Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36304

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
wp-insert	wp-insert	N/A	Wp-Insert <= 2.5.0 Authenticated (Admin+) Stored Cross Site Scripting	LOW	*-2.5.0	2.5.1	June 30, 2026
wp-email-capture	wp-email-capture	N/A	WordPress Email Marketing Plugin – WP Email Capture <= 3.9.3 - Cross Site Request Forgery	LOW	*-3.9.3	3.10	June 30, 2026
wp-baidu-submit	wp-baidu-submit	N/A	WP BaiDu Submit <= 1.2.1 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-1.2.1		June 30, 2026
woo-wallet	woo-wallet	N/A	TeraWallet – For WooCommerce <= 1.3.24 - Cross-Site Request Forgery via admin_options	LOW	*-1.3.24	1.4.0	June 30, 2026
vslider	vslider	N/A	vSlider Multi Image Slider <= 4.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-4.1.2		June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in admin_widgets_welcome function	LOW	*-1.5.12	1.6.0	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.6.1 - Cross-Site Request Forgery in multiple functions in admin/controller.php	LOW	*-1.6.1	1.6.2	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in saveconfig function	LOW	*-1.5.12	1.6.0	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in savetmplfile function	LOW	*-1.5.12	1.6.0	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in exec_multitask_widgets function	LOW	*-1.5.12	1.6.0	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.6.1 - Cross-Site Request Forgery in listenTosFieldSavingTask function	LOW	*-1.6.1	1.6.2	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in widgets_watch_data function	LOW	*-1.5.12	1.6.0	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in exec_admin_widget function	LOW	*-1.5.12	1.6.0	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in savetranslation function	LOW	*-1.5.12	1.6.0	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in savetranslationstay function	LOW	*-1.5.12	1.6.0	June 30, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in save_admin_widgets function	LOW	*-1.5.12	1.6.0	June 30, 2026
upload-file-type-settings-plugin	upload-file-type-settings-plugin	N/A	Upload File Type Settings Plugin <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.1		June 30, 2026
ultimate-wp-query-search-filter	ultimate-wp-query-search-filter	N/A	Ultimate WP Query Search Filter <= 1.0.10 - Authenticated (Contributor+) Stored Cross Site Scripting	LOW	*-1.0.10		June 30, 2026
tapfiliate	tapfiliate	N/A	Tapfiliate <= 3.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-3.0.12	3.0.13	June 30, 2026
sticky-ad-bar	sticky-ad-bar	N/A	Sticky Ad Bar <= 1.3.1 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-1.3.1		June 30, 2026
service-area-postcode-checker	service-area-postcode-checker	N/A	Service Area Postcode Checker <= 2.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-2.0.8		June 30, 2026
quiz-master-next	quiz-master-next	N/A	Quiz And Survey Master <= 8.0.8 - Unauthenticated Arbitrary Media Deletion	LOW	*-8.0.8	8.0.9	June 30, 2026
quick-paypal-payments	quick-paypal-payments	N/A	Quick Paypal Payments <= 5.7.25 - Authenticated (Contributor+) Cross Site Scripting	LOW	*-5.7.25	5.7.26	June 30, 2026
quick-contact-form	quick-contact-form	N/A	Quick Contact Form <= 8.0.3.1 - Authenticated (Admin+) Stored Cross Site Scripting	LOW	*-8.0.3.1	8.0.4	June 30, 2026
podlove-subscribe-button	podlove-subscribe-button	N/A	Podlove Subscribe button <= 1.3.7 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.3.7	1.3.9	June 30, 2026
podlove-subscribe-button	podlove-subscribe-button	N/A	Podlove Subscribe button <= 1.3.7 - Cross-Site Request Forgery via process_form function	LOW	*-1.3.7	1.3.9	June 30, 2026
podlove-subscribe-button	podlove-subscribe-button	N/A	Podlove Subscribe button <= 1.3.7 - Cross-Site Request Forgery via save function	LOW	*-1.3.7	1.3.9	June 30, 2026
