Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36190 (across tracked plugins)
Affected Plugins: 90 (with open vulnerabilities)
Critical / High: 0 (require immediate attention)
Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score (/100) | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| Booking for Appointments and Events Calendar – Amelia | ameliabooking | 97 | Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter | | LOW | *-2.1.3 | 2.2 | June 29, 2026 |
| ninja-forms-uploads | ninja-forms-uploads | N/A | Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload | | LOW | *-3.3.26 | 3.3.27 | June 29, 2026 |
| woo-idpay-gateway | woo-idpay-gateway | N/A | IDPay Payment Gateway for Woocommerce <= 2.2.5 - Unauthenticated Information Exposure | | LOW | *-2.2.5 | | June 29, 2026 |
| media-library-assistant | media-library-assistant | 93 | Media Library Assistant <= 3.34 - Authenticated (Contributor+) SQL Injection | | LOW | *-3.34 | 3.35 | June 29, 2026 |
| media-library-assistant | media-library-assistant | 93 | Media Library Assistant <= 3.34 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.34 | 3.35 | June 29, 2026 |
| bricksforge | bricksforge | 93 | Bricksforge <= 3.1.8.4 - Unauthenticated Information Exposure | | LOW | *-3.1.8.4 | 3.1.8.5 | June 29, 2026 |
| Backup Migration | backup-backup | 61 | Backup Migration <= 2.0.0 - Missing Authorization to Unauthenticated Backup Upload to Offline Storage | | LOW | *-2.0.0 | 2.1.0 | June 29, 2026 |
| wpfunnels | wpfunnels | N/A | WPFunnels <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode | | LOW | *-3.7.9 | 3.8.0 | June 29, 2026 |
| wp-user-avatar | wp-user-avatar | N/A | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields | | LOW | *-4.16.11 | 4.16.12 | June 29, 2026 |
| wpforo | wpforo | N/A | wpForo Forum <= 2.4.16 - Authenticated (Subscriber+) Arbitrary File Deletion via Post Body | | LOW | *-2.4.16 | 2.4.17 | June 29, 2026 |
| visitors-traffic-real-time-statistics | visitors-traffic-real-time-statistics | N/A | Visitor Traffic Real Time Statistics <= 8.4 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-8.4 | 8.5 | June 29, 2026 |
| text-to-speech-tts | text-to-speech-tts | N/A | Text to Speech (TTS) by Mementor <= 1.9.8 - Use of Hardcoded Password to Unauthenticated Remote Database Access | | LOW | *-1.9.8 | 1.9.9 | June 29, 2026 |
| listeo-core | listeo-core | 91 | Listeo-Core - Directory Plugin by Purethemes <= 2.0.27 - Unauthenticated Arbitrary Media Upload | | LOW | *-2.0.27 | 2.0.28 | June 29, 2026 |
| social-photo-feed-widget | social-photo-feed-widget | N/A | Widgets for Social Photo Feed <= 1.7.9 - Unauthenticated Stored Cross-Site Scripting via feed_data | | LOW | *-1.7.9 | 1.8.0 | June 29, 2026 |
| wp-user-avatar | wp-user-avatar | N/A | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Missing Authorization to Authenticated (Subscriber+) Membership Payment Bypass | | LOW | *-4.16.11 | 4.16.12 | June 29, 2026 |
| Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | kadence-blocks | 91 | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload | | LOW | *-3.6.3 | 3.6.4 | June 29, 2026 |
| WP Travel Engine – Tour Booking Plugin – Tour Operator Software | wp-travel-engine | N/A | WP Travel Engine - Travel and Tour Booking Plugin <= 6.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via wte_trip_tax Shortcode | | LOW | *-6.7.5 | 6.7.6 | June 29, 2026 |
| ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | elementskit-lite | 95 | ElementsKit Elementor Addons and Templates <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Simple Tab Widget | | LOW | *-3.7.9 | 3.8.0 | June 29, 2026 |
| wc-frontend-manager | wc-frontend-manager | N/A | WCFM - WooCommerce Frontend Manager <= 6.7.25 - Insecure Direct Object References to Authenticated (Vendor+) Arbitrary Post/Product Manipulation | | LOW | *-6.7.25 | 6.7.26 | June 29, 2026 |
| shortcodes-ultimate | shortcodes-ultimate | N/A | Shortcodes Ultimate <= 7.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_carousel' Shortcode | | LOW | *-7.4.8 | 7.4.9 | June 29, 2026 |
| shortcodes-ultimate | shortcodes-ultimate | N/A | Shortcodes Ultimate <= 7.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'su_lightbox' Shortcode | | LOW | *-7.4.7 | 7.4.8 | June 29, 2026 |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass | | LOW | *-1.7.1049 | 1.7.1050 | June 29, 2026 |
