Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36282

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
article-directory-redux	article-directory-redux	95	Article Directory Redux <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.0.2		June 30, 2026
affiliate-links	affiliate-links	97	Affiliate Links Lite <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-2.6	2.7	June 30, 2026
adfoxly	adfoxly	93	AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.4 - Reflected Cross-Site Scripting	LOW	*-1.8.4		June 30, 2026
woo-coupon-usage	woo-coupon-usage	N/A	Coupon Affiliates <= 5.4.5 - Reflected Cross-Site Scripting via 'page'	LOW	*-5.4.5	5.4.6	June 30, 2026
watu	watu	N/A	Watu Quiz <= 3.3.9.2 - Reflected Cross-Site Scripting via 'question'	LOW	*-3.3.9.2	3.3.9.3	June 30, 2026
ultimate-noindex-nofollow-tool-ii	ultimate-noindex-nofollow-tool-ii	N/A	Ultimate Noindex Nofollow Tool II <= 1.3.3 - Cross-Site Request Forgery	LOW	[*, 1.3.4)	1.3.4	June 30, 2026
ultimate-landing-page	ultimate-landing-page	N/A	Landing Page Builder – Free Landing Page Templates <= 3.1.9.8 - Local File Inclusion via 'lpp_template_select'	LOW	*-3.1.9.8	3.2	June 30, 2026
stock-exporter-for-woocommerce	stock-exporter-for-woocommerce	N/A	Stock Exporter for WooCommerce <= 1.1.0 - Cross-Site Request Forgery	LOW	*-1.1.0	1.2.0	June 30, 2026
stampedio-product-reviews	stampedio-product-reviews	N/A	Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 - Missing Authorization	LOW	*-2.3.2	2.3.3	June 30, 2026
stampedio-product-reviews	stampedio-product-reviews	N/A	Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.3 - Cross-Site Request Forgery	LOW	*-2.3.3	2.4.0	June 30, 2026
simple-popup	simple-popup	N/A	Simple Popup Images <= 1.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.8.6		June 30, 2026
shiftcontroller	shiftcontroller	N/A	ShiftController Employee Shift Scheduling <= 4.9.25 - Reflected Cross-Site Scripting via Query String	LOW	*-4.9.25	4.9.26	June 30, 2026
reviewx	reviewx	N/A	ReviewX <= 1.6.7 - Unauthenticated CSV Injection	LOW	*-1.6.7	1.6.8	June 30, 2026
PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin	pretty-link	N/A	Shortlinks by Pretty Links <= 3.4.0 - Cross-Site Request Forgery via route	LOW	*-3.4.0	3.4.1	June 30, 2026
newsletters-lite	newsletters-lite	N/A	Newsletters <= 4.8.8 - Cross-Site Request Forgery	LOW	*-4.8.8	4.8.9	June 30, 2026
neshan-maps	neshan-maps	N/A	Neshan Maps <= 1.1.4 - Authenticated (Administrator+) SQL Injection	LOW	*-1.1.4		June 30, 2026
kaya-qr-code-generator	kaya-qr-code-generator	93	Kaya QR Code Generator <= 1.5.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via url parameter	LOW	*-1.5.2	1.5.3	June 30, 2026
Gallery by FooGallery	foogallery	82	FooGallery <= 2.2.35 - Reflected Cross-Site Scripting	LOW	*-2.2.35	2.2.41	June 30, 2026
featured-post-creative	featured-post-creative	93	Featured Post Creative <= 1.2.7 - Cross-Site Request Forgery via wpfp_update_featured_post	LOW	*-1.2.7	1.2.8	June 30, 2026
featured-post-creative	featured-post-creative	93	Featured Post Creative <= 1.2.7 - Missing Authorization via wpfp_update_featured_post	LOW	*-1.2.7	1.2.8	June 30, 2026
fantastic-content-protector-free	fantastic-content-protector-free	91	Fantastic Content Protector Free <= 2.6 - Missing Authorization via update_setting_fantastic_content_protector	LOW	*-2.6		June 30, 2026
enable-accessibility	enable-accessibility	91	Enable Accessibility <= 1.4 - Cross-Site Request Forgery	LOW	*-1.4	1.4.1	June 30, 2026
cyr3lat	cyr3lat	93	Cyr to Lat <= 3.5 - Authenticated SQL Injection	LOW	*-3.5	3.7	June 30, 2026
