Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36283

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
inpost-gallery	inpost-gallery	93	InPost Gallery <= 2.1.4.1 - Reflected Cross-Site Scripting via 'imgurl'	LOW	*-2.1.4.1	2.1.4.2	June 30, 2026
hummingbird-performance	hummingbird-performance	93	Hummingbird <= 3.4.1 - Unauthenticated Path Traversal	LOW	*-3.4.1	3.4.2	June 30, 2026
groundhogg	groundhogg	93	Groundhogg <= 2.7.9.3 - Authenticated (Administrator)+ SQL Injection	LOW	*-2.7.9.3	2.7.9.4	June 30, 2026
google-mobile-sitemap	google-mobile-sitemap	91	Google XML Sitemap for Mobile <= 1.6.1 - Cross-Site Request Forgery via mobile_sitemap_generate	LOW	*-1.6.1		June 30, 2026
giveasap	giveasap	91	Simple Giveaways <= 2.45.0 - Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields	LOW	*-2.45.0	2.45.1	June 30, 2026
giveasap	giveasap	91	Simple Giveaways <= 2.45.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings	LOW	*-2.45.0	2.45.1	June 30, 2026
giveasap	giveasap	91	Simple Giveaways <= 2.45.0 - Authenticated(Admin+) Stored Cross-Site Scripting via form fields	LOW	*-2.45.0	2.45.1	June 30, 2026
gamipress-youtube-integration	gamipress-youtube-integration	93	GamiPress – Youtube integration <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.0.7	1.0.8	June 30, 2026
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder	fluentform	78	FluentForms <= 4.3.24 - Authenticated(Contributor+) Stored Cross-Site Scripting	LOW	*-4.3.24	4.3.25	June 30, 2026
events-made-easy	events-made-easy	91	Events Made Easy <= 2.3.14 - Authenticated (Subscriber+) SQL Injection via 'search_name'	LOW	*-2.3.14		June 30, 2026
cyberus-key	cyberus-key	93	Cyberus Key <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'uid' in 'cyberkey_settings' Plugin Setting	LOW	*-1.0	1.1	June 30, 2026
cyberus-key	cyberus-key	93	Cyberus Key <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.0	1.1	June 30, 2026
convertbox-auto-embed	convertbox-auto-embed	93	ConvertBox Auto Embed WordPress plugin <= 1.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.0.19	1.0.20	June 30, 2026
branded-social-images	branded-social-images	93	Branded Social Images <= 1.1.0 - Missing Authorization leading to Unauthenticated Plugin Settings Updates	LOW	*-1.1.0	1.1.1	June 30, 2026
All-In-One Security (AIOS) – Security and Firewall	all-in-one-wp-security-and-firewall	72	All-In-One Security (AIOS) <= 5.1.4 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-5.1.4	5.1.5	June 30, 2026
agile-store-locator	agile-store-locator	97	Store Locator WordPress <= 1.4.9 - Authenticated (Editor+) Stored Cross-Site Scripting via 'category_name', 'description', 'description_2' parameters	LOW	*-1.4.9	1.4.10	June 30, 2026
wp-simple-events	wp-simple-events	N/A	WP Simple Events <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.0		June 30, 2026
wp-popup-banners	wp-popup-banners	N/A	WP Popup Banners <= 1.2.5 - Authenticated (Subscriber+) SQL Injection	LOW	*-1.2.5		June 30, 2026
wp-job-portal	wp-job-portal	N/A	WP Job Portal <= 2.0.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting	LOW	*-2.0.5	2.0.6	June 30, 2026
wp-express-checkout	wp-express-checkout	N/A	WP Express Checkout <= 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code]	LOW	2.2.8	2.2.9	June 30, 2026
wc-return-warrranty	wc-return-warrranty	N/A	Return and Warranty Management System for WooCommerce <= 1.2.3 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.2.3		June 30, 2026
unusedcss	unusedcss	N/A	RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery	LOW	*-1.7.1	1.7.2	June 30, 2026
surbma-gdpr-proof-google-analytics	surbma-gdpr-proof-google-analytics	N/A	Surbma \| GDPR Proof Cookie Consent & Notice Bar <= 17.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-17.5.3	17.6.0	June 30, 2026
GEO Plugin by Squirrly SEO	squirrly-seo	N/A	SEO Plugin by Squirrly SEO <= 12.1.20 - Reflected Cross-Site Scripting via 'page' and 'tab'	LOW	*-12.1.20	12.1.21	June 30, 2026
