Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36282

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
tutor	tutor	N/A	Tutor LMS – eLearning and online course solution <= 3.9.4 - Authenticated (Subscriber+) Insecure Direct Object Reference	LOW	*-3.9.4	3.9.5	June 29, 2026
totalpoll-lite	totalpoll-lite	N/A	TotalPoll for Polls and Contests <= 4.12.0 - Authenticated (Contributor+) Remote Code Execution	LOW	*-4.12.0		June 29, 2026
theaisle-core	theaisle-core	N/A	The Aisle Core <= 2.0.5 - Unauthenticated Local File Inclusion	LOW	*-2.0.5		June 29, 2026
td-subscription	td-subscription	N/A	tagDiv Opt-In Builder <= 1.7.3 - Reflected Cross-Site Scripting	LOW	*-1.7.3	1.7.4	June 29, 2026
sb-woocommerce-infinite-scroll	sb-woocommerce-infinite-scroll	N/A	WooCommerce Infinite Scroll <= 1.6.2 - Authenticated (Subscriber+) PHP Object Injection	LOW	*-1.6.2		June 29, 2026
post-snippets	post-snippets	N/A	Post Snippets – Custom WordPress Code Snippets Customizer <= 4.0.12 - Authenticated (Contributor+) Remote Code Execution	LOW	*-4.0.12	4.0.13	June 29, 2026
noo-visionary-core	noo-visionary-core	N/A	Visionary Core <= 1.4.9 - Reflected Cross-Site Scripting	LOW	*-1.4.9	1.5.0	June 29, 2026
noo-visionary-core	noo-visionary-core	N/A	Visionary Core <= 1.4.9 - Authenticated (Subscriber+) PHP Object Injection	LOW	*-1.4.9	1.5.0	June 29, 2026
noo-organici-library	noo-organici-library	N/A	Organici Library <= 2.1.2 - Authenticated (Subscriber+) PHP Object Injection	LOW	*-2.1.2	2.1.3	June 29, 2026
noo-organici-library	noo-organici-library	N/A	Organici Library <= 2.1.2 - Reflected Cross-Site Scripting	LOW	*-2.1.2	2.1.3	June 29, 2026
noo-organici-library	noo-organici-library	N/A	Organici Library <= 2.1.2 - Authenticated (Subscriber+) SQL Injection	LOW	*-2.1.2	2.1.3	June 29, 2026
modern-events-calendar	modern-events-calendar	N/A	Modern Events Calendar <= 7.32.0 - Missing Authorization	LOW	*-7.32.0	7.33.0	June 29, 2026
master-addons	master-addons	93	Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits <= 2.1.3 - Authenticated (Author+) Stored Cross-Site Scripting	LOW	*-2.1.3	2.1.4	June 29, 2026
learnpress-sepay-payment	learnpress-sepay-payment	93	LearnPress – Sepay Payment <= 4.0.0 - Missing Authorization	LOW	*-4.0.0	4.0.1	June 29, 2026
jobica-core	jobica-core	91	Jobica Core <= 1.4.1 - Reflected Cross-Site Scripting	LOW	*-1.4.1	1.4.2	June 29, 2026
jobica-core	jobica-core	91	Jobica Core <= 1.4.1 - Authenticated (Subscriber+) PHP Object Injection	LOW	*-1.4.1	1.4.2	June 29, 2026
jobica-core	jobica-core	91	Jobica Core <= 1.4.2 - Missing Authorization	LOW	*-1.4.2		June 29, 2026
flexmls-idx	flexmls-idx	93	Flexmls® IDX Plugin <= 3.15.9 - Reflected Cross-Site Scripting	LOW	*-3.15.9	3.15.10	June 29, 2026
dokan-lite	dokan-lite	93	Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Missing Authorization	LOW	*-4.2.4	4.2.5	June 29, 2026
curly-core	curly-core	93	Curly Core <= 2.1.6 - Unauthenticated Local File Inclusion	LOW	*-2.1.6	2.2.2	June 29, 2026
advanced-custom-post-type	advanced-custom-post-type	95	ACPT (Pro) - Custom Post Types Plugin for WordPress <= 2.0.47 - Unauthenticated Remote Code Execution	LOW	*-2.0.47		June 29, 2026
admin-safety-guard	admin-safety-guard	95	Admin Safety Guard — Login Security & 2FA <= 1.2.9 - Missing Authorization	LOW	*-1.2.9	1.3.0	June 29, 2026
YayMail – WooCommerce Email Customizer	yaymail	N/A	YayMail <= 4.3.3 - Authenticated (Shop manager+) SQL Injection	LOW	*-4.3.3	4.3.4	June 29, 2026
tutor	tutor	N/A	Tutor LMS <= 3.9.7 - Missing Authorization	LOW	*-3.9.7	3.9.8	June 29, 2026
Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)	really-simple-ssl	84	Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.7 - Missing Authorization	LOW	*-9.5.7	9.5.8	June 29, 2026
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration	wp-user-frontend	N/A	User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter	LOW	*-4.2.8	4.2.9	June 29, 2026
nex-forms-express-wp-form-builder	nex-forms-express-wp-form-builder	N/A	NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id	LOW	*-9.1.9	9.1.10	June 29, 2026
wicked-folders	wicked-folders	N/A	Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion	LOW	*-4.1.0	4.1.1	June 29, 2026
thim-elementor-kit	thim-elementor-kit	N/A	Thim Kit for Elementor <= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure	LOW	*-1.3.7	1.3.8	June 29, 2026
Ultra Addons for Contact Form 7	ultimate-addons-for-contact-form-7	70	Ultra Addons for Contact Form 7 <= 3.5.36 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.5.36	3.5.37	June 29, 2026
compe-woo-compare-products	compe-woo-compare-products	93	COMPE <= 1.1.4 - Unauthenticated Insecure Direct Object Reference	LOW	*-1.1.4	1.1.5	June 29, 2026
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode	coming-soon	68	Coming Soon Page, Under Construction & Maintenance Mode by SeedProd <= 6.19.8 - Authenticated (Editor+) Server-Side Request Forgery	LOW	*-6.19.8	6.19.9	June 29, 2026
