Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36189 (across tracked plugins)
Affected Plugins: 89 (with open vulnerabilities)
Critical / High: 0 (require immediate attention)
Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| Frontend File Manager Plugin | nmedia-user-file-uploader | 86 | Frontend File Manager Plugin <= 23.6 - Authenticated (Subscriber+) Arbitrary File Deletion | | LOW | *-23.6 | | June 28, 2026 |
| custom-registration-form-builder-with-submission-manager | custom-registration-form-builder-with-submission-manager | 93 | RegistrationMagic <= 6.0.8.6 - Authenticated (Subscriber+) Authentication Bypass via Forged PayPal IPN Request | | LOW | *-6.0.8.6 | 6.0.8.7 | June 28, 2026 |
| wp-full-stripe-free | wp-full-stripe-free | N/A | Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via 'paymentIntentId' Parameter | | LOW | *-8.4.3 | 8.5.0 | June 28, 2026 |
| quiz-master-next | quiz-master-next | N/A | Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via qsm_insert_quiz_template AJAX Action | | LOW | *-11.1.4 | 11.1.5 | June 28, 2026 |
| product-specifications | product-specifications | N/A | Product Specifications for Woocommerce <= 0.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attribute/Group Creation, Modification, and Deletion via 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX Actions | | LOW | *-0.8.9 | 0.8.10 | June 28, 2026 |
| learning-management-system | learning-management-system | 93 | Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification | | LOW | *-2.2.1 | 2.3.0 | June 28, 2026 |
| dokan-lite | dokan-lite | 93 | Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Information Disclosure via 'id' Parameter | | LOW | *-5.0.4 | 5.0.5 | June 28, 2026 |
| dokan-lite | dokan-lite | 93 | Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (Custom+) Stored Cross-Site Scripting via Product SKU | | LOW | *-5.0.4 | 5.0.5 | June 28, 2026 |
| gutenverse | gutenverse | 93 | Gutenverse <= 3.8.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'fonts[].font.font.value' Parameter | | LOW | *-3.8.0 | 3.8.1 | June 28, 2026 |
| surbma-infusionsoft-shortcode | surbma-infusionsoft-shortcode | N/A | Surbma \| Infusionsoft Shortcode <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-2.0.1 | 2.0.2 | June 28, 2026 |
| Page Builder by SiteOrigin | siteorigin-panels | 86 | Page Builder by SiteOrigin <= 2.34.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via panels_data Parameter | | LOW | *-2.34.3 | 2.34.4 | June 28, 2026 |
| nex-forms-express-wp-form-builder | nex-forms-express-wp-form-builder | N/A | NEX-Forms <= 9.2.2 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via CSVExport Class | | LOW | *-9.2.2 | 9.2.3 | June 28, 2026 |
| invoice-creator | invoice-creator | N/A | Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover via 'user_id' Parameter | | LOW | *-1.0.0 | | June 28, 2026 |
| groundhogg | groundhogg | 93 | Groundhogg <= 4.5.5 - Authenticated (Sales Rep+) SQL Injection via 'query[select]' Parameter | | LOW | *-4.5.5 | 4.5.6 | June 28, 2026 |
| codepeople-post-map | codepeople-post-map | 93 | CodePeople Post Map for Google Maps <= 1.2.6 - Authenticated (Contributor +) Stored Cross-Site Scripting via 'cpm_point' Post Meta | | LOW | *-1.2.6 | 1.2.7 | June 28, 2026 |
| add-search-to-menu | add-search-to-menu | 97 | Ivory Search <= 5.5.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings | | LOW | *-5.5.15 | 5.5.16 | June 28, 2026 |
| hd-quiz | hd-quiz | 93 | HD Quiz 2.2.0 - 2.2.1 - Cross-Site Request Forgery via Multiple AJAX Handlers | | LOW | 2.2.0-2.2.1 | 2.2.2 | June 28, 2026 |
| reepay-checkout-gateway | reepay-checkout-gateway | N/A | Frisbii Pay <= 1.8.9 - Missing Authorization to Authenticated (Subscriber+) Payment Token Modification | | LOW | *-1.8.9 | 1.8.10 | June 28, 2026 |
