Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36282

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
gd-mail-queue	gd-mail-queue	93	GD Mail Queue <= 3.9.3 - Unauthenticated Stored Cross-Site Scripting via Email	LOW	*-3.9.3	4.0	June 29, 2026
wp-members	wp-members	N/A	WP-Members Membership <= 3.4.7.3 - Missing Authorization to Settings Update	LOW	*-3.4.7.3	3.4.8	June 29, 2026
WP Mail Logging	wp-mail-logging	87	WP Mail Logging <= 1.11.1 - Unauthenticated Stored Cross-Site Scripting via Email	LOW	*-1.11.1	1.11.2	June 29, 2026
wp-easycart	wp-easycart	N/A	WP EasyCart <= 5.4.10 - Authenticated (Administrator+) SQL Injection via 'orderby'	LOW	*-5.4.10	5.4.11	June 29, 2026
Ultra Addons for Contact Form 7	ultimate-addons-for-contact-form-7	70	Ultimate Addons for Contact Form 7 <= 3.1.23 - Authenticated(Subscriber+) SQL Injection	LOW	3.1.23	3.1.24	June 29, 2026
stax-addons-for-elementor	stax-addons-for-elementor	N/A	Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 - Missing Authorization in toggle_widget	LOW	*-1.4.3	1.4.4	June 29, 2026
stax-addons-for-elementor	stax-addons-for-elementor	N/A	Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 - Cross-Site Request Forgery via toggle_widget	LOW	*-1.4.3	1.4.4	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf shortcode	LOW	*-3.3.1	3.3.2	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode	LOW	*-3.3.0	3.3.1	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_transaction_id' shortcode	LOW	*-3.3.1	3.3.2	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode	LOW	*-3.3.0	3.3.1	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode	LOW	*-3.3.1	3.3.2	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode	LOW	*-3.3.0	3.3.1	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode	LOW	*-3.3.1	3.3.2	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode	LOW	*-3.3.0	3.3.1	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.0 - Unauthenticated CSV Injection	LOW	*-3.3.0	3.3.1	June 29, 2026
metform	metform	93	Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode	LOW	*-3.3.1	3.3.2	June 29, 2026
lana-email-logger	lana-email-logger	93	Lana Email Logger <= 1.0.2 - Unauthenticated Stored Cross-Site Scripting via Email Subject	LOW	*-1.0.2	1.1.0	June 29, 2026
ajax-search-for-woocommerce	ajax-search-for-woocommerce	97	FiboSearch - AJAX Search for WooCommerce <= 1.23.0 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	1.23.0	1.24.0	June 29, 2026
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy	easy-digital-downloads	78	Easy Digital Downloads <= 3.1.1.4.2 - Cross-Site Request Forgery via edd_trigger_upgrades	LOW	[*, 3.1.2)	3.1.2	June 29, 2026
download-monitor	download-monitor	93	Download Monitor <= 4.8.3 - Authenticated(Subscriber+) Arbitrary File Upload via upload_file	LOW	[*, 4.8.4)	4.8.4	June 29, 2026
dokan-lite	dokan-lite	93	Dokan <=3.7.19 - Authenticated(Shop Manager+) PHP Object Injection via create_dummy_vendor	LOW	[*, 3.7.20)	3.7.20	June 29, 2026
woocommerce-abandoned-cart	woocommerce-abandoned-cart	N/A	Abandoned Cart Lite for WooCommerce <= 5.15.1 - Authentication Bypass	LOW	*-5.15.1	5.15.2	June 29, 2026
powerpress	powerpress	N/A	PowerPress <= 10.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Feed[title]'	LOW	*-10.2.3	10.2.4	June 29, 2026
getwid	getwid	93	Getwid – Gutenberg Blocks <= 1.8.3 - Improper Authorization via get_remote_templates REST endpoint	LOW	*-1.8.3	1.8.4	June 29, 2026
getwid	getwid	93	Getwid – Gutenberg Blocks <= 1.8.3 - Authenticated(Subscriber+) Server Side Request Forgery	LOW	*-1.8.3	1.8.4	June 29, 2026
wptables	wptables	N/A	WordPress Tables <= 1.3.9 - Reflected Cross-Site Scripting via error_msg	LOW	*-1.3.9		June 29, 2026
wpbrutalai	wpbrutalai	N/A	WP Brutal AI < 2.0.0 - Cross-Site Request Forgery to SQL Injection	LOW	[*, 2.0.0)	2.0.0	June 29, 2026
wpbrutalai	wpbrutalai	N/A	WP Brutal AI < 2.0.1 - Reflected Cross-Site Scripting	LOW	[*, 2.0.1)	2.0.1	June 29, 2026