| wordpress-simple-paypal-shopping-cart | wordpress-simple-paypal-shopping-cart | N/A | Simple Shopping Cart <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsc_display_product' Shortcode | | LOW | *-5.2.4 | 5.2.5 | June 29, 2026 |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member | N/A | Ultimate Member <= 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via DOM Gadgets | | LOW | *-2.11.1 | 2.11.2 | June 29, 2026 |
| xpro-elementor-addons | xpro-elementor-addons | N/A | Xpro Addons — 140+ Widgets for Elementor <= 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.4.20 | 1.4.21 | June 29, 2026 |
| gutenverse | gutenverse | 93 | Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'imageLoad' | | LOW | *-3.4.6 | 3.4.7 | June 29, 2026 |
| xpro-elementor-addons | xpro-elementor-addons | N/A | Xpro Addons — 140+ Widgets for Elementor <= 1.4.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Box Widget | | LOW | *-1.4.24 | 1.4.25 | June 29, 2026 |
| pie-register | pie-register | N/A | Pie Register – User Registration, Profiles & Content Restriction <= 3.8.4.8 - Missing Authorization to Unauthenticated Registration Form Status Modification | | LOW | *-3.8.4.8 | 3.8.4.9 | June 29, 2026 |
| perfmatters | perfmatters | N/A | Perfmatters <= 2.5.9.1 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter | | LOW | *-2.5.9.1 | 2.6.0 | June 29, 2026 |
| woc-order-alert | woc-order-alert | N/A | Order Notification for WooCommerce – Get Audio Alert on new Orders < 3.6.3 - Unauthenticated Remote Code Execution | | LOW | [*, 3.6.3) | 3.6.3 | June 29, 2026 |
| mstw-league-manager | mstw-league-manager | N/A | MSTW League Manager <= 2.10 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.10 | | June 29, 2026 |
| extensions-leaflet-map | extensions-leaflet-map | 93 | Extensions for Leaflet Map <= 4.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'elevation-track' Shortcode | | LOW | *-4.14 | 4.15 | June 29, 2026 |
| export-all-urls | export-all-urls | 93 | Export All URLs < 5.1 - Unauthenticated Information Exposure | | LOW | [*, 5.1) | 5.1 | June 29, 2026 |
| webmention | webmention | N/A | Webmention <= 5.6.2 - Authenticated (Subscriber+) Server-Side Request Forgery | | LOW | *-5.6.2 | 5.7.0 | June 29, 2026 |
| webmention | webmention | N/A | Webmention <= 5.6.2 - Unauthenticated Blind Server-Side Request Forgery | | LOW | *-5.6.2 | 5.7.0 | June 29, 2026 |
| W3 Total Cache | w3-total-cache | 69 | W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header | | LOW | *-2.9.3 | 2.9.4 | June 29, 2026 |
| mw-wp-form | mw-wp-form | N/A | MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir | | LOW | *-5.1.0 | 5.1.1 | June 29, 2026 |
| ultimate_vc_addons | ultimate_vc_addons | N/A | Ultimate Addons for WPBakery Page Builder < 3.21.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | [*, 3.21.4) | 3.21.4 | June 29, 2026 |
| Database for Contact Form 7, WPforms, Elementor forms | contact-form-entries | 84 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.9 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode | | LOW | *-1.4.9 | 1.5.0 | June 29, 2026 |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking | 97 | Amelia <= 2.1.2 - Authenticated (Manager+) SQL Injection via 'sort' Parameter | | LOW | *-2.1.2 | 2.1.3 | June 29, 2026 |
| shortcodes-ultimate | shortcodes-ultimate | N/A | WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'max_width' Shortcode Attribute | | LOW | *-7.4.10 | 7.5.0 | June 29, 2026 |
| WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | wpforms-lite | 70 | Contact Form by WPForms <= 1.10.0.2 - Cross-Site Request Forgery | | LOW | *-1.10.0.2 | 1.10.0.3 | June 29, 2026 |
| simple-membership | simple-membership | N/A | Simple Membership <= 4.7.1 - Missing Authorization | | LOW | *-4.7.1 | 4.7.2 | June 29, 2026 |
| Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Elementor Addons <= 1.7.1056 - Missing Authorization | | LOW | *-1.7.1056 | 1.7.1057 | June 29, 2026 |
| kubio | kubio | 93 | Kubio AI Page Builder <= 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.7.0 | 2.7.1 | June 29, 2026 |
| King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder | king-addons | 76 | King Addons for Elementor <= 51.1.38 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Widgets | | LOW | *-51.1.53 | 51.1.54 | June 29, 2026 |
| query-monitor | query-monitor | N/A | Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI | | LOW | *-3.20.3 | 3.20.4 | June 29, 2026 |
| minify-html-markup | minify-html-markup | N/A | Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update | | LOW | *-2.1.12 | 2.1.13 | June 29, 2026 |
| profile-builder | profile-builder | N/A | User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field | | LOW | *-3.15.5 | 3.15.6 | June 29, 2026 |
