Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36189 (across tracked plugins)
Affected Plugins: 96 (with open vulnerabilities)
Critical / High: 0 (require immediate attention)
Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ultimate-faqs | ultimate-faqs | N/A | Ultimate FAQ Accordion Plugin <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting via FAQ Content | | LOW | *-2.4.7 | 2.4.8 | June 29, 2026 |
| Download Manager | download-manager | 63 | Download Manager <= 3.3.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-3.3.52 | 3.3.53 | June 29, 2026 |
| bnm-blocks | bnm-blocks | 93 | Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute | | LOW | *-1.3.0 | 1.3.1 | June 29, 2026 |
| mw-wp-form | mw-wp-form | N/A | MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys | | LOW | *-5.1.1 | 5.1.2 | June 29, 2026 |
| advanced-cf7-db | advanced-cf7-db | 95 | Advanced CF7 DB <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion | | LOW | *-2.0.9 | 2.1.0 | June 29, 2026 |
| advanced-cf7-db | advanced-cf7-db | 95 | Advanced CF7 DB <= 2.0.9 - Missing Authorization to Authenticated (Subscriber+) Form Submissions Excel Export | | LOW | *-2.0.9 | 2.1.0 | June 29, 2026 |
| prosolution-wp-client | prosolution-wp-client | N/A | ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess | | LOW | *-1.9.9 | 2.0.0 | June 29, 2026 |
| ziggeo | ziggeo | N/A | Ziggeo <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via 'ziggeo_ajax' AJAX Action | | LOW | *-3.1.1 | 3.1.2 | June 29, 2026 |
| wpdirectorykit | wpdirectorykit | N/A | WP Directory Kit <= 1.5.0 - Missing Authorization | | LOW | *-1.5.0 | 1.5.1 | June 29, 2026 |
| WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters | wp-google-map-plugin | 74 | WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters <= 4.9.1 - Unauthenticated SQL Injection | | LOW | *-4.9.1 | 4.9.2 | June 29, 2026 |
| wp-businessdirectory | wp-businessdirectory | N/A | WP-BusinessDirectory – Business directory plugin for WordPress <= 4.0.0 - Authenticated (Subscriber+) Arbitrary File Upload | | LOW | *-4.0.0 | 4.0.1 | June 29, 2026 |
| wp-base-booking-of-appointments-services-and-events | wp-base-booking-of-appointments-services-and-events | N/A | WP BASE Booking of Appointments, Services and Events <= 5.9.0 - Unauthenticated Privilege Escalation | | LOW | *-5.9.0 | 6.0.0 | June 29, 2026 |
| woocommerce-multi-locations-inventory-management | woocommerce-multi-locations-inventory-management | N/A | MultiLoca <= 4.2.15 - Authenticated (Subscriber+) Privilege Escalation | | LOW | *-4.2.15 | 4.2.16 | June 29, 2026 |
| woo-cart-abandonment-recovery | woo-cart-abandonment-recovery | N/A | Cart Abandonment Recovery for WooCommerce – Recover Lost Sales with Automated Emails < 2.1.0 - Authenticated (Shop Manager+) Privilege Escalation | | LOW | [*, 2.1.0) | 2.1.0 | June 29, 2026 |
| sql-chart-builder | sql-chart-builder | N/A | SQL Chart Builder < 2.3.8 - Unauthenticated SQL Injection | | LOW | [*, 2.3.8) | 2.3.8 | June 29, 2026 |
| solene-core | solene-core | N/A | Solene Core <= 2.3.2 - Unauthenticated Local File Inclusion | | LOW | *-2.3.2 | 2.3.4 | June 29, 2026 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments | N/A | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.27 - Unauthenticated SQL Injection | | LOW | *-1.6.9.27 | 1.6.9.29 | June 29, 2026 |
| osm | osm | N/A | OSM <= 6.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'marker_name' Shortcode Attribute | | LOW | *-6.1.15 | 6.1.16 | June 29, 2026 |
| nextend-smart-slider3-pro | nextend-smart-slider3-pro | N/A | Smart Slider 3 Pro 3.5.1.35 - Backdoor Embedded via Supply Chain Compromise | | LOW | 3.5.1.35 | 3.5.1.36 | June 29, 2026 |
| mstore-api | mstore-api | N/A | MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update | | LOW | *-4.18.3 | 4.18.4 | June 29, 2026 |
| mikado-core | mikado-core | N/A | Mikado Core <= 1.6 - Unauthenticated Local File Inclusion | | LOW | *-1.6 | 1.7.2 | June 29, 2026 |
| List category posts | list-category-posts | 94 | List category posts <= 0.94.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'catlist' Shortcode | | LOW | *-0.94.0 | 0.95.0 | June 29, 2026 |
| learning-management-system | learning-management-system | 93 | Masteriyo LMS – Online Course Builder for eLearning, LMS & Education <= 2.1.5 - Missing Authorization | | LOW | *-2.1.5 | 2.1.6 | June 29, 2026 |
| geeky-bot | geeky-bot | 93 | GeekyBot — AI Copilot, Chatbot, WooCommerce Lead Gen & Zero-Prompt Content <= 1.2.0 - Unauthenticated SQL Injection | | LOW | *-1.2.0 | 1.2.1 | June 29, 2026 |