wp-inventory-manager	wp-inventory-manager	N/A	WP Inventory Manager <= 2.1.0.13 - Cross-Site Request Forgery via delete_item	LOW	*-2.1.0.13	2.1.0.14	June 29, 2026
visitors-traffic-real-time-statistics	visitors-traffic-real-time-statistics	N/A	Visitor Traffic Real Time Statistics <= 6.7 - Missing Authorization to Information Disclosure	LOW	[*, 6.8)	6.9	June 29, 2026
ultimate-social-media-icons	ultimate-social-media-icons	N/A	Social Media Share Buttons & Social Sharing Icons <= 2.8.1 - Authenticated(Administrator+) Stored Cross-Site Scripting	LOW	*-2.8.1	2.8.2	June 29, 2026
ultimate-product-catalogue	ultimate-product-catalogue	N/A	Ultimate Product Catalog <= 5.2.5 - Authenticated(Administrator+) Stored Cross-Site Scripting	LOW	*-5.2.5	5.2.6	June 29, 2026
ultimate-premium-plugin	ultimate-premium-plugin	N/A	USM Premium <= 16.2 - Authenticated(Administrator+) Stored Cross-Site Scripting	LOW	*-16.2	16.3	June 29, 2026
responsive-css-editor	responsive-css-editor	N/A	Responsive CSS EDITOR <= 1.0 - Authenticated(Administrator+) SQL Injection	LOW	*-1.0		June 29, 2026
kivicare-clinic-management-system	kivicare-clinic-management-system	93	KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Sensitive Information Exposure	LOW	3.2.0	3.2.1	June 29, 2026
kivicare-clinic-management-system	kivicare-clinic-management-system	93	KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Cross-Site Request Forgery	LOW	*-3.2.0	3.2.1	June 29, 2026
kivicare-clinic-management-system	kivicare-clinic-management-system	93	KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Missing Authorization	LOW	*-3.2.0	3.2.1	June 29, 2026
kivicare-clinic-management-system	kivicare-clinic-management-system	93	KiviCare <= 3.2.0 - Reflected Cross-Site Scripting via 'filterType'	LOW	[*, 3.2.1)	3.2.1	June 29, 2026
gsheetconnector-gravity-forms	gsheetconnector-gravity-forms	93	Gravity Forms Google Sheet Connector <= 1.3.4 - Cross-Site Request Forgery via verify_code_integation_new	LOW	*-1.3.4	1.3.5	June 29, 2026
formcraft-form-builder	formcraft-form-builder	93	FormCraft Premium <= 3.9.6 - Authenticated(Administrator+) SQL Injection	LOW	*-3.9.5	3.9.6	June 29, 2026
erp	erp	93	WP ERP <= 1.12.3 - Authenticated (Administrator+) SQL Injection via 'type'	LOW	[*, 1.12.4)	1.12.4	June 29, 2026
erp	erp	93	WP ERP <= 1.12.3 - Reflected Cross-Site Scripting	LOW	[*, 1.12.4)	1.12.4	June 29, 2026
editorial-calendar	editorial-calendar	93	Editorial Calendar <= 3.8.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via edcal_saveoptions AJAX action	LOW	*-3.8.0	3.8.1	June 29, 2026
codecolorer	codecolorer	93	CodeColorer <= 0.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-0.10.0	0.10.1	June 29, 2026
catalyst-connect-client-portal	catalyst-connect-client-portal	93	Catalyst Connect Zoho CRM Client Portal <= 2.0.0 - Reflected Cross-Site Scripting	LOW	*-2.0.0	2.1.0	June 29, 2026
aajoda-testimonials	aajoda-testimonials	95	Aajoda Testimonials <= 2.2.1 - Authenticated(Administrator+) Stored Cross-Site Scripting	LOW	*-2.2.1	2.2.2	June 29, 2026
wp-user-switch	wp-user-switch	N/A	WP User Switch <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie	LOW	*-1.0.2	1.0.3	June 29, 2026
wp-hide-post	wp-hide-post	N/A	WP Hide Post <= 2.0.10 - Cross-Site Request Forgery via save_bulk_edit_data	LOW	*-2.0.10		June 29, 2026
woo-smart-wishlist	woo-smart-wishlist	N/A	WPC Smart Wishlist for WooCommerce <= 4.7.1 - Cross-Site Request Forgery via wishlist_add and wishlist_remove	LOW	*-4.7.1	4.7.2	June 29, 2026
kebo-twitter-feed	kebo-twitter-feed	91	Kebo Twitter Feed <= 1.5.12 - Cross-Site Request Forgery via kebo_twitter_menu_render	LOW	*-1.5.12		June 29, 2026
dynamic-visibility-for-elementor	dynamic-visibility-for-elementor	93	Dynamic Visibility for Elementor <= 5.0.5 - Missing Authorization to Authenticated(Subscriber+) Post Visibility Modification	LOW	[*, 5.0.6)	5.0.6	June 29, 2026
constant-contact-forms	constant-contact-forms	93	Constant Contact Forms <= 1.14.0 - Missing Authorization via constant_contact_optin_ajax_handler	LOW	*-1.14.0	2.0.0	June 29, 2026
