExperiments Extension: 1.45, 1.44, 1.43, 1.39.

PLUGIN Mediawiki - GrowthExperiments Extension

CVE-2026-22713

LOW CVSS 2.3 2026-01-09