| auto-post-scheduler | auto-post-scheduler | 91 | Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page | | LOW | *-1.84 | | June 29, 2026 |
| ibtana-visual-editor | ibtana-visual-editor | 91 | Ibtana - WordPress Website Builder <= 1.2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-1.2.5.7 | 1.2.5.8 | June 29, 2026 |
| truebooker-appointment-booking | truebooker-appointment-booking | N/A | Truebooker - Appointment Booking and Scheduler Plugin <= 1.1.4 - Sensitive Information Exposure via Views Files | | LOW | *-1.1.4 | 1.1.5 | June 29, 2026 |
| WooPayments: Integrated WooCommerce Payments | woocommerce-payments | 84 | WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax | | LOW | *-10.5.1 | 10.6.0 | June 29, 2026 |
| Loco Translate | loco-translate | 89 | Loco Translate <= 2.8.2 - Reflected Cross-Site Scripting via 'update_href' Parameter | | LOW | *-2.8.2 | 2.8.3 | June 29, 2026 |
| gravitysmtp | gravitysmtp | 93 | Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API | | LOW | *-2.1.4 | 2.1.5 | June 29, 2026 |
| everest-forms-pro | everest-forms-pro | 93 | Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field | | LOW | *-1.9.12 | 1.9.13 | June 29, 2026 |
| debugger-troubleshooter | debugger-troubleshooter | 93 | Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation | | LOW | *-1.3.2 | 1.4.0 | June 29, 2026 |
| contact-form-by-supsystic | contact-form-by-supsystic | 93 | Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality | | LOW | *-1.7.36 | 1.8.0 | June 29, 2026 |
| wp-lightbox-2 | wp-lightbox-2 | N/A | WP Lightbox 2 < 3.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | [*, 3.0.7) | 3.0.7 | June 29, 2026 |
| trx_addons | trx_addons | N/A | ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload | | LOW | [*, 2.38.5) | 2.38.5 | June 29, 2026 |
| Shared Files – Frontend File Upload Form & Secure File Sharing | shared-files | 78 | Shared Files – Frontend File Upload Form & Secure File Sharing < 1.7.58 - Authenticated (Contributor+) Arbitrary File Download | | LOW | [*, 1.7.58) | 1.7.58 | June 29, 2026 |
| responsive-add-ons | responsive-add-ons | N/A | Responsive Plus – Elementor Templates & Starter Sites < 3.4.3 - Unauthenticated Arbitrary Code Execution | | LOW | [*, 3.4.3) | 3.4.3 | June 29, 2026 |
| leadconnector | leadconnector | 93 | LeadConnector < 3.0.22 - Missing Authorization | | LOW | [*, 3.0.22) | 3.0.22 | June 29, 2026 |
| download-monitor | download-monitor | 93 | Download Monitor <= 5.1.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Order Completion via 'token' and 'order_id' | | LOW | *-5.1.7 | 5.1.8 | June 29, 2026 |
| Twentig Supercharged Block Editor – Blocks, Patterns, Starter Sites, Portfolio | twentig | N/A | Twentig <= 1.9.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'featuredImageSizeWidth' | | LOW | *-1.9.7 | 2.0 | June 29, 2026 |
| tourfic | tourfic | N/A | Tourfic <= 2.21.4 - Missing Authorization | | LOW | *-2.21.4 | 2.21.5 | June 29, 2026 |
| ai-engine-pro | ai-engine-pro | 97 | AI Engine (Pro) < 3.4.2 - Missing Authorization | | LOW | [*, 3.4.2) | 3.4.2 | June 29, 2026 |
| Advanced Coupons for WooCommerce Coupons & Store Credit | advanced-coupons-for-woocommerce-free | 80 | Advanced Coupons for WooCommerce Coupons <= 4.7.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-4.7.1.1 | 4.7.2 | June 29, 2026 |
| quick-adsense-reloaded | quick-adsense-reloaded | N/A | Quads Ads Manager for Google AdSense <= 2.0.98.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Ad Metadata Parameters | | LOW | *-2.0.98.1 | 2.0.99 | June 29, 2026 |
| pagelayer | pagelayer | N/A | Pagelayer <= 2.0.7 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via 'email' | | LOW | *-2.0.7 | 2.0.8 | June 29, 2026 |
| Ninja Forms – The Contact Form Builder That Grows With You | ninja-forms | 69 | Ninja Forms <= 3.14.1 - Authenticated (Contributor+) Sensitive Information Disclosure via Block Editor Token | | LOW | *-3.14.1 | 3.14.2 | June 29, 2026 |
| SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder | sureforms | N/A | SureForms <= 2.5.2 - Unauthenticated Payment Amount Validation Bypass via 'form_id' | | LOW | *-2.5.2 | 2.6.0 | June 29, 2026 |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member | N/A | Ultimate Member <= 2.11.2 - Authenticated (Contributor+) Sensitive Information Exposure to Account Takeover via Shortcode Template Tag | | LOW | *-2.11.2 | 2.11.3 | June 29, 2026 |