checkout-upsell-and-order-bumps	checkout-upsell-and-order-bumps	93	UpsellWP – WooCommerce Upsell and Related Products Offers <= 2.2.4 - Authenticated (Shop manager+) SQL Injection	LOW	*-2.2.4	2.2.5	June 29, 2026
categories-images	categories-images	93	Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.3.1	3.3.2	June 29, 2026
nex-forms-express-wp-form-builder	nex-forms-express-wp-form-builder	N/A	NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license	LOW	*-9.1.9	9.1.10	June 29, 2026
subscriptions-for-woocommerce	subscriptions-for-woocommerce	N/A	Subscriptions for WooCommerce <= 1.8.10 - Missing Authorization	LOW	*-1.8.10	1.9.0	June 29, 2026
doofinder-for-woocommerce	doofinder-for-woocommerce	93	Doofinder for WooCommerce <= 2.10.13 - Unauthenticated Information Exposure	LOW	*-2.10.13	2.10.14	June 29, 2026
social-icons-widget-by-wpzoom	social-icons-widget-by-wpzoom	N/A	Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation	LOW	*-4.5.8	4.5.9	June 29, 2026
Calculated Fields Form	calculated-fields-form	70	Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings	LOW	*-5.4.5.0	5.4.5.1	June 29, 2026
getgenie	getgenie	93	GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API	LOW	*-4.3.2	4.3.3	June 29, 2026
getgenie	getgenie	93	GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion	LOW	*-4.3.2	4.3.3	June 29, 2026
formidable	formidable	93	Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter	LOW	*-6.28	6.29	June 29, 2026
formidable	formidable	93	Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse	LOW	*-6.28	6.29	June 29, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments	N/A	Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint	LOW	*-1.6.9.29	1.6.10.0	June 29, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments	N/A	Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure	LOW	*-1.6.9.29	1.6.10.0	June 29, 2026
payment-gateway-pix-for-woocommerce	payment-gateway-pix-for-woocommerce	N/A	Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload	LOW	*-1.5.0	1.6.0	June 29, 2026
simple-ajax-chat	simple-ajax-chat	N/A	Simple Ajax Chat <= 20260217 - Unauthenticated Stored Cross-Site Scripting via 'c'	LOW	*-20260217	20260301	June 29, 2026
mobile-app-editor	mobile-app-editor	91	Mobile App Editor – WordPress to Android App Builder <= 1.3.1 - Authenticated (Editor+) Arbitrary File Upload	LOW	*-1.3.1		June 29, 2026
Xagio SEO – AI Powered SEO	xagio-seo	64	Xagio SEO – AI Powered SEO <= 7.1.0.30 - Unauthenticated Privilege Escalation	LOW	*-7.1.0.30	7.1.0.31	June 29, 2026
wp-contact-form-7-spam-blocker	wp-contact-form-7-spam-blocker	N/A	Spam Protect for Contact Form 7 < 1.2.10 - Authenticated (Editor+) Remote Code Execution	LOW	[*, 1.2.10)	1.2.10	June 29, 2026
wp-cafe	wp-cafe	N/A	WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution <= 3.0.7 - Missing Authorization	LOW	*-3.0.7	3.0.8	June 29, 2026
Website LLMs.txt	website-llms-txt	94	Website LLMs.txt <= 8.2.6 - Reflected Cross-Site Scripting	LOW	*-8.2.6	8.2.7	June 29, 2026
timetics	timetics	N/A	Timetics – Appointment Booking Calendar & Scheduling System < 1.0.52 - Missing Authorization	LOW	[*, 1.0.52)	1.0.52	June 29, 2026
rsvp	rsvp	N/A	RSVP and Event Management <= 2.7.16 - Unauthenticated Information Exposure	LOW	*-2.7.16	2.7.17	June 29, 2026
revive-so	revive-so	N/A	Revive.so <= 2.0.7 - Missing Authorization	LOW	*-2.0.7	2.0.8	June 29, 2026
reading-progress-bar	reading-progress-bar	N/A	Reading progressbar < 1.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	[*, 1.3.1)	1.3.1	June 29, 2026
penci-data-migrator	penci-data-migrator	N/A	Penci Soledad Data Migrator <= 1.3.1 - Reflected Cross-Site Scripting	LOW	*-1.3.1		June 29, 2026
pagelayer	pagelayer	N/A	PageLayer <= 2.0.8 - Authenticated (Contributor+) Information Exposure	LOW	*-2.0.8	2.0.9	June 29, 2026
metform-pro	metform-pro	91	MetForm Pro <= 3.9.1 - Missing Authorization	LOW	*-3.9.1		June 29, 2026
Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder	gutena-forms	91	Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder < 1.6.1 - Missing Authorization to Authenticated (Contributor+) Settings Update	LOW	[*, 1.6.1)	1.6.1	June 29, 2026
front-editor	front-editor	89	Guest posting / Frontend Posting / Front Editor – WP Front User Submit < 5.0.6 - Unauthenticated Information Exposure	LOW	[*, 5.0.6)	5.0.6	June 29, 2026
everest-forms-pro	everest-forms-pro	93	Everest Forms Pro <= 1.9.12 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.9.12	1.9.13	June 29, 2026
dukapress	dukapress	91	DukaPress <= 3.2.4 - Unauthenticated Stored Cross-Site Scripting	LOW	*-3.2.4		June 29, 2026
divi-booster	divi-booster	93	Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection	LOW	[*, 5.0.2)	5.0.2	June 29, 2026
datalogics	datalogics	93	Datalogics Ecommerce Delivery – Datalogics < 2.6.60 - Unauthenticated Privilege Escalation	LOW	[*, 2.6.60)	2.6.60	June 29, 2026
custom-registration-form-builder-with-submission-manager	custom-registration-form-builder-with-submission-manager	93	RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.1 - Authentication Bypass	LOW	*-6.0.7.1	6.0.7.2	June 29, 2026