| maxbuttons | maxbuttons | N/A | MaxButtons <= 9.8.5 - Reflected Cross-Site Scripting via 'view' Parameter | | LOW | *-9.8.5 | 9.8.6 | June 28, 2026 |
| groundhogg | groundhogg | 93 | Groundhogg <= 4.5.5 - Authenticated (Marketer+) SQL Injection via 'search' Parameter | | LOW | *-4.5.5 | 4.5.6 | June 28, 2026 |
| User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | user-registration | N/A | User Registration & Membership <= 5.2.0 - Missing Authorization to Unauthenticated Payment Bypass | | LOW | *-5.2.0 | 5.2.1 | June 28, 2026 |
| groundhogg | groundhogg | 93 | Groundhogg <= 4.5.4 - Authenticated (Custom+) SQL Injection via 'after' Parameter | | LOW | *-4.5.4 | 4.5.5 | June 28, 2026 |
| tourfic | tourfic | N/A | Tourfic <= 2.22.7 - Unauthenticated SQL Injection via 'post_id' Parameter | | LOW | *-2.22.7 | 2.22.8 | June 28, 2026 |
| gf-bookings-premium | gf-bookings-premium | 93 | Gravity Forms Booking <= 2.7.1 - Authenticated (Subscriber+) Time-Based SQL Injection via 'staff_id' | | LOW | *-2.7.1 | 2.7.2 | June 28, 2026 |
| dokan-pro | dokan-pro | 91 | Dokan Pro <= 5.0.4 - Unauthenticated SQL Injection via 'latitude' and 'longitude' Parameters | | LOW | *-5.0.4 | 5.0.5 | June 28, 2026 |
| dokan-pro | dokan-pro | 91 | Dokan Pro <= 5.0.4 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter | | LOW | *-5.0.4 | 5.0.5 | June 28, 2026 |
| essential-blocks | essential-blocks | 93 | Gutenberg Essential Blocks - Page Builder for Gutenberg Blocks & Patterns <= 6.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'configurablePrefix' Block Attribute | | LOW | *-6.1.4 | 6.2.0 | June 28, 2026 |
| wp-meta-seo | wp-meta-seo | N/A | WP Meta SEO <= 4.5.18 - Authenticated (Contributor+) Server-Side Request Forgery via 'new_link' Parameter | | LOW | *-4.5.18 | | June 28, 2026 |
| wp-meta-seo | wp-meta-seo | N/A | WP Meta SEO <= 4.5.18 - Unauthenticated Stored Cross-Site Scripting via REQUEST_URI in 404 Logging | | LOW | *-4.5.18 | | June 28, 2026 |
| wp-latest-posts | wp-latest-posts | N/A | WP Latest Posts <= 5.0.11 - Authenticated (Author+) Stored Cross-Site Scripting via Post Content Image src Attribute | | LOW | *-5.0.11 | | June 28, 2026 |
| newscred-publishing | newscred-publishing | N/A | Welcome Software Publishing <= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Update to Privilege Escalation via 'nc.setOption' XML-RPC Method | | LOW | *-0.0.31 | | June 28, 2026 |
| mir-blocks-and-shortcodes | mir-blocks-and-shortcodes | N/A | MIR blocks and shortcodes <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.0.0 | | June 28, 2026 |
| link-preview | link-preview | N/A | URL Preview <= 1.0 - Unauthenticated Server-Side Request Forgery via 'url' Parameter | | LOW | *-1.0 | | June 28, 2026 |
| kargo-takip | kargo-takip | N/A | Kargo Takip <= 1.2 - Unauthenticated Server-Side Request Forgery via 'api_url' Parameter | | LOW | *-1.2 | | June 28, 2026 |
| advanced-contact-form-7-compact-db | advanced-contact-form-7-compact-db | N/A | Advanced Contact Form 7 <= 1.0.0 - Missing Authorization to Unauthenticated Arbitrary Contact Form Submission Deletion via 'form_id' Parameter | | LOW | *-1.0.0 | | June 28, 2026 |
| bulk-seo-image | bulk-seo-image | N/A | Bulk SEO Image <= 1.1 - Cross-Site Request Forgery to Settings Update | | LOW | *-1.1 | | June 28, 2026 |
| blue-captcha | blue-captcha | 93 | Blue Captcha <= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter | | LOW | *-2.0.1 | | June 28, 2026 |
| motordesk | motordesk | N/A | MotorDesk <= 1.1.2 - Cross-Site Request Forgery to Settings Update | | LOW | *-1.1.2 | | June 28, 2026 |
| book-a-room-event-calendar | book-a-room-event-calendar | N/A | Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update | | LOW | *-1.9 | | June 28, 2026 |
