Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36282

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
resume-upload-form	resume-upload-form	N/A	Upload Resume <= 1.2.0 - Captcha Bypass via resume_upload_form	LOW	*-1.2.0		June 29, 2026
responsive-tabs-for-wpbakery	responsive-tabs-for-wpbakery	N/A	Responsive Tabs For WPBakery Page Builder <= 1.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode	LOW	*-1.1		June 29, 2026
mstore-api	mstore-api	N/A	MStore API <= 3.9.2 - Authentication Bypass	LOW	*-3.9.2	3.9.3	June 29, 2026
miniorange-login-with-eve-online-google-facebook	miniorange-login-with-eve-online-google-facebook	93	OAuth Single Sign On – SSO (OAuth Client) <= 6.23.3 - Missing Authorization	LOW	*-6.23.3	6.23.4	June 29, 2026
jetformbuilder	jetformbuilder	93	JetFormBuilder <= 3.0.6 - Cross-Site Request Fogery via 'do_admin_action'	LOW	*-3.0.6	3.0.7	June 29, 2026
google-maps-easy	google-maps-easy	93	Easy Google Maps <= 1.11.7 - Cross-Site Request Forgery via AJAX action	LOW	*-1.11.7	1.11.8	June 29, 2026
google-maps-easy	google-maps-easy	93	Easy Google Maps <= 1.11.7 - Cross-Site Request Forgery	LOW	*-1.11.7	1.11.8	June 29, 2026
flickr-justified-gallery	flickr-justified-gallery	91	Flickr Justified Gallery <= 3.5 - Cross-Site Request Forgery via fjgwpp_settings()	LOW	*-3.5		June 29, 2026
download-theme	download-theme	93	Download Theme <= 1.0.9 - Cross-Site Request Forgery via dtwap_download()	LOW	*-1.0.9	1.1.0	June 29, 2026
download-plugin	download-plugin	93	Download Plugin <= 2.0.4 - Cross-Site Request Forgery	LOW	[*, 2.0.5)	2.0.5	June 29, 2026
conditional-menus	conditional-menus	93	Conditional Menus <= 1.2.0 - Reflected Cross-Site Scripting	LOW	*-1.2.0	1.2.1	June 29, 2026
youtube-playlist-player	youtube-playlist-player	N/A	YouTube Playlist Player <= 4.6.4 - Cross-Site Request Forgery in ytpp_settings	LOW	*-4.6.4	4.6.5	June 29, 2026
WS Form LITE – Drag & Drop Contact Form Builder	ws-form	N/A	WS Form LITE <= 1.9.117 - CAPTCHA Bypass	LOW	*-1.9.117	1.9.118	June 29, 2026
Iptanus File Upload	wp-file-upload	76	WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-4.19.1	4.19.2	June 29, 2026
Iptanus File Upload	wp-file-upload	76	WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Path Traversal	LOW	*-4.19.1	4.19.2	June 29, 2026
wordpress-file-upload-pro	wordpress-file-upload-pro	N/A	WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-4.19.1	4.19.2	June 29, 2026
wordpress-file-upload-pro	wordpress-file-upload-pro	N/A	WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Path Traversal	LOW	*-4.19.1	4.19.2	June 29, 2026
woocommerce-services	woocommerce-services	N/A	WooCommerce Shipping & Tax <= 2.2.4 - Stored Cross-Site Scripting	LOW	[*, 2.2.5)	2.2.5	June 29, 2026
sis-handball	sis-handball	N/A	SIS Handball <= 1.0.45 - Authenticated (Administrator+) SQL Injection via 'orderby'	LOW	*-1.0.45		June 29, 2026
multiple-pages-generator-by-porthas	multiple-pages-generator-by-porthas	N/A	Multiple Page Generator Plugin – MPG <= 3.3.19 - Authenticated (Administrator+) SQL Injection in projects_list and total_projects	LOW	*-3.3.19	3.3.20	June 29, 2026
go_pricing	go_pricing	93	Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-3.3.19	3.4	June 29, 2026
go_pricing	go_pricing	93	Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Improper Authorization to Arbitrary File Upload	LOW	*-3.3.19	3.4	June 29, 2026
go_pricing	go_pricing	93	Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Missing Authorization to Limited Privilege Granting	LOW	*-3.3.19	3.4	June 29, 2026
go_pricing	go_pricing	93	Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Authenticated (Subscriber+) PHP Object Injection	LOW	*-3.3.19	3.4	June 29, 2026
easy-admin-menu	easy-admin-menu	91	Easy Admin Menu <= 1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.3		June 29, 2026
yikes-inc-easy-mailchimp-extender	yikes-inc-easy-mailchimp-extender	N/A	Easy Forms for Mailchimp <= 6.8.8 - Reflected Cross-Site Scripting	LOW	*-6.8.8	6.8.9	June 29, 2026
wp-piwik	wp-piwik	N/A	WP-Piwik <= 1.0.27 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Display Name	LOW	*-1.0.27	1.0.28	June 29, 2026
wp-hijri	wp-hijri	N/A	WP-Hijri <= 1.5.1 - Reflected Cross-Site Scripting	LOW	*-1.5.1	1.5.2	June 29, 2026
wp-coder	wp-coder	N/A	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-2.5.5	2.5.6	June 29, 2026
woocommerce-warranty	woocommerce-warranty	N/A	WooCommerce Warranty Requests <= 2.1.6 - Reflected Cross-Site Scripting	LOW	*-2.1.6	2.1.7	June 29, 2026
woocommerce-follow-up-emails	woocommerce-follow-up-emails	N/A	WooCommerce Follow-Up Emails <= 4.9.40 - Reflected Cross-Site Scripting	LOW	*-4.9.40	4.9.50	June 29, 2026
woocommerce-follow-up-emails	woocommerce-follow-up-emails	N/A	WooCommerce Follow-Up Emails <= 4.9.40 - Cross-Site Request Forgery	LOW	*-4.9.40	4.9.50	June 29, 2026
