Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36280 (across tracked plugins)
Affected Plugins: 93 (with open vulnerabilities)
Critical / High: 0 (require immediate attention)
Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
Plugin | Slug | Score (out of 100) | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated
new-user-approve | new-user-approve | N/A | New User Approve <= 3.2.3 - Missing Authorization | | LOW | *-3.2.3 | 3.2.4 | June 29, 2026
my-tickets | my-tickets | N/A | My Tickets – Accessible Event Ticketing <= 2.1.1 - Missing Authorization | | LOW | *-2.1.1 | 2.1.2 | June 29, 2026
motta-addons | motta-addons | N/A | Motta Addons < 1.6.1 - Reflected Cross-Site Scripting | | LOW | [*, 1.6.1) | 1.6.1 | June 29, 2026
miraculouscore | miraculouscore | N/A | Miraculous Core < 2.1.2 - Authenticated (Subscriber+) SQL Injection | | LOW | [*, 2.1.2) | 2.1.2 | June 29, 2026
Event Booking Manager for WooCommerce | mage-eventpress | 82 | Event Booking Manager for WooCommerce <= 5.1.4 - Reflected Cross-Site Scripting | | LOW | *-5.1.4 | 5.1.5 | June 29, 2026
lumise | lumise | 93 | Lumise Product Designer < 2.0.9 - Unauthenticated SQL Injection | | LOW | [*, 2.0.9) | 2.0.9 | June 29, 2026
keep-backup-daily | keep-backup-daily | 93 | Keep Backup Daily <= 2.1.1 - Authenticated (Admin+) Limited Path Traversal via 'kbd_path' Parameter | | LOW | *-2.1.1 | 2.1.3 | June 29, 2026
keep-backup-daily | keep-backup-daily | 93 | Keep Backup Daily <= 2.1.2 - Authenticated (Admin+) Stored Cross-Site Scripting via Backup Title | | LOW | *-2.1.2 | 2.1.3 | June 29, 2026
kargo-takip-turkiye | kargo-takip-turkiye | 93 | Kargo Takip < 0.2.4 - Missing Authorization | | LOW | [*, 0.2.4) | 0.2.4 | June 29, 2026
js-support-ticket | js-support-ticket | 93 | JS Help Desk – AI-Powered Support & Ticketing System <= 3.0.3 - Authenticated (Subscriber+) SQL Injection | | LOW | *-3.0.3 | 3.0.4 | June 29, 2026
jquery-archive-list-widget | jquery-archive-list-widget | 93 | JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection | | LOW | *-6.1.7 | 6.2.0 | June 29, 2026
itracker360 | itracker360 | 93 | iTracker360 <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'itracker_license' Settings Field | | LOW | *-2.2.0 | 2.2.1 | June 29, 2026
halfdata-paypal-green-downloads | halfdata-paypal-green-downloads | 93 | Green Downloads <= 2.08 - Authenticated (Subscriber+) Arbitrary File Upload | | LOW | *-2.08 | 2.09 | June 29, 2026
fusion-builder | fusion-builder | 93 | Avada (Fusion) Builder < 3.15.0 - Reflected Cross-Site Scripting | | LOW | [*, 3.15.0) | 3.15.0 | June 29, 2026
faq-builder-ays | faq-builder-ays | 93 | FAQ Builder AYS <= 1.8.2 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-1.8.2 | 1.8.3 | June 29, 2026
custom-registration-form-builder-with-submission-manager | custom-registration-form-builder-with-submission-manager | 93 | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.6 - Missing Authorization | | LOW | *-6.0.7.6 | 6.0.7.7 | June 29, 2026
creatorlms | creatorlms | 93 | Creator LMS – Online Courses and eLearning Plugin <= 1.1.18 - Authenticated (Contributor+) Privilege Escalation | | LOW | *-1.1.18 | 1.1.19 | June 29, 2026
computer-repair-shop | computer-repair-shop | 93 | RepairBuddy <= 4.1132 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via wc_rep_shop_settings_submission AJAX Action | | LOW | *-4.1132 | 4.1133 | June 29, 2026
comments-import-export-woocommerce | comments-import-export-woocommerce | 93 | Comments Import & Export <= 2.4.9 - Missing Authorization | | LOW | *-2.4.9 | 2.5.0 | June 29, 2026
