Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36189 (across tracked plugins)
Affected Plugins: 85 (with open vulnerabilities)
Critical / High: 0 (require immediate attention)
Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated
source-shortcode | source-shortcode | N/A | Credits Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Shortcode Attribute | | LOW | *-1.2 | | June 29, 2026
scratchblocks-for-wp | scratchblocks-for-wp | N/A | scratchblocks for WP <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'element' Shortcode Attribute | | LOW | *-1.0.1 | | June 29, 2026
quick-table | quick-table | N/A | Quick Table <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'style' Shortcode Attribute | | LOW | *-1.0.0 | | June 29, 2026
suretriggers | suretriggers | N/A | OttoKit: All-in-One Automation Platform < 1.1.23 - Unauthenticated SQL Injection | | LOW | [*, 1.1.23) | 1.1.23 | June 29, 2026
salon-booking-system | salon-booking-system | N/A | Salon Booking System – Free Version <= 10.30.25 - Missing Authorization | | LOW | *-10.30.25 | 10.30.26 | June 29, 2026
bookly-responsive-appointment-booking-tool | bookly-responsive-appointment-booking-tool | 93 | Online Scheduling and Appointment Booking System – Bookly <= 27.4 - Unauthenticated Information Exposure | | LOW | *-27.4 | 27.5 | June 29, 2026
wp-travel | wp-travel | N/A | WP Travel – Ultimate Travel Booking System, Tour Management Engine <= 11.4.0 - Authenticated (Contributor+) SQL Injection | | LOW | *-11.4.0 | 11.5.0 | June 29, 2026
WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards | wp-data-access | N/A | WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards <= 5.5.70 - Unauthenticated SQL Injection | | LOW | *-5.5.70 | 5.5.71 | June 29, 2026
motive-commerce-search | motive-commerce-search | N/A | AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 - Missing Authorization | | LOW | *-1.38.2 | 1.38.3 | June 29, 2026
logtivity | logtivity | 93 | Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity <= 3.3.6 - Unauthenticated Information Disclosure via REST API | | LOW | *-3.3.6 | 3.3.7 | June 29, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint | 83 | LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism | | LOW | *-5.5.0 | 5.5.1 | June 29, 2026
Simple CAPTCHA Alternative with Cloudflare Turnstile | simple-cloudflare-turnstile | 88 | Simple CAPTCHA Alternative with Cloudflare Turnstile <= 1.38.0 - Broken Authorization | | LOW | *-1.38.0 | 1.38.1 | June 29, 2026
nmr-strava-activities | nmr-strava-activities | N/A | NMR Strava activities <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.0.14 | 1.0.15 | June 29, 2026
sky-elementor-addons | sky-elementor-addons | N/A | Sky Addons <= 3.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Script | | LOW | *-3.3.2 | 3.3.3 | June 29, 2026
e2pdf | e2pdf | 93 | E2Pdf – Export Pdf Tool for WordPress <= 1.32.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute | | LOW | *-1.32.17 | 1.32.18 | June 29, 2026
wp-auto-affiliate-links | wp-auto-affiliate-links | N/A | Auto Affiliate Links <= 6.8.8 - Unauthenticated Stored Cross-Site Scripting via 'url' Parameter | | LOW | *-6.8.8 | 6.8.8.1 | June 29, 2026
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | wp-user-frontend | N/A | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection | | LOW | *-4.3.1 | 4.3.2 | June 29, 2026
yith-woocommerce-wishlist | yith-woocommerce-wishlist | N/A | YITH WooCommerce Wishlist <= 4.12.0 - Unauthenticated Insecure Direct Object Reference | | LOW | *-4.12.0 | 4.13.0 | June 29, 2026
wpforo | wpforo | N/A | wpForo Forum <= 3.0.4 - Unauthenticated SQL Injection | | LOW | *-3.0.4 | 3.0.5 | June 29, 2026
wp-graphql | wp-graphql | N/A | WPGraphQL <= 2.5.3 - Cross-Site Request Forgery | | LOW | *-2.5.3 | 2.5.4 | June 29, 2026
woo-bulk-editor | woo-bulk-editor | N/A | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery | | LOW | *-1.1.5 | 1.1.6 | June 29, 2026
wen-logo-slider | wen-logo-slider | N/A | WEN Logo Slider <= 3.4.0 - Authenticated (Author+) Stored Cross-Site Scripting | | LOW | *-3.4.0 | 3.5 | June 29, 2026
team-showcase-supreme | team-showcase-supreme | N/A | Team Members – Multi Language Supported Team Plugin <= 8.5 - Authenticated (Editor+) SQL Injection | | LOW | *-8.5 | 8.6 | June 29, 2026
store-manager-connector | store-manager-connector | N/A | eMagicOne Store Manager for WooCommerce <= 1.3.2 - Unauthenticated SQL Injection | | LOW | *-1.3.2 | | June 29, 2026
Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Missing Authorization | | LOW | [*, 1.7.1053) | 1.7.1053 | June 29, 2026
Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Addons for Elementor – Addons and Templates Kit for Elementor < 1.7.1053 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | [*, 1.7.1053) | 1.7.1053 | June 29, 2026
PDF Poster – Display PDF Files with Custom Viewer | pdf-poster | 96 | PDF Poster – Display PDF Files with Custom Viewer <= 2.4.1 - Missing Authorization | | LOW | *-2.4.1 | 2.5.0 | June 29, 2026
happy-elementor-addons | happy-elementor-addons | 93 | Happy Addons for Elementor <= 3.20.8 - Unauthenticated Information Exposure | | LOW | *-3.20.8 | 3.21.0 | June 29, 2026
bus-ticket-booking-with-seat-reservation | bus-ticket-booking-with-seat-reservation | 91 | Bus Ticket Booking with Seat Reservation < 5.6.8 - Missing Authorization | | LOW | [*, 5.6.8) | 5.6.8 | June 29, 2026
bunnycdn | bunnycdn | 93 | bunny.net – WordPress CDN Plugin <= 2.3.6 - Missing Authorization | | LOW | *-2.3.6 | 2.3.7 | June 29, 2026
revslider | revslider | N/A | Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload via _get_media_url | | LOW | 7.0.0-7.0.10 | 7.0.11 | June 29, 2026
WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance | wp-optimize | 76 | WP-Optimize <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion via 'original-file' Post Meta | | LOW | *-4.5.2 | 4.5.3 | June 29, 2026
betterdocs-pro | betterdocs-pro | 93 | BetterDocs Pro <= 3.7.0 - Unauthenticated SQL Injection via Encyclopedia 'limit' Parameter | | LOW | *-3.7.0 | 3.7.1 | June 29, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder | forminator | 92 | Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook | | LOW | *-1.53.0 | 1.53.0.1 | June 29, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments | N/A | Appointment Booking Calendar <= 1.6.10.6 - Unauthenticated Arbitrary Appointment View, Modification and Deletion | | LOW | *-1.6.10.6 | 1.6.11 | June 29, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder | forminator | 92 | Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter | | LOW | *-1.51.1 | 1.52 | June 29, 2026
slicewp | slicewp | N/A | Affiliate Program Suite — SliceWP Affiliates <= 1.2.6 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-1.2.6 | 1.2.7 | June 29, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint | 83 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-5.5.0 | 5.5.1 | June 29, 2026
gf-bookings-premium | gf-bookings-premium | 93 | Gravity Bookings <= 2.5.9 - Unauthenticated SQL Injection via 'category_id' Parameter | | LOW | *-2.5.9 | 2.6 | June 29, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint | 83 | LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter | | LOW | *-5.5.0 | 5.5.1 | June 29, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint | 83 | LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update | | LOW | *-5.5.0 | 5.5.1 | June 29, 2026
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | fluentform | 78 | Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment | | LOW | *-6.2.1 | 6.2.2 | June 29, 2026
slicewp | slicewp | N/A | Affiliate Program Suite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode | | LOW | *-1.2.7 | 1.2.8 | June 29, 2026
ninja-tables | ninja-tables | N/A | Ninja Tables <= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation | | LOW | *-5.2.6 | 5.2.7 | June 29, 2026
Mercado Pago payments for WooCommerce | woocommerce-mercadopago | 94 | Mercado Pago payments for WooCommerce <= 8.7.11 - Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure | | LOW | *-8.7.11 | 8.7.12 | June 29, 2026
all-in-one-wp-migration-unlimited-extension | all-in-one-wp-migration-unlimited-extension | 97 | All-in-One WP Migration Unlimited Extension <= 2.83 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Backup Schedule Creation and Backup File Download | | LOW | *-2.83 | 2.84 | June 29, 2026
wp-business-intelligence-lite | wp-business-intelligence-lite | N/A | WP Business Intelligence Lite <= 3.2.0 - Missing Authorization | | LOW | *-3.2.0 | | June 29, 2026
snow-monkey-blocks | snow-monkey-blocks | N/A | Snow Monkey Blocks <= 24.1.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-slick' Attribute | | LOW | *-24.1.11 | 24.1.12 | June 29, 2026
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | user-registration | N/A | User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification | | LOW | *-5.1.4 | 5.1.5 | June 29, 2026
