Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36283 (across tracked plugins)

Affected Plugins: 88 (with open vulnerabilities)

Critical / High: 0 (require immediate attention)

Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| popup-anything-on-click | popup-anything-on-click | N/A | WP OnlineSupport, Essential Plugin Popup Anything <= 2.2.1 - Cross Site Request Forgery | | LOW | [*, 2.2.2) | 2.2.2 | June 30, 2026 |
| ms-reviews | ms-reviews | N/A | MS-Reviews <= 1.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting | | LOW | *-1.5 | | June 30, 2026 |
| ip-address-blocker | ip-address-blocker | 89 | IP Blocker Lite <= 11.1.1 - Cross-Site Request Forgery | | LOW | *-11.1.1 | | June 30, 2026 |
| google-maps-widget | google-maps-widget | 93 | Maps Widget for Google Maps <= 4.23 - Cross-Site Request Forgery via dismiss_notice | | LOW | *-4.23 | 4.24 | June 30, 2026 |
| full-width-responsive-slider-wp | full-width-responsive-slider-wp | 93 | Full Width Banner Slider Wp <= 1.1.7 - Reflected Cross-Site Scripting via search_term | | LOW | *-1.1.7 | 1.1.8 | June 30, 2026 |
| elementor-pro | elementor-pro | 93 | Elementor Pro <= 3.11.6 - Authenticated(Subscriber+) Privilege Escalation via update_page_option | | LOW | *-3.11.6 | 3.11.7 | June 30, 2026 |
| easy-media-replace | easy-media-replace | 93 | Easy Media Replace <= 0.1.3 - Authenticated (Author+) Arbitrary File Deletion | | LOW | *-0.1.3 | 0.2.0 | June 30, 2026 |
| custom-post-type-ui | custom-post-type-ui | 93 | Custom Post Type UI <= 1.13.4 - Cross-Site Request Forgery to Sensitive Information Exposure | | LOW | *-1.13.4 | 1.13.5 | June 30, 2026 |
| custom-post-type-cpt-cusom-taxonomy-ct-manager | custom-post-type-cpt-cusom-taxonomy-ct-manager | 91 | Custom Post Type and Taxonomy GUI Manager <= 1.1 - Cross-Site Request Forgery to Cross-Site Scripting | | LOW | *-1.1 | | June 30, 2026 |
| advanced-local-pickup-for-woocommerce | advanced-local-pickup-for-woocommerce | 97 | Advanced Local Pickup for WooCommerce <= 1.5.2 - Missing Authorization | | LOW | *-1.5.2 | 1.5.3 | June 30, 2026 |
| yikes-inc-easy-mailchimp-extender | yikes-inc-easy-mailchimp-extender | N/A | Easy Forms for MailChimp <= 6.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-6.8.6 | 6.8.7 | June 30, 2026 |
| wp-user-avatar | wp-user-avatar | N/A | ProfilePress <= 4.5.3 - Unauthenticated Cross-Site Scripting | | LOW | *-4.5.3 | 4.5.4 | June 30, 2026 |
| wp-meta-seo | wp-meta-seo | N/A | WP Meta SEO <= 4.5.4 - Authenticated (Author+) PHAR Deserialization | | LOW | *-4.5.4 | 4.5.5 | June 30, 2026 |
| wc-fields-factory | wc-fields-factory | N/A | WC Fields Factory <= 4.1.5 - Authenticated (Administrator+) SQL Injection | | LOW | *-4.1.5 | 4.1.6 | June 30, 2026 |
| tf-numbers-number-counter-animaton | tf-numbers-number-counter-animaton | N/A | Themeflection Numbers <= 1.8.1 - Authenticated(Subscriber+) Privilege Escalation via tf_numb_save_licenses | | LOW | *-1.8.1 | 2.0.1 | June 30, 2026 |
| review-stream | review-stream | N/A | Review Stream <= 1.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.6.5 | 1.6.6 | June 30, 2026 |
| quick-paypal-payments | quick-paypal-payments | N/A | Quick Paypal Payments <= 5.7.26.3 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-5.7.26.3 | 5.7.26.4 | June 30, 2026 |
| pagination | pagination | N/A | Pagination by BestWebSoft <= 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.2.2 | 1.2.3 | June 30, 2026 |
| newsletter | newsletter | N/A | Newsletter <= 7.6.8 - Reflected Cross-Site Scripting | | LOW | *-7.6.8 | 7.6.9 | June 30, 2026 |
| gallery-plugin | gallery-plugin | 93 | Gallery by BestWebSoft <= 4.6.9 - Authenticated (Author+) Stored Cross-Site Scripting | | LOW | *-4.6.9 | 4.7.0 | June 30, 2026 |
| gallery-plugin | gallery-plugin | 93 | Gallery by BestWebSoft <= 4.6.9 - Authenticated (Author+) SQL Injection | | LOW | *-4.6.9 | 4.7.0 | June 30, 2026 |
| FileBird – WordPress Media Library Folders & File Manager | filebird | 80 | Filebird <= 5.1.4 - Missing Authorization via resAdminPermissionsCheck | | LOW | *-5.1.4 | 5.1.5 | June 30, 2026 |
| continuous-image-carousel-with-lightbox | continuous-image-carousel-with-lightbox | 93 | Continuous Image Carousel With Lightbox <= 1.0.15 - Reflected Cross-Site Scripting via search_term, order_by and order_pos | | LOW | *-1.0.15 | 1.0.16 | June 30, 2026 |
