Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36406 (across tracked plugins)

Affected Plugins: 92 (with open vulnerabilities)

Critical / High: 0 (require immediate attention)

Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score (/100) | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| htaccess-login-block | htaccess-login-block | 91 | .htaccess Login block <= 0.9a - Reflected Cross-Site Scripting | | LOW | * - 0.9a | | July 3, 2026 |
| gpx-viewer | gpx-viewer | 93 | GPX Viewer <= 2.2.11 - Authenticated (Editor+) Path Traversal | | LOW | *-2.2.11 | 2.2.12 | July 3, 2026 |
| google-maps-gpx-viewer | google-maps-gpx-viewer | 91 | Google Maps GPX Viewer <= 3.6 - Reflected Cross-Site Scripting | | LOW | *-3.6 | | July 3, 2026 |
| fontsampler | fontsampler | 91 | Fontsampler <= 0.4.14 - Reflected Cross-Site Scripting | | LOW | *-0.4.14 | | July 3, 2026 |
| flickr-slideshow-wrapper | flickr-slideshow-wrapper | 91 | flickr-slideshow-wrapper <= 5.4.6 - Reflected Cross-Site Scripting | | LOW | *-5.4.6 | | July 3, 2026 |
| flashfader | flashfader | 91 | Flashfader <= 1.1.1 - Reflected Cross-Site Scripting | | LOW | *-1.1.1 | | July 3, 2026 |
| flagged-content | flagged-content | 91 | Flagged Content <= 1.0.2 - Reflected Cross-Site Scripting | | LOW | *-1.0.2 | | July 3, 2026 |
| file-icons | file-icons | 91 | File Icons <= 2.1 - Reflected Cross-Site Scripting | | LOW | *-2.1 | | July 3, 2026 |
| easy-form | easy-form | 93 | Easy Form by AYS <= 2.6.9 - Reflected Cross-Site Scripting | | LOW | *-2.6.9 | 2.7.0 | July 3, 2026 |
| doctor-appointment-booking | doctor-appointment-booking | 89 | Doctor Appointment Booking <= 1.0.0 - Authenticated (Subscriber+) SQL Injection | | LOW | *-1.0.0 | | July 3, 2026 |
| doctor-appointment-booking | doctor-appointment-booking | 89 | Doctor Appointment Booking <= 1.0.0 - Authenticated (Subscriber+) Local File Inclusion | | LOW | *-1.0.0 | | July 3, 2026 |
| db-tables-importexport | db-tables-importexport | 91 | DB Tables Import/Export <= 1.0.1 - Reflected Cross-Site Scripting | | LOW | *-1.0.1 | | July 3, 2026 |
| css-live | css-live | 91 | Live css <= 1.3 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-1.3 | | July 3, 2026 |
| chatlive | chatlive | 91 | CHATLIVE <= 2.0.1 - Unauthenticated SQL Injection | | LOW | *-2.0.1 | | July 3, 2026 |
| buddyforms | buddyforms | 89 | Frontend Content Forms for User Submissions (UGC) <= 2.8.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buddyforms_nav' Shortcode | | LOW | *-2.8.15 | 2.8.16 | July 3, 2026 |
| booking-ultra-pro | booking-ultra-pro | 91 | Booking Ultra Pro <= 1.1.19 - Reflected Cross-Site Scripting | | LOW | *-1.1.19 | 1.1.20 | July 3, 2026 |
| all-in-menu | all-in-menu | 95 | All In Menu <= 1.1.5 - Authenticated (Subscriber+) SQL Injection | | LOW | *-1.1.5 | | July 3, 2026 |
| affiliate-links-manager | affiliate-links-manager | 95 | Affiliate Links Manager <= 1.0 - Reflected Cross-Site Scripting | | LOW | *-1.0 | | July 3, 2026 |
| adsensei-b30 | adsensei-b30 | 95 | Adsmonetizer <= 3.2.4 - Reflected Cross-Site Scripting | | LOW | *-3.2.4 | | July 3, 2026 |
| a1post-bg-shipping-for-woocommerce | a1post-bg-shipping-for-woocommerce | 97 | A1POST.BG Shipping for WooCommerce <= 1.5 - Cross-Site Request Forgery to Privilege Escalation | | LOW | *-1.5 | 1.5.1 | July 3, 2026 |
| 17track | 17track | 95 | 17TRACK for WooCommerce <= 1.2.10 - Reflected Cross-Site Scripting | | LOW | *-1.2.10 | | July 3, 2026 |