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services | chatbot | 66 | WPBot – AI ChatBot for Live Support, Lead Generation, AI Services <= 7.7.9 - Unauthenticated SQL Injection | | LOW | *-7.7.9 | 7.8.0 | June 29, 2026
cf7-insightly | cf7-insightly | 93 | WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 - Missing Authorization | | LOW | *-1.1.5 | 1.1.6 | June 29, 2026
bookly-responsive-appointment-booking-tool | bookly-responsive-appointment-booking-tool | 93 | Online Scheduling and Appointment Booking System – Bookly <= 26.7 - Reflected Cross-Site Scripting | | LOW | *-26.7 | 26.8 | June 29, 2026
bit-smtp | bit-smtp | 93 | Bit SMTP – Easy SMTP Solution with Email Logs <= 1.2.2 - Missing Authorization | | LOW | *-1.2.2 | 1.2.3 | June 29, 2026
ays-slider | ays-slider | 93 | Image Slider by Ays- Responsive Slider and Carousel <= 2.7.1 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-2.7.1 | 2.7.2 | June 29, 2026
Autoptimize | autoptimize | 87 | Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ao_post_preload' Meta Value | | LOW | *-3.1.14 | 3.1.15 | June 29, 2026
Autoptimize | autoptimize | 87 | Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes | | LOW | *-3.1.14 | 3.1.15 | June 29, 2026
wc-carta-docente | wc-carta-docente | N/A | ilGhera Carta Docente for WooCommerce <= 1.5.0 - Authenticated (Administrator+) Path Traversal to Arbitrary File Deletion via 'cert' Parameter | | LOW | *-1.5.0 | 1.5.1 | June 29, 2026
cm-custom-reports | cm-custom-reports | 93 | CM Custom Reports <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels | | LOW | *-1.2.7 | 1.2.8 | June 29, 2026
ft-rockpress | ft-rockpress | 93 | RockPress <= 1.0.17 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via AJAX Actions | | LOW | *-1.0.17 | 1.0.18 | June 29, 2026
aimogen-pro | aimogen-pro | 97 | Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call | | LOW | *-2.7.5 | 2.7.6 | June 29, 2026
Membership Plugin – Kadence Memberships | restrict-content | N/A | Membership Plugin – Restrict Content <= 3.2.24 - Unvalidated Redirect in Password Reset Flow via rcp_redirect | | LOW | *-3.2.24 | 3.2.25 | June 29, 2026
yml-for-yandex-market | yml-for-yandex-market | N/A | YML for Yandex Market < 5.0.26 - Authenticated (Shop Manager+) Remote Code Execution | | LOW | [*, 5.0.26) | 5.0.26 | June 29, 2026
sprout-invoices | sprout-invoices | N/A | Client Invoicing by Sprout Invoices <= 20.8.10 - Missing Authorization | | LOW | *-20.8.10 | 20.8.11 | June 29, 2026
nelio-content | nelio-content | N/A | Nelio Content <= 4.3.1 - Authenticated (Contributor+) Server-Side Request Forgery | | LOW | *-4.3.1 | 4.3.2 | June 29, 2026
json-content-importer | json-content-importer | 93 | Get Use APIs – JSON Content Importer < 2.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | [*, 2.0.10) | 2.0.10 | June 29, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments | N/A | Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter | | LOW | *-1.6.10.0 | 1.6.10.2 | June 29, 2026
instant-popup-builder | instant-popup-builder | 93 | Instant Popup Builder <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter | | LOW | *-1.1.7 | 1.1.8 | June 29, 2026
add-custom-fields-to-media | add-custom-fields-to-media | 97 | Add Custom Fields to Media <= 2.0.3 - Cross-Site Request Forgery to Custom Field Deletion via 'delete' Parameter | | LOW | *-2.0.3 | 2.0.4 | June 29, 2026
simple-draft-list | simple-draft-list | N/A | Draft List <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'display_name' Parameter | | LOW | *-2.6.2 | 2.6.3 | June 29, 2026
