Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36283 (across tracked plugins)
Affected Plugins: 76 (with open vulnerabilities)
Critical / High: 0 (require immediate attention)
Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| advanced-custom-fields-pro | advanced-custom-fields-pro | 97 | Advanced Custom Fields PRO 6.1 - 6.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | 6.1-6.1.7 | 6.1.8 | June 30, 2026 |
| wxsync | wxsync | N/A | WxSync <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.8.0 | 2.8.1 | June 30, 2026 |
| wsecure | wsecure | N/A | wSecure Lite <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings | | LOW | *-2.5 | | June 30, 2026 |
| theme-demo-import | theme-demo-import | N/A | Theme Demo Import <= 1.1.3 - Authenticated (Administrator+) Arbitrary File Upload | | LOW | *-1.1.3 | | June 30, 2026 |
| realia | realia | N/A | Realia <= 1.4.0 - Cross-Site Request Forgery to User Email Change | | LOW | *-1.4.0 | | June 30, 2026 |
| Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | kadence-blocks | 91 | Kadence Blocks <= 3.1.10 - Unauthenticated Arbitrary File Upload | | LOW | [*, 3.1.11) | 3.1.11 | June 30, 2026 |
| EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more | embedpress | 69 | EmbedPress <= 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Delete via admin_post_remove and remove_private_data | | LOW | *-3.8.2 | 3.8.3 | June 30, 2026 |
| EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more | embedpress | 69 | EmbedPress <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-3.8.2 | 3.8.3 | June 30, 2026 |
| canto | canto | 91 | Canto <= 3.0.4 - Unauthenticated Remote File Inclusion | | LOW | *-3.0.4 | 3.0.5 | June 30, 2026 |
| bigbluebutton | bigbluebutton | 89 | BigBlueButton <= 3.0.0-beta.4 - Reflected Cross-Site Scripting | | LOW | * - 3.0.0-beta.4 | | June 30, 2026 |
| absolute-privacy | absolute-privacy | 95 | Absolute Privacy <= 2.1 - Cross-Site Request Forgery to User Email/Password Change | | LOW | *-2.1 | | June 30, 2026 |
| user-activity-log | user-activity-log | N/A | User Activity Log <= 1.6.5 - Unauthenticated Data Export to Sensitive Information Disclosure | | LOW | *-1.6.5 | 1.6.6 | June 30, 2026 |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member | N/A | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.6.8 - Cross-Site Request Forgery | | LOW | *-2.6.8 | 2.6.9 | June 30, 2026 |
| real-estate-manager | real-estate-manager | N/A | Real Estate Manager <= 7.2 - Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation | | LOW | *-7.2 | | June 30, 2026 |
| profile-builder | profile-builder | N/A | Profile Builder <= 3.9.7 - Missing Authorization to Initial Page Creation | | LOW | [*, 3.9.8) | 3.9.8 | June 30, 2026 |
| pmpro-courses | pmpro-courses | N/A | Paid Memberships Pro - Courses for Membership Add On <= 1.2.3 - Cross-Site Request Forgery to Course Modifications | | LOW | [*, 1.2.4) | 1.2.4 | June 30, 2026 |
| pmpro-courses | pmpro-courses | N/A | Paid Memberships Pro - Courses for Membership Add On <= 1.2.4 - Authenticated (Admin+) Stored Cross-Site Scripting | | LOW | [*, 1.2.5) | 1.2.5 | June 30, 2026 |
| pmpro-courses | pmpro-courses | N/A | Paid Memberships Pro - Courses for Membership Add On <= 1.2.3 - Missing Authorization to Authenticated (Subscriber+) Course Modifications | | LOW | [*, 1.2.4) | 1.2.4 | June 30, 2026 |
| jch-optimize | jch-optimize | 93 | JCH Optimize <= 4.0.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification | | LOW | [*, 4.0.1) | 4.0.1 | June 30, 2026 |
| full-customer | full-customer | 93 | FULL - Customer <= 2.2.3 - Authenticated(Subscriber+) Improper Authorization to Arbitrary Plugin Installation | | LOW | *-2.2.3 | 2.3 | June 30, 2026 |
| full-customer | full-customer | 93 | FULL - Customer <= 2.2.3 - Authenticated(Subscriber+) Information Disclosure via Health Check | | LOW | *-2.2.3 | 2.3 | June 30, 2026 |
| WPBot – AI ChatBot for Live Support, Lead Generation, AI Services | chatbot | 66 | ChatBot 4.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting in Language Settings | | LOW | *-4.7.7 | 4.7.8 | June 30, 2026 |
| WPBot – AI ChatBot for Live Support, Lead Generation, AI Services | chatbot | 66 | ChatBot <= 4.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting in FAQ Builder | | LOW | *-4.7.7 | 4.7.8 | June 30, 2026 |
