Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36282 (across tracked plugins)

Affected Plugins: 82 (with open vulnerabilities)

Critical / High: 0 (require immediate attention)

Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| points-and-rewards-for-woocommerce | points-and-rewards-for-woocommerce | N/A | Points and Rewards for WooCommerce <= 1.5.0 - Cross-Site Request Forgery to Settings Change | | LOW | *-1.5.0 | 1.6.0 | June 30, 2026 |
| peepso-core | peepso-core | N/A | Community by PeepSo <= 6.0.9.0 - Missing Authorization to Sensitive Information Exposure | | LOW | *-6.0.9.0 | 6.1.0.0 | June 30, 2026 |
| mail-integration-365 | mail-integration-365 | 93 | WPO365 \| Mail Integration for Office 365 / Outlook <= 1.9.0 - reflected Cross-Site Scripting via error_description | | LOW | *-1.9.0 | 1.9.1 | June 30, 2026 |
| easy-appointments | easy-appointments | 93 | Easy Appointments <= 3.11.9 - Cross-Site Request Forgery via multiple AJAX actions | | LOW | *-3.11.9 | 3.11.10 | June 30, 2026 |
| cryptocurrency-donation-box | cryptocurrency-donation-box | 91 | Cryptocurrency Donation Box – Bitcoin & Crypto Donations <= 2.2.7 - Authenticated (Administrator+) SQL Injection | | LOW | *-2.2.7 | 2.2.8 | June 30, 2026 |
| multi-rating | multi-rating | N/A | Multi Rating <= 5.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings | | LOW | *-5.0.6 | | June 30, 2026 |
| multi-rating | multi-rating | N/A | Multi Rating <= 5.0.6 - Cross-Site Request Forgery to Arbitrary Ratings Value Change | | LOW | *-5.0.6 | | June 30, 2026 |
| multi-rating | multi-rating | N/A | Multi Rating <= 5.0.6 - Missing Authorization to Arbitrary Ratings Value Change | | LOW | *-5.0.6 | | June 30, 2026 |
| metform | metform | 93 | Metform Elementor Contact Form Builder <= 3.3.0 - Missing Authorization | | LOW | *-3.3.0 | 3.3.2 | June 30, 2026 |
| manager-for-icomoon | manager-for-icomoon | 93 | Manager for Icomoon <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-2.1 | 2.2 | June 30, 2026 |
| hostel | hostel | 93 | Hostel <= 1.1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Manage Bookings | | LOW | *-1.1.5.1 | 1.1.5.2 | June 30, 2026 |
| dx-delete-attached-media | dx-delete-attached-media | 93 | DX Delete Attached Media <= 2.0.2 - Missing Authorization to Settings Update | | LOW | *-2.0.2 | 2.0.3 | June 30, 2026 |
| advanced-custom-fields-pro | advanced-custom-fields-pro | 97 | Advanced Custom Fields (Free and Pro) 5.8.10 to 5.12.5 & 6.0.0 to 6.1.5 - Reflected Cross-Site Scripting via 'post_status' | | LOW | 5.8.10-5.12.5, 6.0.0-6.1.5 | 5.12.6 | June 30, 2026 |
| advanced-custom-fields | advanced-custom-fields | 97 | Advanced Custom Fields (Free and Pro) 5.8.10 to 5.12.5 & 6.0.0 to 6.1.5 - Reflected Cross-Site Scripting via 'post_status' | | LOW | 5.8.10-5.12.5, 6.0.0-6.1.5 | 5.12.6 | June 30, 2026 |
| wppizza | wppizza | N/A | WPPizza <= 3.17.1 - Reflected Cross-Site Scripting | | LOW | *-3.17.1 | 3.17.2 | June 30, 2026 |
| wc-multivendor-membership | wc-multivendor-membership | N/A | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.10.7 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Password Change | | LOW | *-2.10.7 | 2.11.0 | June 30, 2026 |
| useragent-spy | useragent-spy | N/A | UserAgent-Spy <= 1.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings | | LOW | *-1.3.1 | | June 30, 2026 |
| tp-education | tp-education | N/A | TP Education <= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcodes | | LOW | *-4.4 | 4.5 | June 30, 2026 |