| form-maker | form-maker | 93 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.38 - Unauthenticated SQL Injection | | LOW | *-1.15.38 | 1.15.39 | June 29, 2026 |
| experto-custom-dashboard | experto-custom-dashboard | 93 | Experto Dashboard for WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Navigation Font Size' Setting | | LOW | *-1.0.4 | 1.0.5 | June 29, 2026 |
| datalogics | datalogics | 93 | Datalogics Ecommerce Delivery – Datalogics <= 2.6.62 - Unauthenticated Privilege Escalation | | LOW | *-2.6.62 | 2.6.63 | June 29, 2026 |
| bookly-responsive-appointment-booking-tool | bookly-responsive-appointment-booking-tool | 93 | Online Scheduling and Appointment Booking System – Bookly <= 27.0 - Unauthenticated Price Manipulation via 'tips' | | LOW | *-27.0 | 27.1 | June 29, 2026 |
| blocksy-companion-pro | blocksy-companion-pro | 93 | Blocksy Companion Pro < 2.1.29 - Unauthenticated SQL Injection | | LOW | [*, 2.1.29) | 2.1.29 | June 29, 2026 |
| Backup Migration | backup-backup | 61 | BackupBliss – Backup & Migration with Free Cloud Storage <= 2.1.1 - Unauthenticated Information Exposure | | LOW | *-2.1.1 | 2.1.2 | June 29, 2026 |
| ays-popup-box | ays-popup-box | 93 | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups < 5.5.0 - Unauthenticated Stored Cross-Site Scripting | | LOW | [*, 5.5.0) | 5.5.0 | June 29, 2026 |
| another-wordpress-classifieds-plugin | another-wordpress-classifieds-plugin | 97 | AWP Classifieds <= 4.4.4 - Missing Authorization | | LOW | *-4.4.4 | 4.4.5 | June 29, 2026 |
| addons-for-elementor-builder | addons-for-elementor-builder | 97 | Vertex Addons for Elementor <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation via 'afeb_activate_required_plugins' | | LOW | *-1.6.4 | 1.7.0 | June 29, 2026 |
| User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | user-registration | N/A | User Registration & Membership <= 5.1.2 - Authenticated (Subscriber+) SQL Injection via membership_ids[] | | LOW | *-5.1.2 | 5.1.3 | June 29, 2026 |
| beaver-builder-lite-version | beaver-builder-lite-version | 93 | Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'settings[js]' | | LOW | *-2.10.1.1 | 2.10.1.2 | June 29, 2026 |
| privatecontent-free | privatecontent-free | N/A | PrivateContent Free <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Shortcode Attribute | | LOW | *-1.2.0 | 1.3.0 | June 29, 2026 |
| Robo Gallery – Photo & Image Slider | robo-gallery | N/A | Robo Gallery <= 5.1.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'Loading Label' Setting | | LOW | *-5.1.3 | 5.1.4 | June 29, 2026 |
| pdfl-io | pdfl-io | N/A | pdfl.io <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute | | LOW | *-1.0.5 | 1.0.6 | June 29, 2026 |
| wp-stats-manager | wp-stats-manager | N/A | WP Visitor Statistics (Real Time Traffic) <= 8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'height' Shortcode Attribute | | LOW | *-8.4 | 8.5 | June 29, 2026 |
| magic-conversation-for-gravity-forms | magic-conversation-for-gravity-forms | 93 | Magic Conversation For Gravity Forms <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-3.0.97 | 3.0.98 | June 29, 2026 |
| bdthemes-element-pack-lite | bdthemes-element-pack-lite | 93 | Element Pack Addons for Elementor <= 8.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG Image Widget | | LOW | *-8.4.2 | 8.5.0 | June 29, 2026 |
| blog2social | blog2social | 93 | Blog2Social: Social Media Auto Post & Scheduler <= 8.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter | | LOW | *-8.8.3 | 8.8.4 | June 29, 2026 |
| learning-management-system | learning-management-system | 93 | Masteriyo LMS <= 2.1.7 - Unauthenticated Authorization Bypass to Arbitrary Order Completion via Stripe Webhook Endpoint | | LOW | *-2.1.7 | 2.1.8 | June 29, 2026 |
| whole-cart-enquiry | whole-cart-enquiry | N/A | Whole Enquiry Cart for WooCommerce <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'woowhole_success_msg' Parameter | | LOW | *-1.2.1 | | June 29, 2026 |
| dsgvo-google-web-fonts-gdpr | dsgvo-google-web-fonts-gdpr | 91 | DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter | | LOW | *-1.1 | | June 29, 2026 |
| wp-blockade | wp-blockade | N/A | WP Blockade <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter | | LOW | *-0.9.14 | | June 29, 2026 |
| pz-frontend-manager | pz-frontend-manager | N/A | PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter | | LOW | *-1.0.6 | | June 29, 2026 |