woocommerce-follow-up-emails	woocommerce-follow-up-emails	N/A	WooCommerce Follow-Up Emails <= 4.9.40 - Authenticated Arbitrary File Upload in Template Editing	LOW	*-4.9.40	4.9.50	June 29, 2026
woocommerce-abandoned-cart	woocommerce-abandoned-cart	N/A	Abandoned Cart Lite for WooCommerce <= 5.14.1 - Cross-Site Request Forgery via delete_expired_used_coupon_code	LOW	[*, 5.14.2)	5.14.2	June 29, 2026
woocommerce-abandoned-cart	woocommerce-abandoned-cart	N/A	Abandoned Cart Lite for WooCommerce <= 5.14.1 - Cross-Site Request Forgery via ts_reset_tracking_setting	LOW	[*, 5.14.2)	5.14.2	June 29, 2026
woo-bulk-editor	woo-bulk-editor	N/A	BEAR <= 1.1.3.1 - Cross-Site Request Forgery via Multiple Functions	LOW	*-1.1.3.1	1.1.3.2	June 29, 2026
wip-custom-login	wip-custom-login	N/A	WIP Custom Login <= 1.2.9 - Cross-Site Request Forgery via save_option	LOW	*-1.2.9	1.3.0	June 29, 2026
unlimited-elements-for-elementor	unlimited-elements-for-elementor	N/A	Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 - Arbitrary File Upload in File Manager	LOW	*-1.5.60	1.5.61	June 29, 2026
unlimited-elements-for-elementor	unlimited-elements-for-elementor	N/A	Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 - Zip Extraction to Arbitrary File Upload in File Manager	LOW	*-1.5.66	1.5.67	June 29, 2026
unite-gallery-lite	unite-gallery-lite	N/A	Unite Gallery Lite <= 1.7.59 - Authenticated(Administrator+) Local File Inclusion via 'view' parameter	LOW	*-1.7.59	1.7.60	June 29, 2026
supportcandy	supportcandy	N/A	SupportCandy <= 3.1.6 - Authenticated (Admin+) SQL Injection	LOW	*-3.1.6	3.1.7	June 29, 2026
supportcandy	supportcandy	N/A	SupportCandy <= 3.1.6 - Authenticated (Subscriber+) SQL Injection	LOW	*-3.1.6	3.1.7	June 29, 2026
sticky-buttons	sticky-buttons	N/A	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-3.1.0	3.1.1	June 29, 2026
side-menu-lite	side-menu-lite	N/A	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-4.0.1	4.0.2	June 29, 2026
sfwd-lms	sfwd-lms	N/A	LearnDash LMS <= 4.5.3 - Authenticated (Contributor+) SQL Injection	LOW	*-4.5.3	4.5.3.1	June 29, 2026
seo-by-rank-math-pro	seo-by-rank-math-pro	N/A	Rank Math SEO PRO <= 3.0.35 - Reflected Cross-Site Scripting	LOW	*-3.0.35	3.0.36	June 29, 2026
revslider	revslider	N/A	Slider Revolution <= 6.6.12 - Authenticated (Administrator+) Arbitrary File Upload	LOW	*-6.6.12	6.6.13	June 29, 2026
qubotchat	qubotchat	N/A	QuBotChat <= 1.1.5 - Authenticated(Administrator+) Stored Cross-Site Scripting	LOW	*-1.1.5	1.1.6	June 29, 2026
profit-button	profit-button	N/A	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-5.3.0	5.3.1	June 29, 2026
popup-box	popup-box	N/A	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-2.2.1	2.2.2	June 29, 2026
novelist	novelist	N/A	Novelist <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Book Information Fields	LOW	*-1.2.0	1.2.1	June 29, 2026
mwp-skype	mwp-skype	N/A	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-4.0.1	4.0.2	June 29, 2026
mwp-herd-effect	mwp-herd-effect	N/A	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-5.2.1	5.2.2	June 29, 2026
mstore-api	mstore-api	N/A	MStore API <= 3.9.1 - Authentication Bypass	LOW	*-3.9.1	3.9.2	June 29, 2026
mailchimp-subscribe-sm	mailchimp-subscribe-sm	93	MailChimp Subscribe Forms <= 4.0.9.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-4.0.9.1	4.0.9.2	June 29, 2026
leyka	leyka	89	Leyka <= 3.30.2 - Privilege Escalation via Admin Password Reset	LOW	*-3.30.2	3.30.3	June 29, 2026
leyka	leyka	89	Leyka <= 3.30.1 - Reflected Cross-Site Scripting	LOW	*-3.30.1	3.30.2	June 29, 2026
icegram	icegram	93	Icegram Engage <= 3.1.11 - Reflected Cross-Site Scripting	LOW	*-3.1.11	3.1.12	June 29, 2026
front-end-only-users	front-end-only-users	89	Front End Users <= 3.2.24 - Reflected Cross-Site Scripting	LOW	*-3.2.24	3.2.25	June 29, 2026
float-menu	float-menu	93	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-5.0.1	5.0.2	June 29, 2026
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management	74	EventPrime <= 3.0.5 - Reflected Cross-Site Scripting	LOW	*-3.0.5	3.0.6	June 29, 2026
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management	74	EventPrime <= 2.8.6 - Sensitive Information Exposure	LOW	*-2.8.6	3.0.0	June 29, 2026
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management	74	EventPrime <= 2.8.6 - Reflected Cross-Site Scripting	LOW	*-2.8.6	3.0.0	June 29, 2026
Elementor Website Builder – more than just a page builder	elementor	79	Elementor <= 3.13.2 Authenticated(Contributor+) Arbitrary Post Type Creation via save_item	LOW	[*, 3.13.3)	3.13.3	June 29, 2026
easy-captcha	easy-captcha	89	Easy Captcha <= 1.0 - Missing Authorization via easy_captcha_update_settings	LOW	*-1.0		June 29, 2026
easy-captcha	easy-captcha	89	Easy Captcha <= 1.0 - Reflected Cross-Site Scripting	LOW	*-1.0		June 29, 2026
duplicator-pro	duplicator-pro	93	Duplicator Pro <= 4.5.11 - Reflected Cross-Site Scripting	LOW	*-4.5.11	4.5.11.1	June 29, 2026