| spiffy-calendar | spiffy-calendar | N/A | Spiffy Calendar <= 4.9.3 - Reflected Cross-Site Scripting via page parameter | | LOW | [*, 4.9.4) | 4.9.4 | June 30, 2026 |
| participants-database | participants-database | N/A | Participants Database <= 2.4.9 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings | | LOW | [*, 2.5) | 2.5 | June 30, 2026 |
| participants-database | participants-database | N/A | Participants Database <= 2.4.9 - Cross-Site Request Forgery via _process_general | | LOW | *-2.4.9 | 2.5.0 | June 30, 2026 |
| osm | osm | N/A | OSM - OpenStreetMap <= 6.0.5 - Authenticated(Contributor+) Stored Cross-Site Scripting via 'osm_map' Shortcode | | LOW | *-6.0.5 | 6.0.6 | June 30, 2026 |
| library-viewer | library-viewer | 93 | Library Viewer <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-2.0.6 | 2.0.6.1 | June 30, 2026 |
| library-viewer | library-viewer | 93 | Library Viewer <= 2.0.6 - Open Redirect via 'redirect_to' | | LOW | *-2.0.6 | 2.0.6.1 | June 30, 2026 |
| gallery-photo-gallery | gallery-photo-gallery | 93 | Photo Gallery by Ays <= 5.1.3 - Reflected Cross-Site Scripting via ays_gpg_settings_tab | | LOW | *-5.1.3 | 5.1.4 | June 30, 2026 |
| fv-wordpress-flowplayer | fv-wordpress-flowplayer | 93 | FV Flowplayer Video Player <= 7.5.32.7212 - Reflected Cross-Site Scripting via id | | LOW | *-7.5.32.7212 | 7.5.35.7212 | June 30, 2026 |
| cm-pop-up-banners | cm-pop-up-banners | 93 | CM Pop-Up banners <= 1.5.10 - Authenticated (Subscriber+) SQL Injection via getStatistics | | LOW | *-1.5.10 | 1.6.0 | June 30, 2026 |
| cf7-google-map | cf7-google-map | 93 | Contact Form 7 extension for Google Map fields <= 1.8.3 - Stored Cross-Site Scripting | | LOW | *-1.8.3 | 1.8.4 | June 30, 2026 |
| bulk-editor | bulk-editor | 93 | WOLF <= 1.0.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via wpbe_update_page_field | | LOW | *-1.0.6 | 1.0.7 | June 30, 2026 |
| bulk-editor | bulk-editor | 93 | WOLF <= 1.0.6 - Cross-Site Request Forgery via wpbe_update_page_field | | LOW | *-1.0.6 | 1.0.7 | June 30, 2026 |
| albo-pretorio-on-line | albo-pretorio-on-line | 95 | Albo Pretorio Online <= 4.6.3 - Reflected Cross-Site Scripting | | LOW | *-4.6.3 | 4.6.4 | June 30, 2026 |
| albo-pretorio-on-line | albo-pretorio-on-line | 95 | Albo Pretorio Online <= 4.6.3 - Reflected Cross-Site Scripting | | LOW | *-4.6.3 | 4.6.4 | June 30, 2026 |
| wpdirectorykit | wpdirectorykit | N/A | WP Directory Kit <= 1.2.2 - Missing Authorization to Plugin Installation, Settings Change/Delete, Demo Import, Directory Kit Deletion via wdk_public_action | | LOW | *-1.2.2 | 1.2.3 | June 30, 2026 |
| WP Fastest Cache – WordPress Cache Plugin | wp-fastest-cache | 78 | WP Fastest Cache <= 1.1.4 - Authenticated(Administrator+) Blind Server Side Request Forgery via check_url | | LOW | *-1.1.4 | 1.1.5 | June 30, 2026 |
| wp-docs | wp-docs | N/A | WP Docs <= 1.9.9 - Reflected Cross-Site Scripting | | LOW | [*, 2.0.0) | 2.0.0 | June 30, 2026 |
| woocommerce-product-addon | woocommerce-product-addon | N/A | PPOM for WooCommerce <= 32.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings | | LOW | [*, 32.0.6) | 32.0.6 | June 30, 2026 |
| otter-blocks | otter-blocks | N/A | Otter - Gutenberg Blocks <= 2.2.5 - Authenticated (Author+) PHAR Deserialization | | LOW | *-2.2.5 | 2.2.6 | June 30, 2026 |
| newsletter-popup | newsletter-popup | 90 | Newsletter Popup <= 1.2 - Cross-Site Request Forgery to Record Deletion | | LOW | *-1.2 | | June 30, 2026 |