change-woocommerce-add-to-cart-button-text	change-woocommerce-add-to-cart-button-text	91	Change WooCommerce Add To Cart Button Text <= 1.3 - Missing Authorization via rexvs_settings_submit	LOW	*-1.3		June 29, 2026
cart2cart-magento-to-woocommerce-migration	cart2cart-magento-to-woocommerce-migration	91	Cart2Cart: Magento to WooCommerce Migration <= 2.0.0 - Missing Authorization via setToken	LOW	*-2.0.0		June 29, 2026
b2bking-wholesale-for-woocommerce	b2bking-wholesale-for-woocommerce	93	B2BKing <= 4.6.00 - Missing Authorization to Authenticated(Subscriber+) Price Modification	LOW	*-4.6.00	4.6.20	June 29, 2026
b2bking-wholesale-for-woocommerce	b2bking-wholesale-for-woocommerce	93	B2BKing <= 4.6.00 - Missing Authorization to Authenticated(Subscriber+) Information Disclosure	LOW	*-4.6.00	4.6.20	June 29, 2026
wp-inventory-manager	wp-inventory-manager	N/A	WP Inventory Manager <= 2.1.0.13 - Cross-Site Request Forgery via delete_item	LOW	*-2.1.0.13	2.1.0.14	June 29, 2026
woocommerce-box-office	woocommerce-box-office	N/A	WooCommerce Box Office <= 1.1.50 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.1.50	1.1.51	June 29, 2026
woocommerce-box-office	woocommerce-box-office	N/A	WooCommerce Box Office <= 1.1.51 - Missing Authorization	LOW	*-1.1.51	1.1.52	June 29, 2026
woo-confirmation-email	woo-confirmation-email	N/A	User Email Verification for WooCommerce <= 3.5.0 - Authentication Bypass	LOW	*-3.5.0		June 29, 2026
vk-blocks	vk-blocks	N/A	VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update	LOW	*-1.57.0.5	1.57.0.10	June 29, 2026
vk-blocks	vk-blocks	N/A	VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update	LOW	*-1.57.0.5	1.58.0.0	June 29, 2026
uncanny-learndash-toolkit	uncanny-learndash-toolkit	N/A	Uncanny Toolkit for LearnDash <= 3.6.4.3 - Missing Authorization via review-banner-visibility REST route	LOW	*-3.6.4.3	3.6.4.4	June 29, 2026
ultimate-social-media-icons	ultimate-social-media-icons	N/A	Social Media & Share Icons <= 2.8.1 - Missing Authorization via handle_installation	LOW	*-2.8.1	2.8.2	June 29, 2026
spamreferrerblock	spamreferrerblock	N/A	Download SpamReferrerBlock <= 2.22 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-2.22		June 29, 2026
spamreferrerblock	spamreferrerblock	N/A	SpamReferrerBlock <= 2.22 - Cross-Site Request Forgery	LOW	*-2.22		June 29, 2026
premium-addons-pro	premium-addons-pro	N/A	Premium Addons PRO <= 2.8.24 - Reflected Cross-Site Scripting	LOW	*-2.8.24	2.8.25	June 29, 2026
photo-gallery	photo-gallery	N/A	Photo Gallery <= 1.8.15 - Missing Authorization	LOW	[*, 1.8.16)	1.8.16	June 29, 2026
paypal-payment-button-by-vcita	paypal-payment-button-by-vcita	N/A	Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.9.1	3.10.0	June 29, 2026
paypal-payment-button-by-vcita	paypal-payment-button-by-vcita	N/A	Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.10.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-3.10.0	3.20.0	June 29, 2026
page-builder-by-azexo	page-builder-by-azexo	N/A	Page Builder by AZEXO <= 1.27.133 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.27.133		June 29, 2026
page-builder-by-azexo	page-builder-by-azexo	N/A	Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save	LOW	*-1.27.133		June 29, 2026
page-builder-by-azexo	page-builder-by-azexo	N/A	Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Post Creation/Modification/Deletion	LOW	*-1.27.133		June 29, 2026
page-builder-by-azexo	page-builder-by-azexo	N/A	Page Builder by AZEXO <= 1.27.133 - Missing Authorization to Post Creation	LOW	*-1.27.133		June 29, 2026
meeting-scheduler-by-vcita	meeting-scheduler-by-vcita	93	Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.6 - Missing Authorization to Settings Update and Arbitrary File Upload	LOW	*-4.4.6	4.5	June 29, 2026
meeting-scheduler-by-vcita	meeting-scheduler-by-vcita	93	Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.2 - Missing Authorization on REST-API	LOW	*-4.4.2	4.4.3	June 29, 2026