| biometric-login-for-woocommerce | biometric-login-for-woocommerce | 93 | Biometric Login for WooCommerce <= 1.0.3 - Unauthenticated Privilege Escalation | | LOW | *-1.0.3 | 1.0.4 | June 30, 2026 |
| user-activity-tracking-and-log | user-activity-tracking-and-log | N/A | User Activity Tracking and Log <= 4.0.8 - Cross-Site Request Forgery | | LOW | *-4.0.8 | 4.0.9 | June 30, 2026 |
| themesflat-addons-for-elementor | themesflat-addons-for-elementor | N/A | Themesflat Addons For Elementor <= 2.0.0 - Unauthenticated PHP Object Injection | | LOW | *-2.0.0 | 2.0.1 | June 30, 2026 |
| the-post-grid | the-post-grid | N/A | The Post Grid <= 7.2.7 - Cross-Site Request Forgery | | LOW | *-7.2.7 | 7.2.8 | June 30, 2026 |
| sign-up-sheets | sign-up-sheets | N/A | Sign-up Sheets <= 2.2.8 - Cross-Site Request Forgery | | LOW | *-2.2.8 | 2.2.9 | June 30, 2026 |
| poeditor | poeditor | N/A | POEditor <= 0.9.7 - Cross-Site Request Forgery | | LOW | *-0.9.7 | 0.9.8 | June 30, 2026 |
| Ninja Forms – The Contact Form Builder That Grows With You | ninja-forms | 69 | Ninja Forms <= 3.6.25 - Authenticated (Administrator+) Stored HTML Injection | | LOW | *-3.6.25 | 3.6.26 | June 30, 2026 |
| leyka | leyka | 89 | Leyka <= 3.30.2 - Reflected Cross-Site Scripting | | LOW | *-3.30.2 | 3.30.3 | June 30, 2026 |
| gdpr-cookie-compliance | gdpr-cookie-compliance | 93 | GDPR Cookie Compliance <= 4.12.4 - Cross-Site Request Forgery to License Modification | | LOW | *-4.12.4 | 4.12.5 | June 30, 2026 |
| gallery-photo-gallery | gallery-photo-gallery | 93 | Photo Gallery by Ays <= 5.2.6 - Cross-Site Request Forgery | | LOW | *-5.2.6 | 5.2.7 | June 30, 2026 |
| Booking Package | booking-package | 85 | Booking Package <= 1.6.01 - Reflected Cross-Site Scripting via 'mode' | | LOW | *-1.6.01 | 1.6.02 | June 30, 2026 |
| all-users-messenger | all-users-messenger | 95 | All Users Messenger <= 1.24 - Authenticated (Subscriber+) Insecure Direct Object Reference to Message Deletion | | LOW | *-1.24 | | June 30, 2026 |
| user-access-manager | user-access-manager | N/A | User Access Manager <= 2.2.16 - IP Spoofing | | LOW | *-2.2.16 | 2.2.18 | June 30, 2026 |
| subscribers-text-counter | subscribers-text-counter | N/A | Subscribers Text Counter <= 1.7 - Cross-Site Request Forgery to Settings Update and Cross-Site Scripting | | LOW | *-1.7 | 1.7.1 | June 30, 2026 |
| wp-ultimate-csv-importer | wp-ultimate-csv-importer | N/A | WP Ultimate CSV Importer <= 7.9.8 - Arbitrary Usermeta Update to Authenticated (Author+) Privilege Escalation | | LOW | *-7.9.8 | 7.9.9 | June 30, 2026 |
| wp-ultimate-csv-importer | wp-ultimate-csv-importer | N/A | WP Ultimate CSV Importer <= 7.9.8 - Sensitive Information Exposure via Directory Listing | | LOW | *-7.9.8 | 7.9.9 | June 30, 2026 |
| wp-ultimate-csv-importer | wp-ultimate-csv-importer | N/A | WP Ultimate CSV Importer <= 7.9.8 - Authenticated (Author+) PHP File Creation to Remote Code Execution | | LOW | *-7.9.8 | 7.9.9 | June 30, 2026 |
| wp-ultimate-csv-importer | wp-ultimate-csv-importer | N/A | WP Ultimate CSV Importer <= 7.9.8 - Authenticated (Author+) Remote Code Execution | | LOW | *-7.9.8 | 7.9.9 | June 30, 2026 |
| simple-blog-card | simple-blog-card | N/A | Simple Blog Card <= 1.31 - Sensitive Information Exposure | | LOW | [*, 1.32) | 1.32 | June 30, 2026 |
| jet-elements | jet-elements | 93 | JetElements <= 2.6.10 - Authenticated (Contributor+) Remote Code Execution | | LOW | *-2.6.10 | 2.6.11 | June 30, 2026 |
| copy-delete-posts | copy-delete-posts | 93 | Duplicate Post <= 1.4.1 - Cross-Site Request Forgery via 'cdp_action_handling' AJAX action | | LOW | *-1.4.1 | 1.4.2 | June 30, 2026 |
| advanced-custom-fields | advanced-custom-fields | 97 | Advanced Custom Fields 6.1 - 6.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | 6.1-6.1.7 | 6.1.8 | June 30, 2026 |
| woo-custom-emails | woo-custom-emails | N/A | Woo Custom Emails <= 2.2 - Reflected Cross-Site Scripting via wcemails_edit | | LOW | *-2.2 | | June 30, 2026 |
| upload-media-by-url | upload-media-by-url | N/A | Upload Media By URL <= 1.0.7 - Cross-Site Request Forgery via 'umbu_download' | | LOW | *-1.0.7 | 1.0.8 | June 30, 2026 |
| ultimate-post | ultimate-post | N/A | PostX - Gutenberg Post Grid Blocks <= 3.0.5 - Reflected Cross-Site Scripting via 'postx_type' | | LOW | *-3.0.5 | 3.0.6 | June 30, 2026 |