custom-post-type-generator	custom-post-type-generator	91	Custom Post Type Generator <= 2.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings	LOW	*-2.4.2		June 29, 2026
counter-box	counter-box	93	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-1.2.1	1.2.2	June 29, 2026
Database for Contact Form 7, WPforms, Elementor forms	contact-form-entries	84	Contact Form Entries <= 1.3.0 - Authenticated (Contributor+) SQL Injection via shortcode	LOW	*-1.3.0	1.3.1	June 29, 2026
Database for Contact Form 7, WPforms, Elementor forms	contact-form-entries	84	Contact Form Entries <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via vx-entries shortcode	LOW	*-1.3.0	1.3.1	June 29, 2026
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services	chatbot	66	AI ChatBot <= 4.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-4.6.0	4.6.1	June 29, 2026
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services	chatbot	66	AI ChatBot <= 4.5.4 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-4.5.4	4.5.5	June 29, 2026
cf7-zoho	cf7-zoho	93	Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.3 - Authenticated (Admin+) SQL Injection	LOW	*-1.2.3	1.2.4	June 29, 2026
calculator-builder	calculator-builder	93	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-1.5.0	1.5.1	June 29, 2026
button-generation	button-generation	93	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-2.3.4	2.3.5	June 29, 2026
bubble-menu	bubble-menu	93	Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter	LOW	*-3.0.3	3.0.4	June 29, 2026
ultimate-dashboard	ultimate-dashboard	N/A	Ultimate Dashboard <= 3.7.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings	LOW	[*, 3.7.6)	3.7.6	June 29, 2026
smart-app-banner	smart-app-banner	N/A	Smart App Banner <= 1.1.2 - Cross-Site Request Forgery via wsl_smart_app_banner_options	LOW	[*, 1.1.3)	1.1.3	June 29, 2026
woodiscuz-woocommerce-comments	woodiscuz-woocommerce-comments	N/A	WooDiscuz – WooCommerce Comments <= 2.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-2.2.9	2.3.0	June 29, 2026
groundhogg	groundhogg	93	Groundhogg <= 2.7.9.8 - Missing Authorization to Admin Account and Ticket Creation	LOW	*-2.7.8.9	2.7.10	June 29, 2026
groundhogg	groundhogg	93	Groundhogg <= 2.7.9.8 - Missing Authorization to Update License	LOW	*-2.7.9.8	2.7.10	June 29, 2026
groundhogg	groundhogg	93	Groundhogg <= 2.7.9.8 - Missing Authorization to Non-Arbitrary File Upload	LOW	*-2.7.9.8	2.7.10	June 29, 2026
groundhogg	groundhogg	93	Groundhogg <= 2.7.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-2.7.9.8	2.7.10	June 29, 2026
groundhogg	groundhogg	93	Groundhogg <= 2.7.9.8 - Cross-Site Request Forgery to Privilege Escalation	LOW	*-2.7.9.8	2.7.10	June 29, 2026
groundhogg	groundhogg	93	Groundhogg <= 2.7.9.8 - Cross-Site Request Forgery to Disable All Plugins	LOW	*-2.7.9.8	2.7.10	June 29, 2026
AI Engine – The Chatbot, AI Framework & MCP for WordPress	ai-engine	82	AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable <= 1.6.82 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	[*, 1.6.83)	1.6.83	June 29, 2026
wp-htaccess-control	wp-htaccess-control	N/A	WP htaccess Control <= 3.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-3.5.1		June 29, 2026
woocommerce-predictive-search	woocommerce-predictive-search	N/A	WooCommerce Predictive Search <= 5.8.0 - Missing Authorization via multiple AJAX actions	LOW	*-5.8.0	5.8.1	June 29, 2026
woocommerce-predictive-search	woocommerce-predictive-search	N/A	WooCommerce Predictive Search <= 5.8.0 - Cross-Site Request Forgery via multiple AJAX actions	LOW	*-5.8.0	5.8.1	June 29, 2026
wishsuite	wishsuite	N/A	WishSuite <= 1.3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.3.4	1.3.5	June 29, 2026
wesecur-security	wesecur-security	N/A	WeSecur Security <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.2.1		June 29, 2026
UpdraftPlus: WP Backup & Migration Plugin	updraftplus	69	UpdraftPlus <= 1.23.3 - Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage	LOW	*-1.23.3	1.23.4	June 29, 2026
stop-referrer-spam	stop-referrer-spam	N/A	Stop Referrer Spam <= 1.3.0 - Cross-Site Request Forgery via processParameters	LOW	*-1.3.0	1.3.1	June 29, 2026
seo-change-monitor	seo-change-monitor	N/A	SEO Change Monitor <= 1.2 - Authenticated (Subscriber+) SQL Injection	LOW	*-1.2	1.3	June 29, 2026
scripts-n-styles	scripts-n-styles	N/A	Scripts n Styles <= 3.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-3.5.3	3.5.4	June 29, 2026
performance-lab	performance-lab	97	Performance Lab <= 2.2.0 - Cross-Site Request Forgery via dismiss-wp-pointer	LOW	*-2.2.0	2.3.0	June 29, 2026
nuajik-cdn	nuajik-cdn	N/A	nuajik CDN <= 0.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-0.1.0		June 29, 2026
jazz-popups	jazz-popups	89	Jazz Popups <= 1.8.7 - Cross-Site Request Forgery	LOW	*-1.8.7		June 29, 2026
jazz-popups	jazz-popups	89	Jazz Popups <= 1.8.7 - Reflected Cross-Site Scripting via 'wpjazzpopup_switchonoff'	LOW	*-1.8.7		June 29, 2026