meeting-scheduler-by-vcita	meeting-scheduler-by-vcita	93	Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Missing Authorization to Account Logout	LOW	*-4.2.10	4.3.0	June 29, 2026
meeting-scheduler-by-vcita	meeting-scheduler-by-vcita	93	Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.0 - Unauthenticated Stored Cross-Site Scripting	LOW	*-4.3.0	4.3.1	June 29, 2026
meeting-scheduler-by-vcita	meeting-scheduler-by-vcita	93	Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5 - Cross-Site Request Forgery to Account Logout	LOW	*-4.5	4.5.2	June 29, 2026
lead-capturing-call-to-actions-by-vcita	lead-capturing-call-to-actions-by-vcita	89	Contact Form and Calls To Action by vcita <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.6.4	2.7.0	June 29, 2026
kanban	kanban	86	Kanban Boards for WordPress <= 2.5.20 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-2.5.20	2.5.21	June 29, 2026
kanban	kanban	86	Kanban Boards for WordPress <= 2.5.20 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-2.5.20	2.5.21	June 29, 2026
js-jobs	js-jobs	81	JS Job Manager <= 2.0.0 - Cross-Site Request Forgery via multiple functions	LOW	*-2.0.0	2.0.1	June 29, 2026
extended-post-status	extended-post-status	93	Extended Post Status <= 1.0.19 - Missing Authorization via wp_insert_post_data	LOW	*-1.0.19	1.0.20	June 29, 2026
event-registration-calendar-by-vcita	event-registration-calendar-by-vcita	89	Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.3.1	1.4.0	June 29, 2026
event-registration-calendar-by-vcita	event-registration-calendar-by-vcita	89	Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.10.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-1.3.1		June 29, 2026
erp	erp	93	WP ERP <= 1.12.3 - Reflected Cross-Site Scripting	LOW	*-1.12.3	1.12.4	June 29, 2026
crm-customer-relationship-management-by-vcita	crm-customer-relationship-management-by-vcita	93	CRM and Lead Management by vcita <= 2.7.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-2.7.0	2.7.1	June 29, 2026
crm-customer-relationship-management-by-vcita	crm-customer-relationship-management-by-vcita	93	CRM and Lead Management by vcita <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.6.2	2.7.0	June 29, 2026
cookie-consent-box	cookie-consent-box	93	GDPR Cookie Consent Notice Box <= 1.1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.1.6	1.1.7	June 29, 2026
contact-form-with-a-meeting-scheduler-by-vcita	contact-form-with-a-meeting-scheduler-by-vcita	93	Contact Form Builder by vcita <= 4.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-4.9.1	4.10.1	June 29, 2026
contact-form-with-a-meeting-scheduler-by-vcita	contact-form-with-a-meeting-scheduler-by-vcita	93	Contact Form and Calls To Action by vcita <= 4.10.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-4.10.5	4.10.6	June 29, 2026
contact-form-with-a-meeting-scheduler-by-vcita	contact-form-with-a-meeting-scheduler-by-vcita	93	Contact Form Builder by vcita <= 4.10.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-4.10.3	4.10.5	June 29, 2026
cartflows	cartflows	93	CartFlows <= 1.11.11 - Insecure Direct Object Reference to Arbitrary Post Deletion	LOW	[*, 1.11.12)	1.11.12	June 29, 2026
advanced-free-flat-shipping-woocommerce	advanced-free-flat-shipping-woocommerce	97	Advanced Flat rate shipping Woocommerce <= 1.6.4.4 - Cross-Site Request Forgery via enableDisable and deletePost	LOW	*-1.6.4.4	1.6.4.6	June 29, 2026
accessibility-help-button	accessibility-help-button	97	Call Now Accessibility Button <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.1	1.2	June 29, 2026
wpforo	wpforo	N/A	wpForo Forum <= 2.1.7 - Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents	LOW	*-2.1.7	2.1.8	June 29, 2026
wpdirectorykit	wpdirectorykit	N/A	WP Directory Kit <= 1.2.3 - Reflected Cross-Site Scripting via 'search'	LOW	*-1.2.3	1.2.4	June 29, 2026
web-directory-free	web-directory-free	N/A	Web Directory Free <= 1.6.8 - Authenticated (Contributor+) SQL Injection via post_id	LOW	*-1.6.8	1.6.9	June 29, 2026