coschedule-by-todaymade	coschedule-by-todaymade	93	CoSchedule <= 3.3.8 - Cross-Site Request Forgery	LOW	*-3.3.8	3.3.9	June 30, 2026
affiliate-solution	affiliate-solution	95	AFFILIATE Solution <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.0		June 30, 2026
wp-inventory-manager	wp-inventory-manager	N/A	WP Inventory Manager <= 2.1.0.11 - Reflected Cross-Site Scripting via 'message'	LOW	*-2.1.0.11	2.1.0.12	June 30, 2026
userplus	userplus	N/A	UserPlus <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-2.0		June 30, 2026
restaurant-pickup-delivery-dine-in	restaurant-pickup-delivery-dine-in	N/A	Pickup \| Delivery \| Dine-in date time <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-1.0.9		June 30, 2026
hiweb-migration-simple	hiweb-migration-simple	89	hiWeb Migration Simple <= 2.0.0.1 - Reflected Cross-Site Scripting	LOW	*-2.0.0.1		June 30, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder	forminator	92	Forminator <= 1.22.1 - Missing Authorization on 'load_hcaptcha_preview' AJAX function	LOW	*-1.22.1	1.23.3	June 30, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder	forminator	92	Forminator <= 1.22.1 - Missing Authorization on 'load_recaptcha_preview' AJAX function	LOW	*-1.22.1	1.23.3	June 30, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder	forminator	92	Forminator <= 1.22.1 - Missing Authorization on 'hubspot_support_request' AJAX function	LOW	*-1.22.1	1.23.3	June 30, 2026
cloud-manager	cloud-manager	91	Cloud Manager <= 1.0 - Reflected Cross-Site Scripting	LOW	*-1.0		June 30, 2026
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services	chatbot	66	ChatBot <= 4.4.6 - Unauthenticated PHP Object Injection via Cookies	LOW	*-4.4.6	4.4.7	June 30, 2026
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services	chatbot	66	ChatBot <= 4.4.8 - Unauthenticated Stored Cross-Site Scripting in Admin Dashboard	LOW	*-4.4.8	4.4.9	June 30, 2026
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services	chatbot	66	AI ChatBot <= 4.4.9 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-4.4.9	4.5.1	June 30, 2026
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services	chatbot	66	ChatBot <= 4.4.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via openai_settings_option_callback	LOW	*-4.4.8	4.4.9	June 30, 2026
restricted-site-access	restricted-site-access	N/A	webpack JS package <= 5.75.0 - Sandbox Bypass	LOW	*-7.3.5	7.4.0	June 30, 2026
powerpress	powerpress	N/A	PowerPress <= 10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-10.0	10.0.2	June 30, 2026
elasticpress	elasticpress	93	webpack JS package <= 5.75.0 - Sandbox Bypass	LOW	*-4.5.0	4.5.1	June 30, 2026
tencentcloud-cos	tencentcloud-cos	N/A	tencentcloud-cos <= 1.0.7 - Cross-Site Request Forgery	LOW	*-1.0.7		June 30, 2026
supportcandy	supportcandy	N/A	SupportCandy <= 3.1.4 - Unauthenticated SQL Injection via parse_user_filters	LOW	*-3.1.4	3.1.5	June 30, 2026
smart-wishlist-for-more-convert	smart-wishlist-for-more-convert	N/A	MC Woocommerce Wishlist <= 1.5.4 - Cross-Site Request Forgery	LOW	*-1.5.4	1.5.5	June 30, 2026
ruby-help-desk	ruby-help-desk	N/A	Ruby Help Desk <= 1.3.3 - Missing Authorization to Arbitrary Ticket Modification	LOW	*-1.3.3	1.3.4	June 30, 2026
product-catalog-feed	product-catalog-feed	N/A	Product Catalog Feed by PixelYourSite <= 2.1.0 - Reflected Cross-Site Scripting via 'page'	LOW	*-2.1.0	2.1.1	June 30, 2026
product-catalog-feed	product-catalog-feed	N/A	Product Catalog Feed by PixelYourSite <= 2.1.0 - Reflected Cross-Site Scripting via 'edit'	LOW	*-2.1.0	2.1.1	June 30, 2026
limit-login-attempts	limit-login-attempts	93	Limit Login Attempts <= 1.7.1 - Authenticated(Subscriber+) Stored Cross-Site Scripting	LOW	*-1.7.1	1.7.2	June 30, 2026