open-social	open-social	N/A	WP Open Social <= 5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-5.0		June 30, 2026
olevmedia-shortcodes	olevmedia-shortcodes	N/A	Olevmedia Shortcodes <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.1.9		June 30, 2026
nooz	nooz	N/A	Nooz <= 1.6.0 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-1.6.0	1.7.0	June 30, 2026
miniorange-login-with-eve-online-google-facebook	miniorange-login-with-eve-online-google-facebook	93	OAuth Single Sign On – SSO (OAuth Client) <= 6.24.1- Cross-Site Request Forgery via 'discard' in mooauth_client_applist_page	LOW	*-6.24.1	6.24.2	June 30, 2026
miniorange-login-openid	miniorange-login-openid	91	WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.5.14 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-7.5.14	7.6.0	June 30, 2026
miniorange-login-openid	miniorange-login-openid	91	WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.5.14 - Cross-Site Request Forgery	LOW	*-7.5.14	7.5.15	June 30, 2026
meta-slider-and-carousel-with-lightbox	meta-slider-and-carousel-with-lightbox	93	Meta Slider and Carousel with Lightbox <= 1.6.2 - Cross-Site Request Forgery	LOW	*-1.6.2	1.7	June 30, 2026
json-content-importer	json-content-importer	93	JSON Content Importer <= 1.3.15 - Authenticated (Admin+) Cross Site Scripting	LOW	*-1.3.15	1.3.16	June 30, 2026
inline-tweet-sharer	inline-tweet-sharer	93	Inline Tweet Sharer <= 2.5.3 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-2.5.3	2.6	June 30, 2026
get-url-cron	get-url-cron	93	Get URL Cron <= 1.4.7 - Missing Authorization via geturlcron_action_handle	LOW	*-1.4.7	1.4.8	June 30, 2026
get-url-cron	get-url-cron	93	Get URL Cron <= 1.4.7 - Cross-Site Request Forgery via geturlcron_action_handle	LOW	*-1.4.7	1.4.8	June 30, 2026
fontiran	fontiran	87	Fontiran <= 2.1 - Missing Authorization via fi_add_rule and fi_delete_webfont_php	LOW	*-2.1		June 30, 2026
feed-changer	feed-changer	93	Feed Changer <= 0.2 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-0.2	0.3	June 30, 2026
facebook-like-send-button	facebook-like-send-button	93	Peadig's Like & Share Button <= 1.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.1.5	1.2	June 30, 2026
eyes-only-user-access-shortcode	eyes-only-user-access-shortcode	91	Eyes Only: User Access Shortcode <= 1.8.2 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.8.2		June 30, 2026
easy-panorama	easy-panorama	93	Easy Panorama <= 1.1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.1.4	1.1.5	June 30, 2026
download-info-page	download-info-page	91	WP资源下载管理 <= 1.3.9 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.3.9		June 30, 2026
click-to-call-or-chat-buttons	click-to-call-or-chat-buttons	93	Click to Call or Chat Buttons <= 1.4.0 - Authenticated(Admin+) Stored Cross-Site Scripting	LOW	*-1.4.0	1.5.0	June 30, 2026
campaign-url-builder	campaign-url-builder	93	Campaign URL Builder <= 1.8.1 - Authenticated (Admin+) Stored Cross-Site Scripting via Create Link	LOW	*-1.8.1	1.8.2	June 30, 2026
archivist-custom-archive-templates	archivist-custom-archive-templates	95	Archivist – Custom Archive Templates <= 1.7.4 - Cross-Site Request Forgery	LOW	*-1.7.4	1.7.5	June 30, 2026
archivist-custom-archive-templates	archivist-custom-archive-templates	95	Archivist – Custom Archive Templates <= 1.7.4 - Authenticated(Admin+) Stored Cross-Site Scripting	LOW	*-1.7.4	1.7.5	June 30, 2026
wpvr	wpvr	N/A	WP VR <= 8.2.7 - Cross-Site Request Forgery	LOW	*-8.2.7	8.2.8	June 30, 2026
wpglobus-translate-options	wpglobus-translate-options	N/A	WPGlobus Translate Options <= 2.1.0 - Reflected Cross-Site Scripting via page	LOW	*-2.1.0	2.2.0	June 30, 2026
wp-prayer	wp-prayer	N/A	WP Prayer <= 1.9.6 - Authenticated(Admin+) Stored Cross-Site Scripting	LOW	*-1.9.6	1.9.7	June 30, 2026