| continuous-image-carousel-with-lightbox | continuous-image-carousel-with-lightbox | 93 | Continuous Image Carousel With Lightbox <= 1.0.15 - Reflected Cross-Site Scripting via search_term, order_by and order_pos | | LOW | *-1.0.15 | 1.0.16 | June 30, 2026 |
| contest-gallery | contest-gallery | 93 | Contest Gallery <= 21.1.2 - Reflected Cross-Site Scripting | | LOW | *-21.1.2 | 21.1.2.1 | June 30, 2026 |
| contact-forms | contact-forms | 93 | WordPress Contact Forms by Cimatti <= 1.5.4 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-1.5.4 | 1.5.5 | June 30, 2026 |
| contact-forms | contact-forms | 93 | Contact Forms by Cimatti <= 1.5.4 - Reflected Cross-Site Scripting via 'form-field-id', 'edit-fid', 'id', 'name', 'type', 'description' Parameters | | LOW | *-1.5.4 | 1.5.5 | June 30, 2026 |
| Kadence Security – Password, Two Factor Authentication, and Brute Force Protection | better-wp-security | 92 | iThemes Security <= 8.1.4 - Open Redirection via redirect_to_https | | LOW | *-8.1.4 | 8.1.5 | June 30, 2026 |
| armember-membership | armember-membership | 95 | ARMember <= 3.4.11 - Unauthenticated SQL Injection | | LOW | *-3.4.11 | 4.0 | June 30, 2026 |
| albo-pretorio-on-line | albo-pretorio-on-line | 95 | Albo Pretorio Online <= 4.6 - Reflected Cross-Site Scripting via 'Errore' | | LOW | *-4.6 | 4.6.1 | June 30, 2026 |
| advanced-page-visit-counter | advanced-page-visit-counter | 93 | Advanced Page Visit Counter <= 6.4.2 - Authenticated (Contributor+) SQL Injection | | LOW | *-6.4.2 | 6.4.2.1 | June 30, 2026 |
| th-all-in-one-woo-cart | th-all-in-one-woo-cart | N/A | TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 - Cross-Site Request Forgery | | LOW | *-1.1.1 | 1.1.2 | June 30, 2026 |
| WooPayments: Integrated WooCommerce Payments | woocommerce-payments | 84 | WooCommerce Payments 4.8.0 - 5.6.1 Authentication Bypass and Privilege Escalation | | LOW | 4.8.0-5.6.1 | 5.6.2 | June 30, 2026 |
| safe-svg | safe-svg | N/A | SVG Sanitizer library <= 0.15.4 - Cross-Site Scripting Bypass | | LOW | *-2.0.3 | 2.1.0 | June 30, 2026 |
| pagination | pagination | N/A | Pagination by BestWebSoft < 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.2.2 | 1.2.3 | June 30, 2026 |
| give | give | 93 | GiveWP <= 2.25.2 - Cross-Site Request Forgery | | LOW | *-2.25.2 | 2.25.3 | June 30, 2026 |
| give | give | 93 | GiveWP <= 2.25.2 - Cross-Site Request Forgery via give_ajax_delete_payment_note | | LOW | *-2.25.2 | 2.25.3 | June 30, 2026 |
| give | give | 93 | GiveWP <= 2.25.2 - Cross-Site Request Forgery via give_ajax_store_payment_note | | LOW | *-2.25.2 | 2.25.3 | June 30, 2026 |
| gallery-plugin | gallery-plugin | 93 | Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress <= 4.6.9 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-4.6.9 | 4.7.0 | June 30, 2026 |
| wpvr | wpvr | N/A | WP VR <= 8.2.8 - Reflected Cross-Site Scripting | | LOW | *-8.2.5 | 8.2.6 | June 30, 2026 |
| woo-thank-you-page-customizer | woo-thank-you-page-customizer | N/A | Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.0.13 - Cross-Site Request Forgery via send_email | | LOW | *-1.0.13 | 1.0.14 | June 30, 2026 |
| woo-product-feed-pro | woo-product-feed-pro | N/A | Product Feed PRO for WooCommerce <= 12.4.0 - Cross-Site Request Forgery via update_project | | LOW | *-12.4.0 | 12.4.1 | June 30, 2026 |
| woo-bulk-price-update | woo-bulk-price-update | N/A | Bulk Price Update for Woocommerce <= 2.2.1 - Reflected Cross-Site Scripting | | LOW | *-2.2.1 | 2.2.2 | June 30, 2026 |
| waiting | waiting | N/A | Waiting: One-click countdowns <= 0.6.2 - Authenticated (Subscriber+) SQL Injection via 'pbc_down[meta][id]' | | LOW | *-0.6.2 | | June 30, 2026 |
| w4-post-list | w4-post-list | N/A | W4 Post List <= 2.4.5 - Information Disclosure via post_excerpt | | LOW | *-2.4.5 | 2.4.6 | June 30, 2026 |
| w4-post-list | w4-post-list | N/A | W4 Post List <= 2.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options | | LOW | *-2.4.5 | 2.4.6 | June 30, 2026 |
| w4-post-list | w4-post-list | N/A | W4 Post List <= 2.4.5 - Reflected Cross-Site Scripting | | LOW | *-2.4.5 | 2.4.6 | June 30, 2026 |
| th-variation-swatches | th-variation-swatches | N/A | TH Variation Swatches <= 1.2.7 - Cross-Site Request Forgery via delete_settings | | LOW | *-1.2.7 | 1.2.8 | June 30, 2026 |
| th-product-compare | th-product-compare | N/A | Multiple Plugins By ThemeHunk (Various Versions) - Missing Authorization via settings_init | | LOW | *-1.2.5 | 1.2.6 | June 30, 2026 |