LOW

resume-upload-form

Score: N/A Upload Resume <= 1.2.0 - Captcha Bypass via resume_upload_form Affected: *-1.2.0 Patched: Updated: June 29, 2026

LOW

responsive-tabs-for-wpbakery

Score: N/A Responsive Tabs For WPBakery Page Builder <= 1.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode Affected: *-1.1 Patched: Updated: June 29, 2026

LOW

mstore-api

Score: N/A MStore API <= 3.9.2 - Authentication Bypass Affected: *-3.9.2 Patched: 3.9.3 Updated: June 29, 2026

LOW

miniorange-login-with-eve-online-google-facebook

Score: 93/100 OAuth Single Sign On – SSO (OAuth Client) <= 6.23.3 - Missing Authorization Affected: *-6.23.3 Patched: 6.23.4 Updated: June 29, 2026

LOW

jetformbuilder

Score: 93/100 JetFormBuilder <= 3.0.6 - Cross-Site Request Fogery via 'do_admin_action' Affected: *-3.0.6 Patched: 3.0.7 Updated: June 29, 2026

LOW

google-maps-easy

Score: 93/100 Easy Google Maps <= 1.11.7 - Cross-Site Request Forgery via AJAX action Affected: *-1.11.7 Patched: 1.11.8 Updated: June 29, 2026

