Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36282

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
wp-category-posts-list	wp-category-posts-list	N/A	WP Category Post List Widget <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode	LOW	*-2.0.3		June 30, 2026
woodmart-core	woodmart-core	N/A	Woodmart Core <= 1.0.36 - Authentication Bypass to Privilege Escalation	LOW	*-1.0.36	1.0.37	June 30, 2026
woodmart-core	woodmart-core	N/A	Woodmart Core <= 1.0.36 - PHP Object Injection	LOW	*-1.0.36	1.0.37	June 30, 2026
soundcloud-is-gold	soundcloud-is-gold	N/A	Soundcloud Is Gold <= 2.5.1 - Missing Authorization to Soundcloud User Add	LOW	*-2.5.1		June 30, 2026
pinterest-rss-widget	pinterest-rss-widget	N/A	Pinterest RSS Widget <= 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-2.3.1		June 30, 2026
owl-carousel	owl-carousel	N/A	Owl Carousel <= 0.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode	LOW	*-0.5.3		June 30, 2026
notifyvisitors-lead-form	notifyvisitors-lead-form	N/A	NotifyVisitors <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings	LOW	*-1.0		June 30, 2026
locatoraid	locatoraid	91	Locatoraid Store Locator <= 3.9.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting	LOW	*-3.9.18	3.9.19	June 30, 2026
letterpress	letterpress	89	LetterPress <= 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings	LOW	*-1.2.2		June 30, 2026
injection-guard	injection-guard	93	Injection Guard <= 1.2.1 - Cross-Site Request Forgery via ig_update	LOW	*-1.2.1	1.2.2	June 30, 2026
injection-guard	injection-guard	93	Injection Guard <= 1.2.1 - Missing Authorization via ig_update	LOW	*-1.2.1	1.2.2	June 30, 2026
google-calendar-events	google-calendar-events	93	Simple Calendar <= 3.1.42 - Cross-Site Request Forgery to Transient Cache Clearing	LOW	*-3.1.42	3.1.43	June 30, 2026
gallery-portfolio	gallery-portfolio	91	Portfolio Gallery – Responsive Image Gallery <= 1.4.5 - Missing Authorization to Arbitrary Gallery Deletion	LOW	*-1.4.5	1.4.6	June 30, 2026
forget-about-shortcode-buttons	forget-about-shortcode-buttons	93	Forget About Shortcode Buttons <= 2.1.2 - Missing Authorization via fasc_buttons	LOW	*-2.1.2	2.1.3	June 30, 2026
Essential Addons for Elementor – Popular Elementor Templates & Widgets	essential-addons-for-elementor-lite	85	Essential Addons for Elementor <= 5.7.1 - Unauthenticated Arbitrary Password Reset to Privilege Escalation	LOW	*-5.7.1	5.7.2	June 30, 2026
ebecas	ebecas	91	eBecas <= 3.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings	LOW	*-3.1.3		June 30, 2026
dyslexiefont	dyslexiefont	91	Dyslexiefont Free <= 1.0.0 - Cross-Site Request Forgery	LOW	*-1.0.0		June 30, 2026
don8	don8	91	Don8 <= 0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings	LOW	*-0.4		June 30, 2026
devbuddy-twitter-feed	devbuddy-twitter-feed	91	DevBuddy Twitter Feed <= 4.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings	LOW	*-4.0.0		June 30, 2026
bulletin-announcements	bulletin-announcements	93	Announcement & Notification Banner – Bulletin <= 3.7.0 - Cross-Site Request Forgery	LOW	*-3.7.0	3.7.1	June 30, 2026
bulletin-announcements	bulletin-announcements	93	Announcement & Notification Banner – Bulletin <= 3.6.0 - Missing Authorization Checks	LOW	*-3.6.0	3.7.0	June 30, 2026
buddyforms	buddyforms	89	Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-2.8.1	2.8.2	June 30, 2026
bookly-responsive-appointment-booking-tool	bookly-responsive-appointment-booking-tool	93	Bookly <= 21.7.1 - Arbitrary File Deletion	LOW	*-21.7.1	21.8	June 30, 2026
add-posts-to-pages	add-posts-to-pages	95	Add Posts to Pages <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.4.1		June 30, 2026
accesspress-anonymous-post	accesspress-anonymous-post	95	AccessPress Anonymous Post <= 2.8.4 - Authenticated (Contributor+) Arbitrary Redirect	LOW	*-2.8.4		June 30, 2026