| th-all-in-one-woo-cart | th-all-in-one-woo-cart | N/A | TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 - Missing Authorization | | LOW | *-1.1.1 | 1.1.2 | June 30, 2026 |
| th-advance-product-search | th-advance-product-search | N/A | Multiple Plugins By ThemeHunk (Various Versions) - Missing Authorization via settings_init | | LOW | *-1.1.4 | 1.1.5 | June 30, 2026 |
| stock-sync-for-woocommerce | stock-sync-for-woocommerce | N/A | Stock Sync for WooCommerce <= 2.3.2 - Missing Authorization | | LOW | *-2.3.2 | 2.4.0 | June 30, 2026 |
| stock-sync-for-woocommerce | stock-sync-for-woocommerce | N/A | Stock Sync for WooCommerce <= 2.3.2 - Cross-Site Request Forgery | | LOW | *-2.3.2 | 2.4.0 | June 30, 2026 |
| pricing-tables-for-wpbakery-page-builder | pricing-tables-for-wpbakery-page-builder | N/A | Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 - Authenticated (Subscriber+) Local File Inclusion via Shortcode | | LOW | *-2.0 | 3.0 | June 30, 2026 |
| pricing-tables-for-wpbakery-page-builder | pricing-tables-for-wpbakery-page-builder | N/A | Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-2.0 | 3.0 | June 30, 2026 |
| owl-carousel | owl-carousel | N/A | Owl Carousel <= 0.5.3 - Missing Authorization via save_paramter.php | | LOW | *-0.5.3 | | June 30, 2026 |
| LiteSpeed Cache | litespeed-cache | 69 | LiteSpeed Cache <= 5.3 - Missing Authorization to Toggle Crawler State | | LOW | *-5.3 | 5.3.1 | June 30, 2026 |
| lead-form-builder | lead-form-builder | 93 | Multiple Plugins By ThemeHunk (Various Versions) - Missing Authorization via settings_init | | LOW | *-1.8.4 | 1.8.5 | June 30, 2026 |
| jazzcash-woocommerce-gateway | jazzcash-woocommerce-gateway | 91 | WooCommerce JazzCash Gateway Plugin <= 2.0 - Unauthenticated Cross-Site Scripting | | LOW | *-2.0 | | June 30, 2026 |
| if-menu | if-menu | 93 | If Menu <= 0.16.3 - Missing Authorization to Admin Settings Modification | | LOW | *-0.16.3 | 0.17 | June 30, 2026 |
| i-recommend-this | i-recommend-this | 93 | I Recommend This <= 3.9.0 - Cross-Site Request Forgery | | LOW | *-3.9.0 | 3.9.1 | June 30, 2026 |
| gs-pinterest-portfolio | gs-pinterest-portfolio | 93 | WordPress Pinterest Plugin <= 1.6.1 - Stored (Contributor+) Cross-Site Scripting via Shortcode | | LOW | *-1.6.1 | 1.6.2 | June 30, 2026 |
| export-users-data-distinct | export-users-data-distinct | 91 | Export Users Data Distinct <= 1.3 - Authenticated (Subscriber+) CSV Injection | | LOW | *-1.3 | | June 30, 2026 |
| eroom-zoom-meetings-webinar | eroom-zoom-meetings-webinar | 93 | eRoom – Zoom Meetings & Webinar <= 1.4.6 - Missing Authorization via stm_wpcfto_get_settings_callback | | LOW | *-1.4.6 | 1.4.7 | June 30, 2026 |
| cbcurrencyconverter | cbcurrencyconverter | 93 | CBX Currency Converter <= 3.0.3 - Cross-Site Request Forgery leading to Plugin Settings Leakage/Changes | | LOW | *-3.0.3 | 3.0.4 | June 30, 2026 |
| bp-activity-social-share | bp-activity-social-share | 93 | Wbcom Designs – BuddyPress Activity Social Share <= 3.5.0 - Cross-Site Request Forgery | | LOW | *-3.5.0 | 3.5.1 | June 30, 2026 |
| amr-users | amr-users | 95 | amr users <= 4.59.4 - Authenticated (Subscriber+) CSV Injection | | LOW | *-4.59.4 | | June 30, 2026 |
| vigilantor | vigilantor | N/A | VigilanTor <= 1.3.10 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.3.10 | 1.3.11 | June 30, 2026 |
| vertical-scroll-recent-post | vertical-scroll-recent-post | N/A | Vertical scroll recent post <= 14.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes | | LOW | *-14.0 | | June 30, 2026 |
| userlike | userlike | N/A | Userlike <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-2.2 | 2.3 | June 30, 2026 |
| User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | user-registration | N/A | User Registration <= 2.3.2.1 - PHP Object Injection | | LOW | *-2.3.2.1 | 2.3.3 | June 30, 2026 |
| team-showcase-supreme | team-showcase-supreme | N/A | Team Member <= 4.4 - Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name | | LOW | *-4.4 | 4.5 | June 30, 2026 |
| simple-custom-author-profiles | simple-custom-author-profiles | N/A | Simple Custom Author Profiles <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.0.0 | | June 30, 2026 |
| redirect-redirection | redirect-redirection | N/A | Redirection <= 1.1.4 - Cross-Site Request Forgery to Plugin Reset | | LOW | *-1.1.4 | 1.1.5 | June 30, 2026 |
| photo-gallery | photo-gallery | N/A | Photo Gallery by 10Web <= 1.8.14 - Authenticated (Administrator+) Directory Traversal | | LOW | *-1.8.14 | 1.8.15 | June 30, 2026 |