| Simple Ticker | simple-ticker | N/A | Simple Ticker <= 3.05 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-3.05 | 3.06 | June 30, 2026 |
| simple-share-follow-button | simple-share-follow-button | N/A | Simple Share Follow Button <= 1.03 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-1.03 | 1.04 | June 30, 2026 |
| order-delivery-date-for-woocommerce | order-delivery-date-for-woocommerce | N/A | Order Delivery Date for WooCommerce <= 3.20.0 - Reflected Cross-Site Scripting via 'orddd_lite_custom_startdate' and 'orddd_lite_custom_enddate' | | LOW | *-3.20.0 | 3.20.1 | June 30, 2026 |
| front-editor | front-editor | 89 | Guest posting / Frontend Posting wordpress plugin – WP Front User Submit / Front Editor <= 4.4.5 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-4.4.5 | 4.4.7 | June 30, 2026 |
| formcraft-form-builder | formcraft-form-builder | 93 | FormCraft <= 1.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting | | LOW | *-1.2.6 | 1.2.7 | June 30, 2026 |
| Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools | woocommerce-jetpack | 65 | Booster for WooCommerce 7.0.0 - Authenticated (Shop Manager+) Missing Authorization to Arbitrary Options Update | | LOW | 7.0.0 | 7.1.0 | June 30, 2026 |
| payment-gateway-stripe-and-woocommerce-integration | payment-gateway-stripe-and-woocommerce-integration | N/A | Stripe Payment Plugin for WooCommerce <= 3.7.7 - Authentication Bypass | | LOW | *-3.7.7 | 3.7.8 | June 30, 2026 |
| jobwp | jobwp | 93 | WordPress Job Board and Recruitment Plugin – JobWP <= 2.0 - Arbitrary File Upload via 'jobwp_upload_resume' | | LOW | *-2.0 | 2.1 | June 30, 2026 |
| bus-ticket-booking-with-seat-reservation | bus-ticket-booking-with-seat-reservation | 91 | Bus Ticket Booking with Seat Reservation <= 5.2.3 - Reflected Cross-Site Scripting | | LOW | *-5.2.3 | 5.2.4 | June 30, 2026 |
| wpshopgermany-protectedshops | wpshopgermany-protectedshops | N/A | wpShopGermany - Protected Shops <= 2.0 - Authenticated(Administrator+) Stored Cross-Site Scripting | | LOW | [*, 2.1) | 2.1 | June 30, 2026 |
| ti-woocommerce-wishlist | ti-woocommerce-wishlist | N/A | TI WooCommerce Wishlist <= 2.7.3 - Unauthenticated Blind SQL Injection via Rest API | | LOW | [*, 2.7.4) | 2.7.4 | June 30, 2026 |
| simple-blog-card | simple-blog-card | N/A | Simple Blog Card <= 1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-1.30 | 1.31 | June 30, 2026 |
| shorten-url | shorten-url | N/A | Short URL <= 1.6.7 - Missing Authorization via multiple AJAX functions | | LOW | *-1.6.7 | 1.6.8 | June 30, 2026 |
| shop-as-a-customer-for-woocommerce | shop-as-a-customer-for-woocommerce | N/A | Shop as a Customer for WooCommerce <= 1.2.3 - Authenticated (Shop Manager+) Privilege Escalation | | LOW | *-1.2.3 | 1.2.4 | June 30, 2026 |
| shop-as-a-customer-for-woocommerce | shop-as-a-customer-for-woocommerce | N/A | Shop as a Customer for WooCommerce <= 1.1.7 - Authenticated (Subscriber+) Privilege Escalation | | LOW | *-1.1.7 | 1.1.8 | June 30, 2026 |
| multiparcels-shipping-for-woocommerce | multiparcels-shipping-for-woocommerce | N/A | MultiParcels Shipping For WooCommerce <= 1.15.1 - Cross-Site Request Forgery | | LOW | [*, 1.15.2) | 1.15.2 | June 30, 2026 |
| multiparcels-shipping-for-woocommerce | multiparcels-shipping-for-woocommerce | N/A | MultiParcels Shipping For WooCommerce <= 1.15.3 - Reflected Cross-Site Scripting | | LOW | *-1.15.3 | 1.15.4 | June 30, 2026 |
| media-from-ftp | media-from-ftp | 93 | Media from FTP <= 11.15 - Improper Privilege Management | | LOW | [*, 11.16) | 11.16 | June 30, 2026 |
| wp-schema-pro | wp-schema-pro | N/A | Schema Pro <= 2.7.8 - Authenticated(Contributor+) Missing Authorization | | LOW | *-2.7.8 | 2.7.9 | June 30, 2026 |
| wp-clone-by-wp-academy | wp-clone-by-wp-academy | N/A | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-2.3.7 | 2.3.8 | June 30, 2026 |
| wp-clone-by-wp-academy | wp-clone-by-wp-academy | N/A | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-2.3.7 | 2.3.8 | June 30, 2026 |
| ultimate-social-media-plus | ultimate-social-media-plus | N/A | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-3.5.7 | 3.5.8 | June 30, 2026 |
| ultimate-social-media-plus | ultimate-social-media-plus | N/A | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-3.5.7 | 3.5.8 | June 30, 2026 |