| header-footer | header-footer | 93 | Head, Footer and Post Injections <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Multisite Environments | | LOW | *-3.3.0 | 3.3.1 | July 3, 2026 |
| wpexperts-square-for-give | wpexperts-square-for-give | N/A | WPExperts Square For GiveWP <= 1.3.1 - Authenticated (Subscriber+) SQL Injection | | LOW | *-1.3.1 | 1.3.2 | July 3, 2026 |
| ulp-duplicate-post-sql-timebased | ulp-duplicate-post-sql-timebased | N/A | Indeed Ultimate Learning Pro <= 3.9 - Authenticated (Administrator+) SQL Injection via post_id Parameter | | LOW | *-3.9 | 3.9.1 | July 3, 2026 |
| wp-appbox | wp-appbox | N/A | WP-Appbox <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via appbox Shortcode | | LOW | *-4.5.4 | 4.5.5 | July 3, 2026 |
| Responsive Addons for Elementor – Free Elementor Addons, Kits and Elementor Templates | responsive-addons-for-elementor | N/A | Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 - Authenticated (Contributor+) Local File Inclusion | | LOW | *-1.6.4 | 1.6.5 | July 3, 2026 |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member | N/A | Ultimate Member <= 2.9.2 - Authenticated SQL Injection | | LOW | *-2.9.2 | 2.10.0 | July 3, 2026 |
| pie-calendar | pie-calendar | N/A | Events Calendar Made Simple – Pie Calendar <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via piecal Shortcode | | LOW | *-1.2.5 | 1.2.6 | July 3, 2026 |
| Events Manager – Calendar, Bookings, Tickets, and more! | events-manager | 78 | Events Manager – Calendar, Bookings, Tickets, and more! <= 6.6.3 - Unauthenticated SQL Injection via Event Status Parameter | | LOW | *-6.6.3 | 6.6.4 | July 3, 2026 |
| booking-system | booking-system | 91 | Pinpoint Booking System – #1 WordPress Booking Plugin <= 2.9.9.5.4 - Authenticated (Subscriber+) SQL Injection | | LOW | *-2.9.9.5.4 | 2.9.9.6.0 | July 3, 2026 |
| c9-admin-dashboard | c9-admin-dashboard | 91 | C9 Admin Dashboard <= 1.3.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | | LOW | *-1.3.5 | | July 3, 2026 |
| tcbd-tooltip | tcbd-tooltip | N/A | TCBD Tooltip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.0 | | July 3, 2026 |
| newpost-catch | newpost-catch | 93 | Newpost Catch <= 1.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via npc Shortcode | | LOW | *-1.3.19 | 1.3.20 | July 3, 2026 |
| 3d-photo-gallery | 3d-photo-gallery | 95 | 3D Photo Gallery <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting | | LOW | *-1.3 | | July 3, 2026 |
| amo-team-showcase | amo-team-showcase | 95 | AMO Team Showcase <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via amoteam_skills Shortcode | | LOW | *-1.1.4 | | July 3, 2026 |
| c9-blocks | c9-blocks | 89 | C9 Blocks <= 1.7.7 - Unauthenticated Full Path Disclosure | | LOW | *-1.7.7 | | July 3, 2026 |
| wpupper-share-buttons | wpupper-share-buttons | N/A | WPUpper Share Buttons <= 3.51 - Cross-Site Request Forgery to Custom CSS Update | | LOW | *-3.51 | 3.52 | July 3, 2026 |
| pie-register | pie-register | N/A | Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction <= 3.8.4 - Sensitive Information Exposure via Log Files | | LOW | *-3.8.4 | 3.8.4.1 | July 3, 2026 |
| mini-course-generator | mini-course-generator | 93 | Mini Course Generator \| Embed mini-courses and interactive content <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.0.5 | 1.0.6 | July 3, 2026 |
| ziggeo | ziggeo | N/A | Ziggeo <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.1 | 3.1.1 | July 3, 2026 |
| wp-e-customers | wp-e-customers | N/A | WP e-Customers Beta <= 0.0.1 - Reflected Cross-Site Scripting | | LOW | *-0.0.1 | | July 3, 2026 |