yith-woocommerce-gift-cards-premium	yith-woocommerce-gift-cards-premium	N/A	YITH WooCommerce Gift Cards Premium <= 3.23.1 - Missing Authorization	LOW	*-3.23.1	3.24.0	June 30, 2026
wp-whydonate	wp-whydonate	N/A	Whydonate – FREE Donate button <= 3.12.14 - Cross-Site Request Forgery	LOW	*-3.12.14	3.12.16	June 30, 2026
wp-replicate-post	wp-replicate-post	N/A	WP Replicate Post <= 4.0.2 - Authenticated (Contributor+) SQL Injection	LOW	*-4.0.2	4.1	June 30, 2026
wp-chinese-conversion	wp-chinese-conversion	N/A	WP Chinese Conversion <= 1.1.16 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.1.16		June 30, 2026
woo-custom-emails	woo-custom-emails	N/A	Woo Custom Emails <= 2.2 - Missing Authorization to Unauthenticated Settings Change	LOW	*-2.2		June 30, 2026
wd-facebook-feed	wd-facebook-feed	N/A	10Web Social Post Feed <= 1.2.8 - Reflected Cross-Site Scripting	LOW	*-1.2.8	1.2.9	June 30, 2026
wcp-contact-form	wcp-contact-form	N/A	WCP Contact Form <= 3.1.0 - Missing Authorization via downloadCsv	LOW	*-3.1.0		June 30, 2026
wcp-contact-form	wcp-contact-form	N/A	WCP Contact Form <= 3.1.0 - Missing Authorization	LOW	*-3.1.0		June 30, 2026
seo-by-10web	seo-by-10web	N/A	SEO By 10Web <= 1.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-1.2.6	1.2.7	June 30, 2026
order-your-posts-manually	order-your-posts-manually	N/A	Order Your Posts Manually <= 2.2.5 - Authenticated (Administrator+) SQL Injection via 'sortdata'	LOW	*-2.2.5		June 30, 2026
order-your-posts-manually	order-your-posts-manually	N/A	Order Your Posts Manually <= 2.2.5 - Reflected Cross-Site Scripting via '_user_request'	LOW	*-2.2.5		June 30, 2026
order-your-posts-manually	order-your-posts-manually	N/A	Order Your Posts Manually <= 2.2.5 - Reflected Cross-Site Scripting via 'cat_id'	LOW	*-2.2.5		June 30, 2026
Brevo – Email, SMS, Web Push, Chat, and more.	mailin	76	Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.60 - Reflected Cross-Site Scripting via 'lang'	LOW	*-3.1.60	3.1.61	June 30, 2026
mailchimp-subscribe-sm	mailchimp-subscribe-sm	93	MailChimp Subscribe Forms <= 4.0.9.3 - Open Redirect	LOW	*-4.0.9.3	4.0.9.4	June 30, 2026
link-whisper	link-whisper	93	Link Whisper Free <= 0.6.3 - Missing Authorization via init()	LOW	*-0.6.3	0.6.4	June 30, 2026
injection-guard	injection-guard	93	Injection Guard <= 1.2.1 - Cross-Site Request Forgery to Whitelist Update	LOW	*-1.2.1	1.2.2	June 30, 2026
injection-guard	injection-guard	93	Injection Guard <= 1.2.1 - Missing Authorization to Whitelist Update	LOW	*-1.2.1	1.2.2	June 30, 2026
hostel	hostel	93	Hostel <= 1.1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.1.5.1	1.1.5.2	June 30, 2026
google-site-verification-using-meta-tag	google-site-verification-using-meta-tag	91	Google Site Verification plugin using Meta Tag <= 1.2 - Cross-Site Request Forgery	LOW	*-1.2		June 30, 2026
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)	google-analytics-for-wordpress	72	Google Analytics by Monster Insights <= 8.14.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-8.14.0	8.14.1	June 30, 2026
give	give	93	GiveWP <= 2.25.3 - Authenticated (Admin+) PHP Object Injection	LOW	*-2.25.3	2.26.0	June 30, 2026
download-monitor	download-monitor	93	Download Monitor <= 4.7.60 - Sensitive Information Exposure via REST API	LOW	*-4.7.60	4.7.70	June 30, 2026
directorist	directorist	93	Directorist <= 7.5.3 - Authenticated (Administrator+) Local File Inclusion	LOW	*-7.5.3	7.5.4	June 30, 2026
custom-field-suite	custom-field-suite	86	Custom Field Suite <= 2.6.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-2.6.2.1	2.6.3	June 30, 2026
custom-base-terms	custom-base-terms	93	Custom Base Terms <= 1.0.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'base'	LOW	*-1.0.2.3	1.0.3	June 30, 2026