Download Manager	download-manager	63	Download Manager Pro <= 6.2.9 - Unauthenticated Information Disclosure	LOW	[4.0, 6.3.0)	6.3.0	June 30, 2026
Blocksy Companion	blocksy-companion	N/A	Blocksy Companion <= 1.8.81 - Authenticated(Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode	LOW	*-1.8.81	1.8.82	June 30, 2026
better-search	better-search	93	Better Search <= 3.1.0 - Cross-Site Request Forgery	LOW	*-3.1.0	3.2.0	June 30, 2026
a3-portfolio	a3-portfolio	97	a3 Portfolio <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting	LOW	*-3.1.0	3.1.1	June 30, 2026
simple-job-board	simple-job-board	N/A	Simple Job Board <= 2.10.3 - Cross-Site Request Forgery via sjb_save_settings_section	LOW	*-2.10.3	2.10.4	June 30, 2026
pixtypes	pixtypes	N/A	PixTypes <= 1.4.14 - Cross-Site Request Forgery	LOW	*-1.4.14	1.4.15	June 30, 2026
front-end-only-users	front-end-only-users	89	Front End Users <= 3.2.24 - Missing Authorization to Unauthenticated Registered User Deletion	LOW	*-3.2.24	3.2.25	June 30, 2026
front-end-only-users	front-end-only-users	89	Front End Users <= 3.2.24 - Cross-Site Request Forgery	LOW	*-3.2.24	3.2.25	June 30, 2026
email-subscribe	email-subscribe	93	Email Subscription Popup <= 1.2.16 - Reflected Cross-Site Scripting	LOW	[*, 1.2.17)	1.2.17	June 30, 2026
comments-ratings	comments-ratings	89	Comments Ratings <= 1.1.6 - Cross-Site Request Forgery	LOW	*-1.1.6	1.1.7	June 30, 2026
wp-listings	wp-listings	N/A	IMPress Listings <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Listing Fields	LOW	*-2.6.2		June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_preload_single_save_settings_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_clear_cache_of_allsites_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_start_cdn_integration_ajax_request_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_preload_single_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_purgecache_varnish_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_remove_cdn_integration_ajax_request_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'deleteCssAndJsCacheToolbar'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_preload_single_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_pause_cdn_integration_ajax_request_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_toolbar_save_settings_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Missing Authorization to Cache Deletion	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Missing Authorization in 'deleteCssAndJsCacheToolbar'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'deleteCacheToolbar'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_clear_cache_of_allsites_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Fastest Cache – WordPress Cache Plugin	wp-fastest-cache	78	WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_purgecache_varnish_callback'	LOW	*-1.1.2	1.1.3	June 30, 2026
WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards	wp-data-access	N/A	WP Data Access <= 5.3.7 - Authenticated (Subscriber+) Privilege Escalation	LOW	*-5.3.7	5.3.8	June 30, 2026
Hustle – Email Marketing, Lead Generation, Optins, Popups	wordpress-popup	91	Hustle <= 7.6.4 = Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-7.6.4	7.6.6	June 30, 2026
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder	user-registration	N/A	User Registration <= 2.3.2.1 - Missing Authorization via send_test_email	LOW	*-2.3.2.1	2.3.3	June 30, 2026
transbank-webpay-plus-rest	transbank-webpay-plus-rest	N/A	Transbank Webpay REST <= 1.6.6 - Authenticated (Administrator+) SQL Injection via orderby	LOW	*-1.6.6	1.6.7	June 30, 2026
