Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36189 (across tracked plugins)

Affected Plugins: 89 (with open vulnerabilities)

Critical / High: 0 (require immediate attention)

Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Image Source Control Lite – Show Image Credits and Captions | image-source-control-isc | 89 | Image Source Control Lite – Show Image Credits and Captions <= 3.9.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'Image Source' Field | | LOW | *-3.9.1 | 3.9.2 | June 29, 2026 |
| Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | everest-forms | 68 | Everest Forms <= 3.4.4 - Unauthenticated Arbitrary File Read and Deletion via Upload Field 'old_files' Parameter | | LOW | *-3.4.4 | 3.4.5 | June 29, 2026 |
| wpforo | wpforo | N/A | wpForo Forum <= 3.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Custom Profile Field File Path | | LOW | *-3.0.5 | 3.0.6 | June 29, 2026 |
| YayMail – WooCommerce Email Customizer | yaymail | N/A | YayMail – WooCommerce Email Customizer <= 4.3.3 - Authenticated (Shop manager+) PHP Object Injection | | LOW | *-4.3.3 | 4.3.4 | June 29, 2026 |
| woocommerce-pdf-invoices-packing-slips | woocommerce-pdf-invoices-packing-slips | N/A | PDF Invoices & Packing Slips for WooCommerce < 5.9.0 - Authenticated (Shop manager+) PHP Object Injection | | LOW | [*, 5.9.0) | 5.9.0 | June 29, 2026 |
| Website LLMs.txt | website-llms-txt | 94 | Website LLMs.txt <= 8.2.6 - Reflected Cross-Site Scripting | | LOW | *-8.2.6 | 8.2.7 | June 29, 2026 |
| tutor | tutor | N/A | Tutor LMS – eLearning and online course solution <= 3.9.7 - Missing Authorization | | LOW | *-3.9.7 | 3.9.8 | June 29, 2026 |
| shortpixel-image-optimiser | shortpixel-image-optimiser | N/A | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF <= 6.4.3 - Authenticated (Author+) PHP Object Injection | | LOW | *-6.4.3 | 6.4.4 | June 29, 2026 |
| Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions | N/A | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.17.3 - Reflected Cross-Site Scripting | | LOW | *-2.17.3 | 3.0.0 | June 29, 2026 |
| Notification for Telegram | notification-for-telegram | 97 | Notification for Telegram <= 3.5 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-3.5 | 3.5.1 | June 29, 2026 |
| modula-best-grid-gallery | modula-best-grid-gallery | N/A | Modula Image Gallery – Photo Grid & Video Gallery <= 2.14.18 - Authenticated (Author+) PHP Object Injection | | LOW | *-2.14.18 | 2.14.19 | June 29, 2026 |
| Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider | ml-slider | 88 | Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.106.0 - Authenticated (Editor+) Remote Code Execution | | LOW | *-3.106.0 | 3.107.0 | June 29, 2026 |
| Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider | ml-slider | 88 | Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider <= 3.106.0 - Authenticated (Editor+) PHP Object Injection | | LOW | *-3.106.0 | 3.107.0 | June 29, 2026 |
| jupiterx-core | jupiterx-core | 93 | Jupiter X Core <= 4.14.1 - Missing Authorization | | LOW | *-4.14.1 | 4.14.2 | June 29, 2026 |
| inpost-gallery | inpost-gallery | 93 | InPost Gallery <= 2.1.4.6 - Unauthenticated SQL Injection | | LOW | *-2.1.4.6 | 2.1.5 | June 29, 2026 |
| gotmls | gotmls | 93 | Anti-Malware Security and Brute-Force Firewall <= 4.23.87 - Authenticated (Contributor+) PHP Object Injection | | LOW | *-4.23.87 | 4.23.88 | June 29, 2026 |
| EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management | 74 | EventPrime – Events Calendar, Bookings and Tickets <= 4.3.0.0 - Authenticated (Subscriber+) Insecure Direct Object Reference | | LOW | *-4.3.0.0 | 4.3.0.1 | June 29, 2026 |
| Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | easy-digital-downloads | 78 | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy <= 3.6.5 - Missing Authorization | | LOW | *-3.6.5 | 3.6.6 | June 29, 2026 |