| open-graphite | open-graphite | N/A | Open Graphite <= 1.6.0 - Reflected Cross-Site Scripting via topic parameter | | LOW | *-1.6.0 | 1.6.1 | June 30, 2026 |
| live-weather-station | live-weather-station | 93 | Weather Station <= 3.8.11 - Cross-Site Request Forgery | | LOW | *-3.8.12 | 3.8.13 | June 30, 2026 |
| lazy-facebook-comments | lazy-facebook-comments | 93 | Lazy Social Comments <= 2.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options | | LOW | *-2.0.4 | 2.0.5 | June 30, 2026 |
| js-jobs | js-jobs | 81 | JS Job Manager <= 2.0.0 - Missing Authorization | | LOW | *-2.0.0 | 2.0.1 | June 30, 2026 |
| enhanced-plugin-admin | enhanced-plugin-admin | 93 | Enhanced Plugin Admin <= 1.16 - Cross-Site Request Forgery via epa_options_page | | LOW | *-1.16 | 1.17 | June 30, 2026 |
| Easy Table of Contents | easy-table-of-contents | 95 | Easy Table of Contents <= 2.0.45.2 - Missing Authorization via eztoc_reset_options_to_default | | LOW | *-2.0.45.2 | 2.0.46 | June 30, 2026 |
| disqus-conditional-load | disqus-conditional-load | 93 | Disqus Conditional Load <= 11.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings. | | LOW | *-11.1.1 | 11.1.2 | June 30, 2026 |
| custom-field-template | custom-field-template | 93 | Custom Field Template <= 2.5.8 - Cross-Site Request Forgery via Plugin Options Update | | LOW | *-2.5.8 | 2.5.9 | June 30, 2026 |
| contact-form-to-email | contact-form-to-email | 93 | Contact Form Email <= 1.3.31 - Cross-Site Request Forgery to Feedback Submission | | LOW | *-1.3.31 | 1.3.32 | June 30, 2026 |
| bigcontact | bigcontact | 91 | BigContact <= 1.5.8 - Cross-Site Request Forgery leading to Plugin Settings Updates | | LOW | *-1.5.8 | | June 30, 2026 |
| wp-s3 | wp-s3 | N/A | WordPress Amazon S3 Plugin <= 1.5 - Reflected Cross-Site Scripting | | LOW | *-1.5 | 1.6 | June 30, 2026 |
| wp-popup-banners | wp-popup-banners | N/A | WP Popup Banners <= 1.2.5 - Authenticated (Subscriber+) SQL Injection via 'value' | | LOW | *-1.2.5 | | June 30, 2026 |
| wp-meta-data-filter-and-taxonomy-filter | wp-meta-data-filter-and-taxonomy-filter | N/A | MDTF – Meta Data and Taxonomies Filter <= 1.3.0.1 - Relected Cross-Site Scripting via 'tax_name' | | LOW | *-1.3.0.1 | 1.3.1 | June 30, 2026 |
| wp-content-filter | wp-content-filter | N/A | WP Content Filter – Censor All Offensive Content From Your Site <= 3.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-3.0.1 | 3.1.0 | June 30, 2026 |
| treepress | treepress | N/A | TreePress – Easy Family Trees & Ancestor Profiles <= 2.0.22 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'post_title' parameter | | LOW | *-2.0.22 | 3.0.0 | June 30, 2026 |
| time-sheets | time-sheets | N/A | Time Sheets <= 1.29.2 - Authenticated(Admin+) Stored Cross-Site Scripting | | LOW | *-1.29.2 | 1.29.3 | June 30, 2026 |
| stylish-cost-calculator-premium | stylish-cost-calculator-premium | N/A | Stylish Cost Calculator < 7.9.0 - Unauthenticated Stored Cross-Site Scripting | | LOW | [*, 7.9.0) | 7.9.0 | June 30, 2026 |
| simple-mobile-url-redirect | simple-mobile-url-redirect | N/A | Simple Mobile URL Redirect <= 1.7.2 - Cross-Site Request Forgery leading to Mobile Redirect Updates | | LOW | *-1.7.2 | | June 30, 2026 |
| scheduled-announcements-widget | scheduled-announcements-widget | N/A | Scheduled Announcements Widget <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-0.2 | 1.0 | June 30, 2026 |
| Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider | ml-slider | 88 | Slider, Gallery, and Carousel by MetaSlider <= 3.29.0 - Reflected Cross-Site Scripting | | LOW | *-3.29.0 | 3.29.1 | June 30, 2026 |
| Event Booking Manager for WooCommerce | mage-eventpress | 82 | Event Manager for WooCommerce <= 3.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'mep_get_option' function | | LOW | *-3.8.6 | 3.8.7 | June 30, 2026 |
| lead-generated | lead-generated | 93 | Lead Generated <= 1.23 - Unauthenticated PHP Object Injection | | LOW | *-1.23 | 1.25 | June 30, 2026 |
| klaviyo | klaviyo | 93 | Klaviyo <= 3.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting | | LOW | *-3.0.9 | 3.0.10 | June 30, 2026 |
| kanban | kanban | 86 | Kanban Boards for WordPress <= 2.5.21 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-2.5.21 | | June 30, 2026 |
| jet-engine | jet-engine | 93 | Crocoblock JetEngine <= 3.1.3 - Authenticated(Author+) Arbitrary File Upload to Remote Code Execution | | LOW | *-3.1.3 | 3.1.3.1 | June 30, 2026 |
LOW

