
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,032 (Critical: 923, High: 3,046, Medium: 10,863)
Showing 2521-2540 of 15032 records
Threat Entry Updated 2026-01-20

CVE-2025-28949 - WordPress Core

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Codedraft Mediabay - WordPress Media Library Folders allows Blind SQL Injection. This issue affects Mediabay - WordPress Media Library Folders: from n/a through 1.4.

CORE WordPress Core

CVE-2025-28949

HIGH CVSS 8.5 2025-12-31
Threat Entry Updated 2026-01-20

CVE-2025-62088 - WooCommerce Plugin

Server-Side Request Forgery (SSRF) vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site allows Server Side Request Forgery. This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through 1.0.7.

PLUGIN WooCommerce

CVE-2025-62088

MEDIUM CVSS 5.4 2025-12-31
Threat Entry Updated 2026-01-20

CVE-2025-62083 - WordPress Core

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah BoomDevs WordPress Coming Soon Plugin allows Retrieve Embedded Sensitive Data. This issue affects BoomDevs WordPress Coming Soon Plugin: from n/a through 1.0.4.

CORE WordPress Core

CVE-2025-62083

MEDIUM CVSS 4.3 2025-12-31
Threat Entry Updated 2026-01-20

CVE-2025-63005 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomas WordPress Tooltips allows Stored XSS. This issue affects WordPress Tooltips: from n/a through 10.7.9.

CORE WordPress Core

CVE-2025-63005

MEDIUM CVSS 6.5 2025-12-31
Threat Entry Updated 2025-12-31

CVE-2025-14783 - Easy Digital Downloads Plugin

The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.

PLUGIN Easy Digital Downloads

CVE-2025-14783

MEDIUM CVSS 4.3 2025-12-31
Threat Entry Updated 2026-01-02

CVE-2025-14434 - Ultimate Post Kit Addons For Elementor Plugin

The Ultimate Post Kit Addons for Elementor WordPress plugin before 4.0.16 exposes multiple AJAX “load more” endpoints such as upk_alex_grid_loadmore_posts without ensuring that posts to be displayed are published or requiring authentication. This allows an unauthenticated attacker to query arbitrary posts and retrieve rendered HTML content of private and unpublished ones.

PLUGIN Ultimate Post Kit Addons For Elementor

CVE-2025-14434

MEDIUM CVSS 5.3 2025-12-31
Threat Entry Updated 2026-01-20

CVE-2025-52835 - WordPress Core

Cross-Site Request Forgery (CSRF) vulnerability in ConoHa by GMO WING WordPress Migrator allows Upload a Web Shell to a Web Server. This issue affects WING WordPress Migrator: from n/a through 1.1.9.

CORE WordPress Core

CVE-2025-52835

CRITICAL CVSS 9.6 2025-12-30
Threat Entry Updated 2026-01-20

CVE-2025-62746 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeFlavors Featured Video for WordPress & VideographyWP allows Stored XSS. This issue affects Featured Video for WordPress & VideographyWP: from n/a through 1.0.18.

CORE WordPress Core

CVE-2025-62746

MEDIUM CVSS 6.5 2025-12-30
Threat Entry Updated 2025-12-31

CVE-2025-14426 - Strong Testimonials Plugin

The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.

PLUGIN Strong Testimonials

CVE-2025-14426

MEDIUM CVSS 4.3 2025-12-30
Threat Entry Updated 2025-12-31

CVE-2025-14509 - Woo Lucky Wheel Plugin

The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing…

PLUGIN Woo Lucky Wheel

CVE-2025-14509

HIGH CVSS 7.2 2025-12-30
Threat Entry Updated 2026-01-20

CVE-2025-69022 - WordPress Core

Missing Authorization vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HR Management Lite: from n/a through

CORE WordPress Core

CVE-2025-69022

MEDIUM CVSS 5.4 2025-12-30
Threat Entry Updated 2026-01-20

CVE-2025-68987 - Cinerama Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Cinerama - A WordPress Theme for Movie Studios and Filmmakers cinerama allows PHP Local File Inclusion. This issue affects Cinerama - A WordPress Theme for Movie Studios and Filmmakers: from n/a through

THEME Cinerama

CVE-2025-68987

CRITICAL CVSS 9.8 2025-12-30
Threat Entry Updated 2026-01-20

CVE-2025-68974 - WordPress Core

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through

CORE WordPress Core

CVE-2025-68974

CRITICAL CVSS 9.8 2025-12-30
Threat Entry Updated 2025-12-31

CVE-2025-14313 - Advance Wp Query Search Filter Plugin

The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Advance Wp Query Search Filter

CVE-2025-14313

MEDIUM CVSS 6.1 2025-12-30
Threat Entry Updated 2025-12-31

CVE-2025-14312 - Advance Wp Query Search Filter Plugin

The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Advance Wp Query Search Filter

CVE-2025-14312

MEDIUM CVSS 6.1 2025-12-30
Threat Entry Updated 2025-12-31

CVE-2025-13592 - Advanced Ads Plugin

The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above to execute code on the server.

PLUGIN Advanced Ads

CVE-2025-13592

HIGH CVSS 7.2 2025-12-29
Threat Entry Updated 2025-12-31

CVE-2025-14280 - Pixelyoursite Plugin

The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1.

PLUGIN Pixelyoursite

CVE-2025-14280

MEDIUM CVSS 5.3 2025-12-29
Threat Entry Updated 2026-01-20

CVE-2025-68893 - WordPress Core

Server-Side Request Forgery (SSRF) vulnerability in HETWORKS WordPress Image shrinker allows Server Side Request Forgery. This issue affects WordPress Image shrinker: from n/a through 1.1.0.

CORE WordPress Core

CVE-2025-68893

MEDIUM CVSS 4.9 2025-12-29