"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 16,420 | Critical: 1,046 | High: 3,625 | Medium: 11,546

Showing 161-180 of 16,420 records

CVE-2026-6268 - Before 22 Theme
Theme: Before 22 | Severity: HIGH (CVSS 7.1) | 2026-05-27 | Threat entry updated 2026-05-27

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.

CVE-2026-9236 - Cm Ad Changer Plugin
Plugin: Cm Ad Changer | Severity: MEDIUM (CVSS 4.3) | 2026-05-27 | Threat entry updated 2026-05-27

The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmac_campaigns_action function. This makes it possible for unauthenticated attackers to permanently delete arbitrary advertising campaigns, including their associated banner records and uploaded files, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

CVE-2026-6287 - Gutenberg Plugin
Plugin: Gutenberg | Severity: MEDIUM (CVSS 5.4) | 2026-05-27 | Threat entry updated 2026-05-27

The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Gride blocks in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-9022 - Splide Carousel Plugin
Plugin: Splide Carousel | Severity: MEDIUM (CVSS 6.4) | 2026-05-27 | Threat entry updated 2026-05-27

The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' block attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload must be published before it executes for site visitors, which requires an editor or administrator to approve and publish the contributor's post.

CVE-2026-6565 - Elementor Patterns Plugin
Plugin: Elementor Patterns | Severity: MEDIUM (CVSS 6.4) | 2026-05-27 | Threat entry updated 2026-05-27

The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping in an admin attribute context. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-7493 - Simply Schedule Appointments Plugin
Plugin: Simply Schedule Appointments | Severity: MEDIUM (CVSS 5.3) | 2026-05-27 | Threat entry updated 2026-05-27

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users.

CVE-2026-27331 - WpTravelly Plugin
Plugin: WpTravelly | Severity: MEDIUM (CVSS 6.3) | 2026-05-26 | Threat entry updated 2026-05-26

Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpTravelly: from n/a through 2.1.5.

CVE-2026-25426 - Taxi Booking Manager for WooCommerce Plugin
Plugin: Taxi Booking Manager for WooCommerce | Severity: MEDIUM (CVSS 5.3) | 2026-05-26 | Threat entry updated 2026-05-26

Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1.

CVE-2026-25444 - WpBookingly Plugin
Plugin: WpBookingly | Severity: MEDIUM (CVSS 4.3) | 2026-05-26 | Threat entry updated 2026-05-26

Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9.

CVE-2026-24520 - Tiktok Feed Plugin
Plugin: Tiktok Feed | Severity: MEDIUM (CVSS 4.3) | 2026-05-26 | Threat entry updated 2026-05-26

Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24.

CVE-2026-8174 - Zoho Mail Plugin
Plugin: Zoho Mail | Severity: MEDIUM (CVSS 5.7) | 2026-05-26 | Threat entry updated 2026-05-26

The Zohocorp Zoho Mail WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF). This issue affects Zoho Mail WordPress plugin versions before 1.6.2.

CVE-2026-39661 - SW Core Plugin
Plugin: SW Core | Severity: HIGH (CVSS 7.5) | 2026-05-26 | Threat entry updated 2026-05-26

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion. This issue affects SW Core: from n/a through 1.7.18.

CVE-2026-39642 - Nyla Plugin
Plugin: Nyla | Severity: MEDIUM (CVSS 5.3) | 2026-05-26 | Threat entry updated 2026-05-26

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7.

CVE-2026-27427 - Geo Mashup Plugin
Plugin: Geo Mashup | Severity: MEDIUM (CVSS 6.5) | 2026-05-26 | Threat entry updated 2026-05-26

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup allows Stored XSS. This issue affects Geo Mashup: from n/a through 1.13.18.

CVE-2026-24590 - Paid Videochat Turnkey Site Plugin
Plugin: Paid Videochat Turnkey Site | Severity: MEDIUM (CVSS 5.3) | 2026-05-26 | Threat entry updated 2026-05-26

Missing Authorization vulnerability in VideoWhisper.Com Paid Videochat Turnkey Site allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Videochat Turnkey Site: from n/a through 7.3.23.

CVE-2026-24638 - RepairBuddy Plugin
Plugin: RepairBuddy | Severity: MEDIUM (CVSS 4.3) | 2026-05-26 | Threat entry updated 2026-05-26

Missing Authorization vulnerability in Webful Creations RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RepairBuddy: from n/a through 4.1121.

CVE-2026-39655 - Mayosis Core Plugin
Plugin: Mayosis Core | Severity: MEDIUM (CVSS 5.3) | 2026-05-26 | Threat entry updated 2026-05-26

Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mayosis Core: from n/a through 5.4.7.

CVE-2026-42774 - JetEngine Plugin
Plugin: JetEngine | Severity: CRITICAL (CVSS 9.3) | 2026-05-25 | Threat entry updated 2026-05-26

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection. This issue affects JetEngine: from n/a through 3.8.8.1.

CVE-2026-45216 - Smart Manager Plugin
Plugin: Smart Manager | Severity: HIGH (CVSS 8.8) | 2026-05-25 | Threat entry updated 2026-05-26

Incorrect Privilege Assignment vulnerability in StoreApps Smart Manager allows Privilege Escalation. This issue affects Smart Manager: from n/a through 8.85.0.

CVE-2026-48837 - Elementor Plugin
Plugin: Elementor | Severity: HIGH (CVSS 8.5) | 2026-05-25 | Threat entry updated 2026-05-26

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection. This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8.