tiny-carousel-horizontal-slider-plus	tiny-carousel-horizontal-slider-plus	N/A	Tiny carousel horizontal slider plus <= 3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-3.2		June 30, 2026
tencentcloud-cos	tencentcloud-cos	N/A	tencentcloud-cos <= 1.0.7 - Missing Authorization via AJAX actions	LOW	*-1.0.7		June 30, 2026
superb-social-share-and-follow-buttons	superb-social-share-and-follow-buttons	N/A	Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 - Missing Authorization via spbsmAjax	LOW	*-1.1.3	1.1.5	June 30, 2026
superb-social-share-and-follow-buttons	superb-social-share-and-follow-buttons	N/A	Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 - Cross-Site Request Forgery via spbsmAjax	LOW	*-1.1.3	1.1.5	June 30, 2026
spreadshop	spreadshop	N/A	Spreadshop Plugin <= 1.6.5 - Cross-Site Request Forgery	LOW	*-1.6.5	1.6.6	June 30, 2026
simplemodal-contact-form-smcf	simplemodal-contact-form-smcf	N/A	SimpleModal Contact Form (SMCF) <= 1.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.2.9		June 30, 2026
shiftcontroller	shiftcontroller	N/A	ShiftController Employee Shift Scheduling <= 4.9.23 - Unauthenticated Stored Cross-Site Scripting via 'hc-title'	LOW	*-4.9.23	4.9.24	June 30, 2026
shiftcontroller	shiftcontroller	N/A	ShiftController Employee Shift Scheduling <= 4.9.23 - Cross-Site Request Forgery via get	LOW	*-4.9.23	4.9.24	June 30, 2026
qtranslate-to-wpml-export	qtranslate-to-wpml-export	N/A	qTranslate X Cleanup and WPML Import <= 3.0.1 - Cross-Site Request Forgery via clean_ajx	LOW	*-3.0.1	3.0.2	June 30, 2026
qtranslate-to-wpml-export	qtranslate-to-wpml-export	N/A	qTranslate X Cleanup and WPML Import <= 3.0.1 - Missing Authorization via clean_ajx	LOW	*-3.0.1	3.0.2	June 30, 2026
post-type-x	post-type-x	N/A	Product Catalog Simple <= 1.6.17 - Reflected Cross-Site Scripting	LOW	[*, 1.7.0)	1.7.0	June 30, 2026
php-compatibility-checker	php-compatibility-checker	N/A	PHP Compatibility Checker <= 1.5.2 - Cross-Site Request Forgery	LOW	*-1.5.2	1.6.0	June 30, 2026
optin-forms	optin-forms	N/A	Optin Forms <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.3.2	1.3.3	June 30, 2026
mycryptocheckout	mycryptocheckout	N/A	MyCryptoCheckout <= 2.123 - Reflected Cross-Site Scripting via url	LOW	*-2.123	2.124	June 30, 2026
mappress-google-maps-for-wordpress	mappress-google-maps-for-wordpress	93	MapPress Maps for WordPress <= 2.85.4 - Authenticated (Contributor+) SQL Injection via get_maps	LOW	*-2.85.4	2.85.5	June 30, 2026
limit-login-attempts	limit-login-attempts	93	Limit Login Attempts <= 1.7.1 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.7.1	1.7.2	June 30, 2026
integration-dynamics	integration-dynamics	93	Dynamics 365 Integration <= 1.3.13 - Missing Authorization via init	LOW	*-1.3.13	1.3.14	June 30, 2026
google-maps-widget	google-maps-widget	93	Maps Widget for Google Maps <= 4.24 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-4.24	4.25	June 30, 2026
formidable	formidable	93	Formidable Forms <= 6.1.2 - Unauthenticated PHP Object Injection	LOW	*-6.1.2	6.2	June 30, 2026
flynsarmy-iframe-shortcode	flynsarmy-iframe-shortcode	93	IFrame Shortcode <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.0.5	1.0.6	June 30, 2026
easy-sign-up	easy-sign-up	91	Easy Sign Up <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-3.4.1		June 30, 2026
cryptocurrency-prices	cryptocurrency-prices	91	Cryptocurrency All-in-One <= 3.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.0.19		June 30, 2026
connections	connections	91	Connections Business Directory <= 10.4.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-10.4.36	10.4.37	June 30, 2026