LOW

gd-mail-queue

Score: 93/100 GD Mail Queue <= 3.9.3 - Unauthenticated Stored Cross-Site Scripting via Email Affected: *-3.9.3 Patched: 4.0 Updated: June 29, 2026

LOW

wp-members

Score: N/A WP-Members Membership <= 3.4.7.3 - Missing Authorization to Settings Update Affected: *-3.4.7.3 Patched: 3.4.8 Updated: June 29, 2026

LOW

WP Mail Logging

wp-mail-logging

Score: 87/100 WP Mail Logging <= 1.11.1 - Unauthenticated Stored Cross-Site Scripting via Email Affected: *-1.11.1 Patched: 1.11.2 Updated: June 29, 2026

LOW

wp-easycart

Score: N/A WP EasyCart <= 5.4.10 - Authenticated (Administrator+) SQL Injection via 'orderby' Affected: *-5.4.10 Patched: 5.4.11 Updated: June 29, 2026

LOW

Ultra Addons for Contact Form 7

ultimate-addons-for-contact-form-7

Score: 70/100 Ultimate Addons for Contact Form 7 <= 3.1.23 - Authenticated(Subscriber+) SQL Injection Affected: 3.1.23 Patched: 3.1.24 Updated: June 29, 2026

LOW

stax-addons-for-elementor

Score: N/A Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 - Missing Authorization in toggle_widget Affected: *-1.4.3 Patched: 1.4.4 Updated: June 29, 2026

LOW

stax-addons-for-elementor

Score: N/A Elementor Addons, Widgets and Enhancements – Stax <= 1.4.3 - Cross-Site Request Forgery via toggle_widget Affected: *-1.4.3 Patched: 1.4.4 Updated: June 29, 2026

LOW

metform

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf shortcode Affected: *-3.3.1 Patched: 3.3.2 Updated: June 29, 2026

LOW

metform

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf shortcode Affected: *-3.3.0 Patched: 3.3.1 Updated: June 29, 2026

LOW

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_transaction_id' shortcode Affected: *-3.3.1 Patched: 3.3.2 Updated: June 29, 2026

LOW

metform

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_last_name shortcode Affected: *-3.3.0 Patched: 3.3.1 Updated: June 29, 2026

LOW

metform

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_thankyou shortcode Affected: *-3.3.1 Patched: 3.3.2 Updated: June 29, 2026

LOW

metform

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode Affected: *-3.3.0 Patched: 3.3.1 Updated: June 29, 2026

LOW

metform

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode Affected: *-3.3.1 Patched: 3.3.2 Updated: June 29, 2026

LOW

metform

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_first_name shortcode Affected: *-3.3.0 Patched: 3.3.1 Updated: June 29, 2026

LOW

metform

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.0 - Unauthenticated CSV Injection Affected: *-3.3.0 Patched: 3.3.1 Updated: June 29, 2026

LOW

metform

Score: 93/100 Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode Affected: *-3.3.1 Patched: 3.3.2 Updated: June 29, 2026

LOW

lana-email-logger

Score: 93/100 Lana Email Logger <= 1.0.2 - Unauthenticated Stored Cross-Site Scripting via Email Subject Affected: *-1.0.2 Patched: 1.1.0 Updated: June 29, 2026

LOW

ajax-search-for-woocommerce

Score: 97/100 FiboSearch - AJAX Search for WooCommerce <= 1.23.0 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: 1.23.0 Patched: 1.24.0 Updated: June 29, 2026

LOW

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

easy-digital-downloads

Score: 78/100 Easy Digital Downloads <= 3.1.1.4.2 - Cross-Site Request Forgery via edd_trigger_upgrades Affected: [*, 3.1.2) Patched: 3.1.2 Updated: June 29, 2026

LOW

download-monitor

Score: 93/100 Download Monitor <= 4.8.3 - Authenticated(Subscriber+) Arbitrary File Upload via upload_file Affected: [*, 4.8.4) Patched: 4.8.4 Updated: June 29, 2026

LOW

dokan-lite

Score: 93/100 Dokan <=3.7.19 - Authenticated(Shop Manager+) PHP Object Injection via create_dummy_vendor Affected: [*, 3.7.20) Patched: 3.7.20 Updated: June 29, 2026

LOW

woocommerce-abandoned-cart

Score: N/A Abandoned Cart Lite for WooCommerce <= 5.15.1 - Authentication Bypass Affected: *-5.15.1 Patched: 5.15.2 Updated: June 29, 2026

LOW

powerpress

Score: N/A PowerPress <= 10.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Feed[title]' Affected: *-10.2.3 Patched: 10.2.4 Updated: June 29, 2026

LOW

getwid

Score: 93/100 Getwid – Gutenberg Blocks <= 1.8.3 - Improper Authorization via get_remote_templates REST endpoint Affected: *-1.8.3 Patched: 1.8.4 Updated: June 29, 2026

LOW

getwid

Score: 93/100 Getwid – Gutenberg Blocks <= 1.8.3 - Authenticated(Subscriber+) Server Side Request Forgery Affected: *-1.8.3 Patched: 1.8.4 Updated: June 29, 2026

LOW

wptables

Score: N/A WordPress Tables <= 1.3.9 - Reflected Cross-Site Scripting via error_msg Affected: *-1.3.9 Patched: Updated: June 29, 2026

LOW

wpbrutalai

Score: N/A WP Brutal AI < 2.0.0 - Cross-Site Request Forgery to SQL Injection Affected: [*, 2.0.0) Patched: 2.0.0 Updated: June 29, 2026

LOW

wpbrutalai

Score: N/A WP Brutal AI < 2.0.1 - Reflected Cross-Site Scripting Affected: [*, 2.0.1) Patched: 2.0.1 Updated: June 29, 2026

LOW

wp-inventory-manager

Score: N/A WP Inventory Manager <= 2.1.0.13 - Cross-Site Request Forgery via delete_item Affected: *-2.1.0.13 Patched: 2.1.0.14 Updated: June 29, 2026