woo-cart-all-in-one	woo-cart-all-in-one	N/A	Cart All In One For WooCommerce <= 1.1.10 - Cross-Site Request Forgery to Cart Changes	LOW	*-1.1.10	1.1.11	June 30, 2026
woo-alidropship	woo-alidropship	N/A	ALD Dropping and Fulfillment for AliExpress and WooCommerce <= 1.0.21 - Cross-Site Request Forgery to Order Information Disclosure	LOW	*-1.0.21	1.0.22	June 30, 2026
woo-alidropship	woo-alidropship	N/A	ALD Dropping and Fulfillment for AliExpress and WooCommerce <= 1.0.21 - Missing Authorization to Order Information Disclosure	LOW	*-1.0.21	1.0.22	June 30, 2026
watchtowerhq	watchtowerhq	N/A	WatchTowerHQ <= 3.6.16 - Type Juggling to Authentication Bypass in check_ota	LOW	*-3.6.16	3.6.17	June 30, 2026
tickera-event-ticketing-system	tickera-event-ticketing-system	N/A	Tickera <= 3.5.1.0 - Cross-Site Request Forgery to Ticket Post Status Change	LOW	*-3.5.1.0	3.5.1.1	June 30, 2026
quick-paypal-payments	quick-paypal-payments	N/A	Quick Paypal Payments <= 5.7.25 - Unauthenticated Stored Cross Site Scripting	LOW	[*, 5.7.26)	5.7.26	June 30, 2026
quick-paypal-payments	quick-paypal-payments	N/A	Quick Paypal Payments <= 5.7.25 - Missing Authorization	LOW	*-5.7.25	5.7.26	June 30, 2026
quick-event-manager	quick-event-manager	N/A	Quick Event Manager <= 9.6.4 - Authenticated(Admin+) Stored Cross-Site Scripting	LOW	*-9.6.4	9.6.5	June 30, 2026
ocean-extra	ocean-extra	N/A	Ocean Extra <= 2.1.2 - Authenticated (Subscriber+) Arbitrary Post Access	LOW	*-2.1.2	2.1.3	June 30, 2026
ocean-extra	ocean-extra	N/A	Ocean Extra <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.1.2	2.1.3	June 30, 2026
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery	nextgen-gallery	66	NextGEN Gallery <= 3.28 - Cross-Site Request Forgery leading to Post Thumbnail Change	LOW	*-3.28	3.29	June 30, 2026
multi-rating	multi-rating	N/A	Multi Rating <= 5.0.5 - Unauthenticated Stored Cross-Site Scripting	LOW	*-5.0.5	5.0.6	June 30, 2026
locatoraid	locatoraid	91	Locatoraid Store Locator <= 3.9.11 - Cross Site Request Forgery in grab	LOW	*-3.9.11	3.9.12	June 30, 2026
interactive-image-map-builder	interactive-image-map-builder	93	Interactive SVG Image Map Builder <= 1.0 - Authenticated(Admin+) Stored Cross-Site Scripting	LOW	*-1.0	1.1	June 30, 2026
google-analytics-opt-out	google-analytics-opt-out	93	Google Analytics Opt-Out <= 2.3.4 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-2.3.4	2.3.5	June 30, 2026
gamipress	gamipress	93	GamiPress <= 2.5.7 - Unauthenticated SQL Injection	LOW	*-2.5.7	2.5.7.1	June 30, 2026
gamipress	gamipress	93	GamiPress <= 2.5.6 - Cross-Site Request Forgery to User Earnings Deletion	LOW	*-2.5.6	2.5.7	June 30, 2026
Conditional Payments for WooCommerce	conditional-payments-for-woocommerce	95	Conditional Payments for WooCommerce <= 2.3.1 - Cross-Site Request Forgery	LOW	*-2.3.1	2.3.2	June 30, 2026
better-robots-txt	better-robots-txt	93	Robots.txt optimization <= 1.4.5 - Cross Site Request Forgery	LOW	*-1.4.5	1.4.6	June 30, 2026
automatorwp	automatorwp	93	AutomatorWP <= 2.5.8 - Cross Site Request Forgery via bulk_delete	LOW	*-2.5.8	2.5.9	June 30, 2026
All-In-One Security (AIOS) – Security and Firewall	all-in-one-wp-security-and-firewall	72	All-In-One Security (AIOS) <= 5.1.4 - Authenticated(Admin+) Directory Traversal	LOW	*-5.1.4	5.1.5	June 30, 2026
wpaudio-mp3-player	wpaudio-mp3-player	N/A	WPaudio MP3 Player <= 4.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-4.0.2		June 30, 2026
upqode-google-maps	upqode-google-maps	N/A	UpQode Google Maps <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.0.5		June 30, 2026
ttv-easy-embed-player	ttv-easy-embed-player	N/A	Twitch Player <= 2.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-2.1.0	2.1.1	June 30, 2026
tlp-portfolio	tlp-portfolio	N/A	Portfolio – WordPress Portfolio Plugin <= 2.8.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-2.8.10	2.8.11	June 30, 2026