| ultimate-social-media-icons | ultimate-social-media-icons | N/A | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-2.8.1 | 2.8.2 | June 30, 2026 |
| ultimate-social-media-icons | ultimate-social-media-icons | N/A | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-2.8.1 | 2.8.2 | June 30, 2026 |
| ultimate-posts-widget | ultimate-posts-widget | N/A | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-2.2.4 | 2.2.5 | June 30, 2026 |
| ultimate-posts-widget | ultimate-posts-widget | N/A | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-2.2.4 | 2.2.5 | June 30, 2026 |
| redirect-redirection | redirect-redirection | N/A | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-1.1.3 | 1.1.4 | June 30, 2026 |
| redirect-redirection | redirect-redirection | N/A | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-1.1.3 | 1.1.4 | June 30, 2026 |
| pop-up-pop-up | pop-up-pop-up | N/A | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-1.1.9 | 1.2.0 | June 30, 2026 |
| pop-up-pop-up | pop-up-pop-up | N/A | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-1.1.9 | 1.2.0 | June 30, 2026 |
| meks-smart-social-widget | meks-smart-social-widget | 93 | Meks Smart Social Widget <= 1.6 - Missing Authorization to notice dimissal | | LOW | *-1.6 | 1.6.1 | June 30, 2026 |
| http-https-remover | http-https-remover | 93 | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-3.2.3 | 3.2.4 | June 30, 2026 |
| http-https-remover | http-https-remover | 93 | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-3.2.3 | 3.2.4 | June 30, 2026 |
| feedburner-alternative-and-rss-redirect | feedburner-alternative-and-rss-redirect | 93 | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-3.7 | 3.8 | June 30, 2026 |
| feedburner-alternative-and-rss-redirect | feedburner-alternative-and-rss-redirect | 93 | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-3.7 | 3.8 | June 30, 2026 |
| enhanced-text-widget | enhanced-text-widget | 93 | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-1.5.7 | 1.5.8 | June 30, 2026 |
| enhanced-text-widget | enhanced-text-widget | 93 | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-1.5.7 | 1.5.8 | June 30, 2026 |
| copy-delete-posts | copy-delete-posts | 93 | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-1.3.9 | 1.4.0 | June 30, 2026 |
| copy-delete-posts | copy-delete-posts | 93 | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-1.3.9 | 1.4.0 | June 30, 2026 |
| change-wp-admin-login | change-wp-admin-login | 93 | Change WP Admin Login <= 1.1.3 - Protection Mechanism Failure to Login Page Disclosure | | LOW | *-1.1.3 | 1.1.4 | June 30, 2026 |
| cartflows-pro | cartflows-pro | 93 | CartFlows Pro <= 1.11.12 - Cross-Site Request Forgery | | LOW | *-1.11.12 | 1.11.13 | June 30, 2026 |
| bit-assist | bit-assist | 93 | Bit Assist <= 1.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.1.8 | 1.1.9 | June 30, 2026 |
| Backup Migration | backup-backup | 61 | Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function | | LOW | *-1.2.7 | 1.2.8 | June 30, 2026 |
| Backup Migration | backup-backup | 61 | Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function | | LOW | *-1.2.7 | 1.2.8 | June 30, 2026 |
| assistant | assistant | 97 | Assistant <= 1.4.3 - Authenticated (Editor+) Server Side Request Forgery | | LOW | [*, 1.4.4) | 1.4.4 | June 30, 2026 |
| accessibe | accessibe | 97 | Web Accessibility By accessiBe <= 1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.15 | 1.16 | June 30, 2026 |
| wp-tell-a-friend-popup-form | wp-tell-a-friend-popup-form | N/A | wp tell a friend popup form <= 7.1 - Cross-Site Request Forgery via 'TellAFriend_admin' | | LOW | *-7.1 | | June 30, 2026 |
| wp-tell-a-friend-popup-form | wp-tell-a-friend-popup-form | N/A | wp tell a friend popup form <= 7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-7.1 | | June 30, 2026 |
| wp-discussion-board | wp-discussion-board | N/A | Discussion Board <= 2.4.8 - Authenticated (Subscriber+) Content Injection | | LOW | *-2.4.8 | 2.4.9 | June 30, 2026 |
| woosquare | woosquare | N/A | APIExperts Square for WooCommerce <= 4.4.1 - Missing Authorization | | LOW | *-4.4.1 | 4.4.2 | June 30, 2026 |
| woo-confirmation-email | woo-confirmation-email | N/A | User Email Verification for WooCommerce <= 3.5.0 - Reflected Cross-Site Scripting | | LOW | *-3.5.0 | | June 30, 2026 |
LOW