popup-anything-on-click

popup-anything-on-click

Score: N/A WP OnlineSupport, Essential Plugin Popup Anything <= 2.2.1 - Cross Site Request Forgery Affected: [*, 2.2.2) Patched: 2.2.2 Updated: June 30, 2026
LOW

ms-reviews

ms-reviews

Score: N/A MS-Reviews <= 1.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-1.5 Patched: Updated: June 30, 2026
LOW

ip-address-blocker

ip-address-blocker

Score: 89/100 IP Blocker Lite <= 11.1.1 - Cross-Site Request Forgery Affected: *-11.1.1 Patched: Updated: June 30, 2026
LOW

google-maps-widget

google-maps-widget

Score: 93/100 Maps Widget for Google Maps <= 4.23 - Cross-Site Request Forgery via dismiss_notice Affected: *-4.23 Patched: 4.24 Updated: June 30, 2026
LOW

full-width-responsive-slider-wp

full-width-responsive-slider-wp

Score: 93/100 Full Width Banner Slider Wp <= 1.1.7 - Reflected Cross-Site Scripting via search_term Affected: *-1.1.7 Patched: 1.1.8 Updated: June 30, 2026
LOW

elementor-pro

elementor-pro

Score: 93/100 Elementor Pro <= 3.11.6 - Authenticated(Subscriber+) Privilege Escalation via update_page_option Affected: *-3.11.6 Patched: 3.11.7 Updated: June 30, 2026
LOW

easy-media-replace

easy-media-replace

Score: 93/100 Easy Media Replace <= 0.1.3 - Authenticated (Author+) Arbitrary File Deletion Affected: *-0.1.3 Patched: 0.2.0 Updated: June 30, 2026
LOW

custom-post-type-ui

custom-post-type-ui

Score: 93/100 Custom Post Type UI <= 1.13.4 - Cross-Site Request Forgery to Sensitive Information Exposure Affected: *-1.13.4 Patched: 1.13.5 Updated: June 30, 2026
LOW

custom-post-type-cpt-cusom-taxonomy-ct-manager

custom-post-type-cpt-cusom-taxonomy-ct-manager

Score: 91/100 Custom Post Type and Taxonomy GUI Manager <= 1.1 - Cross-Site Request Forgery to Cross-Site Scripting Affected: *-1.1 Patched: Updated: June 30, 2026
LOW

advanced-local-pickup-for-woocommerce

advanced-local-pickup-for-woocommerce

Score: 97/100 Advanced Local Pickup for WooCommerce <= 1.5.2 - Missing Authorization Affected: *-1.5.2 Patched: 1.5.3 Updated: June 30, 2026
LOW

yikes-inc-easy-mailchimp-extender

yikes-inc-easy-mailchimp-extender

Score: N/A Easy Forms for MailChimp <= 6.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-6.8.6 Patched: 6.8.7 Updated: June 30, 2026
LOW

wp-user-avatar

wp-user-avatar

Score: N/A ProfilePress <= 4.5.3 - Unauthenticated Cross-Site Scripting Affected: *-4.5.3 Patched: 4.5.4 Updated: June 30, 2026
LOW

wp-meta-seo

wp-meta-seo

Score: N/A WP Meta SEO <= 4.5.4 - Authenticated (Author+) PHAR Deserialization Affected: *-4.5.4 Patched: 4.5.5 Updated: June 30, 2026
LOW

wc-fields-factory

wc-fields-factory

Score: N/A WC Fields Factory <= 4.1.5 - Authenticated (Administrator+) SQL Injection Affected: *-4.1.5 Patched: 4.1.6 Updated: June 30, 2026
LOW

tf-numbers-number-counter-animaton

tf-numbers-number-counter-animaton

Score: N/A Themeflection Numbers <= 1.8.1 - Authenticated(Subscriber+) Privilege Escalation via tf_numb_save_licenses Affected: *-1.8.1 Patched: 2.0.1 Updated: June 30, 2026
LOW

review-stream

review-stream

Score: N/A Review Stream <= 1.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.6.5 Patched: 1.6.6 Updated: June 30, 2026
LOW

quick-paypal-payments

quick-paypal-payments

Score: N/A Quick Paypal Payments <= 5.7.26.3 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-5.7.26.3 Patched: 5.7.26.4 Updated: June 30, 2026
LOW

pagination

pagination

Score: N/A Pagination by BestWebSoft <= 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.2.2 Patched: 1.2.3 Updated: June 30, 2026
LOW

newsletter

newsletter

Score: N/A Newsletter <= 7.6.8 - Reflected Cross-Site Scripting Affected: *-7.6.8 Patched: 7.6.9 Updated: June 30, 2026
LOW

gallery-plugin

gallery-plugin

Score: 93/100 Gallery by BestWebSoft <= 4.6.9 - Authenticated (Author+) Stored Cross-Site Scripting Affected: *-4.6.9 Patched: 4.7.0 Updated: June 30, 2026
LOW

gallery-plugin

gallery-plugin

Score: 93/100 Gallery by BestWebSoft <= 4.6.9 - Authenticated (Author+) SQL Injection Affected: *-4.6.9 Patched: 4.7.0 Updated: June 30, 2026
LOW

continuous-image-carousel-with-lightbox

continuous-image-carousel-with-lightbox

Score: 93/100 Continuous Image Carousel With Lightbox <= 1.0.15 - Reflected Cross-Site Scripting via search_term, order_by and order_pos Affected: *-1.0.15 Patched: 1.0.16 Updated: June 30, 2026
LOW

continuous-image-carousel-with-lightbox

continuous-image-carousel-with-lightbox

Score: 93/100 Continuous Image Carousel With Lightbox <= 1.0.15 - Reflected Cross-Site Scripting via search_term, order_by and order_pos Affected: *-1.0.15 Patched: 1.0.16 Updated: June 30, 2026
LOW

contest-gallery

contest-gallery

Score: 93/100 Contest Gallery <= 21.1.2 - Reflected Cross-Site Scripting Affected: *-21.1.2 Patched: 21.1.2.1 Updated: June 30, 2026
LOW

contact-forms

contact-forms

Score: 93/100 WordPress Contact Forms by Cimatti <= 1.5.4 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.5.4 Patched: 1.5.5 Updated: June 30, 2026
LOW

