Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36194 (across tracked plugins)
Affected Plugins: 99 (with open vulnerabilities)
Critical / High: 0 (require immediate attention)
Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| WP Extended – The Ultimate WordPress Toolkit | wpextended | N/A | The Ultimate WordPress Toolkit – WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module | | LOW | *-3.2.4 | 3.2.5 | June 29, 2026 |
| import-users-from-csv-with-meta | import-users-from-csv-with-meta | 93/100 | Import and export users and customers <= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields | | LOW | *-1.29.7 | 2.0 | June 29, 2026 |
| tour-booking-manager | tour-booking-manager | N/A | WpTravelly <= 2.1.7 - Missing Authorization | | LOW | *-2.1.7 | 2.1.8 | June 29, 2026 |
| jetformbuilder | jetformbuilder | 93/100 | JetFormBuilder <= 3.5.6.2 - Unauthenticated Arbitrary File Read via Media Field | | LOW | *-3.5.6.2 | 3.5.6.3 | June 29, 2026 |
| arforms-form-builder | arforms-form-builder | 95/100 | Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blind Arbitrary Shortcode Execution | | LOW | *-1.7.2 | | June 29, 2026 |
| invelity-products-feeds | invelity-products-feeds | 91/100 | Invelity Products Feeds <= 1.2.6 - Cross-Site Request Forgery to Arbitrary File Deletion | | LOW | *-1.2.6 | | June 29, 2026 |
| wp-webauthn | wp-webauthn | N/A | WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-1.3.4 | | June 29, 2026 |
| postaffiliatepro | postaffiliatepro | N/A | Post Affiliate Pro <= 1.28.0 - Authenticated (Administrator+) Server-Side Request Forgery via 'Post Affiliate Pro URL' Field | | LOW | *-1.28.0 | | June 29, 2026 |
| survey | survey | N/A | Survey <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings | | LOW | *-1.1 | | June 29, 2026 |
| multi-post-carousel | multi-post-carousel | N/A | Multi Post Carousel by Category <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slides' Shortcode Attribute | | LOW | *-1.4 | | June 29, 2026 |
| mandatory-fields | mandatory-fields | 91/100 | Mandatory Field <= 1.6.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Fields | | LOW | *-1.6.8 | | June 29, 2026 |
| logo-slider-wp | logo-slider-wp | 89/100 | Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slider' Shortcode | | LOW | *-4.9.0 | | June 29, 2026 |
| wpfaqblock | wpfaqblock | N/A | WPFAQBlock– FAQ & Accordion Plugin For Gutenberg <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute | | LOW | *-1.1 | | June 29, 2026 |
| add-google-social-profiles-to-knowledge-graph-box | add-google-social-profiles-to-knowledge-graph-box | 95/100 | Add Google Social Profiles to Knowledge Graph Box <= 1.0 - Cross-Site Request Forgery to Settings Update | | LOW | *-1.0 | | June 29, 2026 |
| peacefulqode-elementzplus-widgets | peacefulqode-elementzplus-widgets | N/A | PQ Addons – Creative Elementor Widgets <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Attributes | | LOW | *-1.0.0 | | June 29, 2026 |
| redirect-countdown | redirect-countdown | N/A | Redirect countdown <= 1.0 - Cross-Site Request Forgery to Settings Update | | LOW | *-1.0 | | June 29, 2026 |
| wp-posts-re-order | wp-posts-re-order | N/A | WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update | | LOW | *-1.0 | | June 29, 2026 |
| sr-wp-minify-html | sr-wp-minify-html | N/A | SR WP Minify HTML <= 2.1 - Cross-Site Request Forgery to Settings Update | | LOW | *-2.1 | | June 29, 2026 |
| schema-shortcode | schema-shortcode | N/A | Schema Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-1.0 | | June 29, 2026 |
| comment-genius | comment-genius | 91/100 | Comment Genius <= 1.2.5 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] | | LOW | *-1.2.5 | | June 29, 2026 |
| post-flagger | post-flagger | N/A | Post Flagger <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'slug' Shortcode Attribute | | LOW | *-1.1 | | June 29, 2026 |
| ivysilani-shortcode | ivysilani-shortcode | 91/100 | iVysilani Shortcode <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute | | LOW | *-3.0 | | June 29, 2026 |
| wp-ng-weather | wp-ng-weather | N/A | WP NG Weather <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.0.9 | | June 29, 2026 |
| tour-operator-plugin | tour-operator-plugin | N/A | Tour & Activity Operator Plugin for TourCMS <= 1.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.7.0 | | June 29, 2026 |