GEO Plugin by Squirrly SEO	squirrly-seo	N/A	SEO Plugin by Squirrly SEO <= 12.1.20 - Missing Authorization	LOW	*-12.1.20	12.1.21	June 30, 2026
open-rdw-kenteken-voertuiginformatie	open-rdw-kenteken-voertuiginformatie	N/A	Open RDW kenteken voertuiginformatie <= 2.0.14 - Reflected Cross-Site Scripting via open_data_rdw_kenteken	LOW	*-2.0.14	2.1.0	June 30, 2026
ecwid-shopping-cart	ecwid-shopping-cart	93	Ecwid Shopping Cart <= 6.11.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-6.11.4	6.11.5	June 30, 2026
ecommerce-product-catalog	ecommerce-product-catalog	93	eCommerce Product Catalog plugin for WordPress <= 3.3.8 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-3.3.8	3.3.9	June 30, 2026
contact-form-7-paypal-add-on	contact-form-7-paypal-add-on	93	Contact Form 7 – PayPal & Stripe Add-on <= 1.9.3 - Cross-Site Request Forgery	LOW	*-1.9.3	1.9.4	June 30, 2026
bookly-responsive-appointment-booking-tool	bookly-responsive-appointment-booking-tool	93	Bookly <= 21.5 - Unauthenticated Stored Cross-Site Scripting via Name	LOW	21.5	21.5.1	June 30, 2026
wpml	wpml	N/A	WPML <= 4.6.1 - Cross-Site Scripting	LOW	*-4.6.0	4.6.1	June 30, 2026
wp-tiles	wp-tiles	N/A	WP Tiles <= 1.1.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode	LOW	*-1.1.2		June 30, 2026
wp-tiles	wp-tiles	N/A	WP Tiles <= 1.1.2 - Authenticated(Subscriber+) Sensitive Information Exposure	LOW	*-1.1.2		June 30, 2026
wp-shortcode	wp-shortcode	N/A	WP Shortcode by MyThemeShop <= 1.4.16 - Cross-Site Request Forgery	LOW	*-1.4.16	1.4.17	June 30, 2026
wp-basic-elements	wp-basic-elements	N/A	WP Basic Elements <= 5.2.15 - Missing Authorization to Plugin Settings Update via wpbe_save_settings	LOW	*-5.2.15	5.3.0	June 30, 2026
wordpress-simple-paypal-shopping-cart	wordpress-simple-paypal-shopping-cart	N/A	WP Simple Shopping Cart <= 4.6.3 - Information Disclosure	LOW	4.6.3	4.6.4	June 30, 2026
website-monetization-by-magenet	website-monetization-by-magenet	N/A	Website Monetization by MageNet <= 1.0.29.1 - Cross-Site Request Forgery via admin_magenet_settings	LOW	*-1.0.29.1	1.0.29.2	June 30, 2026
UpdraftPlus: WP Backup & Migration Plugin	updraftplus	69	UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler	LOW	1.22.14-1.23.2, 2.22.14-2.23.2	1.23.3	June 30, 2026
smtp2go	smtp2go	N/A	SMTP2GO <= 1.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings	LOW	*-1.4.2	1.5.0	June 30, 2026
MotoPress Hotel Booking	motopress-hotel-booking-lite	N/A	Hotel Booking Lite <= 4.6.0 - Cross-Site Request Forgery to Settings Update	LOW	*-4.6.0	4.7.0	June 30, 2026
Event Booking Manager for WooCommerce	mage-eventpress	82	Event Manager for WooCommerce <= 3.7.7 - Cross-Site Request Forgery leading to Uninstall Form Submission	LOW	*-3.7.7	3.7.8	June 30, 2026
import-external-images	import-external-images	91	Import External Images <= 1.4 - Cross-Site Request Forgery via external_image_import_all_ajax	LOW	*-1.4		June 30, 2026
ht-instagram	ht-instagram	93	HT Feed <= 1.2.7 - Cross-Site Request Forgery leading to Limited Plugin Activation	LOW	*-1.2.7	1.2.8	June 30, 2026
force-first-last	force-first-last	93	Force First and Last Name as Display Name <= 1.2 - Cross-Site Request Forgery	LOW	*-1.2	1.2.1	June 30, 2026
estatik-mortgage-calculator	estatik-mortgage-calculator	86	WordPress Mortgage Calculator Estatik <= 2.0.11 - Reflected Cross-Site Scripting	LOW	*-2.0.11		June 30, 2026
custom-options-plus	custom-options-plus	91	Custom Options Plus <= 1.8.1 - Cross-Site Request Forgery via custom_options_plus_adm	LOW	*-1.8.1		June 30, 2026
cp-multi-view-calendar	cp-multi-view-calendar	91	CP Multi View Event Calendar <= 1.4.10 - Missing Authentication leading to Authenticated (Subscriber+) Private Form Submission	LOW	*-1.4.10	1.4.11	June 30, 2026
contact-form-to-email	contact-form-to-email	93	Contact Form Email <= 1.3.31 - Missing Authorization to Feedback Submission	LOW	*-1.3.31	1.3.32	June 30, 2026
bulk-resize-media	bulk-resize-media	91	Bulk Resize Media <= 1.1 - Cross-Site Request Forgery via bulk_resize_resize_image	LOW	*-1.1		June 30, 2026