bulk-editor	bulk-editor	93	WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.7 - Authenticated (Editor+) SQL Injection	LOW	*-1.0.8.7	1.0.9	June 29, 2026
builderpress	builderpress	91	BuilderPress <= 2.0.1 - Unauthenticated Local File Inclusion	LOW	*-2.0.1		June 29, 2026
mystickymenu	mystickymenu	N/A	My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action	LOW	*-2.8.6	2.8.7	June 29, 2026
learnpress	learnpress	93	LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering	LOW	*-4.3.2.8	4.3.3	June 29, 2026
wpstream	wpstream	N/A	WpStream < 4.11.2 - Authenticated (Subscriber+) Insecure Direct Object Reference	LOW	[*, 4.11.2)	4.11.2	June 29, 2026
responsive-block-editor-addons	responsive-block-editor-addons	N/A	Responsive Blocks – Page Builder for Blocks & Patterns <= 2.2.0 - Missing Authorization	LOW	*-2.2.0	2.2.1	June 29, 2026
instawp-connect	instawp-connect	93	InstaWP Connect <= 0.1.2.5 - Missing Authorization	LOW	*-0.1.2.5	0.1.2.7	June 29, 2026
advanced-product-fields-for-woocommerce	advanced-product-fields-for-woocommerce	97	Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.18 - Missing Authorization	LOW	*-1.6.18	1.6.19	June 29, 2026
woo-checkout-field-editor-pro	woo-checkout-field-editor-pro	N/A	Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field	LOW	*-2.1.7	2.1.8	June 29, 2026
gravityforms	gravityforms	93	Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title	LOW	*-2.9.28	2.9.29	June 29, 2026
google-analytics-dashboard-for-wp	google-analytics-dashboard-for-wp	93	ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update	LOW	7.1.0-9.0.2	9.0.3	June 29, 2026
google-analytics-dashboard-for-wp	google-analytics-dashboard-for-wp	93	ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation	LOW	8.0.0-9.0.2	9.0.3	June 29, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments	N/A	Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter	LOW	*-1.6.9.27	1.6.9.29	June 29, 2026
happy-elementor-addons	happy-elementor-addons	93	Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter	LOW	*-3.21.0	3.21.1	June 29, 2026
happy-elementor-addons	happy-elementor-addons	93	Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions	LOW	*-3.21.0	3.21.1	June 29, 2026
jet-booking	jet-booking	93	JetBooking <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter	LOW	*-4.0.3	4.0.3.1	June 29, 2026
WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters	wp-google-map-plugin	74	WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter	LOW	*-4.9.1	4.9.2	June 29, 2026
weforms	weforms	N/A	weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API	LOW	*-1.6.27	1.6.28	June 29, 2026
wp-ulike	wp-ulike	N/A	WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute	LOW	*-5.0.1	5.0.2	June 29, 2026
pojo-accessibility	pojo-accessibility	N/A	Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path	LOW	*-4.0.3	4.1.0	June 29, 2026
Royal Addons for Elementor – Addons and Templates Kit for Elementor	royal-elementor-addons	N/A	Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass	LOW	*-1.7.1049	1.7.1050	June 29, 2026
wp-user-avatar	wp-user-avatar	N/A	ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration	LOW	*-4.16.11	4.16.12	June 29, 2026
MC4WP: Mailchimp for WordPress	mailchimp-for-wp	87	MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion	LOW	*-4.11.1	4.12.0	June 29, 2026
rometheme-for-elementor	rometheme-for-elementor	N/A	RTMKit <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter	LOW	*-1.6.8	2.0.0	June 29, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events	latepoint	83	LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting	LOW	*-5.2.7	5.2.8	June 29, 2026
3d-flipbook-dflip-lite	3d-flipbook-dflip-lite	97	Dear Flipbook <= 2.4.20 - Authenticated (Auhtor+) Stored Cross-Site Scripting via PDF Page Labels	LOW	*-2.4.20	2.4.27	June 29, 2026
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration	wp-user-frontend	N/A	User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.5 - Missing Authorization	LOW	*-4.2.5	4.2.6	June 29, 2026
wp-meta-data-filter-and-taxonomy-filter	wp-meta-data-filter-and-taxonomy-filter	N/A	MDTF – Meta Data and Taxonomies Filter <= 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.3.5	1.3.6	June 29, 2026
WooCommerce	woocommerce	80	WooCommerce < 10.5.3 - Cross-Site Request Forgery	LOW	[*, 10.5.3)	10.5.3	June 29, 2026
wolverine-framework	wolverine-framework	N/A	Wolverine Framework <= 1.9 - Reflected Cross-Site Scripting	LOW	*-1.9		June 29, 2026
ultra-admin	ultra-admin	N/A	Ultra WordPress Admin <= 11.7 - Reflected Cross-Site Scripting	LOW	*-11.7		June 29, 2026
uipress-lite	uipress-lite	N/A	UiPress lite \| Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization	LOW	*-3.5.09		June 29, 2026
totalcontest-lite	totalcontest-lite	N/A	Photo Contest \| Competition \| Video Contest <= 2.9.1 - Authenticated (Author+) PHP Object Injection	LOW	*-2.9.1		June 29, 2026
td-composer	td-composer	N/A	tagDiv Composer <= 5.4.2 - Reflected Cross-Site Scripting	LOW	*-5.4.2	5.4.3	June 29, 2026