form-maker | form-maker | 93 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs' | | LOW | *-1.15.42 | 1.15.43 | June 29, 2026
generateblocks | generateblocks | 93 | GenerateBlocks <= 2.2.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Dynamic Tag Replacements | | LOW | *-2.2.0 | 2.2.1 | June 29, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder | forminator | 92 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.52.1 - Unauthenticated Arbitrary File Read via 'upload-1[file][file_path]' | | LOW | *-1.52.1 | 1.52.2 | June 29, 2026
wp-cookie-allow | wp-cookie-allow | N/A | WeePie Cookie Allow <= 3.4.11 - Unauthenticated SQL Injection via 'consent' Parameter | | LOW | *-3.4.11 | 3.4.12 | June 29, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder | forminator | 92 | Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter | | LOW | *-1.52.0 | 1.52.1 | June 29, 2026
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | elementskit-lite | 95 | ElementsKit Elementor Addons <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite | | LOW | *-3.8.2 | 3.9.0 | June 29, 2026
geeky-bot | geeky-bot | 93 | GeekyBot <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action | | LOW | *-1.2.2 | 1.2.3 | June 29, 2026
geeky-bot | geeky-bot | 93 | GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 - Unauthenticated SQL Injection via 'attributekey' | | LOW | *-1.2.0 | 1.2.1 | June 29, 2026
Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel | wp-carousel-free | N/A | WP Carousel Free <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-caption' Attribute | | LOW | *-2.7.10 | 2.7.11 | June 29, 2026
Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Follow Button Text' Parameter | | LOW | *-1.7.1056 | 1.7.1057 | June 29, 2026
gutenverse | gutenverse | 93 | Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery via 'imageUrl' | | LOW | *-3.5.3 | 3.6.0 | June 29, 2026
emailkit | emailkit | 93 | EmailKit <= 1.6.5 - Authenticated (Author+) Arbitrary File Read via 'emailkit-editor-template' REST Parameter | | LOW | *-1.6.5 | 1.6.6 | June 29, 2026
Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta | | LOW | *-1.7.1056 | 1.7.1057 | June 29, 2026
gutenverse | gutenverse | 93 | Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG' | | LOW | *-3.5.3 | 3.6.0 | June 29, 2026
subscribe-to-comments-reloaded | subscribe-to-comments-reloaded | N/A | Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management | | LOW | *-240119 | | June 29, 2026
another-wordpress-classifieds-plugin | another-wordpress-classifieds-plugin | 97 | AWP Classifieds <= 4.4.6 - Unauthenticated SQL Injection via 'regions' | | LOW | *-4.4.6 | 4.4.6.1 | June 29, 2026
charts-ninja-graphs-and-charts | charts-ninja-graphs-and-charts | 91 | Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute | | LOW | *-2.1.0 | | June 29, 2026
blog-settings | blog-settings | 91 | Blog Settings <= 1.0 - Reflected Cross-Site Scripting via 'page' Parameter | | LOW | *-1.0 | | June 29, 2026
zingaya-click-to-call | zingaya-click-to-call | N/A | Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter | | LOW | *-1.0 | | June 29, 2026
publish-2-pingfm | publish-2-pingfm | N/A | Publish 2 Ping.fm <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpPingPingKey' Parameter | | LOW | *-1.1 | | June 29, 2026
addfreespace | addfreespace | 95 | addfreespace <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page | | LOW | *-0.1.3 | | June 29, 2026
dx-sources | dx-sources | 91 | DX Sources <= 2.0.1 - Cross-Site Request Forgery to Settings Update | | LOW | *-2.0.1 | | June 29, 2026
wp-clippy | wp-clippy | N/A | WP-Clippy <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.0.0 | | June 29, 2026
simple-owl-shortcodes | simple-owl-shortcodes | N/A | Simple Owl Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Attribute | | LOW | *-2.1.1 | | June 29, 2026
wp-business-intelligence-lite | wp-business-intelligence-lite | N/A | WP Business Intelligence Lite <= 3.2.0 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary SQL Modification | | LOW | *-3.2.0 | | June 29, 2026
post-expirator | post-expirator | N/A | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute | | LOW | *-4.10.0 | 4.10.1 | June 29, 2026
mentoring | mentoring | N/A | Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration | | LOW | *-1.2.8 | 1.2.9 | June 29, 2026