branda-white-labeling	branda-white-labeling	93	Branda – White Label WordPress <= 3.4.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-3.4.8.1	3.4.9	June 30, 2026
xml-sitemaps-for-videos	xml-sitemaps-for-videos	N/A	Google XML Sitemap for Videos <= 2.6.1 - Cross-Site Request Forgery via video_sitemap_generate	LOW	*-2.6.1		June 30, 2026
wsb-brands	wsb-brands	N/A	WSB Brands <= 1.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via $logo	LOW	*-1.1.8	1.2	June 30, 2026
wp-email-capture	wp-email-capture	N/A	WordPress Email Marketing Plugin – WP Email Capture <= 3.10 - Information Exposure via wp_email_capture_options_process	LOW	*-3.10	3.11	June 30, 2026
wp-backup-bank	wp-backup-bank	N/A	Backup Bank: WordPress Backup Plugin <= 4.0.28 - Missing Authorization via post_user_feedback_backup_bank	LOW	*-4.0.28		June 30, 2026
store-locator	store-locator	N/A	Store Locator <= 3.98.7 - Cross-Site Request Forgery to Settings Update	LOW	*-3.98.7	3.98.8	June 30, 2026
slideshow-gallery	slideshow-gallery	N/A	Slideshow Gallery LITE <= 1.7.6 - Cross-Site Request Forgery via admin_galleries	LOW	*-1.7.6	1.7.7	June 30, 2026
slideshow-gallery	slideshow-gallery	N/A	Slideshow Gallery LITE <= 1.7.6 - Cross-Site Request Forgery via admin_slides	LOW	*-1.7.6	1.7.7	June 30, 2026
slideshow-gallery	slideshow-gallery	N/A	Slideshow Gallery LITE <= 1.7.6 - Authenticated(Admin+) SQL Injection	LOW	*-1.7.6	1.7.7	June 30, 2026
slide-anything	slide-anything	N/A	Slide Anything <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting	LOW	*-2.4.7	2.4.9	June 30, 2026
pb-seo-friendly-images	pb-seo-friendly-images	N/A	PB SEO Friendly Images <= 4.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-4.0.5		June 30, 2026
integration-dynamics	integration-dynamics	93	Dynamics 365 Integration <= 1.3.12 - Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity	LOW	*-1.3.12	1.3.13	June 30, 2026
drag-n-drop-upload-cf7-pro	drag-n-drop-upload-cf7-pro	93	Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard <= 5.0.6.3 and <= 2.11.0 - Reflected Cross-Site Scripting	LOW	2.0-2.11.0, 5.0-5.0.6.3	2.11.1	June 30, 2026
cf7-redirect-thank-you-page	cf7-redirect-thank-you-page	93	Contact Form 7 Redirect & Thank You Page <= 1.0.3 - Cross-Site Request Forgery via cf7rl_admin_table	LOW	*-1.0.3	1.0.4	June 30, 2026
be-popia-compliant	be-popia-compliant	93	Be POPIA Compliant <= 1.2.0 - Authenticated (Subscriber+) SQL Injection	LOW	*-1.2.0	1.3.0	June 30, 2026
yandexnews-feed-by-teplitsa	yandexnews-feed-by-teplitsa	N/A	Yandex.News Feed by Teplitsa <= 1.12.5 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.12.5		June 30, 2026
xili-tidy-tags	xili-tidy-tags	N/A	xili-tidy-tags <= 1.12.03 - Cross-Site Request Forgery	LOW	*-1.12.03	1.12.04	June 30, 2026
wp-email-capture	wp-email-capture	N/A	WordPress Email Marketing Plugin – WP Email Capture <= 3.10 - Missing Authorization to Email Capture List Download	LOW	*-3.10	3.11	June 30, 2026
wp-basic-elements	wp-basic-elements	N/A	WP Basic Elements <= 5.2.15 - Cross-Site Request Forgery via wpbe_save_settings	LOW	*-5.2.15	5.3.0	June 30, 2026
wp-advanced-search	wp-advanced-search	N/A	WP-Advanced-Search <= 3.3.8 - Cross-Site Request Forgery leading to Plugin Settings Updates	LOW	*-3.3.8	3.3.9	June 30, 2026
wordpress-console	wordpress-console	N/A	WordPress Console <= 0.3.9 - Missing Authorization via reload.php	LOW	*-0.3.9		June 30, 2026
tags-cloud-manager	tags-cloud-manager	N/A	Tags Cloud Manager <= 1.0.0 - Reflected Cross-Site Scripting	LOW	*-1.0.0		June 30, 2026
redirect-redirection	redirect-redirection	N/A	Redirect Redirection <= 1.1.4 - Cross-Site Request Forgery to Plugin De-Installation	LOW	*-1.1.4	1.1.5	June 30, 2026
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder	popup-maker	N/A	Popup Maker <= 1.17.1 - Sensitive Data Exposure via debug log file	LOW	*-1.17.1	1.18.0	June 30, 2026
modern-footnotes	modern-footnotes	93	Modern Footnotes <= 1.4.15 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.4.15	1.4.16	June 30, 2026