synved-shortcodes	synved-shortcodes	N/A	WordPress Shortcodes <= 1.6.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.6.36		June 30, 2026
simple-yearly-archive	simple-yearly-archive	N/A	Simple Yearly Archive <= 2.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-2.1.8	2.1.9	June 30, 2026
rsvpmaker	rsvpmaker	N/A	RSVPMaker <= 9.9.3 - Authenticated (Admin+) SQL Injection via 'delete' parameter	LOW	*-9.9.3	9.9.4	June 30, 2026
rsvpmaker	rsvpmaker	N/A	RSVPMaker <= 9.9.3 - Authenticated (Admin+) SQL Injection via $email value	LOW	*-9.9.3	9.9.4	June 30, 2026
resume-builder	resume-builder	N/A	Resume Builder <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting	LOW	*-3.1.1	3.2	June 30, 2026
profile-builder	profile-builder	N/A	Profile Builder – User Profile & User Registration Forms <= 3.9.0 - Sensitive Information Disclosure via Shortcode	LOW	*-3.9.0	3.9.1	June 30, 2026
profile-builder	profile-builder	N/A	Profile Builder – User Profile & User Registration Forms <= 3.9.0 - Insecure Password Reset Mechanism	LOW	*-3.9.0	3.9.1	June 30, 2026
product-gtin-ean-upc-isbn-for-woocommerce	product-gtin-ean-upc-isbn-for-woocommerce	N/A	Product GTIN (EAN, UPC, ISBN) for WooCommerce <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.1.1		June 30, 2026
nd-projects	nd-projects	N/A	Cost Calculator <= 1.8 - Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode	LOW	*-1.8		June 30, 2026
n-media-woocommerce-checkout-fields	n-media-woocommerce-checkout-fields	N/A	WooCommerce Checkout Field Manager <= 17.3 - Unauthenticated Arbitrary File Upload	LOW	*-17.3	18.0	June 30, 2026
miniorange-login-openid	miniorange-login-openid	91	WordPress Social Login and Register <= 7.6.0 - Missing Authorization to Unauthenticated Arbitrary Content Deletion	LOW	*-7.6.0	7.6.1	June 30, 2026
mabel-shoppable-images-lite	mabel-shoppable-images-lite	93	Shoppable Images <= 1.2.3 - Cross Site Request Forgery	LOW	*-1.2.3	1.2.4	June 30, 2026
mabel-shoppable-images-lite	mabel-shoppable-images-lite	93	Shoppable Images Lite <= 1.2.3 - Missing Authorization	LOW	*-1.2.3	1.2.4	June 30, 2026
i2-pro-cons	i2-pro-cons	91	i2 Pros & Cons <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.3.1		June 30, 2026
gamipress	gamipress	93	GamiPress <= 2.5.6 - Missing Authorization to User Points Updates	LOW	*-2.5.6	2.5.7	June 30, 2026
fancy-facebook-comments	fancy-facebook-comments	93	WordPress Fancy Comments <= 1.2.10 - Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode	LOW	*-1.2.10	1.2.11	June 30, 2026
dupeoff	dupeoff	91	DupeOff <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.6		June 30, 2026
download-attachments	download-attachments	91	Download Attachments <= 1.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.2.24	1.3	June 30, 2026
announce-from-the-dashboard	announce-from-the-dashboard	97	Announce from the Dashboard <= 1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.5.1	1.5.2	June 30, 2026
all-in-one-schemaorg-rich-snippets	all-in-one-schemaorg-rich-snippets	97	Schema - All In One Schema Rich Snippets <= 1.6.5 - Cross-Site Request Forgery in rich_snippet_dashboard	LOW	*-1.6.5	1.6.6	June 30, 2026
advanced-recent-posts	advanced-recent-posts	95	Advanced Recent Posts <= 0.6.14 - Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode	LOW	*-0.6.14		June 30, 2026
cf7-widget-elementor	cf7-widget-elementor	93	Void Contact Form 7 Widget For Elementor Page Builder <= 2.1.1 - Cross-Site Request Forgery in void_cf7_opt_in_user_data_track	LOW	*-2.1.1	2.2	June 30, 2026
under-construction-page	under-construction-page	N/A	Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_ucp_dismiss_notice	LOW	*-3.96	3.97	June 30, 2026
under-construction-page	under-construction-page	N/A	Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_install_weglot	LOW	*-3.96	3.97	June 30, 2026