| am-lottieplayer | am-lottieplayer | 95 | AM LottiePlayer <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG | | LOW | *-3.6.0 | | June 29, 2026 |
| attendance-manager | attendance-manager | 89 | Attendance Manager <= 0.6.2 - Authenticated (Subscriber+) SQL Injection via 'attmgr_off' Parameter | | LOW | *-0.6.2 | | June 29, 2026 |
| sports-club-management | sports-club-management | N/A | Sports Club Management <= 1.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'before' Attribute | | LOW | *-1.12.9 | | June 29, 2026 |
| gerador-de-certificados-devapps | gerador-de-certificados-devapps | 91 | Gerador de Certificados – DevApps <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload | | LOW | *-1.3.6 | | June 29, 2026 |
| columns-bws | columns-bws | 91 | Columns by BestWebSoft <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute | | LOW | *-1.0.3 | | June 29, 2026 |
| quran-translations-by-edc | quran-translations-by-edc | N/A | Quran Translations <= 1.7 - Cross-Site Request Forgery to Playlist Settings Form | | LOW | *-1.7 | | June 29, 2026 |
| riaxe-product-customizer | riaxe-product-customizer | N/A | Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint | | LOW | *-2.4 | | June 29, 2026 |
| pinterest-site-verification | pinterest-site-verification | N/A | Pinterest Site Verification plugin using Meta Tag <= 1.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'post_var' | | LOW | *-1.8 | | June 29, 2026 |
| wavr | wavr | N/A | Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-0.2.6 | | June 29, 2026 |
| wowpress | wowpress | N/A | WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.0.0 | | June 29, 2026 |
| inquiry-form-to-posts-or-pages | inquiry-form-to-posts-or-pages | 89 | Inquiry form to posts or pages <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Form Header Field | | LOW | *-1.0 | | June 29, 2026 |
| the-plus-addons-for-elementor-page-builder | the-plus-addons-for-elementor-page-builder | N/A | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar | | LOW | *-6.4.9 | 6.4.10 | June 29, 2026 |
| investi | investi | 93 | Investi <= 1.0.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'maximum-num-years' Shortcode Attribute | | LOW | *-1.0.26 | 1.0.27 | June 29, 2026 |
| strong-testimonials | strong-testimonials | N/A | Strong Testimonials <= 3.2.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via testimonial_view Shortcode | | LOW | *-3.2.21 | 3.2.22 | June 29, 2026 |
| posts-table-filterable | posts-table-filterable | N/A | TableOn – WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute | | LOW | *-1.0.4.4 | 1.0.5 | June 29, 2026 |
| userspn | userspn | N/A | Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action | | LOW | *-1.1.15 | 1.1.20 | June 29, 2026 |
| ltl-freight-quotes-rl-edition | ltl-freight-quotes-rl-edition | 93 | LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update | | LOW | *-3.3.13 | 3.3.14 | June 29, 2026 |
| mainwp-child-reports | mainwp-child-reports | 93 | MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API | | LOW | *-2.2.6 | 2.3 | June 29, 2026 |
| Prime Slider Addons for Elementor | bdthemes-prime-slider-lite | 88 | Prime Slider <= 4.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'follow_us_text' Parameter | | LOW | *-4.1.10 | 4.1.11 | June 29, 2026 |
| learnpress | learnpress | 93 | LearnPress <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute | | LOW | *-4.3.3 | 4.3.4 | June 29, 2026 |
| LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint | 83 | LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-5.3.0 | 5.3.1 | June 29, 2026 |
| wp-jquery-lightbox | wp-jquery-lightbox | N/A | LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute | | LOW | *-2.3.4 | 2.3.5 | June 29, 2026 |
| powerpress | powerpress | N/A | Blubrry PowerPress <= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes | | LOW | *-11.15.15 | 11.15.16 | June 29, 2026 |
| Elementor Website Builder – more than just a page builder | elementor | 79 | Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API | | LOW | *-3.35.5 | 3.35.6 | June 29, 2026 |
| woo-product-feed-pro | woo-product-feed-pro | N/A | Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions | | LOW | 13.4.6-13.5.2.1 | 13.5.2.2 | June 29, 2026 |
| Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder | everest-forms | 68 | Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata | | LOW | *-3.4.3 | 3.4.4 | June 29, 2026 |
| download-monitor | download-monitor | 93 | Download Monitor <= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling | | LOW | *-5.1.10 | 5.1.11 | June 29, 2026 |