LOW

google-maps-easy

Score: 93/100 Easy Google Maps <= 1.11.7 - Cross-Site Request Forgery Affected: *-1.11.7 Patched: 1.11.8 Updated: June 29, 2026

LOW

flickr-justified-gallery

Score: 91/100 Flickr Justified Gallery <= 3.5 - Cross-Site Request Forgery via fjgwpp_settings() Affected: *-3.5 Patched: Updated: June 29, 2026

LOW

download-theme

Score: 93/100 Download Theme <= 1.0.9 - Cross-Site Request Forgery via dtwap_download() Affected: *-1.0.9 Patched: 1.1.0 Updated: June 29, 2026

LOW

download-plugin

Score: 93/100 Download Plugin <= 2.0.4 - Cross-Site Request Forgery Affected: [*, 2.0.5) Patched: 2.0.5 Updated: June 29, 2026

LOW

conditional-menus

Score: 93/100 Conditional Menus <= 1.2.0 - Reflected Cross-Site Scripting Affected: *-1.2.0 Patched: 1.2.1 Updated: June 29, 2026

LOW

youtube-playlist-player

Score: N/A YouTube Playlist Player <= 4.6.4 - Cross-Site Request Forgery in ytpp_settings Affected: *-4.6.4 Patched: 4.6.5 Updated: June 29, 2026

LOW

WS Form LITE – Drag & Drop Contact Form Builder

ws-form

Score: N/A WS Form LITE <= 1.9.117 - CAPTCHA Bypass Affected: *-1.9.117 Patched: 1.9.118 Updated: June 29, 2026

LOW

Iptanus File Upload

wp-file-upload

Score: 76/100 WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-4.19.1 Patched: 4.19.2 Updated: June 29, 2026

LOW

Iptanus File Upload

wp-file-upload

Score: 76/100 WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Path Traversal Affected: *-4.19.1 Patched: 4.19.2 Updated: June 29, 2026

LOW

wordpress-file-upload-pro

Score: N/A WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-4.19.1 Patched: 4.19.2 Updated: June 29, 2026

LOW

wordpress-file-upload-pro

Score: N/A WordPress File Upload / WordPress File Upload Pro <= 4.19.1 - Authenticated (Administrator+) Path Traversal Affected: *-4.19.1 Patched: 4.19.2 Updated: June 29, 2026

LOW

woocommerce-services

Score: N/A WooCommerce Shipping & Tax <= 2.2.4 - Stored Cross-Site Scripting Affected: [*, 2.2.5) Patched: 2.2.5 Updated: June 29, 2026

LOW

sis-handball

Score: N/A SIS Handball <= 1.0.45 - Authenticated (Administrator+) SQL Injection via 'orderby' Affected: *-1.0.45 Patched: Updated: June 29, 2026

LOW

multiple-pages-generator-by-porthas

Score: N/A Multiple Page Generator Plugin – MPG <= 3.3.19 - Authenticated (Administrator+) SQL Injection in projects_list and total_projects Affected: *-3.3.19 Patched: 3.3.20 Updated: June 29, 2026

LOW

Score: 93/100 Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-3.3.19 Patched: 3.4 Updated: June 29, 2026

LOW

go_pricing

Score: 93/100 Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Improper Authorization to Arbitrary File Upload Affected: *-3.3.19 Patched: 3.4 Updated: June 29, 2026

LOW

go_pricing

Score: 93/100 Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Missing Authorization to Limited Privilege Granting Affected: *-3.3.19 Patched: 3.4 Updated: June 29, 2026

LOW

go_pricing

Score: 93/100 Go Pricing - WordPress Responsive Pricing Tables <= 3.3.19 - Authenticated (Subscriber+) PHP Object Injection Affected: *-3.3.19 Patched: 3.4 Updated: June 29, 2026

LOW

easy-admin-menu

Score: 91/100 Easy Admin Menu <= 1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.3 Patched: Updated: June 29, 2026

LOW

yikes-inc-easy-mailchimp-extender

Score: N/A Easy Forms for Mailchimp <= 6.8.8 - Reflected Cross-Site Scripting Affected: *-6.8.8 Patched: 6.8.9 Updated: June 29, 2026

LOW

wp-piwik

Score: N/A WP-Piwik <= 1.0.27 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Display Name Affected: *-1.0.27 Patched: 1.0.28 Updated: June 29, 2026

LOW

wp-hijri

Score: N/A WP-Hijri <= 1.5.1 - Reflected Cross-Site Scripting Affected: *-1.5.1 Patched: 1.5.2 Updated: June 29, 2026

LOW

wp-coder

Score: N/A Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-2.5.5 Patched: 2.5.6 Updated: June 29, 2026

LOW

woocommerce-warranty

Score: N/A WooCommerce Warranty Requests <= 2.1.6 - Reflected Cross-Site Scripting Affected: *-2.1.6 Patched: 2.1.7 Updated: June 29, 2026