| avalon23-products-filter-for-woocommerce | avalon23-products-filter-for-woocommerce | N/A | Avalon23 Products Filter for WooCommerce <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.1.6 | | June 28, 2026 |
| generate-security-txt | generate-security-txt | N/A | Generate Security.txt <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Security.txt Deletion via delete_securitytxt AJAX Action | | LOW | *-1.0.12 | | June 28, 2026 |
| reviews-and-rating-docplanner | reviews-and-rating-docplanner | N/A | Reviews and Rating <= 1.1.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via sync_reviews AJAX Action | | LOW | *-1.1.4 | | June 28, 2026 |
| whatsorder-instant-checkout-for-woocommerce | whatsorder-instant-checkout-for-woocommerce | N/A | WhatsOrder <= 1.0.1 - Unauthenticated Sensitive Information Exposure via Predictable Invoice File URLs | | LOW | *-1.0.1 | | June 28, 2026 |
| entredropper | entredropper | N/A | EntreDroppers <= 1.1.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter | | LOW | *-1.1.2 | | June 28, 2026 |
| image-sizes-on-demand | image-sizes-on-demand | N/A | Image Sizes on Demand <= 1.3 - Reflected Cross-Site Scripting via PHP_SELF Server Variable | | LOW | *-1.3 | | June 28, 2026 |
| devs-accounting | devs-accounting | N/A | Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Account Deletion via /delete-account/ REST Endpoint | | LOW | *-1.2.0 | | June 28, 2026 |
| devs-accounting | devs-accounting | N/A | Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'id' Parameter | | LOW | *-1.2.0 | | June 28, 2026 |
| wp-forms-connector | wp-forms-connector | N/A | WP Forms Connector <= 1.8 - Missing Authorization to Unauthenticated Information Exposure via 'user/list' REST Endpoint | | LOW | *-1.8 | | June 28, 2026 |
| wp-forms-connector | wp-forms-connector | N/A | WP Forms Connector <= 1.8 - Unauthenticated SQL Injection via 'order' Parameter | | LOW | *-1.8 | | June 28, 2026 |
| 24liveblog | 24liveblog | N/A | 24liveblog <= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modification via update_lb24_token AJAX action | | LOW | *-2.2 | | June 28, 2026 |
| 24liveblog | 24liveblog | N/A | 24liveblog <= 2.2 - Authenticated (Contributor+) Exposure of Sensitive Information via Block Editor Script Localization | | LOW | *-2.2 | | June 28, 2026 |
| osiris-signature-banner | osiris-signature-banner | N/A | Osiris Signature Banner <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'prepend_text' Parameter | | LOW | *-0.5 | | June 28, 2026 |
| rentmy-online-rental-shop | rentmy-online-rental-shop | N/A | RentMy Real-Time Rental Management Plugin <= 4.0.4.1 - Missing Authorization to Unauthenticated Settings Update via rentmy_cdn_request AJAX Action | | LOW | *-4.0.4.1 | | June 28, 2026 |
| advance-nav-menu-manager | advance-nav-menu-manager | N/A | Advance Nav Menu Manager <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Nav Menu Item Modification via anmm_save_menu_data AJAX Action | | LOW | *-1.3 | | June 28, 2026 |
| searchplus | searchplus | N/A | SearchPlus <= 1.7.1 - Missing Authorization to Unauthenticated Settings Modification and Deletion via searchplus_save_token & searchplus_reset_token AJAX Actions | | LOW | *-1.7.1 | | June 28, 2026 |
| assistio | assistio | N/A | Assistio <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Deletion via assistio_plugin_delete_assistio_settings AJAX Action | | LOW | *-1.1.2 | | June 28, 2026 |
| wpoauth | wpoauth | N/A | Secufor_OAuth <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'secuforoauth_unregister_action' AJAX Action | | LOW | *-1.0.7 | | June 28, 2026 |
| mp-customize-login-page | mp-customize-login-page | N/A | MP Customize Login Page <= 1.0 - Cross-Site Request Forgery to Settings Update | | LOW | *-1.0 | | June 28, 2026 |
| invoice-creator | invoice-creator | N/A | Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Validation via 'reset_user_id' Parameter | | LOW | *-1.0.0 | | June 28, 2026 |