| Hustle – Email Marketing, Lead Generation, Optins, Popups | wordpress-popup | 91 | Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation | | LOW | *-7.8.10.2 | 7.8.11 | June 29, 2026 |
| gravityforms | gravityforms | 93 | Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field | | LOW | *-2.9.30 | 2.9.31 | June 29, 2026 |
| gravityforms | gravityforms | 93 | Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter | | LOW | *-2.9.30 | 2.9.31 | June 29, 2026 |
| Smart Slider 3 | smart-slider-3 | 90 | Smart Slider 3 <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation | | LOW | *-3.5.1.33 | 3.5.1.34 | June 29, 2026 |
| worpit-admin-dashboard-plugin | worpit-admin-dashboard-plugin | N/A | iControlWP <= 5.5.3 - Unauthenticated Privilege Escalation | | LOW | *-5.5.3 | 5.5.4 | June 29, 2026 |
| woo-bulk-editor | woo-bulk-editor | N/A | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion | | LOW | *-1.1.5 | 1.1.6 | June 29, 2026 |
| woo-bulk-editor | woo-bulk-editor | N/A | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Product Data Modification | | LOW | *-1.1.5 | 1.1.6 | June 29, 2026 |
| webappick-product-feed-for-woocommerce | webappick-product-feed-for-woocommerce | N/A | Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels <= 6.6.26 - Authenticated (Shop Manager+) PHP Object Injection | | LOW | *-6.6.26 | 6.6.27 | June 29, 2026 |
| Product Table & List Builder for WooCommerce Lite | wc-product-table-lite | N/A | Product Table and List Builder for WooCommerce Lite <= 4.6.3 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-4.6.3 | 4.6.4 | June 29, 2026 |
| wc-ajax-product-filter | wc-ajax-product-filter | N/A | WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection | | LOW | *-4.2.3 | 4.3.0 | June 29, 2026 |
| under-construction-maintenance-mode | under-construction-maintenance-mode | N/A | Under Construction, Coming Soon & Maintenance Mode <= 2.1.1 - Cross-Site Request Forgery | | LOW | *-2.1.1 | 2.1.2 | June 29, 2026 |
| timetics | timetics | N/A | Timetics – Appointment Booking & Scheduling <= 1.0.53 - Missing Authorization | | LOW | *-1.0.53 | 1.0.54 | June 29, 2026 |
| thegov-core | thegov-core | N/A | Thegov Core < 2.0.23 - Unauthenticated Local File Inclusion | | LOW | [*, 2.0.23) | 2.0.23 | June 29, 2026 |
| softlab-core | softlab-core | N/A | Softlab Core < 1.2.11 - Unauthenticated Local File Inclusion | | LOW | [*, 1.2.11) | 1.2.11 | June 29, 2026 |
| simple-social-buttons | simple-social-buttons | N/A | Simple Social Media Share Buttons – Social Sharing for Everyone <= 6.2.0 - Cross-Site Request Forgery | | LOW | *-6.2.0 | 6.2.1 | June 29, 2026 |
| pagelayer | pagelayer | N/A | Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes | | LOW | *-2.0.8 | 2.0.9 | June 29, 2026 |
| ocean-extra | ocean-extra | N/A | Ocean Extra <= 2.5.3 - Missing Authorization | | LOW | *-2.5.3 | 2.5.4 | June 29, 2026 |
| ltl-freight-quotes-worldwide-express-edition | ltl-freight-quotes-worldwide-express-edition | 93 | LTL Freight Quotes – Worldwide Express Edition <= 5.2.1 - Missing Authorization | | LOW | *-5.2.1 | 5.2.2 | June 29, 2026 |
| link-whisper | link-whisper | 93 | Link Whisper Free < 0.9.1 - Missing Authorization to Unauthenticated Settings Change | | LOW | [*, 0.9.1) | 0.9.1 | June 29, 2026 |
| integrio-core | integrio-core | 93 | Integrio Core < 1.2.8 - Unauthenticated Local File Inclusion | | LOW | [*, 1.2.8) | 1.2.8 | June 29, 2026 |
| event-tickets-manager-for-woocommerce | event-tickets-manager-for-woocommerce | 93 | Event Tickets Manager for WooCommerce <= 1.5.3 - Missing Authorization | | LOW | *-1.5.3 | 1.5.4 | June 29, 2026 |
| awesome-support | awesome-support | 93 | Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter | | LOW | *-6.3.7 | 6.3.8 | June 29, 2026 |
| apartment-management | apartment-management | 88 | WPAMS - Apartment Management System for wordpress < 49.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion | | LOW | [*, 49.5.3) | 49.5.3 | June 29, 2026 |
| advanced-members | advanced-members | 97 | Advanced Members for ACF <= 1.2.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal | | LOW | *-1.2.5 | 1.2.6 | June 29, 2026 |
| charitable | charitable | 93 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook | | LOW | *-1.8.9.7 | 1.8.10 | June 29, 2026 |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking | 97 | Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter | | LOW | *-2.1.3 | 2.2 | June 29, 2026 |
LOW