| newsletter-popup | newsletter-popup | 90 | Newsletter Popup <= 1.2 - Unauthenticted Stored Cross-Site Scripting via 'nl_data' | | LOW | *-1.2 | | June 30, 2026 |
| loginizer | loginizer | 93 | Loginizer <= 1.7.8 - Reflected Cross-Site Scripting via 'limit_session[count]' | | LOW | *-1.7.8 | 1.7.9 | June 30, 2026 |
| login-rebuilder | login-rebuilder | 93 | Login rebuilder <= 2.8.0 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-2.8.0 | 2.8.1 | June 30, 2026 |
| image-optimizer-wd | image-optimizer-wd | 93 | Image Optimizer by 10web <= 1.0.26 - Authenticated(Administator+) Directory Traversal | | LOW | *-1.0.26 | 1.0.27 | June 30, 2026 |
| holler-box | holler-box | 93 | HollerBox <= 2.1.3 - Authenticated (edit_popups+) SQL Injection | | LOW | [*, 2.1.4) | 2.1.4 | June 30, 2026 |
| formassembly-web-forms | formassembly-web-forms | 93 | WP-FormAssembly <= 2.0.8 - Limited Server Side Request Forgery via 'formassembly' shortcode | | LOW | [*, 2.0.9) | 2.0.9 | June 30, 2026 |
| Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | easy-digital-downloads | 78 | Easy Digital Downloads 3.1 - 3.1.1.4.1 - Unauthenticated Arbitrary Password Reset to Privilege Escalation | | LOW | [3.1, 3.1.1.4.2) | 3.1.1.4.2 | June 30, 2026 |
| custom-404-pro | custom-404-pro | 91 | Custom 404 Pro <= 3.7.2 - Reflected Cross-Site Scripting via 's' | | LOW | *-3.7.2 | 3.7.3 | June 30, 2026 |
| anywhere-elementor | anywhere-elementor | 97 | AnyWhere Elementor <= 1.2.7 - Sensitive Information Exposure | | LOW | *-1.2.7 | 1.2.8 | June 30, 2026 |
| add-to-feedly | add-to-feedly | 95 | Add to Feedly <= 1.2.11 - Authenticated(Administrator+) Stored Cross-Site Scripting via plugin settings | | LOW | *-1.2.11 | | June 30, 2026 |
| wp-easy-pay | wp-easy-pay | N/A | WP EasyPay <= 4.0.4 - Reflected Cross-Site Scripting | | LOW | *-4.0.4 | 4.1 | June 30, 2026 |
| woocommerce-product-addon | woocommerce-product-addon | N/A | PPOM for WooCommerce <= 32.0.6 - Reflected Cross-Site Scripting | | LOW | *-32.0.6 | 32.0.7 | June 30, 2026 |
| advanced-woo-search | advanced-woo-search | 97 | Advanced Woo Search <= 2.77 - Authenticated (Admin+) Stored Cross-Site Scripting | | LOW | *-2.77 | 2.78 | June 30, 2026 |
| wpdirectorykit | wpdirectorykit | N/A | WP Directory Kit <= 1.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting via wdk_resultitem | | LOW | *-1.1.9 | 1.2.0 | June 30, 2026 |
| wpdirectorykit | wpdirectorykit | N/A | WP Directory Kit <= 1.2.1 - Cross-Site Request Forgery to Plugin Settings Change/Delete, Demo Import, Directory Kit Modification/Deletion via admin_page_display | | LOW | *-1.2.1 | 1.2.2 | June 30, 2026 |
| wp-responsive-photo-gallery | wp-responsive-photo-gallery | N/A | Photo Gallery Slideshow & Masonry Tiled Gallery <= 1.0.13 - Reflected Cross-Site Scripting | | LOW | *-1.0.13 | 1.0.14 | June 30, 2026 |
| wp-cors | wp-cors | N/A | WP-CORS <= 0.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-0.2.1 | 0.2.2 | June 30, 2026 |
| user-ip-and-location | user-ip-and-location | N/A | User IP and Location <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-2.2 | 2.2.1 | June 30, 2026 |
| thumbs-rating | thumbs-rating | N/A | Thumbs Rating <= 5.0.0 - Race Condition | | LOW | *-5.0.0 | | June 30, 2026 |
| search-analytics | search-analytics | N/A | WP Search Analytics <= 1.4.5 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.4.5 | 1.4.6 | June 30, 2026 |