wpvulnerability | wpvulnerability | N/A | WPVulnerability <= 4.2.1 - Missing Authorization | | LOW | *-4.2.1 | 4.2.1.1 | June 29, 2026
SlimStat Analytics | wp-slimstat | N/A | SlimStat Analytics <= 5.3.5 - Unauthenticated Stored Cross-Site Scripting via 'fh' | | LOW | *-5.3.5 | 5.4.0 | June 29, 2026
woocommerce-delivery-notes | woocommerce-delivery-notes | N/A | Print Invoice & Delivery Notes for WooCommerce <= 5.9.0 - Missing Authorization | | LOW | *-5.9.0 | 6.0.0 | June 29, 2026
woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers | woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers | N/A | Fraud Prevention For WooCommerce and EDD <= 2.3.3 - Missing Authorization to Unauthenticated Arbitrary Content Deletion | | LOW | *-2.3.3 | 2.3.4 | June 29, 2026
wishlist-member-x | wishlist-member-x | 92 | Wishlist Member <= 3.29.0 - Authenticated (Subscriber+) Arbitrary File Upload | | LOW | *-3.29.0 | | June 29, 2026
wishlist-member-x | wishlist-member-x | 92 | Wishlist Member <= 3.29.0 - Authenticated (Subscriber+) PHP Object Injection | | LOW | *-3.29.0 | | June 29, 2026
widget-wrangler | widget-wrangler | N/A | Widget Wrangler <= 2.3.9 - Authenticated (Author+) Remote Code Execution | | LOW | *-2.3.9 | | June 29, 2026
webd-woocommerce-advanced-reporting-statistics | webd-woocommerce-advanced-reporting-statistics | N/A | Advanced Reporting & Statistics for WooCommerce – Orders, Products & Customers Reporting <= 4.1.3 - Unauthenticated SQL Injection | | LOW | *-4.1.3 | 4.1.4 | June 29, 2026
userfeedback-lite | userfeedback-lite | N/A | User Feedback <= 1.10.1 - Missing Authorization | | LOW | *-1.10.1 | 1.11.0 | June 29, 2026
unlimited-blocks | unlimited-blocks | N/A | Gutenberg Blocks – Unlimited blocks For Gutenberg <= 1.2.8 - Reflected Cross-Site Scripting | | LOW | *-1.2.8 | | June 29, 2026
ultimate-post-kit | ultimate-post-kit | N/A | Ultimate Post Kit Addons for Elementor <= 4.0.21 - Missing Authorization | | LOW | *-4.0.21 | 4.0.22 | June 29, 2026
phox-host | phox-host | N/A | Phox Hosting <= 2.0.8 - Reflected Cross-Site Scripting | | LOW | *-2.0.8 | 2.0.9 | June 29, 2026
nexa-blocks | nexa-blocks | N/A | Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE <= 1.1.1 - Unauthenticated PHP Object Injection | | LOW | *-1.1.1 | | June 29, 2026
info-cards | info-cards | 93 | Info Cards <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes | | LOW | *-2.0.7 | 2.0.8 | June 29, 2026
WP Ghost (Hide My WP Ghost) – Security & Firewall | hide-my-wp | 79 | Hide My WP Ghost < 7.0.00 - Unauthenticated Open Redirect | | LOW | [*, 7.0.00) | 7.0.00 | June 29, 2026
gzseo | gzseo | 91 | GZSEO <= 2.0.14 - Missing Authorization | | LOW | *-2.0.14 | | June 29, 2026
EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management | 74 | EventPrime – Events Calendar, Bookings and Tickets <= 4.2.8.3 - Missing Authorization | | LOW | *-4.2.8.3 | 4.2.8.4 | June 29, 2026
Download Manager | download-manager | 63 | Download Manager <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter | | LOW | *-3.3.49 | 3.3.50 | June 29, 2026
contextual-related-posts | contextual-related-posts | 93 | Contextual Related Posts < 4.2.2 - Missing Authorization | | LOW | [*, 4.2.2) | 4.2.2 | June 29, 2026
cf7-mailchimp | cf7-mailchimp | 93 | Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.2 - Missing Authorization | | LOW | *-1.2.2 | 1.2.3 | June 29, 2026
booking-calendar | booking-calendar | 91 | Booking calendar, Appointment Booking System <= 3.2.36 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-3.2.36 | | June 29, 2026