Loco Translate | loco-translate | 89 | Loco Translate <= 2.8.2 - Authenticated (Translator+) Path Traversal to Limited File Read via 'ref' Parameter | | LOW | *-2.8.2 | 2.8.3 | June 29, 2026
smart-wishlist-for-more-convert-premium | smart-wishlist-for-more-convert-premium | N/A | MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse | | LOW | *-1.9.14 | 1.9.15 | June 29, 2026
webinar-ignition | webinar-ignition | N/A | WebinarIgnition < 4.09.86 - Unauthenticated SQL Injection | | LOW | [*, 4.09.86) | 4.09.86 | June 29, 2026
nex-forms-express-wp-form-builder | nex-forms-express-wp-form-builder | N/A | NEX-Forms <= 9.1.11 - Unauthenticated Stored Cross-Site Scripting via POST Parameter Key Names | | LOW | *-9.1.11 | 9.1.12 | June 29, 2026
Event Tickets and Registration | event-tickets | 86 | Event Tickets and Registration <= 5.27.5 - Missing Authorization | | LOW | *-5.27.5 | 5.27.6.1 | June 29, 2026
premium-addons-for-elementor | premium-addons-for-elementor | N/A | Premium Addons for Elementor <= 4.11.70 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_svg' Parameter | | LOW | *-4.11.70 | 4.11.71 | June 29, 2026
Quiz Maker by AYS | quiz-maker | 66 | Quiz Maker by AYS <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason' | | LOW | *-6.7.1.29 | 6.7.1.30 | June 29, 2026
salon-booking-system | salon-booking-system | N/A | Salon Booking System – Free Version <= 10.30.25 - Unauthenticated Arbitrary File Read via Booking File Field Path Traversal | | LOW | *-10.30.25 | 10.30.26 | June 29, 2026
brizy | brizy | 93 | Brizy – Page Builder <= 2.8.11 - Unauthenticated Stored Cross-Site Scripting via FileUpload Field Value | | LOW | *-2.8.11 | 2.8.12 | June 29, 2026
Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification | | LOW | *-1.7.1056 | 1.7.1057 | June 29, 2026
fundpress | fundpress | 93 | FundPress <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification via donate_action_status AJAX Handler | | LOW | *-2.0.8 | 2.0.9 | June 29, 2026
Booking for Appointments and Events Calendar – Amelia | ameliabooking | 97 | Booking for Appointments and Events Calendar – Amelia <= 2.2.1 - Unauthenticated Authorization Bypass via Remote Approval Endpoint | | LOW | *-2.2.1 | 2.3 | June 29, 2026
geo-mashup | geo-mashup | 93 | Geo Mashup <= 1.13.19 - Authenticated (Subscriber+) SQL Injection via 'geo_mashup_null_fields' Parameter | | LOW | *-1.13.19 | 1.13.20 | June 29, 2026
armember-membership | armember-membership | 95 | ARMember <= 5.5 - Unauthenticated SQL Injection via 'orderby' Parameter | | LOW | *-5.5 | 5.6 | June 29, 2026
profile-builder-pro | profile-builder-pro | N/A | Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection | | LOW | *-3.14.5 | 3.14.6 | June 29, 2026
pixelyoursite-pro | pixelyoursite-pro | N/A | PixelYourSite Pro <= 12.5.0.1 - Unauthenticated Blind Server-Side Request Forgery via 'urls[]' Parameter | | LOW | *-12.5.0.1 | 12.5.0.2 | June 29, 2026
jeg-elementor-kit | jeg-elementor-kit | 93 | Jeg Kit for Elementor <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sg_content_number_prefix' Shortcode Attribute | | LOW | *-3.1.0 | 3.1.1 | June 29, 2026
import-users-from-csv-with-meta | import-users-from-csv-with-meta | 93 | Import and export users and customers <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation via Multisite Capability Meta Fields | | LOW | *-2.0.8 | 2.0.9 | June 29, 2026
essential-blocks | essential-blocks | 93 | Gutenberg Essential Blocks <= 6.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes | | LOW | *-6.0.4 | 6.1.0 | June 29, 2026
social-photo-feed-widget | social-photo-feed-widget | N/A | Widgets for Social Photo Feed <= 1.8 - Missing Authentication to Unauthenticated Plugin Settings Access/Update via trustindex_feed_hook_instagram REST API endpoints | | LOW | *-1.8 | 1.8.1 | June 29, 2026
user-verification | user-verification | N/A | User Verification by PickPlugins <= 2.0.46 - Unauthenticated Authentication Bypass via OTP Verification REST API Endpoint | | LOW | *-2.0.46 | 2.0.47 | June 29, 2026
user-registration-advanced-fields | user-registration-advanced-fields | N/A | User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload | | LOW | *-1.6.20 | 1.6.21 | June 29, 2026
app-builder | app-builder | 95 | App Builder <= 5.5.10 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification via 'user_id' Parameter | | LOW | *-5.6.0 | | June 29, 2026
simple-link-directory | simple-link-directory | N/A | Simple Link Directory <= 8.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-8.9.2 | 8.9.4 | June 29, 2026
LOW