| signup-signin | signup-signin | N/A | SignUp & SignIn <= 1.0.0 - Unauthenticated Privilege Escalation via Weak Password Reset Validation via 'reset_activation_code' Leading to Account Takeover | | LOW | *-1.0.0 | | June 28, 2026 |
| clearsale-total | clearsale-total | N/A | ClearSale Total <= 3.4.2 - Unauthenticated SQL Injection | | LOW | *-3.4.2 | | June 28, 2026 |
| video-playlist-and-gallery-plugin | video-playlist-and-gallery-plugin | N/A | Cincopa video and media plug-in <= 1.163 - Unauthenticated Stored Cross-Site Scripting via cincopa Shortcode in Post Comments | | LOW | *-1.163 | | June 28, 2026 |
| email-javascript-cloaker | email-javascript-cloaker | N/A | Email JavaScript Cloak <= 1.03 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-1.03 | | June 28, 2026 |
| xpro-elementor-addons | xpro-elementor-addons | N/A | Xpro Addons <= 1.7.2 - Authenticated (Author+) Stored Cross-Site Scripting via 'custom_attributes' Parameter of Multiple Widgets | | LOW | *-1.7.2 | 1.7.3 | June 28, 2026 |
| arforms | arforms | 95 | ARForms <= 7.1.3 - Unauthenticated Stored Cross-Site Scripting via 'value' Parameter | | LOW | *-7.1.3 | | June 28, 2026 |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member | N/A | Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure | | LOW | *-2.11.4 | 2.12.0 | June 28, 2026 |
| AdRotate Banner Manager | adrotate | 74 | AdRotate Banner Manager <= 5.17.7 - Authenticated (Contributor+) PHP Code Injection via 'banner' Shortcode Attribute | | LOW | *-5.17.7 | 5.17.8 | June 28, 2026 |
| transbank-webpay-plus-rest | transbank-webpay-plus-rest | N/A | Transbank Webpay < 1.14.0 - Unauthenticated Stored Cross-Site Scripting | | LOW | [*, 1.14.0) | 1.14.0 | June 28, 2026 |
| profilegrid-user-profiles-groups-and-communities | profilegrid-user-profiles-groups-and-communities | N/A | ProfileGrid <= 5.9.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Message Content | | LOW | *-5.9.9.2 | 5.9.9.3 | June 28, 2026 |
| pie-register | pie-register | N/A | Pie Register – User Registration, Profiles & Content Restriction < 3.8.4.10 - Missing Authorization | | LOW | [*, 3.8.4.10) | 3.8.4.10 | June 28, 2026 |
| motors-car-dealership-classified-listings | motors-car-dealership-classified-listings | N/A | Motors – Car Dealership & Classified Listings Plugin < 1.4.110 - Cross-Site Request Forgery | | LOW | [*, 1.4.110) | 1.4.110 | June 28, 2026 |
| Simple File List | simple-file-list | 90 | Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute | | LOW | *-6.3.7 | 6.3.8 | June 28, 2026 |
| Simple File List | simple-file-list | 90 | Simple File List <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter | | LOW | *-6.3.7 | 6.3.8 | June 28, 2026 |
| Simple File List | simple-file-list | 90 | Simple File List <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action | | LOW | *-6.3.7 | 6.3.8 | June 28, 2026 |
| Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries | 84 | Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value | | LOW | *-1.5.1 | 1.5.2 | June 28, 2026 |
| branda-white-labeling | branda-white-labeling | 93 | Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover | | LOW | *-3.4.29 | 3.4.31 | June 28, 2026 |
| WP Go Maps (formerly WP Google Maps) | wp-google-maps | 66 | WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation | | LOW | *-10.1.01 | 10.1.02 | June 28, 2026 |
| WP Activity Log | wp-security-audit-log | N/A | WP Activity Log <= 5.6.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting | | LOW | *-5.6.3.1 | 5.6.4 | June 28, 2026 |
| WP Hotel Booking | wp-hotel-booking | N/A | WP Hotel Booking < 2.3.1 - Missing Authorization | | LOW | [*, 2.3.1) | 2.3.1 | June 28, 2026 |