LOW

article-directory-redux

Score: 95/100 Article Directory Redux <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.0.2 Patched: Updated: June 30, 2026

LOW

affiliate-links

Score: 97/100 Affiliate Links Lite <= 2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-2.6 Patched: 2.7 Updated: June 30, 2026

LOW

adfoxly

Score: 93/100 AdFoxly – Ad Manager, AdSense Ads & Ads.txt <= 1.8.4 - Reflected Cross-Site Scripting Affected: *-1.8.4 Patched: Updated: June 30, 2026

LOW

woo-coupon-usage

Score: N/A Coupon Affiliates <= 5.4.5 - Reflected Cross-Site Scripting via 'page' Affected: *-5.4.5 Patched: 5.4.6 Updated: June 30, 2026

LOW

watu

Score: N/A Watu Quiz <= 3.3.9.2 - Reflected Cross-Site Scripting via 'question' Affected: *-3.3.9.2 Patched: 3.3.9.3 Updated: June 30, 2026

LOW

ultimate-noindex-nofollow-tool-ii

Score: N/A Ultimate Noindex Nofollow Tool II <= 1.3.3 - Cross-Site Request Forgery Affected: [*, 1.3.4) Patched: 1.3.4 Updated: June 30, 2026

LOW

ultimate-landing-page

Score: N/A Landing Page Builder – Free Landing Page Templates <= 3.1.9.8 - Local File Inclusion via 'lpp_template_select' Affected: *-3.1.9.8 Patched: 3.2 Updated: June 30, 2026

LOW

stock-exporter-for-woocommerce

Score: N/A Stock Exporter for WooCommerce <= 1.1.0 - Cross-Site Request Forgery Affected: *-1.1.0 Patched: 1.2.0 Updated: June 30, 2026

LOW

stampedio-product-reviews

Score: N/A Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.2 - Missing Authorization Affected: *-2.3.2 Patched: 2.3.3 Updated: June 30, 2026

LOW

stampedio-product-reviews

Score: N/A Stamped.io Product Reviews & UGC for WooCommerce <= 2.3.3 - Cross-Site Request Forgery Affected: *-2.3.3 Patched: 2.4.0 Updated: June 30, 2026

LOW

simple-popup

Score: N/A Simple Popup Images <= 1.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.8.6 Patched: Updated: June 30, 2026

LOW

shiftcontroller

Score: N/A ShiftController Employee Shift Scheduling <= 4.9.25 - Reflected Cross-Site Scripting via Query String Affected: *-4.9.25 Patched: 4.9.26 Updated: June 30, 2026

LOW

reviewx

Score: N/A ReviewX <= 1.6.7 - Unauthenticated CSV Injection Affected: *-1.6.7 Patched: 1.6.8 Updated: June 30, 2026

LOW

PrettyLinks – Affiliate Links, Link Branding, Link Tracking, Marketing and Stripe Payments Plugin

pretty-link

Score: N/A Shortlinks by Pretty Links <= 3.4.0 - Cross-Site Request Forgery via route Affected: *-3.4.0 Patched: 3.4.1 Updated: June 30, 2026

LOW

newsletters-lite

Score: N/A Newsletters <= 4.8.8 - Cross-Site Request Forgery Affected: *-4.8.8 Patched: 4.8.9 Updated: June 30, 2026

LOW

neshan-maps

Score: N/A Neshan Maps <= 1.1.4 - Authenticated (Administrator+) SQL Injection Affected: *-1.1.4 Patched: Updated: June 30, 2026

LOW

kaya-qr-code-generator

Score: 93/100 Kaya QR Code Generator <= 1.5.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via url parameter Affected: *-1.5.2 Patched: 1.5.3 Updated: June 30, 2026

LOW

Gallery by FooGallery

foogallery

Score: 82/100 FooGallery <= 2.2.35 - Reflected Cross-Site Scripting Affected: *-2.2.35 Patched: 2.2.41 Updated: June 30, 2026

LOW

featured-post-creative

Score: 93/100 Featured Post Creative <= 1.2.7 - Cross-Site Request Forgery via wpfp_update_featured_post Affected: *-1.2.7 Patched: 1.2.8 Updated: June 30, 2026

LOW

featured-post-creative

Score: 93/100 Featured Post Creative <= 1.2.7 - Missing Authorization via wpfp_update_featured_post Affected: *-1.2.7 Patched: 1.2.8 Updated: June 30, 2026

LOW

fantastic-content-protector-free

Score: 91/100 Fantastic Content Protector Free <= 2.6 - Missing Authorization via update_setting_fantastic_content_protector Affected: *-2.6 Patched: Updated: June 30, 2026

LOW

enable-accessibility

Score: 91/100 Enable Accessibility <= 1.4 - Cross-Site Request Forgery Affected: *-1.4 Patched: 1.4.1 Updated: June 30, 2026

LOW

cyr3lat

Score: 93/100 Cyr to Lat <= 3.5 - Authenticated SQL Injection Affected: *-3.5 Patched: 3.7 Updated: June 30, 2026

LOW

coschedule-by-todaymade

Score: 93/100 CoSchedule <= 3.3.8 - Cross-Site Request Forgery Affected: *-3.3.8 Patched: 3.3.9 Updated: June 30, 2026

LOW

affiliate-solution

Score: 95/100 AFFILIATE Solution <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

wp-inventory-manager

Score: N/A WP Inventory Manager <= 2.1.0.11 - Reflected Cross-Site Scripting via 'message' Affected: *-2.1.0.11 Patched: 2.1.0.12 Updated: June 30, 2026