| wp-click-info | wp-click-info | N/A | WP Click Info <= 2.7.4 - Reflected Cross-Site Scripting | | LOW | *-2.7.4 | | July 3, 2026 |
| wowpth | wowpth | N/A | WoWPth <= 2.0 - Reflected Cross-Site Scripting | | LOW | *-2.0 | | July 3, 2026 |
| wowpth | wowpth | N/A | WoWPth <= 2.0 - Reflected Cross-Site Scripting | | LOW | *-2.0 | | July 3, 2026 |
| wooexim | wooexim | N/A | WOOEXIM – WooCommerce Export Import Plugin <= 5.0.0 - Reflected Cross-Site Scripting | | LOW | *-5.0.0 | | July 3, 2026 |
| schedule | schedule | N/A | Schedule <= 1.0.0 - Reflected Cross-Site Scripting | | LOW | *-1.0.0 | | July 3, 2026 |
| maps-for-wp | maps-for-wp | 91 | Maps for WP <= 1.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.2.4 | 1.2.5 | July 3, 2026 |
| limit-bio | limit-bio | 89 | Limit Bio <= 1.0 - Reflected Cross-Site Scripting | | LOW | *-1.0 | | July 3, 2026 |
| limit-bio | limit-bio | 89 | Limit Bio <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | LOW | *-1.0 | | July 3, 2026 |
| igumbi-online-booking | igumbi-online-booking | 93 | igumbi Online Booking <= 1.40 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.40 | 1.41 | July 3, 2026 |
| autoship-cloud | autoship-cloud | 91 | Autoship Cloud for WooCommerce Subscription Products <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.8.0 | 2.8.1 | July 3, 2026 |
| custom-post-widget | custom-post-widget | 93 | Content Blocks (Custom Post Widget) <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter | | LOW | *-3.3.5 | 3.3.6 | July 3, 2026 |
| ultimate-classified-listings | ultimate-classified-listings | N/A | Ultimate Classified Listings <= 1.4 Authenticated (Administrator+) Stored Cross-Site Scripting via Title Parameter | | LOW | *-1.4 | 1.5 | July 3, 2026 |
| ultimate-classified-listings | ultimate-classified-listings | N/A | Ultimate Classified Listings <= 1.5 - Cross-Site Request Forgery to Account Takeover | | LOW | *-1.5 | 1.6 | July 3, 2026 |
| gift-voucher | gift-voucher | 93 | Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) <= 4.4.9 - Missing Authorization to Unauthenticated Price, Date, and Note Updates | | LOW | *-4.4.9 | 4.5.0 | July 3, 2026 |
| bandsintown | bandsintown | 93 | Bandsintown Events <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.3.1 | 1.3.2 | July 3, 2026 |
| cookie-notice-bar | cookie-notice-bar | 91 | Cookie Notice Bar <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.3.0 | | July 3, 2026 |
| legoeso-pdf-manager | legoeso-pdf-manager | 91 | Legoeso PDF Manager <= 1.2.2 - Authenticated (Author+) SQL Injection via checkedVals Parameter | | LOW | *-1.2.2 | | July 3, 2026 |
| ravpage | ravpage | N/A | Ravpage <= 2.31 - PHP Object Injection | | LOW | *-2.31 | 2.33 | July 3, 2026 |
| prime-addons-for-elementor | prime-addons-for-elementor | N/A | Prime Addons for Elementor <= 2.0.1 - Authenticated (Contributor+) Insecure Direct Object Reference via pae_global_block Shortcode | | LOW | *-2.0.1 | 2.0.2 | July 3, 2026 |
| mrlegend-typedjs | mrlegend-typedjs | 91 | Typed JS: A typewriter style animation <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via typespeed Parameter | | LOW | *-1.2.0 | | July 3, 2026 |
| wpappninja | wpappninja | N/A | WPMobile.App <= 11.56 - Open Redirect via 'redirect' Parameter | | LOW | *-11.56 | 11.57 | July 3, 2026 |
| modal-window | modal-window | 93 | Modal Window <= 6.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via iframeBox Shortcode | | LOW | *-6.1.5 | 6.1.6 | July 3, 2026 |