| woocommerce-abandon-cart-pro | woocommerce-abandon-cart-pro | N/A | Abandoned Cart Pro for WooCommerce <= 10.4.0 - Authenticated (Subscriber+) Privilege Escalation | | LOW | *-10.4.0 | 10.4.1 | June 28, 2026 |
| upi-qr-code-payment-for-woocommerce | upi-qr-code-payment-for-woocommerce | N/A | UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 - Missing Authorization | | LOW | *-1.6.2 | 1.6.3 | June 28, 2026 |
| paymob-for-woocommerce | paymob-for-woocommerce | N/A | Paymob for WooCommerce <= 4.1.2 - Missing Authorization | | LOW | *-4.1.2 | | June 28, 2026 |
| Master Slider – Responsive Touch Slider | master-slider | N/A | Master Slider – Responsive Touch Slider <= 3.11.2 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-3.11.2 | | June 28, 2026 |
| mappress-google-maps-for-wordpress | mappress-google-maps-for-wordpress | N/A | MapPress Maps for WordPress <= 2.97.3 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-2.97.3 | 2.97.4 | June 28, 2026 |
| license-manager-for-woocommerce | license-manager-for-woocommerce | 93 | License Manager for WooCommerce <= 3.0.15 - Unauthenticated Insecure Direct Object Reference | | LOW | *-3.0.15 | 3.0.16 | June 28, 2026 |
| checkview | checkview | N/A | CheckView – Form & Checkout Testing <= 2.1.0 - Missing Authorization | | LOW | *-2.1.0 | 2.2.0 | June 28, 2026 |
| strabl-a-checkout-solution | strabl-a-checkout-solution | N/A | STRABL <= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint | | LOW | *-4.5 | 4.6 | June 28, 2026 |
| 2download-connector | 2download-connector | N/A | 2Download Connector for 2DL Hosted Checkout <= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure via 'ToDownload_email' Parameter | | LOW | *-0.1.5 | 0.1.6 | June 28, 2026 |
| betterdocs-pro | betterdocs-pro | 93 | BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style | | LOW | *-3.8.0 | 3.8.1 | June 28, 2026 |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1058 - 1.7.1059 - Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source | | LOW | 1.7.1058-1.7.1059 | 1.7.1060 | June 28, 2026 |
| fusion-builder | fusion-builder | 93 | Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value | | LOW | *-3.15.3 | 3.15.4 | June 28, 2026 |
| creavi-booking-service | creavi-booking-service | N/A | Appointment Booking Calendar <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label | | LOW | *-1.4.4 | 1.4.5 | June 28, 2026 |
| integration-marktplaats-for-woocommerce | integration-marktplaats-for-woocommerce | N/A | Woosa <= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read via 'log_file' Parameter | | LOW | *-2.0.5 | 2.0.6 | June 28, 2026 |
| shapepress-dsgvo | shapepress-dsgvo | N/A | WP DSGVO Tools (GDPR) <= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure via subject-access-request AJAX Endpoint (process_now/is_ajax Parameters) | | LOW | *-3.1.39 | 3.1.40 | June 28, 2026 |
| bogo | bogo | N/A | Bogo <= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via REST API | | LOW | *-3.9.1 | 3.9.2 | June 28, 2026 |
| bit-integrations | bit-integrations | 93 | Bit integrations <= 2.8.7 - Unauthenticated Server-Side Request Forgery via Form Field Upload Mapping | | LOW | *-2.8.7 | 2.8.8 | June 28, 2026 |
| advanced-import | advanced-import | 97 | Advanced Import: One-Click Demo Import for WordPress <= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter | | LOW | *-1.4.6 | 2.0.0 | June 28, 2026 |
| Blocksy Companion | blocksy-companion | N/A | Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter | | LOW | *-2.1.45 | 2.1.46 | June 28, 2026 |
| betterdocs | betterdocs | 93 | BetterDocs <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'blockId' Block Attribute | | LOW | *-4.5.3 | 4.5.4 | June 28, 2026 |
| classified-listing | classified-listing | 93 | Classified Listing <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers ('listingId'/'id' Parameters) | | LOW | *-5.4.2 | 5.4.3 | June 28, 2026 |
LOW