LOW

wp-insert

Score: N/A Wp-Insert <= 2.5.0 Authenticated (Admin+) Stored Cross Site Scripting Affected: *-2.5.0 Patched: 2.5.1 Updated: June 30, 2026

LOW

wp-email-capture

Score: N/A WordPress Email Marketing Plugin – WP Email Capture <= 3.9.3 - Cross Site Request Forgery Affected: *-3.9.3 Patched: 3.10 Updated: June 30, 2026

LOW

wp-baidu-submit

Score: N/A WP BaiDu Submit <= 1.2.1 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-1.2.1 Patched: Updated: June 30, 2026

LOW

woo-wallet

Score: N/A TeraWallet – For WooCommerce <= 1.3.24 - Cross-Site Request Forgery via admin_options Affected: *-1.3.24 Patched: 1.4.0 Updated: June 30, 2026

LOW

vslider

Score: N/A vSlider Multi Image Slider <= 4.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-4.1.2 Patched: Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in admin_widgets_welcome function Affected: *-1.5.12 Patched: 1.6.0 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.6.1 - Cross-Site Request Forgery in multiple functions in admin/controller.php Affected: *-1.6.1 Patched: 1.6.2 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in saveconfig function Affected: *-1.5.12 Patched: 1.6.0 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in savetmplfile function Affected: *-1.5.12 Patched: 1.6.0 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in exec_multitask_widgets function Affected: *-1.5.12 Patched: 1.6.0 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.6.1 - Cross-Site Request Forgery in listenTosFieldSavingTask function Affected: *-1.6.1 Patched: 1.6.2 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in widgets_watch_data function Affected: *-1.5.12 Patched: 1.6.0 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in exec_admin_widget function Affected: *-1.5.12 Patched: 1.6.0 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in savetranslation function Affected: *-1.5.12 Patched: 1.6.0 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in savetranslationstay function Affected: *-1.5.12 Patched: 1.6.0 Updated: June 30, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.5.12 - Cross-Site Request Forgery in save_admin_widgets function Affected: *-1.5.12 Patched: 1.6.0 Updated: June 30, 2026