| company-posts-for-linkedin | company-posts-for-linkedin | 91/100 | Company Posts for LinkedIn <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary LinkedIn Post Data Deletion | | LOW | *-1.0.0 | | June 29, 2026 |
| atomchat | atomchat | 91/100 | Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update | | LOW | *-1.1.7 | 1.1.8 | June 29, 2026 |
| mimetypes-link-icons | mimetypes-link-icons | N/A | MimeTypes Link Icons <= 3.2.20 - Authenticated (Contributor+) Server-Side Request Forgery via Crafted Links in Post Content | | LOW | *-3.2.20 | 3.3.0 | June 29, 2026 |
| easy-image-gallery | easy-image-gallery | 91/100 | Easy Image Gallery <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Shortcode Post Meta | | LOW | *-1.5.3 | | June 29, 2026 |
| show-posts | show-posts | N/A | Weaver Show Posts <= 1.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Additional Classes to Wrap Posts' Widget Setting | | LOW | *-1.8.1 | 2.0 | June 29, 2026 |
| rexcrawler | rexcrawler | N/A | rexCrawler <= 1.0.15 - Reflected Cross-Site Scripting via 'url' and 'regex' Parameters | | LOW | *-1.0.15 | | June 29, 2026 |
| surveyjs | surveyjs | N/A | SurveyJS: Drag & Drop Form Builder <= 2.5.3 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-2.5.3 | | June 29, 2026 |
| mylinksdump | mylinksdump | N/A | myLinksDump <= 1.6 - Authenticated (Administrator+) SQL Injection via 'sort_by' and 'sort_order' Parameters | | LOW | *-1.6 | | June 29, 2026 |
| itsukaita | itsukaita | 91/100 | itsukaita <= 0.1.2 - Reflected Cross-Site Scripting via 'day_from' Parameter | | LOW | *-0.1.2 | | June 29, 2026 |
| login-register | login-register | 91/100 | login_register <= 1.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | LOW | *-1.2.0 | | June 29, 2026 |
| applixir | applixir | 95/100 | Reward Video Ad for WordPress <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings | | LOW | *-1.6 | | June 29, 2026 |
| review-map-by-revukangaroo | review-map-by-revukangaroo | N/A | Review Map by RevuKangaroo <= 1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings | | LOW | *-1.7 | | June 29, 2026 |
| eds-font-awesome | eds-font-awesome | 91/100 | Ed's Font Awesome <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-2.0 | | June 29, 2026 |
| eds-social-share | eds-social-share | 91/100 | Ed's Social Share <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-2.0 | | June 29, 2026 |
| element-camp | element-camp | 91/100 | ElementCamp <= 2.3.6 - Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter | | LOW | *-2.3.6 | | June 29, 2026 |
| hr-press-lite | hr-press-lite | 91/100 | Hr Press Lite <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Employee Information Exposure | | LOW | *-1.0.2 | | June 29, 2026 |
| post-snippits | post-snippits | N/A | Post Snippits <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update | | LOW | *-1.0 | | June 29, 2026 |
| ricerca-smart-search | ricerca-smart-search | N/A | Ricerca – advanced search <= 1.1.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin's Settings | | LOW | *-1.1.12 | | June 29, 2026 |
| fonts-manager-custom-fonts | fonts-manager-custom-fonts | 89/100 | Fonts Manager \| Custom Fonts <= 1.2 - Unauthenticated SQL Injection via fmcfIdSelectedFnt parameter | | LOW | *-1.2 | | June 29, 2026 |
| cms-commander-client | cms-commander-client | 91/100 | CMS Commander <= 2.288 - Authenticated (Custom+) SQL Injection via 'or_blogname' Parameter | | LOW | *-2.288 | | June 29, 2026 |
| minhnhut-link-gateway | minhnhut-link-gateway | N/A | MinhNhut Link Gateway <= 3.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-3.6.1 | | June 29, 2026 |
| comment-spam-wiper | comment-spam-wiper | 91/100 | Comment SPAM Wiper <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'API Key' Setting | | LOW | *-1.2.1 | | June 29, 2026 |
| wikilookup | wikilookup | N/A | Wikilookup <= 1.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Popup Width' Setting | | LOW | *-1.1.5 | | June 29, 2026 |
| canto | canto | 91/100 | Canto <= 3.1.1 - Missing Authorization to Unauthenticated File Upload | | LOW | *-3.1.1 | 3.1.2 | June 29, 2026 |
| multi-functional-flexi-lightbox | multi-functional-flexi-lightbox | N/A | Multi Functional Flexi Lightbox <= 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via 'message' Parameter | | LOW | *-1.2 | | June 29, 2026 |
| xhanch-my-advanced-settings | xhanch-my-advanced-settings | N/A | Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update | | LOW | *-1.1.2 | | June 29, 2026 |