modern-events-calendar-lite	modern-events-calendar-lite	93	Modern Events Calendar lite < 6.10.5 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	[*, 6.10.5)	6.10.5	June 30, 2026
login-attempts-limit-wp	login-attempts-limit-wp	89	LOGIN AND REGISTRATION ATTEMPTS LIMIT <= 2.1 - Cross-Site Request Forgery	LOW	*-2.1		June 30, 2026
integration-dynamics	integration-dynamics	93	Dynamics 365 Integration <= 1.3.12 - Cross-Site Request Forgery via wp_ajax_wpcrm_log_verbosity	LOW	*-1.3.12	1.3.13	June 30, 2026
google-image-sitemap	google-image-sitemap	91	Google XML Sitemap for Images <= 2.1.3 - Cross-Site Request Forgery via image_sitemap_generate	LOW	*-2.1.3		June 30, 2026
embed-any-document	embed-any-document	93	Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files <= 2.7.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG files	LOW	*-2.7.1	2.7.2	June 30, 2026
easy-event-calendar	easy-event-calendar	91	Easy Event calendar <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.0		June 30, 2026
customify	customify	93	Customify <= 2.10.4 - Cross-Site Request Forgery to Settings Update	LOW	*-2.10.4	2.10.5	June 30, 2026
chronoforms	chronoforms	91	Chronoforms <= 7.0.9 - Cross-Site Request Forgery	LOW	*-7.0.9		June 30, 2026
cf7-invisible-recaptcha	cf7-invisible-recaptcha	93	CF7 Invisible reCAPTCHA <= 1.3.3 - Cross-Site Request Forgery via vsz_cf7_invisible_recaptcha_page	LOW	*-1.3.3	1.3.4	June 30, 2026
auto-rename-media-on-upload	auto-rename-media-on-upload	93	Auto Rename Media On Upload <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.0.5	1.1.0	June 30, 2026
admin-side-data-storage-for-contact-form-7	admin-side-data-storage-for-contact-form-7	90	Admin side data storage for Contact Form 7 <= 1.1.2 - Stored Cross-Site Scripting	LOW	*-1.1.2		June 30, 2026
8-degree-coming-soon-page	8-degree-coming-soon-page	95	Coming Soon Landing Page and Maintenance Mode WordPress Plugin <= 2.2.0 - Missing Authorization	LOW	*-2.2.0		June 30, 2026
WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters	wp-google-map-plugin	74	WP Google Map Plugin <= 4.4.2 - Cross-Site Request Forgery via delete()	LOW	*-4.4.2	4.4.3	June 30, 2026
wp-easycart	wp-easycart	N/A	Shopping Cart & eCommerce Store <= 5.4.2 - Authenticated (Admin+) Local File Inclusion via import_file_url	LOW	*-5.4.2	5.4.3	June 30, 2026
woocommerce-delivery-notes	woocommerce-delivery-notes	N/A	Print Invoice & Delivery Notes for WooCommerce <= 4.7.2 - Cross-Site Request Forgery via ts_reset_tracking_setting	LOW	*-4.7.2	4.7.3	June 30, 2026
wh-testimonials	wh-testimonials	N/A	WH Testimonials <= 3.0.0 - Unauthenticated Stored Cross-Site Scripting	LOW	*-3.0.0		June 30, 2026
weight-based-shipping-for-woocommerce	weight-based-shipping-for-woocommerce	N/A	WooCommerce Weight Based Shipping <= 5.4.1 - Cross-Site Request Forgery leading to Plugin Settings Changes	LOW	*-5.4.1	5.5.0	June 30, 2026
user-role	user-role	N/A	User Role by BestWebSoft <= 1.6.6 - Cross-Site Request Forgery to Privilege Escalation	LOW	*-1.6.6	1.6.7	June 30, 2026
stock-ticker	stock-ticker	N/A	Stock Ticker <= 3.23.0 - Missing Authorization via AJAX actions	LOW	*-3.23.0	3.23.1	June 30, 2026
solidres	solidres	N/A	Solidres <= 0.9.4 - Reflected Cross-Site Scripting	LOW	*-0.9.4		June 30, 2026
solidres	solidres	N/A	Solidres <= 0.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-0.9.4		June 30, 2026
Site Reviews	site-reviews	N/A	Site Reviews <= 6.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute	LOW	*-6.5.1	6.6.0	June 30, 2026
Site Reviews	site-reviews	N/A	Site Reviews <= 6.5.1 - Missing Authorization	LOW	*-6.5.0	6.6.0	June 30, 2026
Site Reviews	site-reviews	N/A	Site Reviews <= 6.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode	LOW	*-6.5.1	6.6.0	June 30, 2026
Robo Gallery – Photo & Image Slider	robo-gallery	N/A	Robo Gallery <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes	LOW	*-3.2.12	3.2.13	June 30, 2026
reusable-blocks-extended	reusable-blocks-extended	N/A	Reusable Blocks Extended <= 0.9 - Cross-Site Request Forgery via reblex_reusable_screen_block_pattern_registration	LOW	*-0.9	0.9.1	June 30, 2026