brands-for-woocommerce	brands-for-woocommerce	93	Brands for WooCommerce <= 3.7.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-3.7.0.6	3.8.2	June 30, 2026
booking-ultra-pro	booking-ultra-pro	91	Booking Ultra Pro <= 1.1.8 - Reflected Cross-Site Scripting	LOW	*-1.1.8	1.1.9	June 30, 2026
booking-ultra-pro	booking-ultra-pro	91	Booking Ultra Pro <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.1.8	1.1.9	June 30, 2026
Backup Migration	backup-backup	61	Backup Migration <= 1.2.8 - Sensitive Information Exposure	LOW	*-1.2.8	1.2.9	June 30, 2026
ap-pricing-tables-lite	ap-pricing-tables-lite	95	AP Pricing Tables Lite <= 1.1.6 - Authenticated (Admin+) SQL Injection	LOW	*-1.1.6		June 30, 2026
zero-spam	zero-spam	N/A	Zero Spam <= 5.4.4 - Authenticated (Administrator+) SQL Injection	LOW	*-5.4.4	5.4.5	June 30, 2026
wpseo-local	wpseo-local	N/A	Yoast SEO: Local <= 14.8 - Cross-Site Request Forgery	LOW	*-14.8	14.9	June 30, 2026
wpseo-local	wpseo-local	N/A	Yoast SEO: Local <= 14.8 - Reflected Cross-Site Scripting	LOW	*-14.8	14.9	June 30, 2026
wp-vertical-image-slider	wp-vertical-image-slider	N/A	wordpress vertical image slider plugin <= 1.2.16 - Reflected Cross-Site Scripting	LOW	*-1.2.16	1.2.17	June 30, 2026
wordpress-seo-premium	wordpress-seo-premium	N/A	Yoast SEO Premium <= 20.4 - Missing Authorization to Zapier Key Reset	LOW	*-20.4	20.5	June 30, 2026
wise-chat	wise-chat	N/A	Wise Chat <= 3.1.3 - Cross-Site Request Forgery	LOW	*-3.1.3	3.1.4	June 30, 2026
vk-blocks-pro	vk-blocks-pro	N/A	VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Post	LOW	*-1.53.0.1	1.54.0	June 30, 2026
vk-blocks-pro	vk-blocks-pro	N/A	VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Tag Edit	LOW	*-1.53.0.1	1.54.0	June 30, 2026
vk-blocks	vk-blocks	N/A	VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Post	LOW	*-1.53.0.1	1.54.0	June 30, 2026
vk-blocks	vk-blocks	N/A	VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Tag Edit	LOW	*-1.53.0.1	1.54.0	June 30, 2026
vk-all-in-one-expansion-unit	vk-all-in-one-expansion-unit	N/A	VK All in One Expansion Unit <= 9.88.1.0 - Stored (Contributor+) Cross-Site Scripting in CTA Post	LOW	*-9.88.1.0	9.88.2.0	June 30, 2026
vk-all-in-one-expansion-unit	vk-all-in-one-expansion-unit	N/A	VK All in One Expansion Unit <= 9.88.1.0 - Stored (Contributor+) Cross-Site Scripting in Profile Setting	LOW	*-9.88.1.0	9.88.2.0	June 30, 2026
Ultra Addons for Contact Form 7	ultimate-addons-for-contact-form-7	70	Ultimate Addons for Contact Form 7 <= 3.1.23 - Unauthenticated SQL Injection via form_id	LOW	*-3.1.23	3.1.24	June 30, 2026
stopbadbots	stopbadbots	N/A	StopBadBots <= 7.31 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-7.31	7.32	June 30, 2026
salert	salert	N/A	SALERT <= 1.2.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting	LOW	*-1.2.1	1.2.2	June 30, 2026
salert	salert	N/A	SALERT <= 1.2.1 - Missing Authorization via salert_save_settings_with_ajax()	LOW	*-1.2.1	1.2.2	June 30, 2026
WP Responsive Tabs horizontal vertical and accordion Tabs	responsive-horizontal-vertical-and-accordion-tabs	95	WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 - Reflected Cross-Site Scripting	LOW	*-1.1.15	1.1.16	June 30, 2026
radio-station	radio-station	N/A	Radio Station <= 2.4.0.9 - Reflected Cross-Site Scripting	LOW	*-2.4.0.9	2.5.0	June 30, 2026
qubotchat	qubotchat	N/A	QuBotChat <= 1.1.5 - Unauthenticated Self-Based Cross-Site Scripting	LOW	*-1.1.5	1.1.6	June 30, 2026
pro-mime-types	pro-mime-types	N/A	Pro Mime Types <= 1.0.7 - Cross-Site Request Forgery	LOW	*-1.0.7	2.0.0	June 30, 2026
pro-mime-types	pro-mime-types	N/A	Pro Mime Types - Manage file media types <= 1.0.7 - Cross-Site Request Forgery via pmt_settings_section_callback_tab_1	LOW	[*, 2.0.0)	2.0.0	June 30, 2026