| download-monitor | download-monitor | 93 | Download Monitor <= 5.1.9 - Authenticated (Author+) Arbitrary File Download | | LOW | *-5.1.9 | 5.1.10 | June 29, 2026 |
| computer-repair-shop | computer-repair-shop | 93 | RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress <= 4.1132 - Missing Authorization | | LOW | *-4.1132 | 4.1133 | June 29, 2026 |
| advanced-product-fields-for-woocommerce | advanced-product-fields-for-woocommerce | 97 | Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 - Authenticated (Shop manager+) PHP Object Injection | | LOW | *-1.6.19 | 1.6.20 | June 29, 2026 |
| activitytime | activitytime | 97 | WP Sessions Time Monitoring Full Automatic <= 1.1.4 - Authenticated (Subscriber+) SQL Injection | | LOW | *-1.1.4 | 1.1.5 | June 29, 2026 |
| embed-calendly-scheduling | embed-calendly-scheduling | 93 | EMC Scheduling Manager <= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via calendly Shortcode | | LOW | *-4.4 | 4.5 | June 29, 2026 |
| contextual-related-posts | contextual-related-posts | 93 | Contextual Related Posts <= 4.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'other_attributes' | | LOW | *-4.2.1 | 4.2.2 | June 29, 2026 |
| custom-post-widget | custom-post-widget | 93 | Content Blocks (Custom Post Widget) <= 3.3.9 - Authenticated (Author+) Stored Cross-Site Scripting via content_block Shortcode | | LOW | *-3.3.9 | 3.4.1 | June 29, 2026 |
| categories-images | categories-images | 93 | Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'z_taxonomy_image' Shortcode | | LOW | *-3.3.1 | 3.3.2 | June 29, 2026 |
| cmp-coming-soon-maintenance | cmp-coming-soon-maintenance | 93 | CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.16 - Missing Authorization to Authenticated (Administrator+) Arbitrary File Upload and Remote Code Execution | | LOW | *-4.1.16 | 4.1.17 | June 29, 2026 |
| coblocks | coblocks | 93 | Page Builder Gutenberg Blocks <= 3.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via External iCal Feed Data | | LOW | *-3.1.16 | 3.1.17 | June 29, 2026 |
| ultimate-flipbox-addon-for-elementor | ultimate-flipbox-addon-for-elementor | N/A | Flipbox Addon for Elementor <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Attributes | | LOW | *-2.0.8 | 2.1.2 | June 29, 2026 |
| hostel | hostel | 93 | Hostel <= 1.1.6 - Reflected Cross-Site Scripting via 'shortcode_id' Parameter | | LOW | *-1.1.6 | 1.1.7 | June 29, 2026 |
| youzify | youzify | N/A | Youzify <= 1.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'checkin_place_id' Parameter | | LOW | *-1.3.6 | 1.3.7 | June 29, 2026 |
| easy-appointments | easy-appointments | 93 | Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API | | LOW | *-3.12.21 | 3.12.22 | June 29, 2026 |
| pz-linkcard | pz-linkcard | N/A | Pz-LinkCard <= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-2.5.8.1 | | June 29, 2026 |
| Drag and Drop Multiple File Upload for Contact Form 7 | drag-and-drop-multiple-file-upload-contact-form-7 | 93 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.7 - Unauthenticated Arbitrary File Upload via Non-ASCII Filename Blacklist Bypass | | LOW | *-1.3.9.7 | 1.3.9.8 | June 29, 2026 |
| Drag and Drop Multiple File Upload for Contact Form 7 | drag-and-drop-multiple-file-upload-contact-form-7 | 93 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.6 - Unauthenticated Limited Arbitrary File Read via mfile Field | | LOW | *-1.3.9.6 | 1.3.9.7 | June 29, 2026 |
| customer-area | customer-area | 89 | WP Customer Area <= 8.3.4 - Authenticated (Subscriber+) Arbitrary File Read/Deletion via ajax_attach_file | | LOW | *-8.3.4 | 8.3.5 | June 29, 2026 |
| wpstream | wpstream | N/A | WpStream – Live Streaming, Video on Demand, Pay Per View < 4.11.2 - Authenticated (Subscriber+) Arbitrary File Upload | | LOW | [*, 4.11.2) | 4.11.2 | June 29, 2026 |