LOW

inpost-gallery

Score: 93/100 InPost Gallery <= 2.1.4.1 - Reflected Cross-Site Scripting via 'imgurl' Affected: *-2.1.4.1 Patched: 2.1.4.2 Updated: June 30, 2026

LOW

hummingbird-performance

Score: 93/100 Hummingbird <= 3.4.1 - Unauthenticated Path Traversal Affected: *-3.4.1 Patched: 3.4.2 Updated: June 30, 2026

LOW

groundhogg

Score: 93/100 Groundhogg <= 2.7.9.3 - Authenticated (Administrator)+ SQL Injection Affected: *-2.7.9.3 Patched: 2.7.9.4 Updated: June 30, 2026

LOW

google-mobile-sitemap

Score: 91/100 Google XML Sitemap for Mobile <= 1.6.1 - Cross-Site Request Forgery via mobile_sitemap_generate Affected: *-1.6.1 Patched: Updated: June 30, 2026

LOW

giveasap

Score: 91/100 Simple Giveaways <= 2.45.0 - Authenticated (Editor+) Stored Cross-Site Scripting via Form, Prize, and Sharing Method Fields Affected: *-2.45.0 Patched: 2.45.1 Updated: June 30, 2026

LOW

giveasap

Score: 91/100 Simple Giveaways <= 2.45.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings Affected: *-2.45.0 Patched: 2.45.1 Updated: June 30, 2026

LOW

giveasap

Score: 91/100 Simple Giveaways <= 2.45.0 - Authenticated(Admin+) Stored Cross-Site Scripting via form fields Affected: *-2.45.0 Patched: 2.45.1 Updated: June 30, 2026

LOW

gamipress-youtube-integration

Score: 93/100 GamiPress – Youtube integration <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.0.7 Patched: 1.0.8 Updated: June 30, 2026

LOW

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

fluentform

Score: 78/100 FluentForms <= 4.3.24 - Authenticated(Contributor+) Stored Cross-Site Scripting Affected: *-4.3.24 Patched: 4.3.25 Updated: June 30, 2026

LOW

events-made-easy

Score: 91/100 Events Made Easy <= 2.3.14 - Authenticated (Subscriber+) SQL Injection via 'search_name' Affected: *-2.3.14 Patched: Updated: June 30, 2026

LOW

cyberus-key

Score: 93/100 Cyberus Key <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'uid' in 'cyberkey_settings' Plugin Setting Affected: *-1.0 Patched: 1.1 Updated: June 30, 2026

LOW

cyberus-key

Score: 93/100 Cyberus Key <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.0 Patched: 1.1 Updated: June 30, 2026

LOW

convertbox-auto-embed

Score: 93/100 ConvertBox Auto Embed WordPress plugin <= 1.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.0.19 Patched: 1.0.20 Updated: June 30, 2026

LOW

branded-social-images

Score: 93/100 Branded Social Images <= 1.1.0 - Missing Authorization leading to Unauthenticated Plugin Settings Updates Affected: *-1.1.0 Patched: 1.1.1 Updated: June 30, 2026

LOW

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

Score: 72/100 All-In-One Security (AIOS) <= 5.1.4 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-5.1.4 Patched: 5.1.5 Updated: June 30, 2026

LOW

Score: 97/100 Store Locator WordPress <= 1.4.9 - Authenticated (Editor+) Stored Cross-Site Scripting via 'category_name', 'description', 'description_2' parameters Affected: *-1.4.9 Patched: 1.4.10 Updated: June 30, 2026

LOW

wp-simple-events

Score: N/A WP Simple Events <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

wp-popup-banners

Score: N/A WP Popup Banners <= 1.2.5 - Authenticated (Subscriber+) SQL Injection Affected: *-1.2.5 Patched: Updated: June 30, 2026

LOW

wp-job-portal

Score: N/A WP Job Portal <= 2.0.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-2.0.5 Patched: 2.0.6 Updated: June 30, 2026

LOW

wp-express-checkout

Score: N/A WP Express Checkout <= 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code] Affected: 2.2.8 Patched: 2.2.9 Updated: June 30, 2026

LOW

wc-return-warrranty

Score: N/A Return and Warranty Management System for WooCommerce <= 1.2.3 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.2.3 Patched: Updated: June 30, 2026

LOW

unusedcss

Score: N/A RapidLoad Power-Up for Autoptimize <= 1.7.1 - Cross-Site Request Forgery Affected: *-1.7.1 Patched: 1.7.2 Updated: June 30, 2026

LOW

surbma-gdpr-proof-google-analytics

Score: N/A Surbma | GDPR Proof Cookie Consent & Notice Bar <= 17.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-17.5.3 Patched: 17.6.0 Updated: June 30, 2026

LOW

GEO Plugin by Squirrly SEO

squirrly-seo

Score: N/A SEO Plugin by Squirrly SEO <= 12.1.20 - Reflected Cross-Site Scripting via 'page' and 'tab' Affected: *-12.1.20 Patched: 12.1.21 Updated: June 30, 2026

LOW

GEO Plugin by Squirrly SEO

squirrly-seo

Score: N/A SEO Plugin by Squirrly SEO <= 12.1.20 - Missing Authorization Affected: *-12.1.20 Patched: 12.1.21 Updated: June 30, 2026

LOW

open-rdw-kenteken-voertuiginformatie

Score: N/A Open RDW kenteken voertuiginformatie <= 2.0.14 - Reflected Cross-Site Scripting via open_data_rdw_kenteken Affected: *-2.0.14 Patched: 2.1.0 Updated: June 30, 2026

LOW

ecwid-shopping-cart

Score: 93/100 Ecwid Shopping Cart <= 6.11.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-6.11.4 Patched: 6.11.5 Updated: June 30, 2026

LOW

ecommerce-product-catalog

Score: 93/100 eCommerce Product Catalog plugin for WordPress <= 3.3.8 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-3.3.8 Patched: 3.3.9 Updated: June 30, 2026

LOW

contact-form-7-paypal-add-on

Score: 93/100 Contact Form 7 – PayPal & Stripe Add-on <= 1.9.3 - Cross-Site Request Forgery Affected: *-1.9.3 Patched: 1.9.4 Updated: June 30, 2026