LOW

tutor

Score: N/A Tutor LMS – eLearning and online course solution <= 3.9.4 - Authenticated (Subscriber+) Insecure Direct Object Reference Affected: *-3.9.4 Patched: 3.9.5 Updated: June 29, 2026

LOW

totalpoll-lite

Score: N/A TotalPoll for Polls and Contests <= 4.12.0 - Authenticated (Contributor+) Remote Code Execution Affected: *-4.12.0 Patched: Updated: June 29, 2026

LOW

theaisle-core

Score: N/A The Aisle Core <= 2.0.5 - Unauthenticated Local File Inclusion Affected: *-2.0.5 Patched: Updated: June 29, 2026

LOW

td-subscription

Score: N/A tagDiv Opt-In Builder <= 1.7.3 - Reflected Cross-Site Scripting Affected: *-1.7.3 Patched: 1.7.4 Updated: June 29, 2026

LOW

sb-woocommerce-infinite-scroll

Score: N/A WooCommerce Infinite Scroll <= 1.6.2 - Authenticated (Subscriber+) PHP Object Injection Affected: *-1.6.2 Patched: Updated: June 29, 2026

LOW

post-snippets

Score: N/A Post Snippets – Custom WordPress Code Snippets Customizer <= 4.0.12 - Authenticated (Contributor+) Remote Code Execution Affected: *-4.0.12 Patched: 4.0.13 Updated: June 29, 2026

LOW

noo-visionary-core

Score: N/A Visionary Core <= 1.4.9 - Reflected Cross-Site Scripting Affected: *-1.4.9 Patched: 1.5.0 Updated: June 29, 2026

LOW

noo-visionary-core

Score: N/A Visionary Core <= 1.4.9 - Authenticated (Subscriber+) PHP Object Injection Affected: *-1.4.9 Patched: 1.5.0 Updated: June 29, 2026