LOW

userplus

Score: N/A UserPlus <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-2.0 Patched: Updated: June 30, 2026

LOW

restaurant-pickup-delivery-dine-in

Score: N/A Pickup | Delivery | Dine-in date time <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-1.0.9 Patched: Updated: June 30, 2026

LOW

hiweb-migration-simple

Score: 89/100 hiWeb Migration Simple <= 2.0.0.1 - Reflected Cross-Site Scripting Affected: *-2.0.0.1 Patched: Updated: June 30, 2026

LOW

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

forminator

Score: 92/100 Forminator <= 1.22.1 - Missing Authorization on 'load_hcaptcha_preview' AJAX function Affected: *-1.22.1 Patched: 1.23.3 Updated: June 30, 2026

LOW

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

forminator

Score: 92/100 Forminator <= 1.22.1 - Missing Authorization on 'load_recaptcha_preview' AJAX function Affected: *-1.22.1 Patched: 1.23.3 Updated: June 30, 2026

LOW

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

forminator

Score: 92/100 Forminator <= 1.22.1 - Missing Authorization on 'hubspot_support_request' AJAX function Affected: *-1.22.1 Patched: 1.23.3 Updated: June 30, 2026

LOW

cloud-manager

Score: 91/100 Cloud Manager <= 1.0 - Reflected Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services

chatbot

Score: 66/100 ChatBot <= 4.4.6 - Unauthenticated PHP Object Injection via Cookies Affected: *-4.4.6 Patched: 4.4.7 Updated: June 30, 2026

LOW

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services

chatbot

Score: 66/100 ChatBot <= 4.4.8 - Unauthenticated Stored Cross-Site Scripting in Admin Dashboard Affected: *-4.4.8 Patched: 4.4.9 Updated: June 30, 2026

LOW

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services

chatbot

Score: 66/100 AI ChatBot <= 4.4.9 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-4.4.9 Patched: 4.5.1 Updated: June 30, 2026

LOW

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services

chatbot

Score: 66/100 ChatBot <= 4.4.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting via openai_settings_option_callback Affected: *-4.4.8 Patched: 4.4.9 Updated: June 30, 2026

LOW

restricted-site-access

Score: N/A webpack JS package <= 5.75.0 - Sandbox Bypass Affected: *-7.3.5 Patched: 7.4.0 Updated: June 30, 2026

LOW

powerpress

Score: N/A PowerPress <= 10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-10.0 Patched: 10.0.2 Updated: June 30, 2026

LOW

elasticpress

Score: 93/100 webpack JS package <= 5.75.0 - Sandbox Bypass Affected: *-4.5.0 Patched: 4.5.1 Updated: June 30, 2026

LOW

tencentcloud-cos

Score: N/A tencentcloud-cos <= 1.0.7 - Cross-Site Request Forgery Affected: *-1.0.7 Patched: Updated: June 30, 2026

LOW

supportcandy

Score: N/A SupportCandy <= 3.1.4 - Unauthenticated SQL Injection via parse_user_filters Affected: *-3.1.4 Patched: 3.1.5 Updated: June 30, 2026

LOW

smart-wishlist-for-more-convert

Score: N/A MC Woocommerce Wishlist <= 1.5.4 - Cross-Site Request Forgery Affected: *-1.5.4 Patched: 1.5.5 Updated: June 30, 2026

LOW

ruby-help-desk

Score: N/A Ruby Help Desk <= 1.3.3 - Missing Authorization to Arbitrary Ticket Modification Affected: *-1.3.3 Patched: 1.3.4 Updated: June 30, 2026

LOW

product-catalog-feed

Score: N/A Product Catalog Feed by PixelYourSite <= 2.1.0 - Reflected Cross-Site Scripting via 'page' Affected: *-2.1.0 Patched: 2.1.1 Updated: June 30, 2026

LOW

product-catalog-feed

Score: N/A Product Catalog Feed by PixelYourSite <= 2.1.0 - Reflected Cross-Site Scripting via 'edit' Affected: *-2.1.0 Patched: 2.1.1 Updated: June 30, 2026

LOW

limit-login-attempts

Score: 93/100 Limit Login Attempts <= 1.7.1 - Authenticated(Subscriber+) Stored Cross-Site Scripting Affected: *-1.7.1 Patched: 1.7.2 Updated: June 30, 2026