post-snippets	post-snippets	N/A	Post Snippets <= 4.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'snippet_content'	LOW	*-4.0.2	4.0.3	June 30, 2026
my-wp	my-wp	N/A	My WP Customize Admin/Frontend <= 1.21.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings	LOW	[*, 1.21.1)	1.21.1	June 30, 2026
menu-ordering-reservations	menu-ordering-reservations	93	Menu - Ordering - Reservations <= 2.3.6 - Reflected Cross-Site Scripting via 'redirect'	LOW	[*, 2.3.7)	2.3.7	June 30, 2026
gtmetrix-for-wordpress	gtmetrix-for-wordpress	93	GTmetrix for WordPress <= 0.4.6 - Reflected Cross-Site Scripting via 'report_id' and 'event_id'	LOW	*-0.4.6	0.4.7	June 30, 2026
google-analytics-dashboard-for-wp	google-analytics-dashboard-for-wp	93	ExactMetrics <= 7.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-7.14.1	7.14.2	June 30, 2026
easy-hide-login	easy-hide-login	93	Easy Hide Login <= 1.0.8 - Cross-Site Request Forgery	LOW	*-1.0.8	1.0.9	June 30, 2026
easy-hide-login	easy-hide-login	93	Easy Hide Login <= 1.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.0.7	1.0.8	June 30, 2026
easy-form	easy-form	93	Easy Form by AYS <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.2.0	1.2.1	June 30, 2026
cm-on-demand-search-and-replace	cm-on-demand-search-and-replace	91	CM On Demand Search And Replace <= 1.3.0 - Cross-Site Request Forgery	LOW	*-1.3.0	1.3.1	June 30, 2026
circle-image-slider-with-lightbox	circle-image-slider-with-lightbox	93	Team Circle Image Slider With Lightbox <= 1.0.17 - Reflected Cross-Site Scripting	LOW	*-1.0.17	1.0.18	June 30, 2026
block-referer-spam	block-referer-spam	93	Block Referer Spam <= 1.1.9.4 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.1.9.4	1.1.9.5	June 30, 2026
zero-spam	zero-spam	N/A	Zero Spam for WordPress <= 5.4.4 - Authenticated(Administrator+) SQL Injection	LOW	[*, 5.4.5)	5.4.5	June 30, 2026
wp-abstracts-manuscripts-manager	wp-abstracts-manuscripts-manager	N/A	WP Abstracts <= 2.6.1 - Reflected Cross-Site Scripting	LOW	*-2.6.1	2.6.2	June 30, 2026
Web Stories	web-stories	85	Web Stories for WordPress <= 1.31.0 - Insufficient Authorization	LOW	[*, 1.32.0)	1.32.0	June 30, 2026
snow-monkey-forms	snow-monkey-forms	N/A	Snow Monkey Forms <= 5.1.1 - Directory Traversal via 'view' REST endpiont	LOW	*-5.1.1	5.1.2	June 30, 2026
shortpixel-adaptive-images	shortpixel-adaptive-images	N/A	ShortPixel Adaptive Images <= 3.7.1 - Cross-Site Request Forgery via shortpixel_ai_handle_page_action	LOW	[*, 3.7.2)	3.7.2	June 30, 2026
mw-wp-form	mw-wp-form	N/A	MW WP Form <= 4.4.2 - Directory Traversal via _file_upload	LOW	[*, 4.4.3)	4.4.3	June 30, 2026
manager-for-icomoon	manager-for-icomoon	93	Manager for Icomoon <= 2.0 - Unauthenticated Arbitrary File Upload via 'upload'	LOW	*-2.0	2.1	June 30, 2026
WP Ghost (Hide My WP Ghost) – Security & Firewall	hide-my-wp	79	Hide My WP Ghost – Security Plugin <= 5.0.18 - IP Address Spoofing to Protection Mechanism Bypass	LOW	*-5.0.18	5.0.20	June 30, 2026
Download Manager	download-manager	63	Download Manager <= 3.2.70 - Insufficient Authorization to Information Disclosure	LOW	*-3.2.70	3.2.71	June 30, 2026
wp-job-portal	wp-job-portal	N/A	WP Job Portal <= 2.0.1 - Missing Authorization to Settings Modification	LOW	*-2.0.1	2.0.2	June 30, 2026
wp-job-portal	wp-job-portal	N/A	WP Job Portal <= 2.0.1 - Cross-Site Request Forgery to Settings Modification	LOW	*-2.0.1	2.0.2	June 30, 2026
tk-google-fonts	tk-google-fonts	N/A	TK Google Fonts GDPR Compliant <= 2.2.7 - Authorization Bypass	LOW	*-2.2.7	2.2.8	June 30, 2026
points-and-rewards-for-woocommerce	points-and-rewards-for-woocommerce	N/A	Points and Rewards for WooCommerce <= 1.5.0 - Missing Authorization	LOW	*-1.5.0	1.6.0	June 30, 2026