LOW

visitors-traffic-real-time-statistics

Score: N/A Visitor Traffic Real Time Statistics <= 6.7 - Missing Authorization to Information Disclosure Affected: [*, 6.8) Patched: 6.9 Updated: June 29, 2026

LOW

ultimate-social-media-icons

Score: N/A Social Media Share Buttons & Social Sharing Icons <= 2.8.1 - Authenticated(Administrator+) Stored Cross-Site Scripting Affected: *-2.8.1 Patched: 2.8.2 Updated: June 29, 2026

LOW

ultimate-product-catalogue

Score: N/A Ultimate Product Catalog <= 5.2.5 - Authenticated(Administrator+) Stored Cross-Site Scripting Affected: *-5.2.5 Patched: 5.2.6 Updated: June 29, 2026

LOW

ultimate-premium-plugin

Score: N/A USM Premium <= 16.2 - Authenticated(Administrator+) Stored Cross-Site Scripting Affected: *-16.2 Patched: 16.3 Updated: June 29, 2026

LOW

responsive-css-editor

Score: N/A Responsive CSS EDITOR <= 1.0 - Authenticated(Administrator+) SQL Injection Affected: *-1.0 Patched: Updated: June 29, 2026

LOW

kivicare-clinic-management-system

Score: 93/100 KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Sensitive Information Exposure Affected: 3.2.0 Patched: 3.2.1 Updated: June 29, 2026

LOW

kivicare-clinic-management-system

Score: 93/100 KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Cross-Site Request Forgery Affected: *-3.2.0 Patched: 3.2.1 Updated: June 29, 2026

LOW

kivicare-clinic-management-system

Score: 93/100 KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Missing Authorization Affected: *-3.2.0 Patched: 3.2.1 Updated: June 29, 2026

LOW

kivicare-clinic-management-system

Score: 93/100 KiviCare <= 3.2.0 - Reflected Cross-Site Scripting via 'filterType' Affected: [*, 3.2.1) Patched: 3.2.1 Updated: June 29, 2026

LOW

gsheetconnector-gravity-forms

Score: 93/100 Gravity Forms Google Sheet Connector <= 1.3.4 - Cross-Site Request Forgery via verify_code_integation_new Affected: *-1.3.4 Patched: 1.3.5 Updated: June 29, 2026

LOW

formcraft-form-builder

Score: 93/100 FormCraft Premium <= 3.9.6 - Authenticated(Administrator+) SQL Injection Affected: *-3.9.5 Patched: 3.9.6 Updated: June 29, 2026

LOW

erp

Score: 93/100 WP ERP <= 1.12.3 - Authenticated (Administrator+) SQL Injection via 'type' Affected: [*, 1.12.4) Patched: 1.12.4 Updated: June 29, 2026

LOW

erp

Score: 93/100 WP ERP <= 1.12.3 - Reflected Cross-Site Scripting Affected: [*, 1.12.4) Patched: 1.12.4 Updated: June 29, 2026

LOW

editorial-calendar

Score: 93/100 Editorial Calendar <= 3.8.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via edcal_saveoptions AJAX action Affected: *-3.8.0 Patched: 3.8.1 Updated: June 29, 2026

LOW

codecolorer

Score: 93/100 CodeColorer <= 0.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-0.10.0 Patched: 0.10.1 Updated: June 29, 2026

LOW

catalyst-connect-client-portal

Score: 93/100 Catalyst Connect Zoho CRM Client Portal <= 2.0.0 - Reflected Cross-Site Scripting Affected: *-2.0.0 Patched: 2.1.0 Updated: June 29, 2026

LOW

aajoda-testimonials

Score: 95/100 Aajoda Testimonials <= 2.2.1 - Authenticated(Administrator+) Stored Cross-Site Scripting Affected: *-2.2.1 Patched: 2.2.2 Updated: June 29, 2026

LOW

wp-user-switch

Score: N/A WP User Switch <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie Affected: *-1.0.2 Patched: 1.0.3 Updated: June 29, 2026

LOW

wp-hide-post

Score: N/A WP Hide Post <= 2.0.10 - Cross-Site Request Forgery via save_bulk_edit_data Affected: *-2.0.10 Patched: Updated: June 29, 2026

LOW

woo-smart-wishlist

Score: N/A WPC Smart Wishlist for WooCommerce <= 4.7.1 - Cross-Site Request Forgery via wishlist_add and wishlist_remove Affected: *-4.7.1 Patched: 4.7.2 Updated: June 29, 2026

LOW

kebo-twitter-feed

Score: 91/100 Kebo Twitter Feed <= 1.5.12 - Cross-Site Request Forgery via kebo_twitter_menu_render Affected: *-1.5.12 Patched: Updated: June 29, 2026

LOW

dynamic-visibility-for-elementor

Score: 93/100 Dynamic Visibility for Elementor <= 5.0.5 - Missing Authorization to Authenticated(Subscriber+) Post Visibility Modification Affected: [*, 5.0.6) Patched: 5.0.6 Updated: June 29, 2026