LOW

Download Manager

download-manager

Score: 63/100 Download Manager Pro <= 6.2.9 - Unauthenticated Information Disclosure Affected: [4.0, 6.3.0) Patched: 6.3.0 Updated: June 30, 2026

LOW

Blocksy Companion

blocksy-companion

Score: N/A Blocksy Companion <= 1.8.81 - Authenticated(Subscriber+) Sensitive Information Exposure via blocksy_posts shortcode Affected: *-1.8.81 Patched: 1.8.82 Updated: June 30, 2026

LOW

better-search

Score: 93/100 Better Search <= 3.1.0 - Cross-Site Request Forgery Affected: *-3.1.0 Patched: 3.2.0 Updated: June 30, 2026

LOW

a3-portfolio

Score: 97/100 a3 Portfolio <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting Affected: *-3.1.0 Patched: 3.1.1 Updated: June 30, 2026

LOW

simple-job-board

Score: N/A Simple Job Board <= 2.10.3 - Cross-Site Request Forgery via sjb_save_settings_section Affected: *-2.10.3 Patched: 2.10.4 Updated: June 30, 2026

LOW

pixtypes

Score: N/A PixTypes <= 1.4.14 - Cross-Site Request Forgery Affected: *-1.4.14 Patched: 1.4.15 Updated: June 30, 2026

LOW

front-end-only-users

Score: 89/100 Front End Users <= 3.2.24 - Missing Authorization to Unauthenticated Registered User Deletion Affected: *-3.2.24 Patched: 3.2.25 Updated: June 30, 2026

LOW

front-end-only-users

Score: 89/100 Front End Users <= 3.2.24 - Cross-Site Request Forgery Affected: *-3.2.24 Patched: 3.2.25 Updated: June 30, 2026

LOW

email-subscribe

Score: 93/100 Email Subscription Popup <= 1.2.16 - Reflected Cross-Site Scripting Affected: [*, 1.2.17) Patched: 1.2.17 Updated: June 30, 2026

LOW

comments-ratings

Score: 89/100 Comments Ratings <= 1.1.6 - Cross-Site Request Forgery Affected: *-1.1.6 Patched: 1.1.7 Updated: June 30, 2026

LOW

wp-listings

Score: N/A IMPress Listings <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Listing Fields Affected: *-2.6.2 Patched: Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_preload_single_save_settings_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_clear_cache_of_allsites_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_start_cdn_integration_ajax_request_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_preload_single_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_purgecache_varnish_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_remove_cdn_integration_ajax_request_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'deleteCssAndJsCacheToolbar' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_preload_single_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_pause_cdn_integration_ajax_request_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_toolbar_save_settings_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Missing Authorization to Cache Deletion Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Missing Authorization in 'deleteCssAndJsCacheToolbar' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'deleteCacheToolbar' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Missing Authorization in 'wpfc_clear_cache_of_allsites_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Fastest Cache – WordPress Cache Plugin

wp-fastest-cache

Score: 78/100 WP Fastest Cache <= 1.1.2 - Cross-Site Request Forgery via 'wpfc_purgecache_varnish_callback' Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards

wp-data-access

Score: N/A WP Data Access <= 5.3.7 - Authenticated (Subscriber+) Privilege Escalation Affected: *-5.3.7 Patched: 5.3.8 Updated: June 30, 2026

LOW

Hustle – Email Marketing, Lead Generation, Optins, Popups

wordpress-popup

Score: 91/100 Hustle <= 7.6.4 = Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-7.6.4 Patched: 7.6.6 Updated: June 30, 2026

LOW

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

user-registration

Score: N/A User Registration <= 2.3.2.1 - Missing Authorization via send_test_email Affected: *-2.3.2.1 Patched: 2.3.3 Updated: June 30, 2026

LOW

transbank-webpay-plus-rest

Score: N/A Transbank Webpay REST <= 1.6.6 - Authenticated (Administrator+) SQL Injection via orderby Affected: *-1.6.6 Patched: 1.6.7 Updated: June 30, 2026

LOW

tiny-carousel-horizontal-slider-plus

Score: N/A Tiny carousel horizontal slider plus <= 3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-3.2 Patched: Updated: June 30, 2026

LOW

tencentcloud-cos

Score: N/A tencentcloud-cos <= 1.0.7 - Missing Authorization via AJAX actions Affected: *-1.0.7 Patched: Updated: June 30, 2026