fundpress

fundpress

Score: 93/100 FundPress <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification via donate_action_status AJAX Handler Affected: *-2.0.8 Patched: 2.0.9 Updated: June 29, 2026
LOW

Booking for Appointments and Events Calendar – Amelia

ameliabooking

Score: 97/100 Booking for Appointments and Events Calendar – Amelia <= 2.2.1 - Unauthenticated Authorization Bypass via Remote Approval Endpoint Affected: *-2.2.1 Patched: 2.3 Updated: June 29, 2026
LOW

geo-mashup

geo-mashup

Score: 93/100 Geo Mashup <= 1.13.19 - Authenticated (Subscriber+) SQL Injection via 'geo_mashup_null_fields' Parameter Affected: *-1.13.19 Patched: 1.13.20 Updated: June 29, 2026
LOW

armember-membership

armember-membership

Score: 95/100 ARMember <= 5.5 - Unauthenticated SQL Injection via 'orderby' Parameter Affected: *-5.5 Patched: 5.6 Updated: June 29, 2026
LOW

profile-builder-pro

profile-builder-pro

Score: N/A Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection Affected: *-3.14.5 Patched: 3.14.6 Updated: June 29, 2026
LOW

pixelyoursite-pro

pixelyoursite-pro

Score: N/A PixelYourSite Pro <= 12.5.0.1 - Unauthenticated Blind Server-Side Request Forgery via 'urls[]' Parameter Affected: *-12.5.0.1 Patched: 12.5.0.2 Updated: June 29, 2026
LOW

jeg-elementor-kit

jeg-elementor-kit

Score: 93/100 Jeg Kit for Elementor <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sg_content_number_prefix' Shortcode Attribute Affected: *-3.1.0 Patched: 3.1.1 Updated: June 29, 2026
LOW

import-users-from-csv-with-meta

import-users-from-csv-with-meta

Score: 93/100 Import and export users and customers <= 2.0.8 - Authenticated (Subscriber+) Privilege Escalation via Multisite Capability Meta Fields Affected: *-2.0.8 Patched: 2.0.9 Updated: June 29, 2026
LOW

essential-blocks

essential-blocks

Score: 93/100 Gutenberg Essential Blocks <= 6.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes Affected: *-6.0.4 Patched: 6.1.0 Updated: June 29, 2026
LOW

social-photo-feed-widget

social-photo-feed-widget

Score: N/A Widgets for Social Photo Feed <= 1.8 - Missing Authentication to Unauthenticated Plugin Settings Access/Update via trustindex_feed_hook_instagram REST API endpoints Affected: *-1.8 Patched: 1.8.1 Updated: June 29, 2026
LOW

user-verification

user-verification

Score: N/A User Verification by PickPlugins <= 2.0.46 - Unauthenticated Authentication Bypass via OTP Verification REST API Endpoint Affected: *-2.0.46 Patched: 2.0.47 Updated: June 29, 2026
LOW

user-registration-advanced-fields

user-registration-advanced-fields

Score: N/A User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload Affected: *-1.6.20 Patched: 1.6.21 Updated: June 29, 2026
LOW

app-builder

app-builder

Score: 95/100 App Builder <= 5.5.10 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification via 'user_id' Parameter Affected: *-5.6.0 Patched: Updated: June 29, 2026
LOW

simple-link-directory

simple-link-directory

Score: N/A Simple Link Directory <= 8.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-8.9.2 Patched: 8.9.4 Updated: June 29, 2026

Showing 901 to 1000 of 36189 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 04:25 UTC.