| table-rate-shipping-pro | table-rate-shipping-pro | N/A | WowShipping Pro 1.0.6 - Injected Backdoor | | LOW | [*, 1.0.8) | 1.0.8 | June 29, 2026 |
| videozen | videozen | N/A | VideoZen <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'VideoZen available subtitles languages' Field | | LOW | *-1.0.1 | | June 29, 2026 |
| cms-fuer-motorrad-werkstaetten | cms-fuer-motorrad-werkstaetten | 89 | CMS für Motorrad Werkstätten <= 1.0.0 - Cross-Site Request Forgery | | LOW | *-1.0.0 | | June 29, 2026 |
| canto | canto | 91 | Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification | | LOW | *-3.1.1 | | June 29, 2026 |
| unlimited-elements-for-elementor | unlimited-elements-for-elementor | N/A | Unlimited Elements For Elementor <= 2.0.6 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal in Repeater JSON/CSV URL with Path Traversal | | LOW | *-2.0.6 | 2.0.7 | June 29, 2026 |
| quiz-master-next | quiz-master-next | N/A | Quiz and Survey Master (QSM) <= 11.1.0 - Unauthenticated Shortcode Injection Leading to Arbitrary Quiz Result Disclosure via Quiz Answer Text Input Fields | | LOW | *-10.1.0 | 11.1.1 | June 29, 2026 |
| backup | backup | 93 | JetBackup <= 3.1.19.8 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal in 'fileName' Parameter | | LOW | *-3.1.19.8 | 3.1.20.3 | June 29, 2026 |
| LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint | 83 | LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID | | LOW | *-5.3.2 | 5.4.0 | June 29, 2026 |
| tutor | tutor | N/A | Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter | | LOW | *-3.9.8 | 3.9.9 | June 29, 2026 |
| tutor | tutor | N/A | Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order | | LOW | *-3.9.8 | 3.9.9 | June 29, 2026 |
| kubio | kubio | 93 | Kubio AI Page Builder <= 2.7.2 - Missing Authorization to Authenticated (Contributor+) Limited File Upload via Kubio Block Attributes | | LOW | *-2.7.2 | 2.7.3 | June 29, 2026 |
| form-maker | form-maker | 93 | Form Maker by 10Web <= 1.15.40 - Authenticated (Administrator+) SQL Injection via 'ip_search' Parameter | | LOW | *-1.15.40 | 1.15.41 | June 29, 2026 |
| wpforo | wpforo | N/A | wpForo Forum <= 2.4.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter | | LOW | *-2.4.16 | 3.0.0 | June 29, 2026 |
| WP Statistics – Simple, privacy-friendly Google Analytics alternative | wp-statistics | 90 | WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation | | LOW | *-14.16.4 | 14.16.5 | June 29, 2026 |
| WP Statistics – Simple, privacy-friendly Google Analytics alternative | wp-statistics | 90 | WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter | | LOW | *-14.16.4 | 14.16.5 | June 29, 2026 |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via Instagram Feed Widget | | LOW | *-1.7.1056 | 1.7.1057 | June 29, 2026 |
| masterstudy-lms-learning-management-system | masterstudy-lms-learning-management-system | 93 | MasterStudy LMS <= 3.7.25 - Authenticated (Subscriber+) Time-based Blind SQL Injection via 'order' and 'orderby' Parameters | | LOW | *-3.7.25 | 3.7.26 | June 29, 2026 |
| Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | fluentform | 78 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 6.1.21 - Insecure Direct Object Reference in Stripe SCA Confirmation to Unauthenticated Payment Status Modification | | LOW | 6.1.21 | 6.2.0 | June 29, 2026 |
| wpzoom-elementor-addons | wpzoom-elementor-addons | N/A | WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.4 - Reflected Cross-Site Scripting | | LOW | *-1.3.4 | 1.3.5 | June 29, 2026 |
| wpr-addons-pro | wpr-addons-pro | N/A | Royal Elementor Addons < 1.7.1041 - Unauthenticated Stored Cross-Site Scripting | | LOW | [*, 1.6.01) | 1.6.01 | June 29, 2026 |