LOW

bookly-responsive-appointment-booking-tool

Score: 93/100 Bookly <= 21.5 - Unauthenticated Stored Cross-Site Scripting via Name Affected: 21.5 Patched: 21.5.1 Updated: June 30, 2026

LOW

wpml

Score: N/A WPML <= 4.6.1 - Cross-Site Scripting Affected: *-4.6.0 Patched: 4.6.1 Updated: June 30, 2026

LOW

wp-tiles

Score: N/A WP Tiles <= 1.1.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode Affected: *-1.1.2 Patched: Updated: June 30, 2026

LOW

wp-tiles

Score: N/A WP Tiles <= 1.1.2 - Authenticated(Subscriber+) Sensitive Information Exposure Affected: *-1.1.2 Patched: Updated: June 30, 2026

LOW

wp-shortcode

Score: N/A WP Shortcode by MyThemeShop <= 1.4.16 - Cross-Site Request Forgery Affected: *-1.4.16 Patched: 1.4.17 Updated: June 30, 2026

LOW

wp-basic-elements

Score: N/A WP Basic Elements <= 5.2.15 - Missing Authorization to Plugin Settings Update via wpbe_save_settings Affected: *-5.2.15 Patched: 5.3.0 Updated: June 30, 2026

LOW

wordpress-simple-paypal-shopping-cart

Score: N/A WP Simple Shopping Cart <= 4.6.3 - Information Disclosure Affected: 4.6.3 Patched: 4.6.4 Updated: June 30, 2026

LOW

website-monetization-by-magenet

Score: N/A Website Monetization by MageNet <= 1.0.29.1 - Cross-Site Request Forgery via admin_magenet_settings Affected: *-1.0.29.1 Patched: 1.0.29.2 Updated: June 30, 2026

LOW

UpdraftPlus: WP Backup & Migration Plugin

updraftplus

Score: 69/100 UpdraftPlus 1.22.14 to 1.23.2 and UpdraftPlus (Premium) 2.22.14 to 2.23.2 - Privilege Escalation via updraft_central_ajax_handler Affected: 1.22.14-1.23.2, 2.22.14-2.23.2 Patched: 1.23.3 Updated: June 30, 2026

LOW

smtp2go

Score: N/A SMTP2GO <= 1.4.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings Affected: *-1.4.2 Patched: 1.5.0 Updated: June 30, 2026

LOW

MotoPress Hotel Booking

motopress-hotel-booking-lite

Score: N/A Hotel Booking Lite <= 4.6.0 - Cross-Site Request Forgery to Settings Update Affected: *-4.6.0 Patched: 4.7.0 Updated: June 30, 2026

LOW

Event Booking Manager for WooCommerce

mage-eventpress

Score: 82/100 Event Manager for WooCommerce <= 3.7.7 - Cross-Site Request Forgery leading to Uninstall Form Submission Affected: *-3.7.7 Patched: 3.7.8 Updated: June 30, 2026

LOW

import-external-images

Score: 91/100 Import External Images <= 1.4 - Cross-Site Request Forgery via external_image_import_all_ajax Affected: *-1.4 Patched: Updated: June 30, 2026

LOW

ht-instagram

Score: 93/100 HT Feed <= 1.2.7 - Cross-Site Request Forgery leading to Limited Plugin Activation Affected: *-1.2.7 Patched: 1.2.8 Updated: June 30, 2026

LOW

force-first-last

Score: 93/100 Force First and Last Name as Display Name <= 1.2 - Cross-Site Request Forgery Affected: *-1.2 Patched: 1.2.1 Updated: June 30, 2026

LOW

estatik-mortgage-calculator

Score: 86/100 WordPress Mortgage Calculator Estatik <= 2.0.11 - Reflected Cross-Site Scripting Affected: *-2.0.11 Patched: Updated: June 30, 2026

LOW

custom-options-plus

Score: 91/100 Custom Options Plus <= 1.8.1 - Cross-Site Request Forgery via custom_options_plus_adm Affected: *-1.8.1 Patched: Updated: June 30, 2026

LOW

cp-multi-view-calendar

Score: 91/100 CP Multi View Event Calendar <= 1.4.10 - Missing Authentication leading to Authenticated (Subscriber+) Private Form Submission Affected: *-1.4.10 Patched: 1.4.11 Updated: June 30, 2026

LOW

contact-form-to-email

Score: 93/100 Contact Form Email <= 1.3.31 - Missing Authorization to Feedback Submission Affected: *-1.3.31 Patched: 1.3.32 Updated: June 30, 2026

LOW

bulk-resize-media

Score: 91/100 Bulk Resize Media <= 1.1 - Cross-Site Request Forgery via bulk_resize_resize_image Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

branda-white-labeling

Score: 93/100 Branda – White Label WordPress <= 3.4.8.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-3.4.8.1 Patched: 3.4.9 Updated: June 30, 2026

LOW

xml-sitemaps-for-videos

Score: N/A Google XML Sitemap for Videos <= 2.6.1 - Cross-Site Request Forgery via video_sitemap_generate Affected: *-2.6.1 Patched: Updated: June 30, 2026

LOW

wsb-brands

Score: N/A WSB Brands <= 1.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via $logo Affected: *-1.1.8 Patched: 1.2 Updated: June 30, 2026