Backup Migration

backup-backup

Score: 61/100 Inisev Plugins (Various Versions) - Cross-Site Request Forgery on handle_installation function Affected: *-1.2.7 Patched: 1.2.8 Updated: June 30, 2026
LOW

Backup Migration

backup-backup

Score: 61/100 Inisev Plugins (Various Versions) - Missing Authorization on handle_installation function Affected: *-1.2.7 Patched: 1.2.8 Updated: June 30, 2026
LOW

assistant

assistant

Score: 97/100 Assistant <= 1.4.3 - Authenticated (Editor+) Server Side Request Forgery Affected: [*, 1.4.4) Patched: 1.4.4 Updated: June 30, 2026
LOW

accessibe

accessibe

Score: 97/100 Web Accessibility By accessiBe <= 1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.15 Patched: 1.16 Updated: June 30, 2026
LOW

wp-tell-a-friend-popup-form

wp-tell-a-friend-popup-form

Score: N/A wp tell a friend popup form <= 7.1 - Cross-Site Request Forgery via 'TellAFriend_admin' Affected: *-7.1 Patched: Updated: June 30, 2026
LOW

wp-tell-a-friend-popup-form

wp-tell-a-friend-popup-form

Score: N/A wp tell a friend popup form <= 7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-7.1 Patched: Updated: June 30, 2026
LOW

wp-discussion-board

wp-discussion-board

Score: N/A Discussion Board <= 2.4.8 - Authenticated (Subscriber+) Content Injection Affected: *-2.4.8 Patched: 2.4.9 Updated: June 30, 2026
LOW

woosquare

woosquare

Score: N/A APIExperts Square for WooCommerce <= 4.4.1 - Missing Authorization Affected: *-4.4.1 Patched: 4.4.2 Updated: June 30, 2026
LOW

woo-confirmation-email

woo-confirmation-email

Score: N/A User Email Verification for WooCommerce <= 3.5.0 - Reflected Cross-Site Scripting Affected: *-3.5.0 Patched: Updated: June 30, 2026

Showing 24201 to 24300 of 36283 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 06:59 UTC.