betterdocs | betterdocs | 93 | BetterDocs <= 4.3.10 - Unauthenticated Information Exposure | | LOW | *-4.3.10 | 4.3.11 | June 29, 2026
barcode-scanner-lite-pos-to-manage-products-inventory-and-orders | barcode-scanner-lite-pos-to-manage-products-inventory-and-orders | 93 | Barcode Scanner with Inventory & Order Manager <= 1.11.0 - Cross-Site Request Forgery | | LOW | *-1.11.0 | 1.12.0 | June 29, 2026
affs | affs | 97 | SUMO Affiliates Pro < 11.4.0 - Unauthenticated PHP Object Injection | | LOW | [*, 11.4.0) | 11.4.0 | June 29, 2026
ActivityPub | activitypub | 86 | ActivityPub < 8.0.2 - Unauthenticated Information Exposure | | LOW | [*, 8.0.2) | 8.0.2 | June 29, 2026
duplicate-post | duplicate-post | 97 | Yoast Duplicate Post <= 4.5 - Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite | | LOW | *-4.5 | 4.6 | June 29, 2026
writeprint-stylometry | writeprint-stylometry | N/A | Writeprint Stylometry <= 0.1 - Reflected Cross-Site Scripting via 'p' Parameter | | LOW | *-0.1 | | June 29, 2026
crpaid-link-manager | crpaid-link-manager | 93 | [CR]Paid Link Manager <= 0.5 - Reflected Cross-Site Scripting | | LOW | *-0.5 | 0.6 | June 29, 2026
subscriptions-for-woocommerce | subscriptions-for-woocommerce | N/A | Subscriptions for WooCommerce <= 1.9.2 - Missing Authorization to Unauthenticated Arbitrary Subscription Cancellation | | LOW | *-1.9.2 | 1.9.3 | June 29, 2026
WP Go Maps (formerly WP Google Maps) | wp-google-maps | 66 | WP Go Maps (formerly WP Google Maps) <= 10.0.05 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via admin_post_wpgmza_save_settings | | LOW | *-10.0.05 | 10.0.06 | June 29, 2026
woocommerce-products-slider | woocommerce-products-slider | N/A | Product Slider, Product Grid, Product Masonry <= 1.13.61 - Missing Authorization | | LOW | *-1.13.61 | 1.13.62 | June 29, 2026
Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools | woocommerce-jetpack | 65 | Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools < 7.11.3 - Missing Authorization | | LOW | [*, 7.11.3) | 7.11.3 | June 29, 2026
winterlock | winterlock | N/A | Activity Log for WordPress <= 1.2.7 - Missing Authorization | | LOW | *-1.2.7 | 1.2.8 | June 29, 2026
us-core | us-core | N/A | UpSolution Core <= 8.41 - Reflected Cross-Site Scripting | | LOW | *-8.41 | 8.42 | June 29, 2026
simple-embed-code | simple-embed-code | N/A | Code Embed <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields | | LOW | *-2.5.1 | 2.5.2 | June 29, 2026
remoji | remoji | N/A | Remoji – Post/Comment Reaction and Enhancement <= 2.2 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-2.2 | | June 29, 2026
publishpress-authors | publishpress-authors | N/A | Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.10.1 - Missing Authorization | | LOW | *-4.10.1 | 4.11.0 | June 29, 2026
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | post-smtp | 87 | Post SMTP <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite | | LOW | *-3.8.0 | 3.9.0 | June 29, 2026
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | post-smtp | 87 | Post SMTP <= 3.8.0 - Unauthenticated Stored Cross-Site Scripting via 'event_type' | | LOW | *-3.8.0 | 3.9.0 | June 29, 2026
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery | nextgen-gallery | 66 | Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 4.0.4 - Authenticated (Author+) Local File Inclusion | | LOW | *-4.0.4 | 4.0.5 | June 29, 2026
Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization | nelio-ab-testing | 81 | Nelio AB Testing <= 8.2.8 - Unauthenticated Information Exposure | | LOW | *-8.2.8 | 8.3.0 | June 29, 2026