| unlimited-elements-for-elementor | unlimited-elements-for-elementor | N/A | Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.140 - Authenticated (Contributor+) Stored Cross-Site Scripting via Transparent Split Hero Widget | | LOW | *-1.5.140 | 1.5.141 | July 3, 2026 |
| Elementor Website Builder – more than just a page builder | elementor | 79 | Elementor Website Builder – More Than Just a Page Builder <= 3.27.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.27.4 | 3.27.5 | July 3, 2026 |
| woo-exfood | woo-exfood | N/A | WooCommerce Food - Restaurant Menu & Food ordering <= 3.3.2 - Unauthenticated Arbitrary Shortcode Execution via ids | | LOW | *-3.3.2 | 3.3.3 | July 3, 2026 |
| social-warfare | social-warfare | N/A | Social Sharing Plugin – Social Warfare <= 4.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-4.5.5 | 4.5.6 | July 3, 2026 |
| ltl-freight-quotes-globaltranz-edition | ltl-freight-quotes-globaltranz-edition | 93 | LTL Freight Quotes – GlobalTranz Edition <= 2.3.12 - Missing Authorization to Unauthenticated Settings Update | | LOW | *-2.3.12 | 2.3.13 | July 3, 2026 |
| ltl-freight-quotes-globaltranz-edition | ltl-freight-quotes-globaltranz-edition | 93 | LTL Freight Quotes – GlobalTranz Edition <= 2.3.11 - Unauthenticated SQL Injection | | LOW | *-2.3.11 | 2.3.12 | July 3, 2026 |
| lenix-elementor-leads-addon | lenix-elementor-leads-addon | 93 | Lenix Elementor Leads addon <= 1.8.2 - Unauthenticated Stored Cross-Site Scripting via URL Form Field | | LOW | *-1.8.2 | 1.8.3 | July 3, 2026 |
| embed-any-document | embed-any-document | 93 | Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files <= 2.7.5 - Authenticated (Contributor+) Blind Server-Side Request Forgery via embeddoc Shortcode | | LOW | *-2.7.5 | 2.7.6 | July 3, 2026 |
| easy-login-woocommerce | easy-login-woocommerce | 93 | Login/Signup Popup ( Inline Form + Woocommerce ) <= 2.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via xoo_el_action Shortcode | | LOW | *-2.8.5 | 2.8.6 | July 3, 2026 |
| ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | elementskit-lite | 95 | ElementsKit Elementor addons <= 3.4.0 - Unauthenticated Information Exposure via get_megamenu_content Function | | LOW | *-3.4.0 | 3.4.1 | July 3, 2026 |
| yaysmtp | yaysmtp | N/A | YaySMTP 2.4.9 - 2.6.3 - Unauthenticated Stored Cross-Site Scripting | | LOW | 2.4.9-2.6.3 | 2.6.4 | July 3, 2026 |
| ltl-freight-quotes-sefl-edition | ltl-freight-quotes-sefl-edition | 93 | LTL Freight Quotes – SEFL Edition <= 3.2.4 - Unauthenticated SQL Injection | | LOW | *-3.2.4 | 3.2.5 | July 3, 2026 |
| small-package-quotes-wwe-edition | small-package-quotes-wwe-edition | N/A | Small Package Quotes – Worldwide Express Edition <= 5.2.18 - Unauthenticated SQL Injection | | LOW | *-5.2.18 | 5.2.19 | July 3, 2026 |
| uber-grid | uber-grid | N/A | WordPress Portfolio Builder – Portfolio Gallery <= 1.1.7 - Missing Authorization to Unauthenticated Portfolio Update | | LOW | *-1.1.7 | | July 3, 2026 |
| uber-grid | uber-grid | N/A | WordPress Portfolio Builder – Portfolio Gallery <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-1.1.7 | | July 3, 2026 |
| adthrive-ads | adthrive-ads | 97 | Raptive Ads <= 3.6.3 - Reflected Cross-Site Scripting | | LOW | *-3.6.3 | 3.7.1 | July 3, 2026 |
| adthrive-ads | adthrive-ads | 97 | Raptive Ads <= 3.6.3 - Missing Authorization to Unauthenticated Data/Settings Reset | | LOW | *-3.6.3 | 3.7.1 | July 3, 2026 |
| disable-auto-updates | disable-auto-updates | 91 | Disable Auto Updates <= 1.4 - Cross-Site Request Forgery to Auto-update Disable | | LOW | *-1.4 | | July 3, 2026 |