LOW

constant-contact-forms

Score: 93/100 Constant Contact Forms <= 1.14.0 - Missing Authorization via constant_contact_optin_ajax_handler Affected: *-1.14.0 Patched: 2.0.0 Updated: June 29, 2026

LOW

change-woocommerce-add-to-cart-button-text

Score: 91/100 Change WooCommerce Add To Cart Button Text <= 1.3 - Missing Authorization via rexvs_settings_submit Affected: *-1.3 Patched: Updated: June 29, 2026

LOW

cart2cart-magento-to-woocommerce-migration

Score: 91/100 Cart2Cart: Magento to WooCommerce Migration <= 2.0.0 - Missing Authorization via setToken Affected: *-2.0.0 Patched: Updated: June 29, 2026

LOW

b2bking-wholesale-for-woocommerce

Score: 93/100 B2BKing <= 4.6.00 - Missing Authorization to Authenticated(Subscriber+) Price Modification Affected: *-4.6.00 Patched: 4.6.20 Updated: June 29, 2026

LOW

b2bking-wholesale-for-woocommerce

Score: 93/100 B2BKing <= 4.6.00 - Missing Authorization to Authenticated(Subscriber+) Information Disclosure Affected: *-4.6.00 Patched: 4.6.20 Updated: June 29, 2026

LOW

wp-inventory-manager

Score: N/A WP Inventory Manager <= 2.1.0.13 - Cross-Site Request Forgery via delete_item Affected: *-2.1.0.13 Patched: 2.1.0.14 Updated: June 29, 2026

LOW

woocommerce-box-office

Score: N/A WooCommerce Box Office <= 1.1.50 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.1.50 Patched: 1.1.51 Updated: June 29, 2026

LOW

woocommerce-box-office

Score: N/A WooCommerce Box Office <= 1.1.51 - Missing Authorization Affected: *-1.1.51 Patched: 1.1.52 Updated: June 29, 2026

LOW

woo-confirmation-email

Score: N/A User Email Verification for WooCommerce <= 3.5.0 - Authentication Bypass Affected: *-3.5.0 Patched: Updated: June 29, 2026

LOW

vk-blocks

Score: N/A VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update Affected: *-1.57.0.5 Patched: 1.57.0.10 Updated: June 29, 2026

LOW

vk-blocks

Score: N/A VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update Affected: *-1.57.0.5 Patched: 1.58.0.0 Updated: June 29, 2026

LOW

uncanny-learndash-toolkit

Score: N/A Uncanny Toolkit for LearnDash <= 3.6.4.3 - Missing Authorization via review-banner-visibility REST route Affected: *-3.6.4.3 Patched: 3.6.4.4 Updated: June 29, 2026

LOW

ultimate-social-media-icons

Score: N/A Social Media & Share Icons <= 2.8.1 - Missing Authorization via handle_installation Affected: *-2.8.1 Patched: 2.8.2 Updated: June 29, 2026

LOW

spamreferrerblock

Score: N/A Download SpamReferrerBlock <= 2.22 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.22 Patched: Updated: June 29, 2026

LOW

spamreferrerblock

Score: N/A SpamReferrerBlock <= 2.22 - Cross-Site Request Forgery Affected: *-2.22 Patched: Updated: June 29, 2026

LOW

premium-addons-pro

Score: N/A Premium Addons PRO <= 2.8.24 - Reflected Cross-Site Scripting Affected: *-2.8.24 Patched: 2.8.25 Updated: June 29, 2026

LOW

photo-gallery

Score: N/A Photo Gallery <= 1.8.15 - Missing Authorization Affected: [*, 1.8.16) Patched: 1.8.16 Updated: June 29, 2026

LOW

paypal-payment-button-by-vcita

Score: N/A Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.9.1 Patched: 3.10.0 Updated: June 29, 2026

LOW

paypal-payment-button-by-vcita

Score: N/A Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.10.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-3.10.0 Patched: 3.20.0 Updated: June 29, 2026

LOW

page-builder-by-azexo

Score: N/A Page Builder by AZEXO <= 1.27.133 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.27.133 Patched: Updated: June 29, 2026

LOW

page-builder-by-azexo

Score: N/A Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Stored Cross-Site Scripting via azh_save Affected: *-1.27.133 Patched: Updated: June 29, 2026

LOW

page-builder-by-azexo

Score: N/A Page Builder by AZEXO <= 1.27.133 - Cross-Site Request Forgery to Post Creation/Modification/Deletion Affected: *-1.27.133 Patched: Updated: June 29, 2026

LOW

page-builder-by-azexo

Score: N/A Page Builder by AZEXO <= 1.27.133 - Missing Authorization to Post Creation Affected: *-1.27.133 Patched: Updated: June 29, 2026

LOW

meeting-scheduler-by-vcita

Score: 93/100 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.6 - Missing Authorization to Settings Update and Arbitrary File Upload Affected: *-4.4.6 Patched: 4.5 Updated: June 29, 2026