LOW

woocommerce-follow-up-emails

Score: N/A WooCommerce Follow-Up Emails <= 4.9.40 - Reflected Cross-Site Scripting Affected: *-4.9.40 Patched: 4.9.50 Updated: June 29, 2026

LOW

woocommerce-follow-up-emails

Score: N/A WooCommerce Follow-Up Emails <= 4.9.40 - Cross-Site Request Forgery Affected: *-4.9.40 Patched: 4.9.50 Updated: June 29, 2026

LOW

woocommerce-follow-up-emails

Score: N/A WooCommerce Follow-Up Emails <= 4.9.40 - Authenticated Arbitrary File Upload in Template Editing Affected: *-4.9.40 Patched: 4.9.50 Updated: June 29, 2026

LOW

woocommerce-abandoned-cart

Score: N/A Abandoned Cart Lite for WooCommerce <= 5.14.1 - Cross-Site Request Forgery via delete_expired_used_coupon_code Affected: [*, 5.14.2) Patched: 5.14.2 Updated: June 29, 2026

LOW

woocommerce-abandoned-cart

Score: N/A Abandoned Cart Lite for WooCommerce <= 5.14.1 - Cross-Site Request Forgery via ts_reset_tracking_setting Affected: [*, 5.14.2) Patched: 5.14.2 Updated: June 29, 2026

LOW

woo-bulk-editor

Score: N/A BEAR <= 1.1.3.1 - Cross-Site Request Forgery via Multiple Functions Affected: *-1.1.3.1 Patched: 1.1.3.2 Updated: June 29, 2026

LOW

wip-custom-login

Score: N/A WIP Custom Login <= 1.2.9 - Cross-Site Request Forgery via save_option Affected: *-1.2.9 Patched: 1.3.0 Updated: June 29, 2026

LOW

unlimited-elements-for-elementor

Score: N/A Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.60 - Arbitrary File Upload in File Manager Affected: *-1.5.60 Patched: 1.5.61 Updated: June 29, 2026

LOW

unlimited-elements-for-elementor

Score: N/A Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.66 - Zip Extraction to Arbitrary File Upload in File Manager Affected: *-1.5.66 Patched: 1.5.67 Updated: June 29, 2026

LOW

unite-gallery-lite

Score: N/A Unite Gallery Lite <= 1.7.59 - Authenticated(Administrator+) Local File Inclusion via 'view' parameter Affected: *-1.7.59 Patched: 1.7.60 Updated: June 29, 2026

LOW

supportcandy

Score: N/A SupportCandy <= 3.1.6 - Authenticated (Admin+) SQL Injection Affected: *-3.1.6 Patched: 3.1.7 Updated: June 29, 2026

LOW

supportcandy

Score: N/A SupportCandy <= 3.1.6 - Authenticated (Subscriber+) SQL Injection Affected: *-3.1.6 Patched: 3.1.7 Updated: June 29, 2026

LOW

sticky-buttons

Score: N/A Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-3.1.0 Patched: 3.1.1 Updated: June 29, 2026

LOW

side-menu-lite

Score: N/A Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-4.0.1 Patched: 4.0.2 Updated: June 29, 2026

LOW

sfwd-lms

Score: N/A LearnDash LMS <= 4.5.3 - Authenticated (Contributor+) SQL Injection Affected: *-4.5.3 Patched: 4.5.3.1 Updated: June 29, 2026

LOW

seo-by-rank-math-pro

Score: N/A Rank Math SEO PRO <= 3.0.35 - Reflected Cross-Site Scripting Affected: *-3.0.35 Patched: 3.0.36 Updated: June 29, 2026

LOW

revslider

Score: N/A Slider Revolution <= 6.6.12 - Authenticated (Administrator+) Arbitrary File Upload Affected: *-6.6.12 Patched: 6.6.13 Updated: June 29, 2026

LOW

qubotchat

Score: N/A QuBotChat <= 1.1.5 - Authenticated(Administrator+) Stored Cross-Site Scripting Affected: *-1.1.5 Patched: 1.1.6 Updated: June 29, 2026

LOW

profit-button

Score: N/A Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-5.3.0 Patched: 5.3.1 Updated: June 29, 2026

LOW

popup-box

Score: N/A Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-2.2.1 Patched: 2.2.2 Updated: June 29, 2026

LOW

novelist

Score: N/A Novelist <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Book Information Fields Affected: *-1.2.0 Patched: 1.2.1 Updated: June 29, 2026

LOW

mwp-skype

Score: N/A Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-4.0.1 Patched: 4.0.2 Updated: June 29, 2026

LOW

mwp-herd-effect

Score: N/A Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-5.2.1 Patched: 5.2.2 Updated: June 29, 2026

LOW

mstore-api

Score: N/A MStore API <= 3.9.1 - Authentication Bypass Affected: *-3.9.1 Patched: 3.9.2 Updated: June 29, 2026