LOW

noo-organici-library

Score: N/A Organici Library <= 2.1.2 - Authenticated (Subscriber+) PHP Object Injection Affected: *-2.1.2 Patched: 2.1.3 Updated: June 29, 2026

LOW

noo-organici-library

Score: N/A Organici Library <= 2.1.2 - Reflected Cross-Site Scripting Affected: *-2.1.2 Patched: 2.1.3 Updated: June 29, 2026

LOW

noo-organici-library

Score: N/A Organici Library <= 2.1.2 - Authenticated (Subscriber+) SQL Injection Affected: *-2.1.2 Patched: 2.1.3 Updated: June 29, 2026

LOW

modern-events-calendar

Score: N/A Modern Events Calendar <= 7.32.0 - Missing Authorization Affected: *-7.32.0 Patched: 7.33.0 Updated: June 29, 2026

LOW

Score: 93/100 Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits <= 2.1.3 - Authenticated (Author+) Stored Cross-Site Scripting Affected: *-2.1.3 Patched: 2.1.4 Updated: June 29, 2026

LOW

learnpress-sepay-payment

Score: 93/100 LearnPress – Sepay Payment <= 4.0.0 - Missing Authorization Affected: *-4.0.0 Patched: 4.0.1 Updated: June 29, 2026

LOW

jobica-core

Score: 91/100 Jobica Core <= 1.4.1 - Reflected Cross-Site Scripting Affected: *-1.4.1 Patched: 1.4.2 Updated: June 29, 2026

LOW

jobica-core

Score: 91/100 Jobica Core <= 1.4.1 - Authenticated (Subscriber+) PHP Object Injection Affected: *-1.4.1 Patched: 1.4.2 Updated: June 29, 2026

LOW

jobica-core

Score: 91/100 Jobica Core <= 1.4.2 - Missing Authorization Affected: *-1.4.2 Patched: Updated: June 29, 2026

LOW

flexmls-idx

Score: 93/100 Flexmls® IDX Plugin <= 3.15.9 - Reflected Cross-Site Scripting Affected: *-3.15.9 Patched: 3.15.10 Updated: June 29, 2026

LOW

dokan-lite

Score: 93/100 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Missing Authorization Affected: *-4.2.4 Patched: 4.2.5 Updated: June 29, 2026

LOW

curly-core

Score: 93/100 Curly Core <= 2.1.6 - Unauthenticated Local File Inclusion Affected: *-2.1.6 Patched: 2.2.2 Updated: June 29, 2026

LOW

advanced-custom-post-type

Score: 95/100 ACPT (Pro) - Custom Post Types Plugin for WordPress <= 2.0.47 - Unauthenticated Remote Code Execution Affected: *-2.0.47 Patched: Updated: June 29, 2026

LOW

admin-safety-guard

Score: 95/100 Admin Safety Guard — Login Security & 2FA <= 1.2.9 - Missing Authorization Affected: *-1.2.9 Patched: 1.3.0 Updated: June 29, 2026

LOW

YayMail – WooCommerce Email Customizer

yaymail

Score: N/A YayMail <= 4.3.3 - Authenticated (Shop manager+) SQL Injection Affected: *-4.3.3 Patched: 4.3.4 Updated: June 29, 2026

LOW

tutor

Score: N/A Tutor LMS <= 3.9.7 - Missing Authorization Affected: *-3.9.7 Patched: 3.9.8 Updated: June 29, 2026

LOW

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)

really-simple-ssl

Score: 84/100 Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.7 - Missing Authorization Affected: *-9.5.7 Patched: 9.5.8 Updated: June 29, 2026

LOW

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

wp-user-frontend

Score: N/A User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Post Modification via 'post_id' Parameter Affected: *-4.2.8 Patched: 4.2.9 Updated: June 29, 2026

LOW

nex-forms-express-wp-form-builder

Score: N/A NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id Affected: *-9.1.9 Patched: 9.1.10 Updated: June 29, 2026

LOW

wicked-folders

Score: N/A Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion Affected: *-4.1.0 Patched: 4.1.1 Updated: June 29, 2026

LOW

thim-elementor-kit

Score: N/A Thim Kit for Elementor <= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure Affected: *-1.3.7 Patched: 1.3.8 Updated: June 29, 2026

LOW

Ultra Addons for Contact Form 7

ultimate-addons-for-contact-form-7

Score: 70/100 Ultra Addons for Contact Form 7 <= 3.5.36 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.5.36 Patched: 3.5.37 Updated: June 29, 2026

LOW

compe-woo-compare-products

Score: 93/100 COMPE <= 1.1.4 - Unauthenticated Insecure Direct Object Reference Affected: *-1.1.4 Patched: 1.1.5 Updated: June 29, 2026