LOW

meeting-scheduler-by-vcita

Score: 93/100 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.4.2 - Missing Authorization on REST-API Affected: *-4.4.2 Patched: 4.4.3 Updated: June 29, 2026

LOW

meeting-scheduler-by-vcita

Score: 93/100 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.2.10 - Missing Authorization to Account Logout Affected: *-4.2.10 Patched: 4.3.0 Updated: June 29, 2026

LOW

meeting-scheduler-by-vcita

Score: 93/100 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.3.0 - Unauthenticated Stored Cross-Site Scripting Affected: *-4.3.0 Patched: 4.3.1 Updated: June 29, 2026

LOW

meeting-scheduler-by-vcita

Score: 93/100 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5 - Cross-Site Request Forgery to Account Logout Affected: *-4.5 Patched: 4.5.2 Updated: June 29, 2026

LOW

lead-capturing-call-to-actions-by-vcita

Score: 89/100 Contact Form and Calls To Action by vcita <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.6.4 Patched: 2.7.0 Updated: June 29, 2026

LOW

kanban

Score: 86/100 Kanban Boards for WordPress <= 2.5.20 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.5.20 Patched: 2.5.21 Updated: June 29, 2026

LOW

kanban

Score: 86/100 Kanban Boards for WordPress <= 2.5.20 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.5.20 Patched: 2.5.21 Updated: June 29, 2026

LOW

js-jobs

Score: 81/100 JS Job Manager <= 2.0.0 - Cross-Site Request Forgery via multiple functions Affected: *-2.0.0 Patched: 2.0.1 Updated: June 29, 2026

LOW

extended-post-status

Score: 93/100 Extended Post Status <= 1.0.19 - Missing Authorization via wp_insert_post_data Affected: *-1.0.19 Patched: 1.0.20 Updated: June 29, 2026

LOW

event-registration-calendar-by-vcita

Score: 89/100 Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.3.1 Patched: 1.4.0 Updated: June 29, 2026

LOW

event-registration-calendar-by-vcita

Score: 89/100 Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.10.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-1.3.1 Patched: Updated: June 29, 2026

LOW

erp

Score: 93/100 WP ERP <= 1.12.3 - Reflected Cross-Site Scripting Affected: *-1.12.3 Patched: 1.12.4 Updated: June 29, 2026

LOW

crm-customer-relationship-management-by-vcita

Score: 93/100 CRM and Lead Management by vcita <= 2.7.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-2.7.0 Patched: 2.7.1 Updated: June 29, 2026

LOW

crm-customer-relationship-management-by-vcita

Score: 93/100 CRM and Lead Management by vcita <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.6.2 Patched: 2.7.0 Updated: June 29, 2026

LOW

cookie-consent-box

Score: 93/100 GDPR Cookie Consent Notice Box <= 1.1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.1.6 Patched: 1.1.7 Updated: June 29, 2026

LOW

contact-form-with-a-meeting-scheduler-by-vcita

Score: 93/100 Contact Form Builder by vcita <= 4.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-4.9.1 Patched: 4.10.1 Updated: June 29, 2026

LOW

contact-form-with-a-meeting-scheduler-by-vcita

Score: 93/100 Contact Form and Calls To Action by vcita <= 4.10.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-4.10.5 Patched: 4.10.6 Updated: June 29, 2026

LOW

contact-form-with-a-meeting-scheduler-by-vcita

Score: 93/100 Contact Form Builder by vcita <= 4.10.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-4.10.3 Patched: 4.10.5 Updated: June 29, 2026

LOW

cartflows

Score: 93/100 CartFlows <= 1.11.11 - Insecure Direct Object Reference to Arbitrary Post Deletion Affected: [*, 1.11.12) Patched: 1.11.12 Updated: June 29, 2026

LOW

advanced-free-flat-shipping-woocommerce

Score: 97/100 Advanced Flat rate shipping Woocommerce <= 1.6.4.4 - Cross-Site Request Forgery via enableDisable and deletePost Affected: *-1.6.4.4 Patched: 1.6.4.6 Updated: June 29, 2026

LOW

accessibility-help-button

Score: 97/100 Call Now Accessibility Button <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.1 Patched: 1.2 Updated: June 29, 2026

LOW

wpforo

Score: N/A wpForo Forum <= 2.1.7 - Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents Affected: *-2.1.7 Patched: 2.1.8 Updated: June 29, 2026

LOW

wpdirectorykit

Score: N/A WP Directory Kit <= 1.2.3 - Reflected Cross-Site Scripting via 'search' Affected: *-1.2.3 Patched: 1.2.4 Updated: June 29, 2026

LOW

web-directory-free

Score: N/A Web Directory Free <= 1.6.8 - Authenticated (Contributor+) SQL Injection via post_id Affected: *-1.6.8 Patched: 1.6.9 Updated: June 29, 2026

Showing 24801 to 24900 of 36282 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 21:46 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List