
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 15,024
Critical: 923
High: 3,044
Medium: 10,857
Threat Entry Updated 2026-01-20

CVE-2026-22820 - Outray Plugin

Outray is an open-source ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the number of active tunnels permitted by their subscription plan. This vulnerability is fixed in 0.1.5.

PLUGIN Outray

CVE-2026-22820

MEDIUM CVSS 6.3 2026-01-14
Threat Entry Updated 2026-02-02

CVE-2026-22237 - BLUVOYIX Plugin

The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality.

PLUGIN BLUVOYIX

CVE-2026-22237

CRITICAL CVSS 10.0 2026-01-14
Threat Entry Updated 2026-02-02

CVE-2026-22236 - BLUVOYIX Plugin

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform.

PLUGIN BLUVOYIX

CVE-2026-22236

CRITICAL CVSS 10.0 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2026-0532 - Kibana Plugin

External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitrary network requests and for arbitrary file reads.

PLUGIN Kibana

CVE-2026-0532

HIGH CVSS 8.6 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2026-0529 - Packetbeat Plugin

Improper Validation of Array Index (CWE-129) in Packetbeat’s MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This requires an attacker to send a malformed payload to a monitored network interface where MongoDB protocol parsing is enabled.

PLUGIN Packetbeat

CVE-2026-0529

MEDIUM CVSS 6.5 2026-01-14
Threat Entry Updated 2026-04-15

CVE-2026-0813 - Short Link Plugin

The Short Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'short_link_post_title' and 'short_link_page_title' parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.

PLUGIN Short Link

CVE-2026-0813

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-04-15

CVE-2026-0812 - Linkedin Sc Plugin

The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key' parameters in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.

PLUGIN Linkedin Sc

CVE-2026-0812

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-04-15

CVE-2026-0741 - Electric Studio Download Counter Plugin

The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Electric Studio Download Counter

CVE-2026-0741

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-04-15

CVE-2026-0739 - Wmf Mobile Redirector Plugin

The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wmf Mobile Redirector

CVE-2026-0739

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-04-15

CVE-2026-0734 - Wp Allow Hosts Plugin

The WP Allowed Hosts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allowed-hosts' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Wp Allow Hosts

CVE-2026-0734

MEDIUM CVSS 4.4 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-15513 - Float Gateway Plugin

The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed.

PLUGIN Float Gateway

CVE-2025-15513

MEDIUM CVSS 5.3 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-15512 - Aplazo Payment Gateway Plugin

The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status.

PLUGIN Aplazo Payment Gateway

CVE-2025-15512

MEDIUM CVSS 5.3 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-15475 - Payhere Payment Gateway Plugin

The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold.

PLUGIN Payhere Payment Gateway

CVE-2025-15475

MEDIUM CVSS 5.3 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14770 - Shipping Rate By Cities Plugin

The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.

PLUGIN Shipping Rate By Cities

CVE-2025-14770

HIGH CVSS 7.5 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-15376 - Stopwords For Comments Plugin

The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for_comments' and 'delete_stopwords_for_comments' functions. This makes it possible for unauthenticated attackers to add or delete stopwords via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Stopwords For Comments

CVE-2025-15376

MEDIUM CVSS 4.3 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14846 - Auto Post To Social Media Wp To Social Champ Plugin

The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_settings_tab_menu function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Auto Post To Social Media Wp To Social Champ

CVE-2025-14846

MEDIUM CVSS 4.3 2026-01-14
Threat Entry Updated 2026-01-14

CVE-2025-14173 - Perfit Woocommerce Plugin

The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function called via the `actions` function hooked to `admin_init`. This makes it possible for unauthenticated attackers to delete arbitrary plugin settings via the `action` parameter.

PLUGIN Perfit Woocommerce

CVE-2025-14173

MEDIUM CVSS 5.3 2026-01-14
Threat Entry Updated 2026-04-15

CVE-2026-0694 - Searchwiz Plugin

The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in post titles that will execute whenever a user performs a search and views the search results page.

PLUGIN Searchwiz

CVE-2026-0694

MEDIUM CVSS 6.4 2026-01-14
Threat Entry Updated 2026-04-15

CVE-2026-0717 - Lottie Block For Gutenberg Plugin

The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owner's LottieFiles.com account credentials including their API access token and email address when the 'Share LottieFiles account with other WordPress users' option is enabled.

PLUGIN Lottie Block For Gutenberg

CVE-2026-0717

MEDIUM CVSS 5.3 2026-01-14