| plugins-list | plugins-list | N/A | Plugins List <= 2.5 - Authenticated (Author+) Stored Cross-Site Scripting via replace_plugin_list_tags | | LOW | *-2.5 | 2.5.1 | June 30, 2026 |
| mass-email-to-users | mass-email-to-users | 93 | Mass Email To users <= 1.1.4 - Unauthenticated Reflected Cross-Site Scripting via 'entrant' | | LOW | *-1.1.4 | 1.1.5 | June 30, 2026 |
| maintenance-switch | maintenance-switch | 91 | Maintenance Switch <= 1.6.2 - Reflected Cross-Site Scripting | | LOW | *-1.6.2 | 1.6.3 | June 30, 2026 |
| jackmail-newsletters | jackmail-newsletters | 91 | Emails & Newsletters with Jackmail <= 1.2.22 - Authenticated (Subscriber+) CSV Injecton | | LOW | *-1.2.22 | | June 30, 2026 |
| file-manager | file-manager | 93 | Bit File Manager <= 5.2.7 - Authenticated (Admin+) PHP Object Injection | | LOW | *-5.2.7 | 6.0 | June 30, 2026 |
| Depicter — Popup & Slider Builder | depicter | 95 | Depicter Slider <= 1.9.0 - Missing Authorization on 'make' function | | LOW | *-1.9.0 | 1.9.1 | June 30, 2026 |
| cm-on-demand-search-and-replace | cm-on-demand-search-and-replace | 91 | CM On Demand Search And Replace <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.3.0 | 1.3.1 | June 30, 2026 |
| ajax-thumbnail-rebuild | ajax-thumbnail-rebuild | 97 | AJAX Thumbnail Rebuild <= 1.13 - Missing Authorization | | LOW | *-1.13 | 1.14 | June 30, 2026 |
| zephyr-project-manager | zephyr-project-manager | N/A | Zephyr Project Manager <= 3.3.9 - Open Redirect | | LOW | *-3.3.9 | 3.3.10 | June 30, 2026 |
| wpdirectorykit | wpdirectorykit | N/A | WP Directory Kit <= 1.1.9 - Open Redirect | | LOW | *-1.1.9 | 1.2.0 | June 30, 2026 |
| themeisle-companion | themeisle-companion | N/A | Orbit Fox by ThemeIsle <= 2.10.23 - Authenticated (Author+) Server-Side Request Forgery via URL | | LOW | [*, 2.10.24) | 2.10.24 | June 30, 2026 |
| wp-inventory-manager | wp-inventory-manager | N/A | WP Inventory Manager <= 2.1.0.12 - Reflected Cross-Site Scripting via 'message' | | LOW | *-2.1.0.12 | 2.1.0.13 | June 30, 2026 |
| wp-browser-update | wp-browser-update | N/A | WP BrowserUpdate <= 4.5 - Authenticated (Admin+) Stored Cross-Site Scripting | | LOW | *-4.5 | 4.6 | June 30, 2026 |
| wcfm-marketplace-rest-api | wcfm-marketplace-rest-api | N/A | WooCommerce Multivendor Marketplace – REST API <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API | | LOW | *-1.5.3 | 1.6.0 | June 30, 2026 |
| seo-alert | seo-alert | N/A | SEO ALert <= 1.5.9 - Authenticated(Administrator+) Stored Cross-Site Scripting | | LOW | *-1.5.9 | | June 30, 2026 |
| logo-scheduler-great-for-holidays-events-and-more | logo-scheduler-great-for-holidays-events-and-more | 93 | Logo Scheduler <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.2.0 | 1.2.1 | June 30, 2026 |
| image-optimizer-wd | image-optimizer-wd | 93 | Image Optimizer WD <= 1.0.26 - Reflected Cross-Site Scripting | | LOW | *-1.0.26 | 1.0.27 | June 30, 2026 |
| easy-bet | easy-bet | 89 | Easy Bet <= 1.0.7 - Authenticated(Contributor+) SQL Injection | | LOW | *-1.0.7 | | June 30, 2026 |
| clickfunnels | clickfunnels | 89 | ClickFunnels <= 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-3.1.1 | | June 30, 2026 |
| cf7-hubspot | cf7-hubspot | 93 | Integration for Contact Form 7 HubSpot <= 1.2.8 - Open Redirect via state parameter | | LOW | *-1.2.8 | 1.2.9 | June 30, 2026 |
| booking-manager | booking-manager | 93 | Booking Manager <= 2.0.28 - Authenticated (Subscriber+) Server-Side Request Forgery | | LOW | *-2.0.28 | 2.0.29 | June 30, 2026 |