| MyRewards | woorewards | N/A | MyRewards <= 5.7.3 - Missing Authorization | | LOW | *-5.7.3 | 5.7.4 | June 29, 2026 |
| woocommerce-product-filters | woocommerce-product-filters | N/A | WooCommerce Product Filters < 2.0.6 - Unauthenticated PHP Object Injection | | LOW | [*, 2.0.6) | 2.0.6 | June 29, 2026 |
| woo-redsys-gateway-light | woo-redsys-gateway-light | N/A | Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Missing Authorization | | LOW | *-7.0.0 | 7.0.1 | June 29, 2026 |
| user-registration-stripe | user-registration-stripe | N/A | User Registration Stripe <= 1.3.14 - Missing Authorization | | LOW | *-1.3.14 | 1.3.15 | June 29, 2026 |
| ultra-addons-for-wpforms | ultra-addons-for-wpforms | N/A | Ultra Addons for WPForms <= 1.0.11 - Missing Authorization | | LOW | *-1.0.11 | 1.0.12 | June 29, 2026 |
| shipment-tracker-for-woocommerce | shipment-tracker-for-woocommerce | N/A | Shipment Tracker for Woocommerce <= 1.5.3.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting | | LOW | *-1.5.3.2 | 1.5.3.3 | June 29, 2026 |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Elementor Addons < 1.7.1041 - Unauthenticated Stored Cross-Site Scripting | | LOW | [*, 1.7.1041) | 1.7.1041 | June 29, 2026 |
| leco-client-portal | leco-client-portal | 93 | Client Portal (Pro) <= 5.6.2 - Authenticated (CP Client+) Arbitrary File Download | | LOW | *-5.6.2 | 5.6.3 | June 29, 2026 |
| instagram-slider-widget | instagram-slider-widget | 93 | Social Slider Feed <= 2.3.2 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-2.3.2 | 2.3.3 | June 29, 2026 |
| happy-helpdesk-support-ticket-system | happy-helpdesk-support-ticket-system | 93 | HAPPY – Helpdesk Support Ticket System <= 1.0.10 - Missing Authorization | | LOW | *-1.0.10 | 1.0.11 | June 29, 2026 |
| groundhogg | groundhogg | 93 | Groundhogg — CRM, Newsletters, and Marketing Automation <= 4.4 - Authenticated (Sales Representative+) Arbitrary File Deletion | | LOW | *-4.4 | 4.4.1 | June 29, 2026 |
| events-for-geodirectory | events-for-geodirectory | 93 | Events Calendar for GeoDirectory <= 2.3.25 - Authenticated (Contributor+) PHP Object Injection | | LOW | *-2.3.25 | 2.3.26 | June 29, 2026 |
| eltd-listing | eltd-listing | 93 | Elated Listing <= 1.4 - Missing Authorization | | LOW | *-1.4 | 1.5 | June 29, 2026 |
| bBlocks – Essential Gutenberg Blocks & Patterns Collection | b-blocks | 90 | bBlocks – Essential Gutenberg Blocks & Patterns Collection <= 2.0.31 - Authenticated (Contributor+) Privilege Escalation | | LOW | *-2.0.31 | 2.0.32 | June 29, 2026 |
| academy-pro | academy-pro | 97 | Academy LMS Pro < 3.5.2 - Authenticated (Custom+) Arbitrary File Upload | | LOW | [*, 3.5.2) | 3.5.2 | June 29, 2026 |
| real-time-auto-find-and-replace | real-time-auto-find-and-replace | N/A | Better Find and Replace – AI-Powered Suggestions <= 1.7.9 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Image Title | | LOW | *-1.7.9 | 1.8.0 | June 29, 2026 |
| onesignal-free-web-push-notifications | onesignal-free-web-push-notifications | N/A | OneSignal – Web Push Notifications <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Post Meta Deletion via 'post_id' | | LOW | *-3.8.0 | 3.8.1 | June 29, 2026 |
| directorypress | directorypress | 93 | DirectoryPress – Business Directory And Classified Ad Listing <= 3.6.26 - Unauthenticated SQL Injection via 'packages' | | LOW | *-3.6.26 | 3.6.27 | June 29, 2026 |
| ultimate-post | ultimate-post | N/A | Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.5 - Missing Authorization to Limited Post Meta Modification | | LOW | *-5.0.5 | 5.0.6 | June 29, 2026 |
| career-section | career-section | 93 | Career Section <= 1.6 - Cross-Site Request Forgery to Arbitrary File Deletion | | LOW | *-1.6 | 1.7 | June 29, 2026 |