LOW

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

coming-soon

Score: 68/100 Coming Soon Page, Under Construction & Maintenance Mode by SeedProd <= 6.19.8 - Authenticated (Editor+) Server-Side Request Forgery Affected: *-6.19.8 Patched: 6.19.9 Updated: June 29, 2026

LOW

checkout-upsell-and-order-bumps

Score: 93/100 UpsellWP – WooCommerce Upsell and Related Products Offers <= 2.2.4 - Authenticated (Shop manager+) SQL Injection Affected: *-2.2.4 Patched: 2.2.5 Updated: June 29, 2026

LOW

categories-images

Score: 93/100 Categories Images <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.3.1 Patched: 3.3.2 Updated: June 29, 2026

LOW

nex-forms-express-wp-form-builder

Score: N/A NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license Affected: *-9.1.9 Patched: 9.1.10 Updated: June 29, 2026

LOW

subscriptions-for-woocommerce

Score: N/A Subscriptions for WooCommerce <= 1.8.10 - Missing Authorization Affected: *-1.8.10 Patched: 1.9.0 Updated: June 29, 2026

LOW

doofinder-for-woocommerce

Score: 93/100 Doofinder for WooCommerce <= 2.10.13 - Unauthenticated Information Exposure Affected: *-2.10.13 Patched: 2.10.14 Updated: June 29, 2026

LOW

social-icons-widget-by-wpzoom

Score: N/A Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation Affected: *-4.5.8 Patched: 4.5.9 Updated: June 29, 2026

LOW

Calculated Fields Form

calculated-fields-form

Score: 70/100 Calculated Fields Form <= 5.4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Form Settings Affected: *-5.4.5.0 Patched: 5.4.5.1 Updated: June 29, 2026

LOW

getgenie

Score: 93/100 GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API Affected: *-4.3.2 Patched: 4.3.3 Updated: June 29, 2026

LOW

getgenie

Score: 93/100 GetGenie <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Post Overwrite/Deletion Affected: *-4.3.2 Patched: 4.3.3 Updated: June 29, 2026

LOW

formidable

Score: 93/100 Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter Affected: *-6.28 Patched: 6.29 Updated: June 29, 2026

LOW

formidable

Score: 93/100 Formidable Forms <= 6.28 - Missing Authorization to Unauthenticated Payment Integrity Bypass via PaymentIntent Reuse Affected: *-6.28 Patched: 6.29 Updated: June 29, 2026

LOW

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

simply-schedule-appointments

Score: N/A Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint Affected: *-1.6.9.29 Patched: 1.6.10.0 Updated: June 29, 2026

LOW

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

simply-schedule-appointments

Score: N/A Appointment Booking Calendar <= 1.6.9.29 - Insecure Direct Object Reference to Authenticated (Staff+) Sensitive Information Exposure Affected: *-1.6.9.29 Patched: 1.6.10.0 Updated: June 29, 2026

LOW

payment-gateway-pix-for-woocommerce

Score: N/A Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload Affected: *-1.5.0 Patched: 1.6.0 Updated: June 29, 2026

LOW

simple-ajax-chat

Score: N/A Simple Ajax Chat <= 20260217 - Unauthenticated Stored Cross-Site Scripting via 'c' Affected: *-20260217 Patched: 20260301 Updated: June 29, 2026

LOW

mobile-app-editor

Score: 91/100 Mobile App Editor – WordPress to Android App Builder <= 1.3.1 - Authenticated (Editor+) Arbitrary File Upload Affected: *-1.3.1 Patched: Updated: June 29, 2026

LOW

Xagio SEO – AI Powered SEO

xagio-seo

Score: 64/100 Xagio SEO – AI Powered SEO <= 7.1.0.30 - Unauthenticated Privilege Escalation Affected: *-7.1.0.30 Patched: 7.1.0.31 Updated: June 29, 2026

LOW

wp-contact-form-7-spam-blocker

Score: N/A Spam Protect for Contact Form 7 < 1.2.10 - Authenticated (Editor+) Remote Code Execution Affected: [*, 1.2.10) Patched: 1.2.10 Updated: June 29, 2026

LOW

wp-cafe

Score: N/A WPCafe – Restaurant Menu, Online Food Ordering and Reservation Booking Solution <= 3.0.7 - Missing Authorization Affected: *-3.0.7 Patched: 3.0.8 Updated: June 29, 2026

LOW

Website LLMs.txt

website-llms-txt

Score: 94/100 Website LLMs.txt <= 8.2.6 - Reflected Cross-Site Scripting Affected: *-8.2.6 Patched: 8.2.7 Updated: June 29, 2026

LOW

timetics

Score: N/A Timetics – Appointment Booking Calendar & Scheduling System < 1.0.52 - Missing Authorization Affected: [*, 1.0.52) Patched: 1.0.52 Updated: June 29, 2026

LOW

rsvp

Score: N/A RSVP and Event Management <= 2.7.16 - Unauthenticated Information Exposure Affected: *-2.7.16 Patched: 2.7.17 Updated: June 29, 2026