LOW

wp-email-capture

Score: N/A WordPress Email Marketing Plugin – WP Email Capture <= 3.10 - Information Exposure via wp_email_capture_options_process Affected: *-3.10 Patched: 3.11 Updated: June 30, 2026

LOW

wp-backup-bank

Score: N/A Backup Bank: WordPress Backup Plugin <= 4.0.28 - Missing Authorization via post_user_feedback_backup_bank Affected: *-4.0.28 Patched: Updated: June 30, 2026

LOW

store-locator

Score: N/A Store Locator <= 3.98.7 - Cross-Site Request Forgery to Settings Update Affected: *-3.98.7 Patched: 3.98.8 Updated: June 30, 2026

LOW

slideshow-gallery

Score: N/A Slideshow Gallery LITE <= 1.7.6 - Cross-Site Request Forgery via admin_galleries Affected: *-1.7.6 Patched: 1.7.7 Updated: June 30, 2026

LOW

slideshow-gallery

Score: N/A Slideshow Gallery LITE <= 1.7.6 - Cross-Site Request Forgery via admin_slides Affected: *-1.7.6 Patched: 1.7.7 Updated: June 30, 2026

LOW

slideshow-gallery

Score: N/A Slideshow Gallery LITE <= 1.7.6 - Authenticated(Admin+) SQL Injection Affected: *-1.7.6 Patched: 1.7.7 Updated: June 30, 2026

LOW

slide-anything

Score: N/A Slide Anything <= 2.4.7 - Authenticated (Author+) Stored Cross-Site Scripting Affected: *-2.4.7 Patched: 2.4.9 Updated: June 30, 2026

LOW

pb-seo-friendly-images

Score: N/A PB SEO Friendly Images <= 4.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-4.0.5 Patched: Updated: June 30, 2026

LOW

integration-dynamics

Score: 93/100 Dynamics 365 Integration <= 1.3.12 - Missing Authorization via wp_ajax_wpcrm_log & wp_ajax_wpcrm_log_verbosity Affected: *-1.3.12 Patched: 1.3.13 Updated: June 30, 2026

LOW

drag-n-drop-upload-cf7-pro

Score: 93/100 Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard <= 5.0.6.3 and <= 2.11.0 - Reflected Cross-Site Scripting Affected: 2.0-2.11.0, 5.0-5.0.6.3 Patched: 2.11.1 Updated: June 30, 2026

LOW

cf7-redirect-thank-you-page

Score: 93/100 Contact Form 7 Redirect & Thank You Page <= 1.0.3 - Cross-Site Request Forgery via cf7rl_admin_table Affected: *-1.0.3 Patched: 1.0.4 Updated: June 30, 2026

LOW

be-popia-compliant

Score: 93/100 Be POPIA Compliant <= 1.2.0 - Authenticated (Subscriber+) SQL Injection Affected: *-1.2.0 Patched: 1.3.0 Updated: June 30, 2026

LOW

yandexnews-feed-by-teplitsa

Score: N/A Yandex.News Feed by Teplitsa <= 1.12.5 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.12.5 Patched: Updated: June 30, 2026

LOW

xili-tidy-tags

Score: N/A xili-tidy-tags <= 1.12.03 - Cross-Site Request Forgery Affected: *-1.12.03 Patched: 1.12.04 Updated: June 30, 2026

LOW

wp-email-capture

Score: N/A WordPress Email Marketing Plugin – WP Email Capture <= 3.10 - Missing Authorization to Email Capture List Download Affected: *-3.10 Patched: 3.11 Updated: June 30, 2026

LOW

wp-basic-elements

Score: N/A WP Basic Elements <= 5.2.15 - Cross-Site Request Forgery via wpbe_save_settings Affected: *-5.2.15 Patched: 5.3.0 Updated: June 30, 2026

LOW

wp-advanced-search

Score: N/A WP-Advanced-Search <= 3.3.8 - Cross-Site Request Forgery leading to Plugin Settings Updates Affected: *-3.3.8 Patched: 3.3.9 Updated: June 30, 2026

LOW

wordpress-console

Score: N/A WordPress Console <= 0.3.9 - Missing Authorization via reload.php Affected: *-0.3.9 Patched: Updated: June 30, 2026

LOW

tags-cloud-manager

Score: N/A Tags Cloud Manager <= 1.0.0 - Reflected Cross-Site Scripting Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

redirect-redirection

Score: N/A Redirect Redirection <= 1.1.4 - Cross-Site Request Forgery to Plugin De-Installation Affected: *-1.1.4 Patched: 1.1.5 Updated: June 30, 2026

LOW

Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder

popup-maker

Score: N/A Popup Maker <= 1.17.1 - Sensitive Data Exposure via debug log file Affected: *-1.17.1 Patched: 1.18.0 Updated: June 30, 2026

LOW

modern-footnotes

Score: 93/100 Modern Footnotes <= 1.4.15 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.4.15 Patched: 1.4.16 Updated: June 30, 2026

LOW

modern-events-calendar-lite

Score: 93/100 Modern Events Calendar lite < 6.10.5 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: [*, 6.10.5) Patched: 6.10.5 Updated: June 30, 2026

LOW

login-attempts-limit-wp

Score: 89/100 LOGIN AND REGISTRATION ATTEMPTS LIMIT <= 2.1 - Cross-Site Request Forgery Affected: *-2.1 Patched: Updated: June 30, 2026