| yet-another-related-posts-plugin | yet-another-related-posts-plugin | N/A | YARPP - Yet Another Related Posts Plugin <= 5.30.2 - Authenticated (Subscriber+) SQL Injection via Shortcode | | LOW | [*, 5.30.3) | 5.30.3 | June 30, 2026 |
| wp-vertical-image-slider | wp-vertical-image-slider | N/A | wordpress vertical image slider plugin <= 1.2.16 - Reflected Cross-Site Scripting | | LOW | *-1.2.16 | 1.2.17 | June 30, 2026 |
| wp-simple-firewall | wp-simple-firewall | N/A | Shield Security <= 17.0.17 - Unauthenticated Stored Cross-Site Scripting | | LOW | [*, 17.0.18) | 17.0.18 | June 30, 2026 |
| wp-simple-firewall | wp-simple-firewall | N/A | Shield Security <= 17.0.17 - Missing Authorization | | LOW | [*, 17.0.18) | 17.0.18 | June 30, 2026 |
| wp-responsive-slider-with-lightbox | wp-responsive-slider-with-lightbox | N/A | Thumbnail Slider With Lightbox <= 1.0.17 - Reflected Cross-Site Scripting | | LOW | *-1.0.17 | 1.0.18 | June 30, 2026 |
| url-params | url-params | N/A | URL Params <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-2.4 | 2.5 | June 30, 2026 |
| tiempocom | tiempocom | N/A | Tiempo.com <= 0.1.2 - Cross-Site Request Forgery to Shortcode Deletion | | LOW | *-0.1.2 | | June 30, 2026 |
| tiempocom | tiempocom | N/A | Tiempo.com <= 0.1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | LOW | *-0.1.2 | | June 30, 2026 |
| tiempocom | tiempocom | N/A | Tiempo.com <= 0.1.2 - Reflected Cross-Site Scripting | | LOW | *-0.1.2 | | June 30, 2026 |
| stream | stream | N/A | Stream <= 3.9.2 - Missing Authorization via load_alerts_settings | | LOW | [*, 3.9.3) | 3.9.3 | June 30, 2026 |
| rest-api-to-miniprogram | rest-api-to-miniprogram | N/A | REST API TO MiniProgram <= 4.7.7 - Authenticated (Subscriber+) Media Attachment Deletion | | LOW | *-4.7.7 | | June 30, 2026 |
| ko-fi-button | ko-fi-button | 93 | Ko-fi Button <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.3.2 | 1.3.3 | June 30, 2026 |
| customizer-export-import | customizer-export-import | 93 | Customizer Export/Import <= 0.9.5 - Authenticated (Administrator+) PHP Object Injection | | LOW | *-0.9.5 | 0.9.6 | June 30, 2026 |
| custom-404-pro | custom-404-pro | 91 | Custom 404 Pro <= 3.7.2 - Unauthenticated SQL Injection | | LOW | [*, 3.7.3) | 3.7.3 | June 30, 2026 |
| custom-404-pro | custom-404-pro | 91 | Custom 404 Pro <= 3.8.0 - Unauthenticated SQL Injection via 's' | | LOW | *-3.8.0 | 3.8.1 | June 30, 2026 |
| Autoptimize | autoptimize | 87 | Autoptimize <= 3.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Rules | | LOW | *-3.1.6 | 3.1.7 | June 30, 2026 |
| zip-recipes | zip-recipes | N/A | Zip Recipes <= 8.0.6 - Reflected Cross-Site Scripting via 's' parameter | | LOW | [*, 8.0.7) | 8.0.7 | June 30, 2026 |
| xml-for-google-merchant-center | xml-for-google-merchant-center | N/A | XML for Google Merchant Center <= 3.0.1 - Reflected Cross-Site Scripting via page parameter | | LOW | *-3.0.1 | 3.0.2 | June 30, 2026 |
| wp-stats-manager | wp-stats-manager | N/A | WP Visitor Statistics (Real Time Traffic) <= 6.8.1 - Unauthenticated SQL Injection | | LOW | *-6.8.1 | 6.9 | June 30, 2026 |
| wp-page-numbers | wp-page-numbers | N/A | WP Page Numbers <= 0.5 - Cross-Site Request Forgery via wp_page_numbers_settings | | LOW | *-0.5 | | June 30, 2026 |
| wp-browser-update | wp-browser-update | N/A | WP BrowserUpdate <= 4.4.1 - Cross-Site Request Forgery via wpbu_administration | | LOW | *-4.4.1 | 4.5 | June 30, 2026 |