LOW

revive-so

Score: N/A Revive.so <= 2.0.7 - Missing Authorization Affected: *-2.0.7 Patched: 2.0.8 Updated: June 29, 2026

LOW

reading-progress-bar

Score: N/A Reading progressbar < 1.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: [*, 1.3.1) Patched: 1.3.1 Updated: June 29, 2026

LOW

penci-data-migrator

Score: N/A Penci Soledad Data Migrator <= 1.3.1 - Reflected Cross-Site Scripting Affected: *-1.3.1 Patched: Updated: June 29, 2026

LOW

pagelayer

Score: N/A PageLayer <= 2.0.8 - Authenticated (Contributor+) Information Exposure Affected: *-2.0.8 Patched: 2.0.9 Updated: June 29, 2026

LOW

metform-pro

Score: 91/100 MetForm Pro <= 3.9.1 - Missing Authorization Affected: *-3.9.1 Patched: Updated: June 29, 2026

LOW

Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder

gutena-forms

Score: 91/100 Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder < 1.6.1 - Missing Authorization to Authenticated (Contributor+) Settings Update Affected: [*, 1.6.1) Patched: 1.6.1 Updated: June 29, 2026

LOW

front-editor

Score: 89/100 Guest posting / Frontend Posting / Front Editor – WP Front User Submit < 5.0.6 - Unauthenticated Information Exposure Affected: [*, 5.0.6) Patched: 5.0.6 Updated: June 29, 2026

LOW

everest-forms-pro

Score: 93/100 Everest Forms Pro <= 1.9.12 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.9.12 Patched: 1.9.13 Updated: June 29, 2026

LOW

dukapress

Score: 91/100 DukaPress <= 3.2.4 - Unauthenticated Stored Cross-Site Scripting Affected: *-3.2.4 Patched: Updated: June 29, 2026

LOW

divi-booster

Score: 93/100 Divi Booster < 5.0.2 - Unauthenticated PHP Object Injection Affected: [*, 5.0.2) Patched: 5.0.2 Updated: June 29, 2026

LOW

datalogics

Score: 93/100 Datalogics Ecommerce Delivery – Datalogics < 2.6.60 - Unauthenticated Privilege Escalation Affected: [*, 2.6.60) Patched: 2.6.60 Updated: June 29, 2026

LOW

custom-registration-form-builder-with-submission-manager

Score: 93/100 RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.7.1 - Authentication Bypass Affected: *-6.0.7.1 Patched: 6.0.7.2 Updated: June 29, 2026

LOW

bulk-editor

Score: 93/100 WOLF – WordPress Posts Bulk Editor and Manager Professional <= 1.0.8.7 - Authenticated (Editor+) SQL Injection Affected: *-1.0.8.7 Patched: 1.0.9 Updated: June 29, 2026

LOW

builderpress

Score: 91/100 BuilderPress <= 2.0.1 - Unauthenticated Local File Inclusion Affected: *-2.0.1 Patched: Updated: June 29, 2026

LOW

mystickymenu

Score: N/A My Sticky Bar <= 2.8.6 - Unauthenticated SQL Injection via 'stickymenu_contact_lead_form' Action Affected: *-2.8.6 Patched: 2.8.7 Updated: June 29, 2026

LOW

learnpress

Score: 93/100 LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering Affected: *-4.3.2.8 Patched: 4.3.3 Updated: June 29, 2026

LOW

wpstream

Score: N/A WpStream < 4.11.2 - Authenticated (Subscriber+) Insecure Direct Object Reference Affected: [*, 4.11.2) Patched: 4.11.2 Updated: June 29, 2026

LOW

responsive-block-editor-addons

Score: N/A Responsive Blocks – Page Builder for Blocks & Patterns <= 2.2.0 - Missing Authorization Affected: *-2.2.0 Patched: 2.2.1 Updated: June 29, 2026

LOW

instawp-connect

Score: 93/100 InstaWP Connect <= 0.1.2.5 - Missing Authorization Affected: *-0.1.2.5 Patched: 0.1.2.7 Updated: June 29, 2026

LOW

advanced-product-fields-for-woocommerce

Score: 97/100 Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.18 - Missing Authorization Affected: *-1.6.18 Patched: 1.6.19 Updated: June 29, 2026

LOW

woo-checkout-field-editor-pro

Score: N/A Checkout Field Editor (Checkout Manager) for WooCommerce <= 2.1.7 - Unauthenticated Stored Cross-Site Scripting via Block Checkout Custom Radio Field Affected: *-2.1.7 Patched: 2.1.8 Updated: June 29, 2026

LOW

gravityforms

Score: 93/100 Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title Affected: *-2.9.28 Patched: 2.9.29 Updated: June 29, 2026