LOW

wp-category-posts-list

Score: N/A WP Category Post List Widget <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Affected: *-2.0.3 Patched: Updated: June 30, 2026

LOW

woodmart-core

Score: N/A Woodmart Core <= 1.0.36 - Authentication Bypass to Privilege Escalation Affected: *-1.0.36 Patched: 1.0.37 Updated: June 30, 2026

LOW

woodmart-core

Score: N/A Woodmart Core <= 1.0.36 - PHP Object Injection Affected: *-1.0.36 Patched: 1.0.37 Updated: June 30, 2026

LOW

soundcloud-is-gold

Score: N/A Soundcloud Is Gold <= 2.5.1 - Missing Authorization to Soundcloud User Add Affected: *-2.5.1 Patched: Updated: June 30, 2026

LOW

pinterest-rss-widget

Score: N/A Pinterest RSS Widget <= 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-2.3.1 Patched: Updated: June 30, 2026

LOW

owl-carousel

Score: N/A Owl Carousel <= 0.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Affected: *-0.5.3 Patched: Updated: June 30, 2026

LOW

notifyvisitors-lead-form

Score: N/A NotifyVisitors <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

locatoraid

Score: 91/100 Locatoraid Store Locator <= 3.9.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-3.9.18 Patched: 3.9.19 Updated: June 30, 2026

LOW

letterpress

Score: 89/100 LetterPress <= 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings Affected: *-1.2.2 Patched: Updated: June 30, 2026

LOW

injection-guard

Score: 93/100 Injection Guard <= 1.2.1 - Cross-Site Request Forgery via ig_update Affected: *-1.2.1 Patched: 1.2.2 Updated: June 30, 2026

LOW

injection-guard

Score: 93/100 Injection Guard <= 1.2.1 - Missing Authorization via ig_update Affected: *-1.2.1 Patched: 1.2.2 Updated: June 30, 2026

LOW

google-calendar-events

Score: 93/100 Simple Calendar <= 3.1.42 - Cross-Site Request Forgery to Transient Cache Clearing Affected: *-3.1.42 Patched: 3.1.43 Updated: June 30, 2026

LOW

gallery-portfolio

Score: 91/100 Portfolio Gallery – Responsive Image Gallery <= 1.4.5 - Missing Authorization to Arbitrary Gallery Deletion Affected: *-1.4.5 Patched: 1.4.6 Updated: June 30, 2026

LOW

forget-about-shortcode-buttons

Score: 93/100 Forget About Shortcode Buttons <= 2.1.2 - Missing Authorization via fasc_buttons Affected: *-2.1.2 Patched: 2.1.3 Updated: June 30, 2026

LOW

Essential Addons for Elementor – Popular Elementor Templates & Widgets

essential-addons-for-elementor-lite

Score: 85/100 Essential Addons for Elementor <= 5.7.1 - Unauthenticated Arbitrary Password Reset to Privilege Escalation Affected: *-5.7.1 Patched: 5.7.2 Updated: June 30, 2026

LOW

ebecas

Score: 91/100 eBecas <= 3.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings Affected: *-3.1.3 Patched: Updated: June 30, 2026

LOW

dyslexiefont

Score: 91/100 Dyslexiefont Free <= 1.0.0 - Cross-Site Request Forgery Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

don8

Score: 91/100 Don8 <= 0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings Affected: *-0.4 Patched: Updated: June 30, 2026

LOW

devbuddy-twitter-feed

Score: 91/100 DevBuddy Twitter Feed <= 4.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings Affected: *-4.0.0 Patched: Updated: June 30, 2026

LOW

bulletin-announcements

Score: 93/100 Announcement & Notification Banner – Bulletin <= 3.7.0 - Cross-Site Request Forgery Affected: *-3.7.0 Patched: 3.7.1 Updated: June 30, 2026

LOW

bulletin-announcements

Score: 93/100 Announcement & Notification Banner – Bulletin <= 3.6.0 - Missing Authorization Checks Affected: *-3.6.0 Patched: 3.7.0 Updated: June 30, 2026

LOW

Score: 89/100 Post, Registration and Profile Form Builder – FrontEnd Editor BuddyForms – Easy WordPress Forms <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-2.8.1 Patched: 2.8.2 Updated: June 30, 2026

LOW

bookly-responsive-appointment-booking-tool

Score: 93/100 Bookly <= 21.7.1 - Arbitrary File Deletion Affected: *-21.7.1 Patched: 21.8 Updated: June 30, 2026

LOW

add-posts-to-pages

Score: 95/100 Add Posts to Pages <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.4.1 Patched: Updated: June 30, 2026

LOW

accesspress-anonymous-post

Score: 95/100 AccessPress Anonymous Post <= 2.8.4 - Authenticated (Contributor+) Arbitrary Redirect Affected: *-2.8.4 Patched: Updated: June 30, 2026

LOW

yith-woocommerce-gift-cards-premium

Score: N/A YITH WooCommerce Gift Cards Premium <= 3.23.1 - Missing Authorization Affected: *-3.23.1 Patched: 3.24.0 Updated: June 30, 2026

LOW

wp-whydonate

Score: N/A Whydonate – FREE Donate button <= 3.12.14 - Cross-Site Request Forgery Affected: *-3.12.14 Patched: 3.12.16 Updated: June 30, 2026

LOW

wp-replicate-post

Score: N/A WP Replicate Post <= 4.0.2 - Authenticated (Contributor+) SQL Injection Affected: *-4.0.2 Patched: 4.1 Updated: June 30, 2026

LOW

wp-chinese-conversion

Score: N/A WP Chinese Conversion <= 1.1.16 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.1.16 Patched: Updated: June 30, 2026

LOW

woo-custom-emails

Score: N/A Woo Custom Emails <= 2.2 - Missing Authorization to Unauthenticated Settings Change Affected: *-2.2 Patched: Updated: June 30, 2026

