Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,036 | Critical: 923 | High: 3,047 | Medium: 10,866
Showing 3821-3840 of 15036 records
Threat Entry Updated 2025-09-19

CVE-2025-10690 - Goza Nonprofit Charity WordPress Theme

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

THEME Goza Nonprofit Charity WordPress Theme

CVE-2025-10690

CRITICAL CVSS 9.8 2025-09-19
Threat Entry Updated 2025-09-18

CVE-2025-8565 - WP Legal Pages Plugin

The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on the wplp_gdpr_install_plugin_ajax_handler() function in all versions up to, and including, 3.4.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to install arbitrary repository plugins.

PLUGIN WP Legal Pages

CVE-2025-8565

HIGH CVSS 8.1 2025-09-18
Threat Entry Updated 2025-09-18

CVE-2025-9992 - Ghost Kit Plugin

The Ghost Kit – Page Builder Blocks, Motion Effects & Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS field in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ghost Kit

CVE-2025-9992

MEDIUM CVSS 6.4 2025-09-18
Threat Entry Updated 2025-09-18

CVE-2025-10493 - Chained Quiz Plugin

The Chained Quiz plugin for WordPress is vulnerable to Insecure Direct Object Reference in version 1.3.4 and below via the quiz submission and completion mechanisms due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to hijack and modify other users' quiz attempts by manipulating the chained_completion_id cookie value, allowing them to alter quiz answers, scores, and results of any user. The vulnerability was partially patched in versions 1.3.4 and 1.3.5.

PLUGIN Chained Quiz

CVE-2025-10493

MEDIUM CVSS 5.3 2025-09-18
Threat Entry Updated 2025-12-23

CVE-2025-9083 - Ninja Forms Plugin

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input supplied via a form field, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog.

PLUGIN Ninja Forms

CVE-2025-9083

CRITICAL CVSS 9.8 2025-09-18
Threat Entry Updated 2025-09-22

CVE-2025-8942 - WP Hotel Booking Plugin

The WP Hotel Booking WordPress plugin before 2.2.3 lacks proper server-side validation for review ratings, allowing an attacker to manipulate the rating value (e.g., sending negative or out-of-range values) by intercepting and modifying requests.

PLUGIN WP Hotel Booking

CVE-2025-8942

CRITICAL CVSS 9.1 2025-09-18
Threat Entry Updated 2025-09-17

CVE-2025-8999 - Sydney Theme

The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules.

THEME Sydney

CVE-2025-8999

MEDIUM CVSS 5.3 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-9565 - Blocksy Companion Plugin

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocksy_newsletter_subscribe shortcode in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Blocksy Companion

CVE-2025-9565

MEDIUM CVSS 6.4 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-9216 - StoreEngine Plugin

The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import() function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN StoreEngine

CVE-2025-9216

HIGH CVSS 8.8 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-9215 - StoreEngine Plugin

The StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the file_download() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN StoreEngine

CVE-2025-9215

MEDIUM CVSS 6.5 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-9203 - Media Player Addons For Elementor Plugin

The Media Player Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtitle_ssize', 'track_title', and 'track_artist_name' parameters in version 1.0.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Media Player Addons For Elementor

CVE-2025-9203

MEDIUM CVSS 6.4 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10058 - Ultimate CSV XML Importer for WordPress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the upload_function() function in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Ultimate CSV XML Importer for WordPress

CVE-2025-10058

HIGH CVSS 8.1 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10057 - Ultimate CSV XML Importer for WordPress Plugin

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.28. This is due to the write_to_customfile() function writing unfiltered PHP code to a file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject the customFunction.php file with PHP code that can be accessed to trigger remote code execution.

PLUGIN Ultimate CSV XML Importer for WordPress

CVE-2025-10057

HIGH CVSS 8.8 2025-09-17
Threat Entry Updated 2025-12-19

CVE-2025-10042 - Quiz Maker Plugin

The Quiz Maker plugin for WordPress is vulnerable to SQL Injection via spoofed IP headers in all versions up to, and including, 6.7.0.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable in configurations where the server is set up to retrieve the IP from a user-supplied field like…

PLUGIN Quiz Maker

CVE-2025-10042

MEDIUM CVSS 5.9 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10188 - Hack Repair Guy's Plugin Archiver Plugin

The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the bulk_remove() function. This makes it possible for unauthenticated attackers to perform arbitrary directory deletion in /wp-content via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Hack Repair Guy's Plugin Archiver

CVE-2025-10188

MEDIUM CVSS 5.4 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10125 - Memberlite Shortcodes Plugin

The Memberlite Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'row' shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Memberlite Shortcodes

CVE-2025-10125

MEDIUM CVSS 6.4 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-9891 - User Sync Plugin

The User Sync – Remote User Sync plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the mo_user_sync_form_handler() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN User Sync

CVE-2025-9891

MEDIUM CVSS 4.3 2025-09-17
Threat Entry Updated 2025-09-17

CVE-2025-10166 - Social Media Shortcodes Plugin

The Social Media Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'twitter' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Media Shortcodes

CVE-2025-10166

MEDIUM CVSS 6.4 2025-09-17
Threat Entry Updated 2025-09-19

CVE-2025-9851 - Appointmind Plugin

The Appointmind plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'appointmind_calendar' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Appointmind

CVE-2025-9851

MEDIUM CVSS 6.4 2025-09-17