Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,024
Critical: 923
High: 3,044
Medium: 10,857
Showing 1181-1200 of 15024 records
Threat Entry Updated 2026-02-03

CVE-2026-24961 - Grand Blog Plugin

Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery. This issue affects Grand Blog: from n/a through < 3.1.5.

PLUGIN Grand Blog

CVE-2026-24961

MEDIUM CVSS 5.4 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24965 - Contest Gallery Plugin

Missing Authorization vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contest Gallery: from n/a through

PLUGIN Contest Gallery

CVE-2026-24965

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-09

CVE-2026-24962 - Sigmize Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery. This issue affects Sigmize: from n/a through

PLUGIN Sigmize

CVE-2026-24962

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24951 - myCred Plugin

Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects myCred: from n/a through

PLUGIN myCred

CVE-2026-24951

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24938 - Better Search Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS. This issue affects Better Search: from n/a through

PLUGIN Better Search

CVE-2026-24938

MEDIUM CVSS 5.9 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24945 - Contact Form 7 Plugin

Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through

PLUGIN Contact Form 7

CVE-2026-24945

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24947 - Elementor Plugin

Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3.

PLUGIN Elementor

CVE-2026-24947

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24942 - WpEvently Plugin

Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through

PLUGIN WpEvently

CVE-2026-24942

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24940 - Travelfic Toolkit Plugin

Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travelfic Toolkit: from n/a through

PLUGIN Travelfic Toolkit

CVE-2026-24940

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2026-24939 - Modula Image Gallery Plugin

Missing Authorization vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modula Image Gallery: from n/a through

PLUGIN Modula Image Gallery

CVE-2026-24939

MEDIUM CVSS 4.3 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1730 - Os Datahub Maps Plugin

The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Os Datahub Maps

CVE-2026-1730

HIGH CVSS 8.8 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1375 - Elearning And Online Course Solution Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.

PLUGIN Elearning And Online Course Solution

CVE-2026-1375

HIGH CVSS 8.1 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1371 - Elearning And Online Course Solution Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.

PLUGIN Elearning And Online Course Solution

CVE-2026-1371

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1210 - Happy Addons For Elementor Plugin

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Happy Addons For Elementor

CVE-2026-1210

MEDIUM CVSS 6.4 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1447 - Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more Plugin

The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.

PLUGIN Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more

CVE-2026-1447

MEDIUM CVSS 5.4 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1065 - Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Plugin

The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.

PLUGIN Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

CVE-2026-1065

HIGH CVSS 7.2 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-0617 - Calendar Booking Plugin For Appointments And Events

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history.

PLUGIN Calendar Booking Plugin For Appointments And Events

CVE-2026-0617

HIGH CVSS 7.2 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-1058 - Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Plugin

The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions…

PLUGIN Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder

CVE-2026-1058

HIGH CVSS 7.1 2026-02-03
Threat Entry Updated 2026-04-15

CVE-2026-0950 - Spectra Gutenberg Blocks – Website Builder for the Block Editor Plugin

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block.

PLUGIN Spectra Gutenberg Blocks – Website Builder for the Block Editor

CVE-2026-0950

MEDIUM CVSS 5.3 2026-02-03
Threat Entry Updated 2026-02-03

CVE-2025-14274 - Unlimited Elements For Elementor Plugin

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget's Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Unlimited Elements For Elementor

CVE-2025-14274

MEDIUM CVSS 5.4 2026-02-03