
"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,956
Critical: 920
High: 3,037
Medium: 10,800
Showing 661-680 of 14956 records
Threat Entry Updated 2026-02-20

CVE-2026-27360 - Photo Gallery by 10Web Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS. This issue affects Photo Gallery by 10Web: from n/a through

PLUGIN Photo Gallery by 10Web

CVE-2026-27360

MEDIUM CVSS 5.9 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27328 - EduBlink Plugin

Missing Authorization vulnerability in DevsBlink EduBlink edublink allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EduBlink: from n/a through

PLUGIN EduBlink

CVE-2026-27328

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-27

CVE-2026-27327 - YayMail – WooCommerce Email Customizer Plugin

Missing Authorization vulnerability in YayCommerce YayMail – WooCommerce Email Customizer yaymail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YayMail – WooCommerce Email Customizer: from n/a through

PLUGIN YayMail – WooCommerce Email Customizer

CVE-2026-27327

MEDIUM CVSS 4.3 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-2232 - Product Table And List Builder For Woocommerce Lite Plugin

The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Product Table And List Builder For Woocommerce Lite

CVE-2026-2232

HIGH CVSS 7.5 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-1581 - Wpforo Forum Plugin

The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Wpforo Forum

CVE-2026-1581

HIGH CVSS 7.5 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-2718 - Dealia – Request a quote Plugin

The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.8. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dealia – Request a quote

CVE-2026-2718

MEDIUM CVSS 6.4 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-2716 - Client Testimonial Slider Plugin

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Client Testimonial Slider

CVE-2026-2716

MEDIUM CVSS 4.4 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-1461 - Simple Membership Plugin

The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.

PLUGIN Simple Membership

CVE-2026-1461

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-1219 - MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar Plugin

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.

PLUGIN MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar

CVE-2026-1219

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27094 - CoBlocks Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoDaddy CoBlocks coblocks allows Stored XSS. This issue affects CoBlocks: from n/a through

PLUGIN CoBlocks

CVE-2026-27094

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2026-27092 - WPAdverts Plugin

Missing Authorization vulnerability in Greg Winiarski WPAdverts wpadverts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPAdverts: from n/a through

PLUGIN WPAdverts

CVE-2026-27092

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-27

CVE-2026-27074 - Shortcoder Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS. This issue affects Shortcoder: from n/a through

PLUGIN Shortcoder

CVE-2026-27074

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27069 - Soledad Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through

PLUGIN Soledad

CVE-2026-27069

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27059 - Penci Recipe Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe penci-recipe allows DOM-Based XSS. This issue affects Penci Recipe: from n/a through

PLUGIN Penci Recipe

CVE-2026-27059

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27058 - Penci Podcast Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS. This issue affects Penci Podcast: from n/a through

PLUGIN Penci Podcast

CVE-2026-27058

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2026-27066 - Live sales notification for WooCommerce Plugin

Missing Authorization vulnerability in PI Web Solution Live sales notification for WooCommerce live-sales-notifications-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live sales notification for WooCommerce: from n/a through

PLUGIN Live sales notification for WooCommerce

CVE-2026-27066

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2026-27090 - Kenta Companion Plugin

Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery. This issue affects Kenta Companion: from n/a through

PLUGIN Kenta Companion

CVE-2026-27090

MEDIUM CVSS 4.3 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-27052 - WordPress Core

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer allows PHP Local File Inclusion. This issue affects Sales Countdown Timer for WooCommerce and WordPress: from n/a through < 1.1.9.

CORE WordPress Core

CVE-2026-27052

HIGH CVSS 7.5 2026-02-19
Threat Entry Updated 2026-02-20

CVE-2026-27057 - Penci Filter Everything Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Filter Everything penci-filter-everything allows Stored XSS. This issue affects Penci Filter Everything: from n/a through

PLUGIN Penci Filter Everything

CVE-2026-27057

MEDIUM CVSS 6.5 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2026-27050 - RealPress Plugin

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress RealPress realpress allows Cross Site Request Forgery. This issue affects RealPress: from n/a through

PLUGIN RealPress

CVE-2026-27050

MEDIUM CVSS 5.4 2026-02-19