contact-forms

contact-forms

Score: 93/100 Contact Forms by Cimatti <= 1.5.4 - Reflected Cross-Site Scripting via 'form-field-id', 'edit-fid', 'id', 'name', 'type', 'description' Parameters Affected: *-1.5.4 Patched: 1.5.5 Updated: June 30, 2026
LOW

armember-membership

armember-membership

Score: 95/100 ARMember <= 3.4.11 - Unauthenticated SQL Injection Affected: *-3.4.11 Patched: 4.0 Updated: June 30, 2026
LOW

albo-pretorio-on-line

albo-pretorio-on-line

Score: 95/100 Albo Pretorio Online <= 4.6 - Reflected Cross-Site Scripting via 'Errore' Affected: *-4.6 Patched: 4.6.1 Updated: June 30, 2026
LOW

advanced-page-visit-counter

advanced-page-visit-counter

Score: 93/100 Advanced Page Visit Counter <= 6.4.2 - Authenticated (Contributor+) SQL Injection Affected: *-6.4.2 Patched: 6.4.2.1 Updated: June 30, 2026
LOW

th-all-in-one-woo-cart

th-all-in-one-woo-cart

Score: N/A TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 - Cross-Site Request Forgery Affected: *-1.1.1 Patched: 1.1.2 Updated: June 30, 2026
LOW

WooPayments: Integrated WooCommerce Payments

woocommerce-payments

Score: 84/100 WooCommerce Payments 4.8.0 - 5.6.1 Authentication Bypass and Privilege Escalation Affected: 4.8.0-5.6.1 Patched: 5.6.2 Updated: June 30, 2026
LOW

safe-svg

safe-svg

Score: N/A SVG Sanitizer library <= 0.15.4 - Cross-Site Scripting Bypass Affected: *-2.0.3 Patched: 2.1.0 Updated: June 30, 2026
LOW

pagination

pagination

Score: N/A Pagination by BestWebSoft < 1.2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.2.2 Patched: 1.2.3 Updated: June 30, 2026
LOW

give

give

Score: 93/100 GiveWP <= 2.25.2 - Cross-Site Request Forgery Affected: *-2.25.2 Patched: 2.25.3 Updated: June 30, 2026
LOW

give

give

Score: 93/100 GiveWP <= 2.25.2 - Cross-Site Request Forgery via give_ajax_delete_payment_note Affected: *-2.25.2 Patched: 2.25.3 Updated: June 30, 2026
LOW

give

give

Score: 93/100 GiveWP <= 2.25.2 - Cross-Site Request Forgery via give_ajax_store_payment_note Affected: *-2.25.2 Patched: 2.25.3 Updated: June 30, 2026
LOW

gallery-plugin

gallery-plugin

Score: 93/100 Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress <= 4.6.9 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-4.6.9 Patched: 4.7.0 Updated: June 30, 2026
LOW

wpvr

wpvr

Score: N/A WP VR <= 8.2.8 - Reflected Cross-Site Scripting Affected: *-8.2.5 Patched: 8.2.6 Updated: June 30, 2026
LOW

woo-thank-you-page-customizer

woo-thank-you-page-customizer

Score: N/A Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.0.13 - Cross-Site Request Forgery via send_email Affected: *-1.0.13 Patched: 1.0.14 Updated: June 30, 2026
LOW

woo-product-feed-pro

woo-product-feed-pro

Score: N/A Product Feed PRO for WooCommerce <= 12.4.0 - Cross-Site Request Forgery via update_project Affected: *-12.4.0 Patched: 12.4.1 Updated: June 30, 2026
LOW

woo-bulk-price-update

woo-bulk-price-update

Score: N/A Bulk Price Update for Woocommerce <= 2.2.1 - Reflected Cross-Site Scripting Affected: *-2.2.1 Patched: 2.2.2 Updated: June 30, 2026
LOW

waiting

waiting

Score: N/A Waiting: One-click countdowns <= 0.6.2 - Authenticated (Subscriber+) SQL Injection via 'pbc_down[meta][id]' Affected: *-0.6.2 Patched: Updated: June 30, 2026
LOW

w4-post-list

w4-post-list

Score: N/A W4 Post List <= 2.4.5 - Information Disclosure via post_excerpt Affected: *-2.4.5 Patched: 2.4.6 Updated: June 30, 2026
LOW

w4-post-list

w4-post-list

Score: N/A W4 Post List <= 2.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Options Affected: *-2.4.5 Patched: 2.4.6 Updated: June 30, 2026
LOW

w4-post-list

w4-post-list

Score: N/A W4 Post List <= 2.4.5 - Reflected Cross-Site Scripting Affected: *-2.4.5 Patched: 2.4.6 Updated: June 30, 2026
LOW

th-variation-swatches

th-variation-swatches

Score: N/A TH Variation Swatches <= 1.2.7 - Cross-Site Request Forgery via delete_settings Affected: *-1.2.7 Patched: 1.2.8 Updated: June 30, 2026
LOW

th-product-compare

th-product-compare

Score: N/A Multiple Plugins By ThemeHunk (Various Versions) - Missing Authorization via settings_init Affected: *-1.2.5 Patched: 1.2.6 Updated: June 30, 2026
LOW

th-all-in-one-woo-cart

th-all-in-one-woo-cart

Score: N/A TH Side Cart and Menu Cart for Woocommerce <= 1.1.1 - Missing Authorization Affected: *-1.1.1 Patched: 1.1.2 Updated: June 30, 2026
LOW

th-advance-product-search

th-advance-product-search

Score: N/A Multiple Plugins By ThemeHunk (Various Versions) - Missing Authorization via settings_init Affected: *-1.1.4 Patched: 1.1.5 Updated: June 30, 2026
LOW