LOW

superb-social-share-and-follow-buttons

Score: N/A Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 - Missing Authorization via spbsmAjax Affected: *-1.1.3 Patched: 1.1.5 Updated: June 30, 2026

LOW

superb-social-share-and-follow-buttons

Score: N/A Superb Social Media Share Buttons and Follow Buttons <= 1.1.3 - Cross-Site Request Forgery via spbsmAjax Affected: *-1.1.3 Patched: 1.1.5 Updated: June 30, 2026

LOW

spreadshop

Score: N/A Spreadshop Plugin <= 1.6.5 - Cross-Site Request Forgery Affected: *-1.6.5 Patched: 1.6.6 Updated: June 30, 2026

LOW

simplemodal-contact-form-smcf

Score: N/A SimpleModal Contact Form (SMCF) <= 1.2.9 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.2.9 Patched: Updated: June 30, 2026

LOW

shiftcontroller

Score: N/A ShiftController Employee Shift Scheduling <= 4.9.23 - Unauthenticated Stored Cross-Site Scripting via 'hc-title' Affected: *-4.9.23 Patched: 4.9.24 Updated: June 30, 2026

LOW

shiftcontroller

Score: N/A ShiftController Employee Shift Scheduling <= 4.9.23 - Cross-Site Request Forgery via get Affected: *-4.9.23 Patched: 4.9.24 Updated: June 30, 2026

LOW

qtranslate-to-wpml-export

Score: N/A qTranslate X Cleanup and WPML Import <= 3.0.1 - Cross-Site Request Forgery via clean_ajx Affected: *-3.0.1 Patched: 3.0.2 Updated: June 30, 2026

LOW

qtranslate-to-wpml-export

Score: N/A qTranslate X Cleanup and WPML Import <= 3.0.1 - Missing Authorization via clean_ajx Affected: *-3.0.1 Patched: 3.0.2 Updated: June 30, 2026

LOW

post-type-x

Score: N/A Product Catalog Simple <= 1.6.17 - Reflected Cross-Site Scripting Affected: [*, 1.7.0) Patched: 1.7.0 Updated: June 30, 2026

LOW

php-compatibility-checker

Score: N/A PHP Compatibility Checker <= 1.5.2 - Cross-Site Request Forgery Affected: *-1.5.2 Patched: 1.6.0 Updated: June 30, 2026

LOW

optin-forms

Score: N/A Optin Forms <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.3.2 Patched: 1.3.3 Updated: June 30, 2026

LOW

mycryptocheckout

Score: N/A MyCryptoCheckout <= 2.123 - Reflected Cross-Site Scripting via url Affected: *-2.123 Patched: 2.124 Updated: June 30, 2026

LOW

mappress-google-maps-for-wordpress

Score: 93/100 MapPress Maps for WordPress <= 2.85.4 - Authenticated (Contributor+) SQL Injection via get_maps Affected: *-2.85.4 Patched: 2.85.5 Updated: June 30, 2026

LOW

limit-login-attempts

Score: 93/100 Limit Login Attempts <= 1.7.1 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.7.1 Patched: 1.7.2 Updated: June 30, 2026

LOW

integration-dynamics

Score: 93/100 Dynamics 365 Integration <= 1.3.13 - Missing Authorization via init Affected: *-1.3.13 Patched: 1.3.14 Updated: June 30, 2026

LOW

google-maps-widget

Score: 93/100 Maps Widget for Google Maps <= 4.24 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-4.24 Patched: 4.25 Updated: June 30, 2026

LOW

formidable

Score: 93/100 Formidable Forms <= 6.1.2 - Unauthenticated PHP Object Injection Affected: *-6.1.2 Patched: 6.2 Updated: June 30, 2026

LOW

flynsarmy-iframe-shortcode

Score: 93/100 IFrame Shortcode <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.0.5 Patched: 1.0.6 Updated: June 30, 2026

LOW

easy-sign-up

Score: 91/100 Easy Sign Up <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-3.4.1 Patched: Updated: June 30, 2026

LOW

cryptocurrency-prices

Score: 91/100 Cryptocurrency All-in-One <= 3.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.0.19 Patched: Updated: June 30, 2026

LOW

connections

Score: 91/100 Connections Business Directory <= 10.4.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-10.4.36 Patched: 10.4.37 Updated: June 30, 2026

Showing 25601 to 25700 of 36282 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 06:31 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List