LOW

google-analytics-dashboard-for-wp

Score: 93/100 ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update Affected: 7.1.0-9.0.2 Patched: 9.0.3 Updated: June 29, 2026

LOW

google-analytics-dashboard-for-wp

Score: 93/100 ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation Affected: 8.0.0-9.0.2 Patched: 9.0.3 Updated: June 29, 2026

LOW

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

simply-schedule-appointments

Score: N/A Appointment Booking Calendar <= 1.6.9.27 - Unauthenticated SQL Injection via 'append_where_sql' Parameter Affected: *-1.6.9.27 Patched: 1.6.9.29 Updated: June 29, 2026

LOW

happy-elementor-addons

Score: 93/100 Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter Affected: *-3.21.0 Patched: 3.21.1 Updated: June 29, 2026

LOW

happy-elementor-addons

Score: 93/100 Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Stored Cross-Site Scripting via Template Conditions Affected: *-3.21.0 Patched: 3.21.1 Updated: June 29, 2026

LOW

jet-booking

Score: 93/100 JetBooking <= 4.0.3 - Unauthenticated SQL Injection via 'check_in_date' Parameter Affected: *-4.0.3 Patched: 4.0.3.1 Updated: June 29, 2026

LOW

WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters

wp-google-map-plugin

Score: 74/100 WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter Affected: *-4.9.1 Patched: 4.9.2 Updated: June 29, 2026

LOW

weforms

Score: N/A weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value via REST API Affected: *-1.6.27 Patched: 1.6.28 Updated: June 29, 2026

LOW

wp-ulike

Score: N/A WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute Affected: *-5.0.1 Patched: 5.0.2 Updated: June 29, 2026

LOW

pojo-accessibility

Score: N/A Ally – Web Accessibility & Usability <= 4.0.3 - Unauthenticated SQL Injection via URL Path Affected: *-4.0.3 Patched: 4.1.0 Updated: June 29, 2026

LOW

Royal Addons for Elementor – Addons and Templates Kit for Elementor

royal-elementor-addons

Score: N/A Royal Addons for Elementor <= 1.7.1049 - Authenticated (Author+) Arbitrary File Upload via main.php Upload Bypass Affected: *-1.7.1049 Patched: 1.7.1050 Updated: June 29, 2026

LOW

wp-user-avatar

Score: N/A ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration Affected: *-4.16.11 Patched: 4.16.12 Updated: June 29, 2026

LOW

MC4WP: Mailchimp for WordPress

mailchimp-for-wp

Score: 87/100 MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion Affected: *-4.11.1 Patched: 4.12.0 Updated: June 29, 2026

LOW

rometheme-for-elementor

Score: N/A RTMKit <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter Affected: *-1.6.8 Patched: 2.0.0 Updated: June 29, 2026

LOW

LatePoint – Calendar Booking Plugin for Appointments and Events

latepoint

Score: 83/100 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting Affected: *-5.2.7 Patched: 5.2.8 Updated: June 29, 2026

LOW

3d-flipbook-dflip-lite

Score: 97/100 Dear Flipbook <= 2.4.20 - Authenticated (Auhtor+) Stored Cross-Site Scripting via PDF Page Labels Affected: *-2.4.20 Patched: 2.4.27 Updated: June 29, 2026

LOW

User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

wp-user-frontend

Score: N/A User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.2.5 - Missing Authorization Affected: *-4.2.5 Patched: 4.2.6 Updated: June 29, 2026

LOW

wp-meta-data-filter-and-taxonomy-filter

Score: N/A MDTF – Meta Data and Taxonomies Filter <= 1.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.3.5 Patched: 1.3.6 Updated: June 29, 2026

LOW

WooCommerce

woocommerce

Score: 80/100 WooCommerce < 10.5.3 - Cross-Site Request Forgery Affected: [*, 10.5.3) Patched: 10.5.3 Updated: June 29, 2026

LOW

wolverine-framework

Score: N/A Wolverine Framework <= 1.9 - Reflected Cross-Site Scripting Affected: *-1.9 Patched: Updated: June 29, 2026

LOW

ultra-admin

Score: N/A Ultra WordPress Admin <= 11.7 - Reflected Cross-Site Scripting Affected: *-11.7 Patched: Updated: June 29, 2026

LOW

uipress-lite

Score: N/A UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization Affected: *-3.5.09 Patched: Updated: June 29, 2026

LOW

totalcontest-lite

Score: N/A Photo Contest | Competition | Video Contest <= 2.9.1 - Authenticated (Author+) PHP Object Injection Affected: *-2.9.1 Patched: Updated: June 29, 2026

LOW

td-composer

Score: N/A tagDiv Composer <= 5.4.2 - Reflected Cross-Site Scripting Affected: *-5.4.2 Patched: 5.4.3 Updated: June 29, 2026

Showing 2101 to 2200 of 36282 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 21:55 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List