listeo-core | listeo-core | 91 | Listeo-Core - Directory Plugin by Purethemes <= 2.0.21 - Reflected Cross-Site Scripting | | LOW | *-2.0.21 | | June 29, 2026
kivicare-clinic-management-system | kivicare-clinic-management-system | 93 | KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token | | LOW | *-4.1.2 | 4.1.3 | June 29, 2026
kivicare-clinic-management-system | kivicare-clinic-management-system | 93 | KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard | | LOW | *-4.1.2 | 4.1.3 | June 29, 2026
image-widget | image-widget | 93 | Image Widget <= 4.4.11 - Authenticated (Author+) Stored Cross-Site Scripting | | LOW | *-4.4.11 | 4.4.12 | June 29, 2026
EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management | 74 | EventPrime – Events Calendar, Bookings and Tickets <= 4.2.8.0 - Unauthenticated PHP Object Injection | | LOW | *-4.2.8.0 | 4.2.8.1 | June 29, 2026
et-core-plugin | et-core-plugin | 93 | XStore Core <= 5.6.4 - Reflected Cross-Site Scripting | | LOW | *-5.6.4 | 5.6.5 | June 29, 2026
cp-multi-view-calendar | cp-multi-view-calendar | 91 | CP Multi View Events Calendar <= 1.4.34 - Authenticated (Subscriber+) Stored Cross-Site Scripting | | LOW | *-1.4.34 | | June 29, 2026
ave-core | ave-core | 91 | Ave Core <= 2.9.1 - Missing Authorization | | LOW | *-2.9.1 | | June 29, 2026
avalex | avalex | 93 | avalex – Automatisch sichere Rechtstexte <= 3.1.3 - Missing Authorization | | LOW | *-3.1.3 | 3.1.4 | June 29, 2026
a2z-fedex-shipping | a2z-fedex-shipping | 95 | Automated FedEx live/manual rates with shipping labels – HPOS supported <= 5.1.8 - Missing Authorization | | LOW | *-5.1.8 | | June 29, 2026
Royal Addons for Elementor – Addons and Templates Kit for Elementor | royal-elementor-addons | N/A | Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure | | LOW | *-1.7.1049 | 1.7.1050 | June 29, 2026
product-blocks | product-blocks | N/A | WowStore – Store Builder & Product Blocks for WooCommerce <= 4.4.3 - Unauthenticated SQL Injection via 'search' Parameter | | LOW | *-4.4.3 | 4.4.4 | June 29, 2026
wp-easy-pay | wp-easy-pay | N/A | WP Easy Pay – Payment and Donation form Builder for Square <= 4.2.11 - Missing Authorization | | LOW | *-4.2.11 | 4.2.12 | June 29, 2026
woozone | woozone | N/A | WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.31 - Authenticated (Subscriber+) SQL Injection | | LOW | *-14.0.31 | | June 29, 2026
woozone | woozone | N/A | WooCommerce Amazon Affiliates - Wordpress Plugin <= 14.0.31 - Authenticated (Subscriber+) Arbitrary File Deletion | | LOW | *-14.0.31 | | June 29, 2026
StoreCustomizer – A plugin to Customize all WooCommerce Pages | woocustomizer | N/A | StoreCustomizer – A plugin to Customize all WooCommerce Pages <= 2.6.3 - Missing Authorization | | LOW | *-2.6.3 | 2.6.5 | June 29, 2026
viabill-woocommerce | viabill-woocommerce | N/A | ViaBill – WooCommerce < 1.1.70 - Missing Authorization to Unauthenticated Settings Change | | LOW | [*, 1.1.70) | 1.1.70 | June 29, 2026
unlimited-elements-for-elementor-premium | unlimited-elements-for-elementor-premium | N/A | Unlimited Elements for Elementor (Premium) <= 1.4.72 - Authenticated (Contributor+) Arbitrary File Upload | | LOW | *-1.4.72 | | June 29, 2026
tutor | tutor | N/A | Tutor LMS – eLearning and online course solution <= 3.9.4 - Authenticated (Subscriber+) Insecure Direct Object Reference | | LOW | *-3.9.4 | 3.9.5 | June 29, 2026
totalpoll-lite | totalpoll-lite | N/A | TotalPoll for Polls and Contests <= 4.12.0 - Authenticated (Contributor+) Remote Code Execution | | LOW | *-4.12.0 | | June 29, 2026

Showing 2001 to 2100 of 36280 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 20:12 UTC.