| debounce-io-email-validator | debounce-io-email-validator | 93 | DeBounce Email Validator <= 5.8.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | LOW | *-5.8.0 | 5.8.1 | July 3, 2026 |
| team-builder-for-wpbakery-page-builder | team-builder-for-wpbakery-page-builder | N/A | Team Builder For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.0 | | July 3, 2026 |
| team-builder-for-wpbakery-page-builder | team-builder-for-wpbakery-page-builder | N/A | Team Builder For WPBakery Page Builder(Formerly Visual Composer) <= 1.0 - Authenticated (Contributor+) Local File Inclusion | | LOW | *-1.0 | | July 3, 2026 |
| admin-form | admin-form | 95 | ADFO – Custom data in admin dashboard <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.9.1 | | July 3, 2026 |
| yayforms | yayforms | N/A | Yay! Forms \| Embed Custom Forms, Surveys, and Quizzes Easily <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.2.1 | 1.3 | July 3, 2026 |
| apptivo-business-site | apptivo-business-site | 95 | Apptivo Business Site CRM <= 5.3 - Cross-Site Request Forgery to IP Address Block | | LOW | *-5.3 | | July 3, 2026 |
| trash-duplicate-and-301-redirect | trash-duplicate-and-301-redirect | N/A | Trash Duplicate and 301 Redirect <= 1.9 - Missing Authorization to Unauthenticated Arbitrary Post Deletion | | LOW | *-1.9 | 1.9.1 | July 3, 2026 |
| jma-youtube-playlists-with-schema | jma-youtube-playlists-with-schema | 91 | YouTube Playlists with Schema <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.6.1 | | July 3, 2026 |
| education-addon | education-addon | 91 | Education Addon for Elementor <= 1.3.1 - Authenticated (Contributor+) Insecure Direct Object Reference via naedu_elementor_template Shortcode | | LOW | *-1.3.1 | | July 3, 2026 |
| pollin | pollin | N/A | Pollin <= 1.01.1 - Reflected Cross-Site Scripting | | LOW | *-1.01.1 | | July 3, 2026 |
| mobile-friendly-flickr-slideshow | mobile-friendly-flickr-slideshow | 93 | Responsive Flickr Slideshow <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.6.1 | 2.7.0 | July 3, 2026 |
| coaching-staffs | coaching-staffs | 93 | Coaching Staffs <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.5.1 | 1.5.2 | July 3, 2026 |
| pepro-ultimate-invoice | pepro-ultimate-invoice | N/A | PeproDev Ultimate Invoice <= 2.0.9 - Insecure Direct Object Reference to Unauthenticated Order Information Exposure | | LOW | *-2.0.9 | 2.1.0 | July 3, 2026 |
| ultraembed-advanced-iframe | ultraembed-advanced-iframe | N/A | UltraEmbed – Advanced Iframe Plugin For WordPress with Gutenberg Block Included <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.0.3 | | July 3, 2026 |
| lexicata | lexicata | 89 | Lexicata <= 1.0.16 - Reflected Cross-Site Scripting | | LOW | *-1.0.16 | | July 3, 2026 |
| umich-oidc-login | umich-oidc-login | N/A | UMich OIDC Login <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.2.0 | | July 3, 2026 |
| store-locator-widget | store-locator-widget | N/A | Store Locator Widget <= 2025r1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | * - 2025r1 | 2025r2 | July 3, 2026 |
| wp-media-category-management | wp-media-category-management | N/A | WP Media Category Management 2.0 - 2.3.3 - Cross-Site Request Forgery to Settings Update | | LOW | 2.0-2.3.3 | 2.4.0 | July 3, 2026 |
| wedesin-html-sitemap | wedesin-html-sitemap | N/A | Digihood HTML Sitemap <= 3.1.1 - Reflected Cross-Site Scripting via 'channel' | | LOW | *-3.1.1 | | July 3, 2026 |
LOW