| lobot-slider-administrator | lobot-slider-administrator | 91/100 | Lobot Slider Administrator <= 0.6.0 - Cross-Site Request Forgery to Settings Update | | LOW | *-0.6.0 | | June 29, 2026 |
| any-post-slider | any-post-slider | 95/100 | Any Post Slider <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_type' Shortcode Attribute | | LOW | *-1.0.4 | | June 29, 2026 |
| fusedesk | fusedesk | 91/100 | FuseDesk <= 6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'emailtext' Shortcode Attribute | | LOW | *-6.8 | | June 29, 2026 |
| go-night-pro | go-night-pro | 91/100 | Go Night Pro \| WordPress Dark Mode Plugin <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'margin' Shortcode Attribute | | LOW | *-1.1.0 | | June 29, 2026 |
| appmax | appmax | 95/100 | Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint | | LOW | *-1.0.3 | | June 29, 2026 |
| build-app-online | build-app-online | 85/100 | Build App Online <= 1.0.23 - Missing Authorization to Arbitrary Post Author Modification via 'build-app-online-update-vendor-product' AJAX Action | | LOW | *-1.0.23 | | June 29, 2026 |
| uipress-lite | uipress-lite | N/A | UiPress lite \| Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update | | LOW | *-3.5.09 | | June 29, 2026 |
| rest-api-to-miniprogram | rest-api-to-miniprogram | N/A | REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter | | LOW | *-5.1.2 | | June 29, 2026 |
| performance-monitor | performance-monitor | N/A | Performance Monitor <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter | | LOW | *-1.0.6 | | June 29, 2026 |
| content-syndication-toolkit | content-syndication-toolkit | 91/100 | Content Syndication Toolkit <= 1.3 - Unauthenticated Server-Side Request Forgery via 'url' Parameter | | LOW | *-1.3 | | June 29, 2026 |
| sherk-custom-post-type-displays | sherk-custom-post-type-displays | N/A | Sherk Custom Post Type Displays <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute | | LOW | *-1.2.1 | | June 29, 2026 |
| e-shot-form-builder | e-shot-form-builder | 89/100 | e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via API Token via 'eshot_form_builder_get_account_data' AJAX Action | | LOW | *-1.0.2 | | June 29, 2026 |
| punnel-landing-page-builder | punnel-landing-page-builder | N/A | Punnel <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update via 'punnel_save_config' AJAX Action | | LOW | *-1.3.1 | | June 29, 2026 |
| smarter-analytics | smarter-analytics | N/A | Smarter Analytics <= 2.0 - Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter | | LOW | *-2.0 | | June 29, 2026 |
| integration-with-hubspot-forms | integration-with-hubspot-forms | 91/100 | Integration with Hubspot Forms <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.2.2 | | June 29, 2026 |
| simple-football-score-board | simple-football-score-board | N/A | Simple Football Scoreboard <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.0 | | June 29, 2026 |
| twitter-feeds | twitter-feeds | N/A | Twitter Feeds <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'tweet_title' Shortcode Attribute | | LOW | *-1.0.0 | | June 29, 2026 |
| task-manager | task-manager | N/A | Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Read | | LOW | *-3.0.2 | | June 29, 2026 |
| speedup-optimization | speedup-optimization | N/A | Speedup Optimization <= 1.5.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update via 'speedup01_enabled' AJAX Action | | LOW | *-1.5.9 | | June 29, 2026 |
| task-manager | task-manager | N/A | Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'task_id' Parameter | | LOW | *-3.0.2 | | June 29, 2026 |
| outgrow | outgrow | N/A | Outgrow <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'outgrow' Shortcode 'id' Attribute | | LOW | *-2.1 | | June 29, 2026 |
| alfie-the-productfeedtool-wp-plugin | alfie-the-productfeedtool-wp-plugin | 95/100 | Alfie – Feed Plugin <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'naam' Parameter | | LOW | *-1.2.1 | | June 29, 2026 |
| neos-connector-for-fakturama | neos-connector-for-fakturama | N/A | Neos Connector for Fakturama <= 0.0.14 - Cross-Site Request Forgery to Settings Update | | LOW | *-0.0.14 | | June 29, 2026 |
| wordpress-paypal-donation | wordpress-paypal-donation | N/A | WordPress PayPal Donation <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' Shortcode Attribute | | LOW | *-1.01 | | June 29, 2026 |