| woocommerce-currency-switcher | woocommerce-currency-switcher | N/A | FOX <= 1.4.5 - Missing Authorization | | LOW | *-1.4.5 | 1.4.6 | June 29, 2026 |
| Spectra Gutenberg Blocks – Website Builder for the Block Editor | ultimate-addons-for-gutenberg | N/A | Spectra <= 2.19.22 - Missing Authorization | | LOW | *-2.19.22 | 2.19.23 | June 29, 2026 |
| petitioner | petitioner | N/A | Petitioner <= 0.7.3 - Missing Authorization | | LOW | *-0.7.3 | 0.7.4 | June 29, 2026 |
| pepro-ultimate-invoice | pepro-ultimate-invoice | N/A | PeproDev Ultimate Invoice < 2.2.6 - Unauthenticated Information Exposure | | LOW | [*, 2.2.6) | 2.2.6 | June 29, 2026 |
| cartflows | cartflows | 93 | CartFlows <= 2.2.3 - Missing Authorization | | LOW | *-2.2.3 | 2.2.4 | June 29, 2026 |
| Smart Slider 3 | smart-slider-3 | 90 | Smart Slider 3 <= 3.5.1.33 - Authenticated (Subscriber+) Arbitrary File Read via actionExportAll | | LOW | *-3.5.1.33 | 3.5.1.34 | June 29, 2026 |
| the-plus-addons-for-block-editor | the-plus-addons-for-block-editor | N/A | Nexter Blocks <= 4.7.0 - Unauthenticated Information Exposure | | LOW | *-4.7.0 | 4.7.1 | June 29, 2026 |
| surecart | surecart | N/A | SureCart <= 4.0.2 - Missing Authorization | | LOW | *-4.0.2 | 4.0.3 | June 29, 2026 |
| sunshine-photo-cart | sunshine-photo-cart | N/A | Sunshine Photo Cart < 3.6.2 - Unauthenticated Information Exposure | | LOW | [*, 3.6.2) | 3.6.2 | June 29, 2026 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments | N/A | Simply Schedule Appointments <= 1.6.9.27 - Authenticated (Contributor+) SQL Injection | | LOW | *-1.6.9.27 | 1.6.9.29 | June 29, 2026 |
| share-this-image | share-this-image | N/A | Share This Image <= 2.12 - Missing Authorization | | LOW | *-2.12 | 2.13 | June 29, 2026 |
| seriously-simple-podcasting | seriously-simple-podcasting | N/A | Seriously Simple Podcasting <= 3.14.2 - Missing Authorization | | LOW | *-3.14.2 | 3.14.3 | June 29, 2026 |
| Broken Link Checker | broken-link-checker | 68 | Broken Link Checker <= 2.4.7 - Authenticated (Editor+) SQL Injection | | LOW | *-2.4.7 | 2.4.8 | June 29, 2026 |
| Elementor Website Builder – more than just a page builder | elementor | 79 | Elementor Website Builder <= 3.35.7 - Incorrect Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template | | LOW | *-3.35.7 | 3.35.8 | June 29, 2026 |
| Booking for Appointments and Events Calendar – Amelia | ameliabooking | 97 | Amelia Booking 8.3 - 9.1.2 - Authenticated (Customer+) Insecure Direct Object Reference to Arbitrary User Password Change | | LOW | 8.3-9.1.2 | 9.2 | June 29, 2026 |
| formlift | formlift | 93 | FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow | | LOW | *-7.5.21 | 7.5.22 | June 29, 2026 |
| blog2social | blog2social | 93 | Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action | | LOW | *-8.8.2 | 8.8.3 | June 29, 2026 |
| bwl-advanced-faq-manager-lite | bwl-advanced-faq-manager-lite | 93 | BWL Advanced FAQ Manager Lite <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sbox_id' Shortcode Attribute | | LOW | *-1.1.1 | 1.1.2 | June 29, 2026 |
| acf-frontend-form-element | acf-frontend-form-element | 97 | Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts | | LOW | *-3.28.31 | 3.28.32 | June 29, 2026 |
| bakkbone-florist-companion | bakkbone-florist-companion | 93 | FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter | | LOW | *-7.8.2 | 7.8.3 | June 29, 2026 |
| learning-management-system | learning-management-system | 93 | Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator | | LOW | *-2.1.6 | 2.1.7 | June 29, 2026 |
| wp-job-portal | wp-job-portal | N/A | WP Job Portal <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field | | LOW | *-2.4.9 | 2.5.0 | June 29, 2026 |
| simple-download-counter | simple-download-counter | N/A | Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute | | LOW | *-2.3 | 2.3.1 | June 29, 2026 |
| shortpixel-image-optimiser | shortpixel-image-optimiser | N/A | ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title | | LOW | *-6.4.3 | 6.4.4 | June 29, 2026 |
| js-support-ticket | js-support-ticket | 93 | JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.4 - Unauthenticated SQL Injection via 'multiformid' Parameter | | LOW | *-3.0.4 | 3.0.5 | June 29, 2026 |
| instantio | instantio | 93 | Instantio <= 3.3.30 - Unauthenticated Information Exposure | | LOW | *-3.3.30 | 3.3.31 | June 29, 2026 |
| Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution | fluent-booking | 96 | Fluent Booking <= 2.0.01 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters | | LOW | *-2.0.01 | 2.0.05 | June 29, 2026 |
LOW