mobile-friendly-flickr-slideshow

mobile-friendly-flickr-slideshow

Score: 93/100 Responsive Flickr Slideshow <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.6.1 Patched: 2.7.0 Updated: July 3, 2026
LOW

coaching-staffs

coaching-staffs

Score: 93/100 Coaching Staffs <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.5.1 Patched: 1.5.2 Updated: July 3, 2026
LOW

pepro-ultimate-invoice

pepro-ultimate-invoice

Score: N/A PeproDev Ultimate Invoice <= 2.0.9 - Insecure Direct Object Reference to Unauthenticated Order Information Exposure Affected: *-2.0.9 Patched: 2.1.0 Updated: July 3, 2026
LOW

ultraembed-advanced-iframe

ultraembed-advanced-iframe

Score: N/A UltraEmbed – Advanced Iframe Plugin For WordPress with Gutenberg Block Included <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0.3 Patched: Updated: July 3, 2026
LOW

lexicata

lexicata

Score: 89/100 Lexicata <= 1.0.16 - Reflected Cross-Site Scripting Affected: *-1.0.16 Patched: Updated: July 3, 2026
LOW

umich-oidc-login

umich-oidc-login

Score: N/A UMich OIDC Login <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2.0 Patched: Updated: July 3, 2026
LOW

store-locator-widget

store-locator-widget

Score: N/A Store Locator Widget <= 2025r1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: * - 2025r1 Patched: 2025r2 Updated: July 3, 2026
LOW

wp-media-category-management

wp-media-category-management

Score: N/A WP Media Category Management 2.0 - 2.3.3 - Cross-Site Request Forgery to Settings Update Affected: 2.0-2.3.3 Patched: 2.4.0 Updated: July 3, 2026
LOW

wedesin-html-sitemap

wedesin-html-sitemap

Score: N/A Digihood HTML Sitemap <= 3.1.1 - Reflected Cross-Site Scripting via 'channel' Affected: *-3.1.1 Patched: Updated: July 3, 2026

Showing 11901 to 12000 of 36406 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: July 3, 2026 at 11:16 UTC.