LOW

mailchimp-subscribe-sm

Score: 93/100 MailChimp Subscribe Forms <= 4.0.9.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-4.0.9.1 Patched: 4.0.9.2 Updated: June 29, 2026

LOW

leyka

Score: 89/100 Leyka <= 3.30.2 - Privilege Escalation via Admin Password Reset Affected: *-3.30.2 Patched: 3.30.3 Updated: June 29, 2026

LOW

leyka

Score: 89/100 Leyka <= 3.30.1 - Reflected Cross-Site Scripting Affected: *-3.30.1 Patched: 3.30.2 Updated: June 29, 2026

LOW

icegram

Score: 93/100 Icegram Engage <= 3.1.11 - Reflected Cross-Site Scripting Affected: *-3.1.11 Patched: 3.1.12 Updated: June 29, 2026

LOW

front-end-only-users

Score: 89/100 Front End Users <= 3.2.24 - Reflected Cross-Site Scripting Affected: *-3.2.24 Patched: 3.2.25 Updated: June 29, 2026

LOW

float-menu

Score: 93/100 Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-5.0.1 Patched: 5.0.2 Updated: June 29, 2026

LOW

EventPrime – Events Calendar, Bookings and Tickets

eventprime-event-calendar-management

Score: 74/100 EventPrime <= 3.0.5 - Reflected Cross-Site Scripting Affected: *-3.0.5 Patched: 3.0.6 Updated: June 29, 2026

LOW

EventPrime – Events Calendar, Bookings and Tickets

eventprime-event-calendar-management

Score: 74/100 EventPrime <= 2.8.6 - Sensitive Information Exposure Affected: *-2.8.6 Patched: 3.0.0 Updated: June 29, 2026

LOW

EventPrime – Events Calendar, Bookings and Tickets

eventprime-event-calendar-management

Score: 74/100 EventPrime <= 2.8.6 - Reflected Cross-Site Scripting Affected: *-2.8.6 Patched: 3.0.0 Updated: June 29, 2026

LOW

Elementor Website Builder – more than just a page builder

elementor

Score: 79/100 Elementor <= 3.13.2 Authenticated(Contributor+) Arbitrary Post Type Creation via save_item Affected: [*, 3.13.3) Patched: 3.13.3 Updated: June 29, 2026

LOW

easy-captcha

Score: 89/100 Easy Captcha <= 1.0 - Missing Authorization via easy_captcha_update_settings Affected: *-1.0 Patched: Updated: June 29, 2026

LOW

easy-captcha

Score: 89/100 Easy Captcha <= 1.0 - Reflected Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 29, 2026

LOW

duplicator-pro

Score: 93/100 Duplicator Pro <= 4.5.11 - Reflected Cross-Site Scripting Affected: *-4.5.11 Patched: 4.5.11.1 Updated: June 29, 2026

LOW

custom-post-type-generator

Score: 91/100 Custom Post Type Generator <= 2.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings Affected: *-2.4.2 Patched: Updated: June 29, 2026

LOW

counter-box

Score: 93/100 Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-1.2.1 Patched: 1.2.2 Updated: June 29, 2026

LOW

Database for Contact Form 7, WPforms, Elementor forms

contact-form-entries

Score: 84/100 Contact Form Entries <= 1.3.0 - Authenticated (Contributor+) SQL Injection via shortcode Affected: *-1.3.0 Patched: 1.3.1 Updated: June 29, 2026

LOW

Database for Contact Form 7, WPforms, Elementor forms

contact-form-entries

Score: 84/100 Contact Form Entries <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via vx-entries shortcode Affected: *-1.3.0 Patched: 1.3.1 Updated: June 29, 2026

LOW

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services

chatbot

Score: 66/100 AI ChatBot <= 4.6.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-4.6.0 Patched: 4.6.1 Updated: June 29, 2026

LOW

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services

chatbot

Score: 66/100 AI ChatBot <= 4.5.4 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-4.5.4 Patched: 4.5.5 Updated: June 29, 2026

LOW

cf7-zoho

Score: 93/100 Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.2.3 - Authenticated (Admin+) SQL Injection Affected: *-1.2.3 Patched: 1.2.4 Updated: June 29, 2026

LOW

calculator-builder

Score: 93/100 Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-1.5.0 Patched: 1.5.1 Updated: June 29, 2026

LOW

button-generation

Score: 93/100 Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-2.3.4 Patched: 2.3.5 Updated: June 29, 2026

LOW

bubble-menu

Score: 93/100 Multiple Wow-Company Plugins (Various Versions) -- Reflected Cross-Site Scripting via 'page' parameter Affected: *-3.0.3 Patched: 3.0.4 Updated: June 29, 2026

LOW

ultimate-dashboard

Score: N/A Ultimate Dashboard <= 3.7.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings Affected: [*, 3.7.6) Patched: 3.7.6 Updated: June 29, 2026