formlift

formlift

Score: 93/100 FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow Affected: *-7.5.21 Patched: 7.5.22 Updated: June 29, 2026
LOW

blog2social

blog2social

Score: 93/100 Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action Affected: *-8.8.2 Patched: 8.8.3 Updated: June 29, 2026
LOW

bwl-advanced-faq-manager-lite

bwl-advanced-faq-manager-lite

Score: 93/100 BWL Advanced FAQ Manager Lite <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sbox_id' Shortcode Attribute Affected: *-1.1.1 Patched: 1.1.2 Updated: June 29, 2026
LOW

acf-frontend-form-element

acf-frontend-form-element

Score: 97/100 Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts Affected: *-3.28.31 Patched: 3.28.32 Updated: June 29, 2026
LOW

bakkbone-florist-companion

bakkbone-florist-companion

Score: 93/100 FloristPress for Woo <= 7.8.2 - Reflected Cross-Site Scripting via 'noresults' Parameter Affected: *-7.8.2 Patched: 7.8.3 Updated: June 29, 2026
LOW

learning-management-system

learning-management-system

Score: 93/100 Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator Affected: *-2.1.6 Patched: 2.1.7 Updated: June 29, 2026
LOW

wp-job-portal

wp-job-portal

Score: N/A WP Job Portal <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field Affected: *-2.4.9 Patched: 2.5.0 Updated: June 29, 2026
LOW

simple-download-counter

simple-download-counter

Score: N/A Simple Download Counter <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'text' Shortcode Attribute Affected: *-2.3 Patched: 2.3.1 Updated: June 29, 2026
LOW

shortpixel-image-optimiser

shortpixel-image-optimiser

Score: N/A ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title Affected: *-6.4.3 Patched: 6.4.4 Updated: June 29, 2026
LOW

js-support-ticket

js-support-ticket

Score: 93/100 JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.4 - Unauthenticated SQL Injection via 'multiformid' Parameter Affected: *-3.0.4 Patched: 3.0.5 Updated: June 29, 2026
LOW

instantio

instantio

Score: 93/100 Instantio <= 3.3.30 - Unauthenticated Information Exposure Affected: *-3.3.30 Patched: 3.3.31 Updated: June 29, 2026

Showing 1601 to 1700 of 36190 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 14:52 UTC.