| prismatic | prismatic | N/A | Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode | | LOW | *-3.7.3 | 3.7.4 | June 29, 2026 |
| betterdocs | betterdocs | 93 | BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-4.3.8 | 4.3.9 | June 29, 2026 |
| Email Encoder – Protect Email Addresses and Phone Numbers | email-encoder-bundle | 91 | Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode | | LOW | *-2.4.4 | 2.4.5 | June 29, 2026 |
| addons-for-elementor | addons-for-elementor | 93 | Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings | | LOW | *-9.0 | | June 29, 2026 |
| addons-for-elementor | addons-for-elementor | 93 | Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter | | LOW | *-9.0 | | June 29, 2026 |
| WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters | wp-google-map-plugin | 74 | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'put_wpgm' Shortcode | | LOW | *-4.8.7 | 4.8.8 | June 29, 2026 |
| open-brain | open-brain | N/A | OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting | | LOW | *-0.5.0 | | June 29, 2026 |
| customer-reviews-woocommerce | customer-reviews-woocommerce | 93 | Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch' | | LOW | *-5.101.0 | 5.102.0 | June 29, 2026 |
| basic-google-maps-placemarks | basic-google-maps-placemarks | 93 | Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update | | LOW | *-1.10.7 | 1.10.8 | June 29, 2026 |
| custom-new-user-notification | custom-new-user-notification | 91 | Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting | | LOW | *-1.2.0 | | June 29, 2026 |
| online-accessibility | online-accessibility | N/A | Accessibility Suite by Ability, Inc <= 4.20 - Authenticated (Subscriber+) SQL Injection via 'scan_id' Parameter | | LOW | *-4.20 | | June 29, 2026 |
| riaxe-product-customizer | riaxe-product-customizer | N/A | Riaxe Product Customizer <= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data | | LOW | *-2.1.2 | | June 29, 2026 |
| riaxe-product-customizer | riaxe-product-customizer | N/A | Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter | | LOW | *-2.1.2 | | June 29, 2026 |
| riaxe-product-customizer | riaxe-product-customizer | N/A | Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action | | LOW | *-2.1.2 | | June 29, 2026 |
| acymailing | acymailing | 97 | AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation | | LOW | 9.11.0-10.8.1 | 10.8.2 | June 29, 2026 |
| woo-redsys-gateway-light | woo-redsys-gateway-light | N/A | Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation | | LOW | *-7.0.0 | 7.0.1 | June 29, 2026 |
| codecolorer | codecolorer | 93 | CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting via 'class' attribute in 'cc' Comment Shortcode | | LOW | *-0.10.1 | 0.10.2 | June 29, 2026 |
| wp-docs | wp-docs | N/A | WP Docs <= 2.2.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'wpdocs_options[icon_size]' | | LOW | *-2.2.9 | 2.3.0 | June 29, 2026 |
| shortcodes-ultimate | shortcodes-ultimate | N/A | WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode | | LOW | *-7.4.9 | 7.5.0 | June 29, 2026 |
| wp-youtube-lyte | wp-youtube-lyte | N/A | WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode | | LOW | *-1.7.29 | 1.7.30 | June 29, 2026 |
| barcode-scanner-lite-pos-to-manage-products-inventory-and-orders | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders | 93 | Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication | | LOW | *-1.11.0 | 1.12.0 | June 29, 2026 |
| wp-user-avatar | wp-user-avatar | N/A | ProfilePress <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription | | LOW | *-4.16.12 | 4.16.13 | June 29, 2026 |
| youtube-showcase | youtube-showcase | N/A | Video Gallery – YouTube Gallery & Responsive Video Playlist <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.5.1 | 3.5.2 | June 29, 2026 |
LOW