customizer-export-import

Score: 93/100 Customizer Export/Import <= 0.9.5 - Authenticated (Administrator+) PHP Object Injection Affected: *-0.9.5 Patched: 0.9.6 Updated: June 30, 2026
LOW

custom-404-pro

custom-404-pro

Score: 91/100 Custom 404 Pro <= 3.7.2 - Unauthenticated SQL Injection Affected: [*, 3.7.3) Patched: 3.7.3 Updated: June 30, 2026
LOW

custom-404-pro

custom-404-pro

Score: 91/100 Custom 404 Pro <= 3.8.0 - Unauthenticated SQL Injection via 's' Affected: *-3.8.0 Patched: 3.8.1 Updated: June 30, 2026
LOW

Autoptimize

autoptimize

Score: 87/100 Autoptimize <= 3.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting via Critical CSS Rules Affected: *-3.1.6 Patched: 3.1.7 Updated: June 30, 2026
LOW

zip-recipes

zip-recipes

Score: N/A Zip Recipes <= 8.0.6 - Reflected Cross-Site Scripting via 's' parameter Affected: [*, 8.0.7) Patched: 8.0.7 Updated: June 30, 2026
LOW

xml-for-google-merchant-center

xml-for-google-merchant-center

Score: N/A XML for Google Merchant Center <= 3.0.1 - Reflected Cross-Site Scripting via page parameter Affected: *-3.0.1 Patched: 3.0.2 Updated: June 30, 2026
LOW

wp-stats-manager

wp-stats-manager

Score: N/A WP Visitor Statistics (Real Time Traffic) <= 6.8.1 - Unauthenticated SQL Injection Affected: *-6.8.1 Patched: 6.9 Updated: June 30, 2026
LOW

wp-page-numbers

wp-page-numbers

Score: N/A WP Page Numbers <= 0.5 - Cross-Site Request Forgery via wp_page_numbers_settings Affected: *-0.5 Patched: Updated: June 30, 2026
LOW

wp-browser-update

wp-browser-update

Score: N/A WP BrowserUpdate <= 4.4.1 - Cross-Site Request Forgery via wpbu_administration Affected: *-4.4.1 Patched: 4.5 Updated: June 30, 2026

Showing 25301 to 25400 of 36282 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 02:12 UTC.