Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 3781-3800 of 15036 records
Threat Entry Updated 2025-09-26

CVE-2025-8200 - Mega Elements Addons For Elementor Plugin

The Mega Elements – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown Timer widget in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Mega Elements Addons For Elementor

CVE-2025-8200

MEDIUM CVSS 6.4 2025-09-26
Open Full Technical Breakdown
Threat Entry Updated 2025-09-26

CVE-2025-10752 - Miniorange Login With Eve Online Google Facebook Plugin

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (base64 encoded app name) without any randomness in the OAuth flow. This makes it possible for unauthenticated attackers to forge OAuth authorization requests and potentially hijack the OAuth flow via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Miniorange Login With Eve Online Google Facebook

CVE-2025-10752

MEDIUM CVSS 4.3 2025-09-26
Open Full Technical Breakdown
Threat Entry Updated 2025-09-26

CVE-2025-10178 - Cm Business Directory Plugin

The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cm Business Directory

CVE-2025-10178

MEDIUM CVSS 6.4 2025-09-26
Open Full Technical Breakdown
Threat Entry Updated 2025-09-24

CVE-2025-9353 - Themify Builder Plugin

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9.

PLUGIN Themify Builder

CVE-2025-9353

MEDIUM CVSS 6.4 2025-09-24
Open Full Technical Breakdown
Threat Entry Updated 2025-09-24

CVE-2025-9054 - Multiloca Woocommerce Multi Locations Inventory Management Plugin

The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Multiloca Woocommerce Multi Locations Inventory Management

CVE-2025-9054

CRITICAL CVSS 9.8 2025-09-24
Open Full Technical Breakdown
Threat Entry Updated 2025-10-01

CVE-2025-58674 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. WordPress core security team is aware of the issue and working on a fix. This is low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector.This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10,…

CORE WordPress Core

CVE-2025-58674

MEDIUM CVSS 5.9 2025-09-23
Open Full Technical Breakdown
Threat Entry Updated 2025-10-01

CVE-2025-58246 - WordPress Core

Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from…

CORE WordPress Core

CVE-2025-58246

MEDIUM CVSS 4.3 2025-09-23
Open Full Technical Breakdown
Threat Entry Updated 2025-09-24

CVE-2025-10412 - WooCommerce Plugin

The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN WooCommerce

CVE-2025-10412

CRITICAL CVSS 9.8 2025-09-23
Open Full Technical Breakdown
Threat Entry Updated 2025-09-24

CVE-2025-10147 - Podlove Podcast Publisher Plugin

The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Podlove Podcast Publisher

CVE-2025-10147

CRITICAL CVSS 9.8 2025-09-23
Open Full Technical Breakdown
Threat Entry Updated 2025-11-13

CVE-2025-8282 - Before 1 Plugin

The SureForms WordPress plugin before 1.9.1 does not sanitise and escape some parameters when outputing them in the page, which could allow admin and above users to perform Cross-Site Scripting attacks.

PLUGIN Before 1

CVE-2025-8282

LOW CVSS 3.5 2025-09-23
Open Full Technical Breakdown
Threat Entry Updated 2025-09-24

CVE-2025-9321 - Wpcasa Plugin

The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. This is due to insufficient input validation and restriction on the 'api_requests' function. This makes it possible for unauthenticated attackers to call arbitrary functions and execute code.

PLUGIN Wpcasa

CVE-2025-9321

CRITICAL CVSS 9.8 2025-09-23
Open Full Technical Breakdown
Threat Entry Updated 2025-09-24

CVE-2025-8902 - Widget Options Extended Plugin

The Widget Options - Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'do_sidebar' shortcode in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Widget Options Extended

CVE-2025-8902

MEDIUM CVSS 6.4 2025-09-23
Open Full Technical Breakdown
Threat Entry Updated 2025-09-24

CVE-2025-10380 - Acf Views Plugin

The Advanced Views – Display Posts, Custom Fields, and More plugin for WordPress is vulnerable to Server-Side Template Injection in all versions up to, and including, 3.7.19. This is due to insufficient input sanitization and lack of access control when processing custom Twig templates in the Model panel. This makes it possible for authenticated attackers, with author-level access or higher, to execute arbitrary PHP code and commands on the server.

PLUGIN Acf Views

CVE-2025-10380

HIGH CVSS 8.8 2025-09-23
Open Full Technical Breakdown
Threat Entry Updated 2025-09-22

CVE-2025-58669 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Modern Minds Magento 2 WordPress Integration allows Stored XSS. This issue affects Magento 2 WordPress Integration: from n/a through 1.4.1.

CORE WordPress Core

CVE-2025-58669

MEDIUM CVSS 5.9 2025-09-22
Open Full Technical Breakdown
Threat Entry Updated 2025-09-22

CVE-2025-58665 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tmontg1 Form Generator for WordPress allows Stored XSS. This issue affects Form Generator for WordPress: from n/a through 1.5.2.

CORE WordPress Core

CVE-2025-58665

MEDIUM CVSS 5.9 2025-09-22
Open Full Technical Breakdown
Threat Entry Updated 2025-09-22

CVE-2025-58020 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeroen Schmit Theater for WordPress allows Stored XSS. This issue affects Theater for WordPress: from n/a through 0.18.8.

CORE WordPress Core

CVE-2025-58020

MEDIUM CVSS 6.5 2025-09-22
Open Full Technical Breakdown
Threat Entry Updated 2025-09-22

CVE-2025-57989 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brajesh Singh WordPress Widgets Shortcode allows Stored XSS. This issue affects WordPress Widgets Shortcode: from n/a through 1.0.3.

CORE WordPress Core

CVE-2025-57989

MEDIUM CVSS 6.5 2025-09-22
Open Full Technical Breakdown
Threat Entry Updated 2025-09-22

CVE-2025-57977 - WooCommerce Plugin

Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress allows Cross Site Request Forgery. This issue affects Flexible PDF Invoices for WooCommerce & WordPress: from n/a through 6.0.13.

PLUGIN WooCommerce

CVE-2025-57977

HIGH CVSS 7.1 2025-09-22
Open Full Technical Breakdown
Threat Entry Updated 2025-10-24

CVE-2025-57923 - Exposes The Api Key Plugin

An Insertion of Sensitive Information into Sent Data vulnerability in the Ideal Postcodes UK Address Postcode Validation WordPress plugin exposes the API key, allowing unauthorized third parties to retrieve and reuse the key across any domain. Since API keys are unrestricted by default, with the “Allowed URLs” field left empty upon creation of API key this can lead to unauthorized use and depletion of API credits.Note: the vulnerability is assessed based on the default configuration.This issue affects UK Address Postcode Validation: from n/a through 3.9.2.

PLUGIN Exposes The Api Key

CVE-2025-57923

MEDIUM CVSS 5.3 2025-09-22
Open Full Technical Breakdown
Threat Entry Updated 2025-09-22

CVE-2025-57919 - WordPress Core

Deserialization of Untrusted Data vulnerability in ConveyThis Language Translate Widget for WordPress – ConveyThis allows Object Injection. This issue affects Language Translate Widget for WordPress – ConveyThis: from n/a through 264.

CORE WordPress Core

CVE-2025-57919

HIGH CVSS 7.2 2025-09-22
Open Full Technical Breakdown
Scroll to top