career-section

career-section

Score: 93/100 Career Section <= 1.6 - Cross-Site Request Forgery to Arbitrary File Deletion Affected: *-1.6 Patched: 1.7 Updated: June 29, 2026
LOW

prismatic

prismatic

Score: N/A Prismatic <= 3.7.3 - Unauthenticated Stored Cross-Site Scripting via 'prismatic_encoded' Pseudo-Shortcode Affected: *-3.7.3 Patched: 3.7.4 Updated: June 29, 2026
LOW

betterdocs

betterdocs

Score: 93/100 BetterDocs <= 4.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-4.3.8 Patched: 4.3.9 Updated: June 29, 2026
LOW

Email Encoder – Protect Email Addresses and Phone Numbers

email-encoder-bundle

Score: 91/100 Email Encoder – Protect Email Addresses and Phone Numbers <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via eeb_mailto Shortcode Affected: *-2.4.4 Patched: 2.4.5 Updated: June 29, 2026
LOW

addons-for-elementor

addons-for-elementor

Score: 93/100 Livemesh Addons by Elementor <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings Affected: *-9.0 Patched: Updated: June 29, 2026
LOW

addons-for-elementor

addons-for-elementor

Score: 93/100 Livemesh Addons by Elementor <= 9.0 - Authenticated (Contributor+) Local File Inclusion via Widget Template Parameter Affected: *-9.0 Patched: Updated: June 29, 2026
LOW

open-brain

open-brain

Score: N/A OPEN-BRAIN <= 0.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting Affected: *-0.5.0 Patched: Updated: June 29, 2026
LOW

customer-reviews-woocommerce

customer-reviews-woocommerce

Score: 93/100 Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch' Affected: *-5.101.0 Patched: 5.102.0 Updated: June 29, 2026
LOW

basic-google-maps-placemarks

basic-google-maps-placemarks

Score: 93/100 Basic Google Maps Placemarks <= 1.10.7 - Missing Authorization to Unauthenticated Default Map Coordinate Update Affected: *-1.10.7 Patched: 1.10.8 Updated: June 29, 2026
LOW

custom-new-user-notification

custom-new-user-notification

Score: 91/100 Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting Affected: *-1.2.0 Patched: Updated: June 29, 2026
LOW

online-accessibility

online-accessibility

Score: N/A Accessibility Suite by Ability, Inc <= 4.20 - Authenticated (Subscriber+) SQL Injection via 'scan_id' Parameter Affected: *-4.20 Patched: Updated: June 29, 2026
LOW

riaxe-product-customizer

riaxe-product-customizer

Score: N/A Riaxe Product Customizer <= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data Affected: *-2.1.2 Patched: Updated: June 29, 2026
LOW

riaxe-product-customizer

riaxe-product-customizer

Score: N/A Riaxe Product Customizer <= 2.1.2 - Unauthenticated Arbitrary User Deletion via 'user_id' Parameter Affected: *-2.1.2 Patched: Updated: June 29, 2026
LOW

riaxe-product-customizer

riaxe-product-customizer

Score: N/A Riaxe Product Customizer <= 2.1.2 - Missing Authorization to Unauthenticated Arbitrary Options Update to Privilege Escalation via 'install-imprint' AJAX Action Affected: *-2.1.2 Patched: Updated: June 29, 2026
LOW

acymailing

acymailing

Score: 97/100 AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation Affected: 9.11.0-10.8.1 Patched: 10.8.2 Updated: June 29, 2026
LOW

woo-redsys-gateway-light

woo-redsys-gateway-light

Score: N/A Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation Affected: *-7.0.0 Patched: 7.0.1 Updated: June 29, 2026
LOW

codecolorer

codecolorer

Score: 93/100 CodeColorer <= 0.10.1 - Unauthenticated Stored Cross-Site Scripting via 'class' attribute in 'cc' Comment Shortcode Affected: *-0.10.1 Patched: 0.10.2 Updated: June 29, 2026
LOW

wp-docs

wp-docs

Score: N/A WP Docs <= 2.2.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'wpdocs_options[icon_size]' Affected: *-2.2.9 Patched: 2.3.0 Updated: June 29, 2026
LOW

shortcodes-ultimate

shortcodes-ultimate

Score: N/A WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via su_box Shortcode Affected: *-7.4.9 Patched: 7.5.0 Updated: June 29, 2026
LOW

wp-youtube-lyte

wp-youtube-lyte

Score: N/A WP YouTube Lyte <= 1.7.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via lyte Shortcode Affected: *-1.7.29 Patched: 1.7.30 Updated: June 29, 2026
LOW

barcode-scanner-lite-pos-to-manage-products-inventory-and-orders

barcode-scanner-lite-pos-to-manage-products-inventory-and-orders

Score: 93/100 Barcode Scanner (+Mobile App) <= 1.11.0 - Unauthenticated Privilege Escalation via Insecure Token Authentication Affected: *-1.11.0 Patched: 1.12.0 Updated: June 29, 2026
LOW

wp-user-avatar

wp-user-avatar

Score: N/A ProfilePress <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription Affected: *-4.16.12 Patched: 4.16.13 Updated: June 29, 2026
LOW

youtube-showcase

youtube-showcase

Score: N/A Video Gallery – YouTube Gallery & Responsive Video Playlist <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.5.1 Patched: 3.5.2 Updated: June 29, 2026

Showing 1301 to 1400 of 36189 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 10:33 UTC.