LOW

wd-facebook-feed

Score: N/A 10Web Social Post Feed <= 1.2.8 - Reflected Cross-Site Scripting Affected: *-1.2.8 Patched: 1.2.9 Updated: June 30, 2026

LOW

wcp-contact-form

Score: N/A WCP Contact Form <= 3.1.0 - Missing Authorization via downloadCsv Affected: *-3.1.0 Patched: Updated: June 30, 2026

LOW

wcp-contact-form

Score: N/A WCP Contact Form <= 3.1.0 - Missing Authorization Affected: *-3.1.0 Patched: Updated: June 30, 2026

LOW

seo-by-10web

Score: N/A SEO By 10Web <= 1.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-1.2.6 Patched: 1.2.7 Updated: June 30, 2026

LOW

order-your-posts-manually

Score: N/A Order Your Posts Manually <= 2.2.5 - Authenticated (Administrator+) SQL Injection via 'sortdata' Affected: *-2.2.5 Patched: Updated: June 30, 2026

LOW

order-your-posts-manually

Score: N/A Order Your Posts Manually <= 2.2.5 - Reflected Cross-Site Scripting via '_user_request' Affected: *-2.2.5 Patched: Updated: June 30, 2026

LOW

order-your-posts-manually

Score: N/A Order Your Posts Manually <= 2.2.5 - Reflected Cross-Site Scripting via 'cat_id' Affected: *-2.2.5 Patched: Updated: June 30, 2026

LOW

Brevo – Email, SMS, Web Push, Chat, and more.

mailin

Score: 76/100 Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.60 - Reflected Cross-Site Scripting via 'lang' Affected: *-3.1.60 Patched: 3.1.61 Updated: June 30, 2026

LOW

mailchimp-subscribe-sm

Score: 93/100 MailChimp Subscribe Forms <= 4.0.9.3 - Open Redirect Affected: *-4.0.9.3 Patched: 4.0.9.4 Updated: June 30, 2026

LOW

link-whisper

Score: 93/100 Link Whisper Free <= 0.6.3 - Missing Authorization via init() Affected: *-0.6.3 Patched: 0.6.4 Updated: June 30, 2026

LOW

injection-guard

Score: 93/100 Injection Guard <= 1.2.1 - Cross-Site Request Forgery to Whitelist Update Affected: *-1.2.1 Patched: 1.2.2 Updated: June 30, 2026

LOW

injection-guard

Score: 93/100 Injection Guard <= 1.2.1 - Missing Authorization to Whitelist Update Affected: *-1.2.1 Patched: 1.2.2 Updated: June 30, 2026

LOW

hostel

Score: 93/100 Hostel <= 1.1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.1.5.1 Patched: 1.1.5.2 Updated: June 30, 2026

LOW

google-site-verification-using-meta-tag

Score: 91/100 Google Site Verification plugin using Meta Tag <= 1.2 - Cross-Site Request Forgery Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy)

google-analytics-for-wordpress

Score: 72/100 Google Analytics by Monster Insights <= 8.14.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-8.14.0 Patched: 8.14.1 Updated: June 30, 2026

LOW

give

Score: 93/100 GiveWP <= 2.25.3 - Authenticated (Admin+) PHP Object Injection Affected: *-2.25.3 Patched: 2.26.0 Updated: June 30, 2026

LOW

download-monitor

Score: 93/100 Download Monitor <= 4.7.60 - Sensitive Information Exposure via REST API Affected: *-4.7.60 Patched: 4.7.70 Updated: June 30, 2026

LOW

directorist

Score: 93/100 Directorist <= 7.5.3 - Authenticated (Administrator+) Local File Inclusion Affected: *-7.5.3 Patched: 7.5.4 Updated: June 30, 2026

LOW

custom-field-suite

Score: 86/100 Custom Field Suite <= 2.6.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.6.2.1 Patched: 2.6.3 Updated: June 30, 2026

LOW

custom-base-terms

Score: 93/100 Custom Base Terms <= 1.0.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'base' Affected: *-1.0.2.3 Patched: 1.0.3 Updated: June 30, 2026

LOW

brands-for-woocommerce

Score: 93/100 Brands for WooCommerce <= 3.7.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-3.7.0.6 Patched: 3.8.2 Updated: June 30, 2026

LOW

booking-ultra-pro

Score: 91/100 Booking Ultra Pro <= 1.1.8 - Reflected Cross-Site Scripting Affected: *-1.1.8 Patched: 1.1.9 Updated: June 30, 2026

LOW

booking-ultra-pro

Score: 91/100 Booking Ultra Pro <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.1.8 Patched: 1.1.9 Updated: June 30, 2026

LOW

Backup Migration

backup-backup

Score: 61/100 Backup Migration <= 1.2.8 - Sensitive Information Exposure Affected: *-1.2.8 Patched: 1.2.9 Updated: June 30, 2026

LOW

ap-pricing-tables-lite

Score: 95/100 AP Pricing Tables Lite <= 1.1.6 - Authenticated (Admin+) SQL Injection Affected: *-1.1.6 Patched: Updated: June 30, 2026