transbank-webpay-plus-rest

transbank-webpay-plus-rest

Score: N/A Transbank Webpay < 1.14.0 - Unauthenticated Stored Cross-Site Scripting Affected: [*, 1.14.0) Patched: 1.14.0 Updated: June 28, 2026
LOW

profilegrid-user-profiles-groups-and-communities

profilegrid-user-profiles-groups-and-communities

Score: N/A ProfileGrid <= 5.9.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Message Content Affected: *-5.9.9.2 Patched: 5.9.9.3 Updated: June 28, 2026
LOW

pie-register

pie-register

Score: N/A Pie Register – User Registration, Profiles & Content Restriction < 3.8.4.10 - Missing Authorization Affected: [*, 3.8.4.10) Patched: 3.8.4.10 Updated: June 28, 2026
LOW

motors-car-dealership-classified-listings

motors-car-dealership-classified-listings

Score: N/A Motors – Car Dealership & Classified Listings Plugin < 1.4.110 - Cross-Site Request Forgery Affected: [*, 1.4.110) Patched: 1.4.110 Updated: June 28, 2026
LOW

Simple File List

simple-file-list

Score: 90/100 Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute Affected: *-6.3.7 Patched: 6.3.8 Updated: June 28, 2026
LOW

Simple File List

simple-file-list

Score: 90/100 Simple File List <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter Affected: *-6.3.7 Patched: 6.3.8 Updated: June 28, 2026
LOW

Simple File List

simple-file-list

Score: 90/100 Simple File List <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action Affected: *-6.3.7 Patched: 6.3.8 Updated: June 28, 2026
LOW

Database for Contact Form 7, WPforms, Elementor forms

contact-form-entries

Score: 84/100 Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value Affected: *-1.5.1 Patched: 1.5.2 Updated: June 28, 2026
LOW

branda-white-labeling

branda-white-labeling

Score: 93/100 Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover Affected: *-3.4.29 Patched: 3.4.31 Updated: June 28, 2026
LOW

WP Go Maps (formerly WP Google Maps)

wp-google-maps

Score: 66/100 WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation Affected: *-10.1.01 Patched: 10.1.02 Updated: June 28, 2026
LOW

WP Activity Log

wp-security-audit-log

Score: N/A WP Activity Log <= 5.6.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-5.6.3.1 Patched: 5.6.4 Updated: June 28, 2026
LOW

WP Hotel Booking

wp-hotel-booking

Score: N/A WP Hotel Booking < 2.3.1 - Missing Authorization Affected: [*, 2.3.1) Patched: 2.3.1 Updated: June 28, 2026
LOW

woocommerce-abandon-cart-pro

woocommerce-abandon-cart-pro

Score: N/A Abandoned Cart Pro for WooCommerce <= 10.4.0 - Authenticated (Subscriber+) Privilege Escalation Affected: *-10.4.0 Patched: 10.4.1 Updated: June 28, 2026
LOW

upi-qr-code-payment-for-woocommerce

upi-qr-code-payment-for-woocommerce

Score: N/A UPI QR Code Payment Gateway for WooCommerce <= 1.6.2 - Missing Authorization Affected: *-1.6.2 Patched: 1.6.3 Updated: June 28, 2026
LOW

paymob-for-woocommerce

paymob-for-woocommerce

Score: N/A Paymob for WooCommerce <= 4.1.2 - Missing Authorization Affected: *-4.1.2 Patched: Updated: June 28, 2026
LOW