| wp-games-embed | wp-games-embed | N/A | WP Games Embed <= 0.1beta - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | * - 0.1beta | | June 29, 2026 |
| text-toggle | text-toggle | N/A | Text Toggle <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute | | LOW | *-1.1 | | June 29, 2026 |
| paypal-shortcodes | paypal-shortcodes | N/A | Paypal Shortcodes <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' and 'name' Shortcode Attributes | | LOW | *-0.3 | | June 29, 2026 |
| sheets2table | sheets2table | N/A | Sheets2Table <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titles' Shortcode Attribute | | LOW | *-0.4.1 | | June 29, 2026 |
| fyyd-podcast-shortcodes | fyyd-podcast-shortcodes | 91/100 | fyyd podcast shortcodes <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute | | LOW | *-0.3.1 | | June 29, 2026 |
| ad-short | ad-short | 95/100 | Ad Short <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'client' Shortcode Attribute | | LOW | *-2.0.1 | | June 29, 2026 |
| app-builder | app-builder | 95/100 | App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter | | LOW | *-5.5.10 | | June 29, 2026 |
| ecover-builder-for-dummies | ecover-builder-for-dummies | 91/100 | Ecover Builder For Dummies <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute | | LOW | *-1.0 | | June 29, 2026 |
| show-posts-shortcodes | show-posts-shortcodes | N/A | Show Posts list <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-1.1.0 | | June 29, 2026 |
| wp-random-button | wp-random-button | N/A | WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute | | LOW | *-1.0 | | June 29, 2026 |
| quentn-wp | quentn-wp | N/A | Quentn WP <= 1.2.12 - Unauthenticated SQL Injection via 'qntn_wp_access' Cookie | | LOW | *-1.2.12 | 1.2.13 | June 29, 2026 |
| vagaro-booking-widget | vagaro-booking-widget | N/A | Vagaro Booking Widget <= 0.3 - Unauthenticated Stored Cross-Site Scripting via 'vagaro_code' | | LOW | *-0.3 | | June 29, 2026 |
| wp-chatbot | wp-chatbot | N/A | WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover | | LOW | *-4.9 | | June 29, 2026 |
| linksy-search-and-replace | linksy-search-and-replace | 91/100 | Linksy Search and Replace <= 1.0.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Update via linksy_search_and_replace_item_details | | LOW | *-1.0.4 | | June 29, 2026 |
| pre-party-browser-hints | pre-party-browser-hints | N/A | Pre* Party Resource Hints <= 1.8.20 - Authenticated (Subscriber+) SQL Injection via 'hint_ids' Parameter | | LOW | *-1.8.20 | | June 29, 2026 |
| expire-users | expire-users | 91/100 | Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields | | LOW | *-1.2.2 | | June 29, 2026 |
| scoreboard-for-html5-game-lite | scoreboard-for-html5-game-lite | N/A | Scoreboard for HTML5 Games Lite <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.2 | 1.3 | June 29, 2026 |
| emailkit | emailkit | 93/100 | EmailKit <= 1.6.3 - Authenticated (Administrator+) Path Traversal via 'emailkit-editor-template' REST API Parameter | | LOW | *-1.6.3 | 1.6.4 | June 29, 2026 |
| contact-list | contact-list | 93/100 | Contact List <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter | | LOW | *-3.0.18 | 3.0.19 | June 29, 2026 |
| injection-guard | injection-guard | 93/100 | Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name | | LOW | *-1.2.9 | 1.3.0 | June 29, 2026 |
| alt-manager | alt-manager | 97/100 | Image Alt Text Manager <= 1.8.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Title | | LOW | *-1.8.2 | 1.8.3 | June 29, 2026 |
| kali-forms | kali-forms | 93/100 | Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | | LOW | *-2.4.9 | 2.4.10 | June 29, 2026 |
| yith-woocommerce-wishlist | yith-woocommerce-wishlist | N/A | YITH WooCommerce Wishlist < 4.13.0 - Unauthenticated Insecure Direct Object Reference to Wishlist Rename | | LOW | [*, 4.13.0) | 4.13.0 | June 29, 2026 |
| wplr-sync | wplr-sync | N/A | Photo Engine (Media Organizer & Lightroom) <= 6.4.9 - Authenticated (Author+) Arbitrary File Upload | | LOW | *-6.4.9 | 6.5.0 | June 29, 2026 |
| wpjam-basic | wpjam-basic | N/A | WPJAM Basic <= 6.9.2 - Authenticated (Subscriber+) Arbitrary File Upload | | LOW | *-6.9.2 | 6.9.2.1 | June 29, 2026 |
| wp-terms-popup | wp-terms-popup | N/A | WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups <= 2.10.0 - Missing Authorization | | LOW | *-2.10.0 | 2.11.0 | June 29, 2026 |

