Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 3401-3420 of 15036 records
Threat Entry Updated 2025-12-19

CVE-2025-8383 - Depicter Plugin

The Depicter plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions less than, or equal to, 4.0.4. This is due to missing or incorrect nonce validation on the depicter-document-rules-store function. This makes it possible for unauthenticated attackers to modify document rules via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Depicter

CVE-2025-8383

MEDIUM CVSS 4.3 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-11-04

CVE-2025-12094 - Oopspam Anti Spam Plugin

The OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) plugin for WordPress is vulnerable to IP Header Spoofing in all versions up to, and including, 1.2.53. This is due to the plugin trusting client-controlled forwarded headers (such as CF-Connecting-IP, X-Forwarded-For, and others) without verifying that those headers originate from legitimate, trusted proxies. This makes it possible for unauthenticated attackers to spoof their IP address and bypass IP-based security controls, including blocked IP lists and rate limiting protections, by sending arbitrary HTTP headers with their requests.

PLUGIN Oopspam Anti Spam

CVE-2025-12094

MEDIUM CVSS 5.3 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-11-04

CVE-2025-12175 - The Events Calendar Plugin

The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them.

PLUGIN The Events Calendar

CVE-2025-12175

MEDIUM CVSS 4.3 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-11-04

CVE-2025-10897 - Woocommerce Designer Pro Theme

The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.

THEME Woocommerce Designer Pro

CVE-2025-10897

HIGH CVSS 8.6 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-11-04

CVE-2025-8385 - Zombify Plugin

The Zombify plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.5. This is due to insufficient input validation in the zf_get_file_by_url function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read arbitrary files on the server, including sensitive system files like /etc/passwd, via a forged request. It's worth noting that successfully exploiting this vulnerability relies on a race condition as the file generated will be deleted immediately.

PLUGIN Zombify

CVE-2025-8385

MEDIUM CVSS 6.8 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-11-04

CVE-2025-8489 - King Addons Plugin

The King Addons for Elementor – Free Elements, Widgets, Templates, and Features for Elementor plugin for WordPress is vulnerable to privilege escalation in versions 24.12.92 to 51.1.14 . This is due to the plugin not properly restricting the roles that users can register with. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.

PLUGIN King Addons

CVE-2025-8489

CRITICAL CVSS 9.8 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-11-04

CVE-2025-7846 - Wordpress User Extra Fields Plugin

The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the save_fields() function in all versions up to, and including, 16.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Wordpress User Extra Fields

CVE-2025-7846

HIGH CVSS 8.8 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-11-04

CVE-2025-5397 - Noo Jobmonster Theme

The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts. Please note social login needs to be enabled in order for a site to be impacted by this vulnerability.

THEME Noo Jobmonster

CVE-2025-5397

CRITICAL CVSS 9.8 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2026-01-09

CVE-2025-11191 - Before 1 Plugin

The RealPress WordPress plugin before 1.1.0 registers the REST routes without proper permission checks, allowing the creation of pages and sending of emails from the site.

PLUGIN Before 1

CVE-2025-11191

MEDIUM CVSS 5.3 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-11-04

CVE-2025-11806 - Qzzr Shortcode Plugin

The Qzzr Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'qzzr' shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping on the 'quiz' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Qzzr Shortcode

CVE-2025-11806

MEDIUM CVSS 6.4 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-11-04

CVE-2025-11975 - Changeset Plugin

The FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_changes() function in all versions up to, and including, 1.1.23.0. This makes it possible for unauthenticated attackers to add and edit sync rules.

PLUGIN Changeset

CVE-2025-11975

MEDIUM CVSS 4.3 2025-10-31
Open Full Technical Breakdown
Threat Entry Updated 2025-10-30

CVE-2025-11881 - Mobile App Framework Plugin

The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data including plugin and theme names and version numbers, which can be used to facilitate targeted attacks against outdated or vulnerable components.

PLUGIN Mobile App Framework

CVE-2025-11881

MEDIUM CVSS 5.3 2025-10-30
Open Full Technical Breakdown
Threat Entry Updated 2025-10-30

CVE-2025-11627 - Site Checkup Plugin

The Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue plugin for WordPress is vulnerable to log file poisoning in all versions up to, and including, 1.47. This makes it possible for unauthenticated attackers to insert arbitrary content into log files, and potentially cause denial of service via disk space exhaustion.

PLUGIN Site Checkup

CVE-2025-11627

MEDIUM CVSS 6.5 2025-10-30
Open Full Technical Breakdown
Threat Entry Updated 2025-10-30

CVE-2025-10636 - Ns Maintenance Mode For Wp Plugin

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Ns Maintenance Mode For Wp

CVE-2025-10636

LOW CVSS 3.5 2025-10-30
Open Full Technical Breakdown
Threat Entry Updated 2025-10-30

CVE-2025-10008 - Weglot Plugin

The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited transients that contain cached plugin options.

PLUGIN Weglot

CVE-2025-10008

MEDIUM CVSS 5.3 2025-10-30
Open Full Technical Breakdown
Threat Entry Updated 2025-10-30

CVE-2025-12475 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blocksy Companion

CVE-2025-12475

MEDIUM CVSS 6.4 2025-10-30
Open Full Technical Breakdown
Threat Entry Updated 2025-10-30

CVE-2025-11632 - Call Now Button Plugin

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate links to billing portal, where they can view and modify billing information of the connected, account, generate chat session tokens, view domain status, etc. This vulnerability was partially fixed in version 1.5.4 and fully fixed in…

PLUGIN Call Now Button

CVE-2025-11632

MEDIUM CVSS 4.3 2025-10-29
Open Full Technical Breakdown
Threat Entry Updated 2025-12-19

CVE-2025-11587 - Call Now Button Plugin

The Call Now Button – The #1 Click to Call Button for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the activate function in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to link the plugin to their nowbuttons.com account and add malicious buttons to the site. The vulnerability is only exploitable on fresh installs where the plugin has not been previously configured with an API key.

PLUGIN Call Now Button

CVE-2025-11587

MEDIUM CVSS 4.3 2025-10-29
Open Full Technical Breakdown
Threat Entry Updated 2025-10-30

CVE-2025-12450 - Litespeed Cache Plugin

The LiteSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URLs in all versions up to, and including, 7.5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Litespeed Cache

CVE-2025-12450

MEDIUM CVSS 6.1 2025-10-29
Open Full Technical Breakdown
Scroll to top