Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total15,036
Critical923
High3,047
Medium10,866
Reset
Showing 4021-4040 of 15036 records
Threat Entry Updated 2025-08-25

CVE-2025-9048 - Wptobe Memberships Plugin

The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Wptobe Memberships

CVE-2025-9048

HIGH CVSS 8.1 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-8062 - Ws Theme Addons Plugin

The WS Theme Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ws_weather shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ws Theme Addons

CVE-2025-8062

MEDIUM CVSS 6.4 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-7957 - Shortcodehub Plugin

The ShortcodeHub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author_link_target’ parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shortcodehub

CVE-2025-7957

MEDIUM CVSS 6.4 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-7842 - External Rss Reader Plugin

The Silencesoft RSS Reader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.6. This is due to missing or incorrect nonce validation on the 'sil_rss_edit_page' page. This makes it possible for unauthenticated attackers to delete RSS feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN External Rss Reader

CVE-2025-7842

MEDIUM CVSS 4.3 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-7841 - Sertifier Certificates Open Badges Plugin

The Sertifier Certificate & Badge Maker for WordPress – Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19. This is due to missing or incorrect nonce validation on the 'sertifier_settings' page. This makes it possible for unauthenticated attackers to update the plugin's api key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Sertifier Certificates Open Badges

CVE-2025-7841

MEDIUM CVSS 4.3 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-7642 - Simpler Checkout Plugin

The Simpler Checkout plugin for WordPress is vulnerable to Authentication Bypass in versions 0.7.0 to 1.1.9. This is due to the plugin not properly verifying a user's identity prior to logging them in as an admin through the simplerwc_woocommerce_order_created() function. This makes it possible for unauthenticated attackers to log in as other users based on their order ID, which can be an administrator if a site admin has placed a test order.

PLUGIN Simpler Checkout

CVE-2025-7642

CRITICAL CVSS 9.8 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-7821 - Wc Plus Plugin

The WC Plus plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pluswc_logo_favicon_logo_base' AJAX action in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update the site's favicon logo base.

PLUGIN Wc Plus

CVE-2025-7821

MEDIUM CVSS 5.3 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-7839 - Restore Permanently Delete Post Or Page Data Plugin

The Restore Permanently delete Post or Page Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the rp_dpo_dpa_ajax_dp_delete_data() function. This makes it possible for unauthenticated attackers to delete data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Restore Permanently Delete Post Or Page Data

CVE-2025-7839

MEDIUM CVSS 4.3 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-7828 - Wp Filter Combine Rss Feeds Plugin

The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds.

PLUGIN Wp Filter Combine Rss Feeds

CVE-2025-7828

MEDIUM CVSS 4.3 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-7827 - Ni Woocommerce Customer Product Report Plugin

The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings.

PLUGIN Ni Woocommerce Customer Product Report

CVE-2025-7827

MEDIUM CVSS 4.3 2025-08-23
Open Full Technical Breakdown
Threat Entry Updated 2025-08-22

CVE-2025-9331 - Spacious Theme

The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site.

THEME Spacious

CVE-2025-9331

MEDIUM CVSS 4.3 2025-08-22
Open Full Technical Breakdown
Threat Entry Updated 2025-08-25

CVE-2025-8678 - Wp Crontrol Plugin

The WP Crontrol plugin for WordPress is vulnerable to blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the 'wp_remote_request' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Wp Crontrol

CVE-2025-8678

MEDIUM CVSS 5.9 2025-08-22
Open Full Technical Breakdown
Threat Entry Updated 2026-01-16

CVE-2025-8281 - Wp Talroo Plugin

The WP Talroo WordPress plugin through 2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin and unauthenticated users.

PLUGIN Wp Talroo

CVE-2025-8281

HIGH CVSS 7.1 2025-08-22
Open Full Technical Breakdown
Threat Entry Updated 2025-08-22

CVE-2025-8064 - Bible Supersearch Plugin

The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘selector_height’ parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bible Supersearch

CVE-2025-8064

MEDIUM CVSS 6.4 2025-08-21
Open Full Technical Breakdown
Threat Entry Updated 2025-08-22

CVE-2025-8895 - Wp Webhooks Plugin

The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials.

PLUGIN Wp Webhooks

CVE-2025-8895

CRITICAL CVSS 9.8 2025-08-21
Open Full Technical Breakdown
Threat Entry Updated 2025-08-22

CVE-2025-8592 - Inspiro Theme

The Inspiro theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing or incorrect nonce validation on the inspiro_install_plugin() function. This makes it possible for unauthenticated attackers to install plugins from the repository via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

THEME Inspiro

CVE-2025-8592

HIGH CVSS 8.1 2025-08-21
Open Full Technical Breakdown
Threat Entry Updated 2025-08-22

CVE-2025-8607 - WordPress Core

The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CORE WordPress Core

CVE-2025-8607

MEDIUM CVSS 6.4 2025-08-21
Open Full Technical Breakdown
Threat Entry Updated 2025-12-03

CVE-2025-7221 - Givewp Plugin

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface.

PLUGIN Givewp

CVE-2025-7221

MEDIUM CVSS 4.3 2025-08-21
Open Full Technical Breakdown
Threat Entry Updated 2025-08-20

CVE-2025-8102 - Easy Digital Downloads Plugin

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Easy Digital Downloads

CVE-2025-8102

MEDIUM CVSS 5.4 2025-08-20
Open Full Technical Breakdown
Threat Entry Updated 2025-12-12

CVE-2025-54677 - Online Booking Scheduling Calendar Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3.

PLUGIN Online Booking Scheduling Calendar

CVE-2025-54677

CRITICAL CVSS 9.1 2025-08-20
Open Full Technical Breakdown
Scroll to top