wp-jquery-lightbox

wp-jquery-lightbox

Score: N/A LightPress Lightbox <= 2.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'group' Shortcode Attribute Affected: *-2.3.4 Patched: 2.3.5 Updated: June 29, 2026
LOW

powerpress

powerpress

Score: N/A Blubrry PowerPress <= 11.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via powerpress and podcast Shortcodes Affected: *-11.15.15 Patched: 11.15.16 Updated: June 29, 2026
LOW

woo-product-feed-pro

woo-product-feed-pro

Score: N/A Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce 13.4.6 - 13.5.2.1 - Cross-Site Request Forgery to Multiple Administrative Actions Affected: 13.4.6-13.5.2.1 Patched: 13.5.2.2 Updated: June 29, 2026
LOW

download-monitor

download-monitor

Score: 93/100 Download Monitor <= 5.1.10 - Cross-Site Request Forgery to Download Path Deletion and Disabling Affected: *-5.1.10 Patched: 5.1.11 Updated: June 29, 2026
LOW

Hustle – Email Marketing, Lead Generation, Optins, Popups

wordpress-popup

Score: 91/100 Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation Affected: *-7.8.10.2 Patched: 7.8.11 Updated: June 29, 2026
LOW

gravityforms

gravityforms

Score: 93/100 Gravity Forms <= 2.9.30 - Unauthenticated Stored Cross-Site Scripting via Credit Card 'Card Type' Sub-Field Affected: *-2.9.30 Patched: 2.9.31 Updated: June 29, 2026
LOW

gravityforms

gravityforms

Score: 93/100 Gravity Forms <= 2.9.30 - Reflected Cross-Site Scripting via 'form_ids' Parameter Affected: *-2.9.30 Patched: 2.9.31 Updated: June 29, 2026
LOW

Smart Slider 3

smart-slider-3

Score: 90/100 Smart Slider 3 <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation Affected: *-3.5.1.33 Patched: 3.5.1.34 Updated: June 29, 2026
LOW

worpit-admin-dashboard-plugin

worpit-admin-dashboard-plugin

Score: N/A iControlWP <= 5.5.3 - Unauthenticated Privilege Escalation Affected: *-5.5.3 Patched: 5.5.4 Updated: June 29, 2026
LOW

woo-bulk-editor

woo-bulk-editor

Score: N/A BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion Affected: *-1.1.5 Patched: 1.1.6 Updated: June 29, 2026
LOW

woo-bulk-editor

woo-bulk-editor

Score: N/A BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Product Data Modification Affected: *-1.1.5 Patched: 1.1.6 Updated: June 29, 2026
LOW

webappick-product-feed-for-woocommerce

webappick-product-feed-for-woocommerce

Score: N/A Product Feed Manager for WooCommerce – CTX Feed – Support 220+ Shopping & Social Channels <= 6.6.26 - Authenticated (Shop Manager+) PHP Object Injection Affected: *-6.6.26 Patched: 6.6.27 Updated: June 29, 2026
LOW