LOW

zero-spam

Score: N/A Zero Spam <= 5.4.4 - Authenticated (Administrator+) SQL Injection Affected: *-5.4.4 Patched: 5.4.5 Updated: June 30, 2026

LOW

wpseo-local

Score: N/A Yoast SEO: Local <= 14.8 - Cross-Site Request Forgery Affected: *-14.8 Patched: 14.9 Updated: June 30, 2026

LOW

wpseo-local

Score: N/A Yoast SEO: Local <= 14.8 - Reflected Cross-Site Scripting Affected: *-14.8 Patched: 14.9 Updated: June 30, 2026

LOW

wp-vertical-image-slider

Score: N/A wordpress vertical image slider plugin <= 1.2.16 - Reflected Cross-Site Scripting Affected: *-1.2.16 Patched: 1.2.17 Updated: June 30, 2026

LOW

wordpress-seo-premium

Score: N/A Yoast SEO Premium <= 20.4 - Missing Authorization to Zapier Key Reset Affected: *-20.4 Patched: 20.5 Updated: June 30, 2026

LOW

wise-chat

Score: N/A Wise Chat <= 3.1.3 - Cross-Site Request Forgery Affected: *-3.1.3 Patched: 3.1.4 Updated: June 30, 2026

LOW

vk-blocks-pro

Score: N/A VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Post Affected: *-1.53.0.1 Patched: 1.54.0 Updated: June 30, 2026

LOW

vk-blocks-pro

Score: N/A VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Tag Edit Affected: *-1.53.0.1 Patched: 1.54.0 Updated: June 30, 2026

LOW

vk-blocks

Score: N/A VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Post Affected: *-1.53.0.1 Patched: 1.54.0 Updated: June 30, 2026

LOW

vk-blocks

Score: N/A VK Blocks <= 1.53.0.1 - Stored (Contributor+) Cross-Site Scripting in Tag Edit Affected: *-1.53.0.1 Patched: 1.54.0 Updated: June 30, 2026

LOW

vk-all-in-one-expansion-unit

Score: N/A VK All in One Expansion Unit <= 9.88.1.0 - Stored (Contributor+) Cross-Site Scripting in CTA Post Affected: *-9.88.1.0 Patched: 9.88.2.0 Updated: June 30, 2026

LOW

vk-all-in-one-expansion-unit

Score: N/A VK All in One Expansion Unit <= 9.88.1.0 - Stored (Contributor+) Cross-Site Scripting in Profile Setting Affected: *-9.88.1.0 Patched: 9.88.2.0 Updated: June 30, 2026

LOW

Ultra Addons for Contact Form 7

ultimate-addons-for-contact-form-7

Score: 70/100 Ultimate Addons for Contact Form 7 <= 3.1.23 - Unauthenticated SQL Injection via form_id Affected: *-3.1.23 Patched: 3.1.24 Updated: June 30, 2026

LOW

stopbadbots

Score: N/A StopBadBots <= 7.31 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-7.31 Patched: 7.32 Updated: June 30, 2026

LOW

salert

Score: N/A SALERT <= 1.2.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-1.2.1 Patched: 1.2.2 Updated: June 30, 2026

LOW

salert

Score: N/A SALERT <= 1.2.1 - Missing Authorization via salert_save_settings_with_ajax() Affected: *-1.2.1 Patched: 1.2.2 Updated: June 30, 2026

LOW

WP Responsive Tabs horizontal vertical and accordion Tabs

responsive-horizontal-vertical-and-accordion-tabs

Score: 95/100 WP Responsive Tabs horizontal vertical and accordion Tabs <= 1.1.15 - Reflected Cross-Site Scripting Affected: *-1.1.15 Patched: 1.1.16 Updated: June 30, 2026

LOW

radio-station

Score: N/A Radio Station <= 2.4.0.9 - Reflected Cross-Site Scripting Affected: *-2.4.0.9 Patched: 2.5.0 Updated: June 30, 2026

LOW

qubotchat

Score: N/A QuBotChat <= 1.1.5 - Unauthenticated Self-Based Cross-Site Scripting Affected: *-1.1.5 Patched: 1.1.6 Updated: June 30, 2026

LOW

pro-mime-types

Score: N/A Pro Mime Types <= 1.0.7 - Cross-Site Request Forgery Affected: *-1.0.7 Patched: 2.0.0 Updated: June 30, 2026

LOW

pro-mime-types

Score: N/A Pro Mime Types - Manage file media types <= 1.0.7 - Cross-Site Request Forgery via pmt_settings_section_callback_tab_1 Affected: [*, 2.0.0) Patched: 2.0.0 Updated: June 30, 2026

LOW

post-snippets

Score: N/A Post Snippets <= 4.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'snippet_content' Affected: *-4.0.2 Patched: 4.0.3 Updated: June 30, 2026

LOW

my-wp

Score: N/A My WP Customize Admin/Frontend <= 1.21.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings Affected: [*, 1.21.1) Patched: 1.21.1 Updated: June 30, 2026