LOW

integration-dynamics

Score: 93/100 Dynamics 365 Integration <= 1.3.12 - Cross-Site Request Forgery via wp_ajax_wpcrm_log_verbosity Affected: *-1.3.12 Patched: 1.3.13 Updated: June 30, 2026

LOW

google-image-sitemap

Score: 91/100 Google XML Sitemap for Images <= 2.1.3 - Cross-Site Request Forgery via image_sitemap_generate Affected: *-2.1.3 Patched: Updated: June 30, 2026

LOW

embed-any-document

Score: 93/100 Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files <= 2.7.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG files Affected: *-2.7.1 Patched: 2.7.2 Updated: June 30, 2026

LOW

easy-event-calendar

Score: 91/100 Easy Event calendar <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

customify

Score: 93/100 Customify <= 2.10.4 - Cross-Site Request Forgery to Settings Update Affected: *-2.10.4 Patched: 2.10.5 Updated: June 30, 2026

LOW

chronoforms

Score: 91/100 Chronoforms <= 7.0.9 - Cross-Site Request Forgery Affected: *-7.0.9 Patched: Updated: June 30, 2026

LOW

cf7-invisible-recaptcha

Score: 93/100 CF7 Invisible reCAPTCHA <= 1.3.3 - Cross-Site Request Forgery via vsz_cf7_invisible_recaptcha_page Affected: *-1.3.3 Patched: 1.3.4 Updated: June 30, 2026

LOW

auto-rename-media-on-upload

Score: 93/100 Auto Rename Media On Upload <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.0.5 Patched: 1.1.0 Updated: June 30, 2026

LOW

admin-side-data-storage-for-contact-form-7

Score: 90/100 Admin side data storage for Contact Form 7 <= 1.1.2 - Stored Cross-Site Scripting Affected: *-1.1.2 Patched: Updated: June 30, 2026

LOW

8-degree-coming-soon-page

Score: 95/100 Coming Soon Landing Page and Maintenance Mode WordPress Plugin <= 2.2.0 - Missing Authorization Affected: *-2.2.0 Patched: Updated: June 30, 2026

LOW

WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters

wp-google-map-plugin

Score: 74/100 WP Google Map Plugin <= 4.4.2 - Cross-Site Request Forgery via delete() Affected: *-4.4.2 Patched: 4.4.3 Updated: June 30, 2026

LOW

wp-easycart

Score: N/A Shopping Cart & eCommerce Store <= 5.4.2 - Authenticated (Admin+) Local File Inclusion via import_file_url Affected: *-5.4.2 Patched: 5.4.3 Updated: June 30, 2026

LOW

woocommerce-delivery-notes

Score: N/A Print Invoice & Delivery Notes for WooCommerce <= 4.7.2 - Cross-Site Request Forgery via ts_reset_tracking_setting Affected: *-4.7.2 Patched: 4.7.3 Updated: June 30, 2026

LOW

wh-testimonials

Score: N/A WH Testimonials <= 3.0.0 - Unauthenticated Stored Cross-Site Scripting Affected: *-3.0.0 Patched: Updated: June 30, 2026

LOW

weight-based-shipping-for-woocommerce

Score: N/A WooCommerce Weight Based Shipping <= 5.4.1 - Cross-Site Request Forgery leading to Plugin Settings Changes Affected: *-5.4.1 Patched: 5.5.0 Updated: June 30, 2026

LOW

user-role

Score: N/A User Role by BestWebSoft <= 1.6.6 - Cross-Site Request Forgery to Privilege Escalation Affected: *-1.6.6 Patched: 1.6.7 Updated: June 30, 2026

LOW

stock-ticker

Score: N/A Stock Ticker <= 3.23.0 - Missing Authorization via AJAX actions Affected: *-3.23.0 Patched: 3.23.1 Updated: June 30, 2026

LOW

solidres

Score: N/A Solidres <= 0.9.4 - Reflected Cross-Site Scripting Affected: *-0.9.4 Patched: Updated: June 30, 2026

LOW

solidres

Score: N/A Solidres <= 0.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-0.9.4 Patched: Updated: June 30, 2026

LOW

Site Reviews

site-reviews

Score: N/A Site Reviews <= 6.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via block attribute Affected: *-6.5.1 Patched: 6.6.0 Updated: June 30, 2026

LOW

Site Reviews

site-reviews

Score: N/A Site Reviews <= 6.5.1 - Missing Authorization Affected: *-6.5.0 Patched: 6.6.0 Updated: June 30, 2026

LOW

Site Reviews

site-reviews

Score: N/A Site Reviews <= 6.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Affected: *-6.5.1 Patched: 6.6.0 Updated: June 30, 2026

LOW

Robo Gallery – Photo & Image Slider

robo-gallery

Score: N/A Robo Gallery <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes Affected: *-3.2.12 Patched: 3.2.13 Updated: June 30, 2026

LOW

reusable-blocks-extended

Score: N/A Reusable Blocks Extended <= 0.9 - Cross-Site Request Forgery via reblex_reusable_screen_block_pattern_registration Affected: *-0.9 Patched: 0.9.1 Updated: June 30, 2026

Showing 25901 to 26000 of 36283 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 10:56 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List