stock-sync-for-woocommerce

stock-sync-for-woocommerce

Score: N/A Stock Sync for WooCommerce <= 2.3.2 - Missing Authorization Affected: *-2.3.2 Patched: 2.4.0 Updated: June 30, 2026
LOW

stock-sync-for-woocommerce

stock-sync-for-woocommerce

Score: N/A Stock Sync for WooCommerce <= 2.3.2 - Cross-Site Request Forgery Affected: *-2.3.2 Patched: 2.4.0 Updated: June 30, 2026
LOW

pricing-tables-for-wpbakery-page-builder

pricing-tables-for-wpbakery-page-builder

Score: N/A Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 - Authenticated (Subscriber+) Local File Inclusion via Shortcode Affected: *-2.0 Patched: 3.0 Updated: June 30, 2026
LOW

pricing-tables-for-wpbakery-page-builder

pricing-tables-for-wpbakery-page-builder

Score: N/A Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-2.0 Patched: 3.0 Updated: June 30, 2026
LOW

owl-carousel

owl-carousel

Score: N/A Owl Carousel <= 0.5.3 - Missing Authorization via save_paramter.php Affected: *-0.5.3 Patched: Updated: June 30, 2026
LOW

LiteSpeed Cache

litespeed-cache

Score: 69/100 LiteSpeed Cache <= 5.3 - Missing Authorization to Toggle Crawler State Affected: *-5.3 Patched: 5.3.1 Updated: June 30, 2026
LOW

lead-form-builder

lead-form-builder

Score: 93/100 Multiple Plugins By ThemeHunk (Various Versions) - Missing Authorization via settings_init Affected: *-1.8.4 Patched: 1.8.5 Updated: June 30, 2026
LOW

jazzcash-woocommerce-gateway

jazzcash-woocommerce-gateway

Score: 91/100 WooCommerce JazzCash Gateway Plugin <= 2.0 - Unauthenticated Cross-Site Scripting Affected: *-2.0 Patched: Updated: June 30, 2026
LOW

if-menu

if-menu

Score: 93/100 If Menu <= 0.16.3 - Missing Authorization to Admin Settings Modification Affected: *-0.16.3 Patched: 0.17 Updated: June 30, 2026
LOW

i-recommend-this

i-recommend-this

Score: 93/100 I Recommend This <= 3.9.0 - Cross-Site Request Forgery Affected: *-3.9.0 Patched: 3.9.1 Updated: June 30, 2026
LOW

gs-pinterest-portfolio

gs-pinterest-portfolio

Score: 93/100 WordPress Pinterest Plugin <= 1.6.1 - Stored (Contributor+) Cross-Site Scripting via Shortcode Affected: *-1.6.1 Patched: 1.6.2 Updated: June 30, 2026
LOW

export-users-data-distinct

export-users-data-distinct

Score: 91/100 Export Users Data Distinct <= 1.3 - Authenticated (Subscriber+) CSV Injection Affected: *-1.3 Patched: Updated: June 30, 2026
LOW

eroom-zoom-meetings-webinar

eroom-zoom-meetings-webinar

Score: 93/100 eRoom – Zoom Meetings & Webinar <= 1.4.6 - Missing Authorization via stm_wpcfto_get_settings_callback Affected: *-1.4.6 Patched: 1.4.7 Updated: June 30, 2026
LOW

cbcurrencyconverter

cbcurrencyconverter

Score: 93/100 CBX Currency Converter <= 3.0.3 - Cross-Site Request Forgery leading to Plugin Settings Leakage/Changes Affected: *-3.0.3 Patched: 3.0.4 Updated: June 30, 2026
LOW

bp-activity-social-share

bp-activity-social-share

Score: 93/100 Wbcom Designs – BuddyPress Activity Social Share <= 3.5.0 - Cross-Site Request Forgery Affected: *-3.5.0 Patched: 3.5.1 Updated: June 30, 2026
LOW

amr-users

amr-users

Score: 95/100 amr users <= 4.59.4 - Authenticated (Subscriber+) CSV Injection Affected: *-4.59.4 Patched: Updated: June 30, 2026
LOW

vigilantor

vigilantor

Score: N/A VigilanTor <= 1.3.10 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.3.10 Patched: 1.3.11 Updated: June 30, 2026
LOW

vertical-scroll-recent-post

vertical-scroll-recent-post

Score: N/A Vertical scroll recent post <= 14.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes Affected: *-14.0 Patched: Updated: June 30, 2026
LOW

userlike

userlike

Score: N/A Userlike <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.2 Patched: 2.3 Updated: June 30, 2026
LOW

team-showcase-supreme

team-showcase-supreme

Score: N/A Team Member <= 4.4 - Authenticated (Editor+) Stored Cross-Site Scripting via new_style_name Affected: *-4.4 Patched: 4.5 Updated: June 30, 2026
LOW

simple-custom-author-profiles

simple-custom-author-profiles

Score: N/A Simple Custom Author Profiles <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.0.0 Patched: Updated: June 30, 2026
LOW

redirect-redirection

redirect-redirection

Score: N/A Redirection <= 1.1.4 - Cross-Site Request Forgery to Plugin Reset Affected: *-1.1.4 Patched: 1.1.5 Updated: June 30, 2026
LOW

photo-gallery

photo-gallery

Score: N/A Photo Gallery by 10Web <= 1.8.14 - Authenticated (Administrator+) Directory Traversal Affected: *-1.8.14 Patched: 1.8.15 Updated: June 30, 2026
LOW