LOW

menu-ordering-reservations

Score: 93/100 Menu - Ordering - Reservations <= 2.3.6 - Reflected Cross-Site Scripting via 'redirect' Affected: [*, 2.3.7) Patched: 2.3.7 Updated: June 30, 2026

LOW

gtmetrix-for-wordpress

Score: 93/100 GTmetrix for WordPress <= 0.4.6 - Reflected Cross-Site Scripting via 'report_id' and 'event_id' Affected: *-0.4.6 Patched: 0.4.7 Updated: June 30, 2026

LOW

google-analytics-dashboard-for-wp

Score: 93/100 ExactMetrics <= 7.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-7.14.1 Patched: 7.14.2 Updated: June 30, 2026

LOW

easy-hide-login

Score: 93/100 Easy Hide Login <= 1.0.8 - Cross-Site Request Forgery Affected: *-1.0.8 Patched: 1.0.9 Updated: June 30, 2026

LOW

easy-hide-login

Score: 93/100 Easy Hide Login <= 1.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.0.7 Patched: 1.0.8 Updated: June 30, 2026

LOW

easy-form

Score: 93/100 Easy Form by AYS <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.2.0 Patched: 1.2.1 Updated: June 30, 2026

LOW

cm-on-demand-search-and-replace

Score: 91/100 CM On Demand Search And Replace <= 1.3.0 - Cross-Site Request Forgery Affected: *-1.3.0 Patched: 1.3.1 Updated: June 30, 2026

LOW

circle-image-slider-with-lightbox

Score: 93/100 Team Circle Image Slider With Lightbox <= 1.0.17 - Reflected Cross-Site Scripting Affected: *-1.0.17 Patched: 1.0.18 Updated: June 30, 2026

LOW

block-referer-spam

Score: 93/100 Block Referer Spam <= 1.1.9.4 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.1.9.4 Patched: 1.1.9.5 Updated: June 30, 2026

LOW

zero-spam

Score: N/A Zero Spam for WordPress <= 5.4.4 - Authenticated(Administrator+) SQL Injection Affected: [*, 5.4.5) Patched: 5.4.5 Updated: June 30, 2026

LOW

wp-abstracts-manuscripts-manager

Score: N/A WP Abstracts <= 2.6.1 - Reflected Cross-Site Scripting Affected: *-2.6.1 Patched: 2.6.2 Updated: June 30, 2026

LOW

Web Stories

web-stories

Score: 85/100 Web Stories for WordPress <= 1.31.0 - Insufficient Authorization Affected: [*, 1.32.0) Patched: 1.32.0 Updated: June 30, 2026

LOW

snow-monkey-forms

Score: N/A Snow Monkey Forms <= 5.1.1 - Directory Traversal via 'view' REST endpiont Affected: *-5.1.1 Patched: 5.1.2 Updated: June 30, 2026

LOW

shortpixel-adaptive-images

Score: N/A ShortPixel Adaptive Images <= 3.7.1 - Cross-Site Request Forgery via shortpixel_ai_handle_page_action Affected: [*, 3.7.2) Patched: 3.7.2 Updated: June 30, 2026

LOW

mw-wp-form

Score: N/A MW WP Form <= 4.4.2 - Directory Traversal via _file_upload Affected: [*, 4.4.3) Patched: 4.4.3 Updated: June 30, 2026

LOW

manager-for-icomoon

Score: 93/100 Manager for Icomoon <= 2.0 - Unauthenticated Arbitrary File Upload via 'upload' Affected: *-2.0 Patched: 2.1 Updated: June 30, 2026

LOW

WP Ghost (Hide My WP Ghost) – Security & Firewall

hide-my-wp

Score: 79/100 Hide My WP Ghost – Security Plugin <= 5.0.18 - IP Address Spoofing to Protection Mechanism Bypass Affected: *-5.0.18 Patched: 5.0.20 Updated: June 30, 2026

LOW

Download Manager

download-manager

Score: 63/100 Download Manager <= 3.2.70 - Insufficient Authorization to Information Disclosure Affected: *-3.2.70 Patched: 3.2.71 Updated: June 30, 2026

LOW

wp-job-portal

Score: N/A WP Job Portal <= 2.0.1 - Missing Authorization to Settings Modification Affected: *-2.0.1 Patched: 2.0.2 Updated: June 30, 2026

LOW

wp-job-portal

Score: N/A WP Job Portal <= 2.0.1 - Cross-Site Request Forgery to Settings Modification Affected: *-2.0.1 Patched: 2.0.2 Updated: June 30, 2026

LOW

tk-google-fonts

Score: N/A TK Google Fonts GDPR Compliant <= 2.2.7 - Authorization Bypass Affected: *-2.2.7 Patched: 2.2.8 Updated: June 30, 2026

LOW

points-and-rewards-for-woocommerce

Score: N/A Points and Rewards for WooCommerce <= 1.5.0 - Missing Authorization Affected: *-1.5.0 Patched: 1.6.0 Updated: June 30, 2026

Showing 25201 to 25300 of 36282 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 00:48 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List