Master Slider – Responsive Touch Slider

master-slider

Score: N/A Master Slider – Responsive Touch Slider <= 3.11.2 - Unauthenticated Stored Cross-Site Scripting Affected: *-3.11.2 Patched: Updated: June 28, 2026
LOW

mappress-google-maps-for-wordpress

mappress-google-maps-for-wordpress

Score: N/A MapPress Maps for WordPress <= 2.97.3 - Unauthenticated Stored Cross-Site Scripting Affected: *-2.97.3 Patched: 2.97.4 Updated: June 28, 2026
LOW

license-manager-for-woocommerce

license-manager-for-woocommerce

Score: 93/100 License Manager for WooCommerce <= 3.0.15 - Unauthenticated Insecure Direct Object Reference Affected: *-3.0.15 Patched: 3.0.16 Updated: June 28, 2026
LOW

checkview

checkview

Score: N/A CheckView – Form & Checkout Testing <= 2.1.0 - Missing Authorization Affected: *-2.1.0 Patched: 2.2.0 Updated: June 28, 2026
LOW

strabl-a-checkout-solution

strabl-a-checkout-solution

Score: N/A STRABL <= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint Affected: *-4.5 Patched: 4.6 Updated: June 28, 2026
LOW

2download-connector

2download-connector

Score: N/A 2Download Connector for 2DL Hosted Checkout <= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure via 'ToDownload_email' Parameter Affected: *-0.1.5 Patched: 0.1.6 Updated: June 28, 2026
LOW

betterdocs-pro

betterdocs-pro

Score: 93/100 BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style Affected: *-3.8.0 Patched: 3.8.1 Updated: June 28, 2026
LOW

Royal Addons for Elementor – Addons and Templates Kit for Elementor

royal-elementor-addons

Score: N/A Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1058 - 1.7.1059 - Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source Affected: 1.7.1058-1.7.1059 Patched: 1.7.1060 Updated: June 28, 2026
LOW

fusion-builder

fusion-builder

Score: 93/100 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value Affected: *-3.15.3 Patched: 3.15.4 Updated: June 28, 2026
LOW

creavi-booking-service

creavi-booking-service

Score: N/A Appointment Booking Calendar <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label Affected: *-1.4.4 Patched: 1.4.5 Updated: June 28, 2026
LOW

integration-marktplaats-for-woocommerce

integration-marktplaats-for-woocommerce

Score: N/A Woosa <= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read via 'log_file' Parameter Affected: *-2.0.5 Patched: 2.0.6 Updated: June 28, 2026
LOW

shapepress-dsgvo

shapepress-dsgvo

Score: N/A WP DSGVO Tools (GDPR) <= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure via subject-access-request AJAX Endpoint (process_now/is_ajax Parameters) Affected: *-3.1.39 Patched: 3.1.40 Updated: June 28, 2026
LOW

bogo

bogo

Score: N/A Bogo <= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via REST API Affected: *-3.9.1 Patched: 3.9.2 Updated: June 28, 2026
LOW

bit-integrations

bit-integrations

Score: 93/100 Bit integrations <= 2.8.7 - Unauthenticated Server-Side Request Forgery via Form Field Upload Mapping Affected: *-2.8.7 Patched: 2.8.8 Updated: June 28, 2026
LOW

advanced-import

advanced-import

Score: 97/100 Advanced Import: One-Click Demo Import for WordPress <= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter Affected: *-1.4.6 Patched: 2.0.0 Updated: June 28, 2026
LOW

Blocksy Companion

blocksy-companion

Score: N/A Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter Affected: *-2.1.45 Patched: 2.1.46 Updated: June 28, 2026
LOW

betterdocs

betterdocs

Score: 93/100 BetterDocs <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'blockId' Block Attribute Affected: *-4.5.3 Patched: 4.5.4 Updated: June 28, 2026
LOW

classified-listing

classified-listing

Score: 93/100 Classified Listing <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers ('listingId'/'id' Parameters) Affected: *-5.4.2 Patched: 5.4.3 Updated: June 28, 2026

Showing 1 to 100 of 36189 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 28, 2026 at 16:40 UTC.