Product Table & List Builder for WooCommerce Lite

wc-product-table-lite

Score: N/A Product Table and List Builder for WooCommerce Lite <= 4.6.3 - Unauthenticated Stored Cross-Site Scripting Affected: *-4.6.3 Patched: 4.6.4 Updated: June 29, 2026
LOW

wc-ajax-product-filter

wc-ajax-product-filter

Score: N/A WCAPF – WooCommerce Ajax Product Filter <= 4.2.3 - Unauthenticated Time-Based SQL Injection Affected: *-4.2.3 Patched: 4.3.0 Updated: June 29, 2026
LOW

under-construction-maintenance-mode

under-construction-maintenance-mode

Score: N/A Under Construction, Coming Soon & Maintenance Mode <= 2.1.1 - Cross-Site Request Forgery Affected: *-2.1.1 Patched: 2.1.2 Updated: June 29, 2026
LOW

timetics

timetics

Score: N/A Timetics – Appointment Booking & Scheduling <= 1.0.53 - Missing Authorization Affected: *-1.0.53 Patched: 1.0.54 Updated: June 29, 2026
LOW

thegov-core

thegov-core

Score: N/A Thegov Core < 2.0.23 - Unauthenticated Local File Inclusion Affected: [*, 2.0.23) Patched: 2.0.23 Updated: June 29, 2026
LOW

softlab-core

softlab-core

Score: N/A Softlab Core < 1.2.11 - Unauthenticated Local File Inclusion Affected: [*, 1.2.11) Patched: 1.2.11 Updated: June 29, 2026
LOW

simple-social-buttons

simple-social-buttons

Score: N/A Simple Social Media Share Buttons – Social Sharing for Everyone <= 6.2.0 - Cross-Site Request Forgery Affected: *-6.2.0 Patched: 6.2.1 Updated: June 29, 2026
LOW

pagelayer

pagelayer

Score: N/A Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes Affected: *-2.0.8 Patched: 2.0.9 Updated: June 29, 2026
LOW

ocean-extra

ocean-extra

Score: N/A Ocean Extra <= 2.5.3 - Missing Authorization Affected: *-2.5.3 Patched: 2.5.4 Updated: June 29, 2026
LOW

ltl-freight-quotes-worldwide-express-edition

ltl-freight-quotes-worldwide-express-edition

Score: 93/100 LTL Freight Quotes – Worldwide Express Edition <= 5.2.1 - Missing Authorization Affected: *-5.2.1 Patched: 5.2.2 Updated: June 29, 2026
LOW

link-whisper

link-whisper

Score: 93/100 Link Whisper Free < 0.9.1 - Missing Authorization to Unauthenticated Settings Change Affected: [*, 0.9.1) Patched: 0.9.1 Updated: June 29, 2026
LOW

integrio-core

integrio-core

Score: 93/100 Integrio Core < 1.2.8 - Unauthenticated Local File Inclusion Affected: [*, 1.2.8) Patched: 1.2.8 Updated: June 29, 2026
LOW

event-tickets-manager-for-woocommerce

event-tickets-manager-for-woocommerce

Score: 93/100 Event Tickets Manager for WooCommerce <= 1.5.3 - Missing Authorization Affected: *-1.5.3 Patched: 1.5.4 Updated: June 29, 2026
LOW

awesome-support

awesome-support

Score: 93/100 Awesome Support <= 6.3.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter Affected: *-6.3.7 Patched: 6.3.8 Updated: June 29, 2026
LOW

apartment-management

apartment-management

Score: 88/100 WPAMS - Apartment Management System for wordpress < 49.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion Affected: [*, 49.5.3) Patched: 49.5.3 Updated: June 29, 2026
LOW

advanced-members

advanced-members

Score: 97/100 Advanced Members for ACF <= 1.2.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal Affected: *-1.2.5 Patched: 1.2.6 Updated: June 29, 2026
LOW

charitable

charitable

Score: 93/100 Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook Affected: *-1.8.9.7 Patched: 1.8.10 Updated: June 29, 2026

Showing 1501 to 1600 of 36189 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 13:24 UTC.