Score: N/A WordPress PayPal Donation <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' Shortcode Attribute Affected: *-1.01 Patched: Updated: June 29, 2026
LOW

wp-games-embed

wp-games-embed

Score: N/A WP Games Embed <= 0.1beta - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-0.1beta Patched: Updated: June 29, 2026
LOW

text-toggle

text-toggle

Score: N/A Text Toggle <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute Affected: *-1.1 Patched: Updated: June 29, 2026
LOW

paypal-shortcodes

paypal-shortcodes

Score: N/A Paypal Shortcodes <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'amount' and 'name' Shortcode Attributes Affected: *-0.3 Patched: Updated: June 29, 2026
LOW

sheets2table

sheets2table

Score: N/A Sheets2Table <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'titles' Shortcode Attribute Affected: *-0.4.1 Patched: Updated: June 29, 2026
LOW

fyyd-podcast-shortcodes

fyyd-podcast-shortcodes

Score: 91/100 fyyd podcast shortcodes <= 0.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute Affected: *-0.3.1 Patched: Updated: June 29, 2026
LOW

ad-short

ad-short

Score: 95/100 Ad Short <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'client' Shortcode Attribute Affected: *-2.0.1 Patched: Updated: June 29, 2026
LOW

app-builder

app-builder

Score: 95/100 App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter Affected: *-5.5.10 Patched: Updated: June 29, 2026
LOW

ecover-builder-for-dummies

ecover-builder-for-dummies

Score: 91/100 Ecover Builder For Dummies <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute Affected: *-1.0 Patched: Updated: June 29, 2026
LOW

show-posts-shortcodes

show-posts-shortcodes

Score: N/A Show Posts list <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.1.0 Patched: Updated: June 29, 2026
LOW