LOW

smart-app-banner

Score: N/A Smart App Banner <= 1.1.2 - Cross-Site Request Forgery via wsl_smart_app_banner_options Affected: [*, 1.1.3) Patched: 1.1.3 Updated: June 29, 2026

LOW

woodiscuz-woocommerce-comments

Score: N/A WooDiscuz – WooCommerce Comments <= 2.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.2.9 Patched: 2.3.0 Updated: June 29, 2026

LOW

groundhogg

Score: 93/100 Groundhogg <= 2.7.9.8 - Missing Authorization to Admin Account and Ticket Creation Affected: *-2.7.8.9 Patched: 2.7.10 Updated: June 29, 2026

LOW

groundhogg

Score: 93/100 Groundhogg <= 2.7.9.8 - Missing Authorization to Update License Affected: *-2.7.9.8 Patched: 2.7.10 Updated: June 29, 2026

LOW

groundhogg

Score: 93/100 Groundhogg <= 2.7.9.8 - Missing Authorization to Non-Arbitrary File Upload Affected: *-2.7.9.8 Patched: 2.7.10 Updated: June 29, 2026

LOW

groundhogg

Score: 93/100 Groundhogg <= 2.7.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-2.7.9.8 Patched: 2.7.10 Updated: June 29, 2026

LOW

groundhogg

Score: 93/100 Groundhogg <= 2.7.9.8 - Cross-Site Request Forgery to Privilege Escalation Affected: *-2.7.9.8 Patched: 2.7.10 Updated: June 29, 2026

LOW

groundhogg

Score: 93/100 Groundhogg <= 2.7.9.8 - Cross-Site Request Forgery to Disable All Plugins Affected: *-2.7.9.8 Patched: 2.7.10 Updated: June 29, 2026

LOW

AI Engine – The Chatbot, AI Framework & MCP for WordPress

ai-engine

Score: 82/100 AI Engine: ChatGPT Chatbot, Content Generator, GPT 3 & 4, Ultra-Customizable <= 1.6.82 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: [*, 1.6.83) Patched: 1.6.83 Updated: June 29, 2026

LOW

wp-htaccess-control

Score: N/A WP htaccess Control <= 3.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-3.5.1 Patched: Updated: June 29, 2026

LOW

woocommerce-predictive-search

Score: N/A WooCommerce Predictive Search <= 5.8.0 - Missing Authorization via multiple AJAX actions Affected: *-5.8.0 Patched: 5.8.1 Updated: June 29, 2026

LOW

woocommerce-predictive-search

Score: N/A WooCommerce Predictive Search <= 5.8.0 - Cross-Site Request Forgery via multiple AJAX actions Affected: *-5.8.0 Patched: 5.8.1 Updated: June 29, 2026

LOW

wishsuite

Score: N/A WishSuite <= 1.3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.3.4 Patched: 1.3.5 Updated: June 29, 2026

LOW

wesecur-security

Score: N/A WeSecur Security <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.2.1 Patched: Updated: June 29, 2026

LOW

UpdraftPlus: WP Backup & Migration Plugin

updraftplus

Score: 69/100 UpdraftPlus <= 1.23.3 - Cross-Site Request Forgery to Cross-Site Scripting via action_authenticate_storage Affected: *-1.23.3 Patched: 1.23.4 Updated: June 29, 2026

LOW

stop-referrer-spam

Score: N/A Stop Referrer Spam <= 1.3.0 - Cross-Site Request Forgery via processParameters Affected: *-1.3.0 Patched: 1.3.1 Updated: June 29, 2026

LOW

seo-change-monitor

Score: N/A SEO Change Monitor <= 1.2 - Authenticated (Subscriber+) SQL Injection Affected: *-1.2 Patched: 1.3 Updated: June 29, 2026

LOW

scripts-n-styles

Score: N/A Scripts n Styles <= 3.5.3 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-3.5.3 Patched: 3.5.4 Updated: June 29, 2026

LOW

performance-lab

Score: 97/100 Performance Lab <= 2.2.0 - Cross-Site Request Forgery via dismiss-wp-pointer Affected: *-2.2.0 Patched: 2.3.0 Updated: June 29, 2026

LOW

nuajik-cdn

Score: N/A nuajik CDN <= 0.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-0.1.0 Patched: Updated: June 29, 2026

LOW

jazz-popups

Score: 89/100 Jazz Popups <= 1.8.7 - Cross-Site Request Forgery Affected: *-1.8.7 Patched: Updated: June 29, 2026

LOW

jazz-popups

Score: 89/100 Jazz Popups <= 1.8.7 - Reflected Cross-Site Scripting via 'wpjazzpopup_switchonoff' Affected: *-1.8.7 Patched: Updated: June 29, 2026

Showing 25001 to 25100 of 36282 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 21:47 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List