open-graphite

open-graphite

Score: N/A Open Graphite <= 1.6.0 - Reflected Cross-Site Scripting via topic parameter Affected: *-1.6.0 Patched: 1.6.1 Updated: June 30, 2026
LOW

live-weather-station

live-weather-station

Score: 93/100 Weather Station <= 3.8.11 - Cross-Site Request Forgery Affected: *-3.8.12 Patched: 3.8.13 Updated: June 30, 2026
LOW

lazy-facebook-comments

lazy-facebook-comments

Score: 93/100 Lazy Social Comments <= 2.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Options Affected: *-2.0.4 Patched: 2.0.5 Updated: June 30, 2026
LOW

js-jobs

js-jobs

Score: 81/100 JS Job Manager <= 2.0.0 - Missing Authorization Affected: *-2.0.0 Patched: 2.0.1 Updated: June 30, 2026
LOW

enhanced-plugin-admin

enhanced-plugin-admin

Score: 93/100 Enhanced Plugin Admin <= 1.16 - Cross-Site Request Forgery via epa_options_page Affected: *-1.16 Patched: 1.17 Updated: June 30, 2026
LOW

Easy Table of Contents

easy-table-of-contents

Score: 95/100 Easy Table of Contents <= 2.0.45.2 - Missing Authorization via eztoc_reset_options_to_default Affected: *-2.0.45.2 Patched: 2.0.46 Updated: June 30, 2026
LOW

disqus-conditional-load

disqus-conditional-load

Score: 93/100 Disqus Conditional Load <= 11.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings. Affected: *-11.1.1 Patched: 11.1.2 Updated: June 30, 2026
LOW

custom-field-template

custom-field-template

Score: 93/100 Custom Field Template <= 2.5.8 - Cross-Site Request Forgery via Plugin Options Update Affected: *-2.5.8 Patched: 2.5.9 Updated: June 30, 2026
LOW

contact-form-to-email

contact-form-to-email

Score: 93/100 Contact Form Email <= 1.3.31 - Cross-Site Request Forgery to Feedback Submission Affected: *-1.3.31 Patched: 1.3.32 Updated: June 30, 2026
LOW

bigcontact

bigcontact

Score: 91/100 BigContact <= 1.5.8 - Cross-Site Request Forgery leading to Plugin Settings Updates Affected: *-1.5.8 Patched: Updated: June 30, 2026
LOW

wp-s3

wp-s3

Score: N/A WordPress Amazon S3 Plugin <= 1.5 - Reflected Cross-Site Scripting Affected: *-1.5 Patched: 1.6 Updated: June 30, 2026
LOW

wp-popup-banners

wp-popup-banners

Score: N/A WP Popup Banners <= 1.2.5 - Authenticated (Subscriber+) SQL Injection via 'value' Affected: *-1.2.5 Patched: Updated: June 30, 2026
LOW

wp-meta-data-filter-and-taxonomy-filter

wp-meta-data-filter-and-taxonomy-filter

Score: N/A MDTF – Meta Data and Taxonomies Filter <= 1.3.0.1 - Reflected Cross-Site Scripting via 'tax_name' Affected: *-1.3.0.1 Patched: 1.3.1 Updated: June 30, 2026
LOW

wp-content-filter

wp-content-filter

Score: N/A WP Content Filter – Censor All Offensive Content From Your Site <= 3.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-3.0.1 Patched: 3.1.0 Updated: June 30, 2026
LOW

treepress

treepress

Score: N/A TreePress – Easy Family Trees & Ancestor Profiles <= 2.0.22 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'post_title' parameter Affected: *-2.0.22 Patched: 3.0.0 Updated: June 30, 2026
LOW

time-sheets

time-sheets

Score: N/A Time Sheets <= 1.29.2 - Authenticated(Admin+) Stored Cross-Site Scripting Affected: *-1.29.2 Patched: 1.29.3 Updated: June 30, 2026
LOW

stylish-cost-calculator-premium

stylish-cost-calculator-premium

Score: N/A Stylish Cost Calculator < 7.9.0 - Unauthenticated Stored Cross-Site Scripting Affected: [*, 7.9.0) Patched: 7.9.0 Updated: June 30, 2026
LOW

simple-mobile-url-redirect

simple-mobile-url-redirect

Score: N/A Simple Mobile URL Redirect <= 1.7.2 - Cross-Site Request Forgery leading to Mobile Redirect Updates Affected: *-1.7.2 Patched: Updated: June 30, 2026
LOW

scheduled-announcements-widget

scheduled-announcements-widget

Score: N/A Scheduled Announcements Widget <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.2 Patched: 1.0 Updated: June 30, 2026
LOW

Event Booking Manager for WooCommerce

mage-eventpress

Score: 82/100 Event Manager for WooCommerce <= 3.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'mep_get_option' function Affected: *-3.8.6 Patched: 3.8.7 Updated: June 30, 2026
LOW

lead-generated

lead-generated

Score: 93/100 Lead Generated <= 1.23 - Unauthenticated PHP Object Injection Affected: *-1.23 Patched: 1.25 Updated: June 30, 2026
LOW

klaviyo

klaviyo

Score: 93/100 Klaviyo <= 3.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-3.0.9 Patched: 3.0.10 Updated: June 30, 2026
LOW

kanban

kanban

Score: 86/100 Kanban Boards for WordPress <= 2.5.21 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.5.21 Patched: Updated: June 30, 2026
LOW

jet-engine

jet-engine

Score: 93/100 Crocoblock JetEngine <= 3.1.3 - Authenticated(Author+) Arbitrary File Upload to Remote Code Execution Affected: *-3.1.3 Patched: 3.1.3.1 Updated: June 30, 2026

Showing 25801 to 25900 of 36283 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 09:38 UTC.