wp-random-button

wp-random-button

Score: N/A WP Random Button <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'cat' Shortcode Attribute Affected: *-1.0 Patched: Updated: June 29, 2026
LOW

quentn-wp

quentn-wp

Score: N/A Quentn WP <= 1.2.12 - Unauthenticated SQL Injection via 'qntn_wp_access' Cookie Affected: *-1.2.12 Patched: 1.2.13 Updated: June 29, 2026
LOW

vagaro-booking-widget

vagaro-booking-widget

Score: N/A Vagaro Booking Widget <= 0.3 - Unauthenticated Stored Cross-Site Scripting via 'vagaro_code' Affected: *-0.3 Patched: Updated: June 29, 2026
LOW

wp-chatbot

wp-chatbot

Score: N/A WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover Affected: *-4.9 Patched: Updated: June 29, 2026
LOW

linksy-search-and-replace

linksy-search-and-replace

Score: 91/100 Linksy Search and Replace <= 1.0.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Update via linksy_search_and_replace_item_details Affected: *-1.0.4 Patched: Updated: June 29, 2026
LOW

pre-party-browser-hints

pre-party-browser-hints

Score: N/A Pre* Party Resource Hints <= 1.8.20 - Authenticated (Subscriber+) SQL Injection via 'hint_ids' Parameter Affected: *-1.8.20 Patched: Updated: June 29, 2026
LOW

expire-users

expire-users

Score: 91/100 Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields Affected: *-1.2.2 Patched: Updated: June 29, 2026
LOW

scoreboard-for-html5-game-lite

scoreboard-for-html5-game-lite

Score: N/A Scoreboard for HTML5 Games Lite <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-1.2 Patched: 1.3 Updated: June 29, 2026
LOW

emailkit

emailkit

Score: 93/100 EmailKit <= 1.6.3 - Authenticated (Administrator+) Path Traversal via 'emailkit-editor-template' REST API Parameter Affected: *-1.6.3 Patched: 1.6.4 Updated: June 29, 2026
LOW

contact-list

contact-list

Score: 93/100 Contact List <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter Affected: *-3.0.18 Patched: 3.0.19 Updated: June 29, 2026
LOW

injection-guard

injection-guard

Score: 93/100 Injection Guard <= 1.2.9 - Unauthenticated Stored Cross-Site Scripting via Query Parameter Name Affected: *-1.2.9 Patched: 1.3.0 Updated: June 29, 2026
LOW

alt-manager

alt-manager

Score: 97/100 Image Alt Text Manager <= 1.8.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Title Affected: *-1.8.2 Patched: 1.8.3 Updated: June 29, 2026
LOW

kali-forms

kali-forms

Score: 93/100 Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process Affected: *-2.4.9 Patched: 2.4.10 Updated: June 29, 2026
LOW

yith-woocommerce-wishlist

yith-woocommerce-wishlist

Score: N/A YITH WooCommerce Wishlist < 4.13.0 - Unauthenticated Insecure Direct Object Reference to Wishlist Rename Affected: [*, 4.13.0) Patched: 4.13.0 Updated: June 29, 2026
LOW

wplr-sync

wplr-sync

Score: N/A Photo Engine (Media Organizer & Lightroom) <= 6.4.9 - Authenticated (Author+) Arbitrary File Upload Affected: *-6.4.9 Patched: 6.5.0 Updated: June 29, 2026
LOW

wpjam-basic

wpjam-basic

Score: N/A WPJAM Basic <= 6.9.2 - Authenticated (Subscriber+) Arbitrary File Upload Affected: *-6.9.2 Patched: 6.9.2.1 Updated: June 29, 2026
LOW

wp-terms-popup

wp-terms-popup

Score: N/A WP Terms Popup – Terms and Conditions and Privacy Policy WordPress Popups <= 2.10.0 - Missing Authorization Affected: *-2.10.0 Patched: 2.11.0 Updated: June 29, 2026

Showing 1801 to 1900 of 36194 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 17:37 UTC.