LOW

upload-file-type-settings-plugin

Score: N/A Upload File Type Settings Plugin <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

ultimate-wp-query-search-filter

Score: N/A Ultimate WP Query Search Filter <= 1.0.10 - Authenticated (Contributor+) Stored Cross Site Scripting Affected: *-1.0.10 Patched: Updated: June 30, 2026

LOW

tapfiliate

Score: N/A Tapfiliate <= 3.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-3.0.12 Patched: 3.0.13 Updated: June 30, 2026

LOW

sticky-ad-bar

Score: N/A Sticky Ad Bar <= 1.3.1 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-1.3.1 Patched: Updated: June 30, 2026

LOW

service-area-postcode-checker

Score: N/A Service Area Postcode Checker <= 2.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.0.8 Patched: Updated: June 30, 2026

LOW

quiz-master-next

Score: N/A Quiz And Survey Master <= 8.0.8 - Unauthenticated Arbitrary Media Deletion Affected: *-8.0.8 Patched: 8.0.9 Updated: June 30, 2026

LOW

quick-paypal-payments

Score: N/A Quick Paypal Payments <= 5.7.25 - Authenticated (Contributor+) Cross Site Scripting Affected: *-5.7.25 Patched: 5.7.26 Updated: June 30, 2026

LOW

quick-contact-form

Score: N/A Quick Contact Form <= 8.0.3.1 - Authenticated (Admin+) Stored Cross Site Scripting Affected: *-8.0.3.1 Patched: 8.0.4 Updated: June 30, 2026

LOW

podlove-subscribe-button

Score: N/A Podlove Subscribe button <= 1.3.7 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.3.7 Patched: 1.3.9 Updated: June 30, 2026

LOW

podlove-subscribe-button

Score: N/A Podlove Subscribe button <= 1.3.7 - Cross-Site Request Forgery via process_form function Affected: *-1.3.7 Patched: 1.3.9 Updated: June 30, 2026

LOW

podlove-subscribe-button

Score: N/A Podlove Subscribe button <= 1.3.7 - Cross-Site Request Forgery via save function Affected: *-1.3.7 Patched: 1.3.9 Updated: June 30, 2026

LOW

open-social

Score: N/A WP Open Social <= 5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-5.0 Patched: Updated: June 30, 2026

LOW

olevmedia-shortcodes

Score: N/A Olevmedia Shortcodes <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.1.9 Patched: Updated: June 30, 2026

LOW

nooz

Score: N/A Nooz <= 1.6.0 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-1.6.0 Patched: 1.7.0 Updated: June 30, 2026

LOW

miniorange-login-with-eve-online-google-facebook

Score: 93/100 OAuth Single Sign On – SSO (OAuth Client) <= 6.24.1- Cross-Site Request Forgery via 'discard' in mooauth_client_applist_page Affected: *-6.24.1 Patched: 6.24.2 Updated: June 30, 2026

LOW

Score: 91/100 WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.5.14 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-7.5.14 Patched: 7.6.0 Updated: June 30, 2026

LOW

miniorange-login-openid

Score: 91/100 WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.5.14 - Cross-Site Request Forgery Affected: *-7.5.14 Patched: 7.5.15 Updated: June 30, 2026

LOW

meta-slider-and-carousel-with-lightbox

Score: 93/100 Meta Slider and Carousel with Lightbox <= 1.6.2 - Cross-Site Request Forgery Affected: *-1.6.2 Patched: 1.7 Updated: June 30, 2026

LOW

json-content-importer

Score: 93/100 JSON Content Importer <= 1.3.15 - Authenticated (Admin+) Cross Site Scripting Affected: *-1.3.15 Patched: 1.3.16 Updated: June 30, 2026

LOW

inline-tweet-sharer

Score: 93/100 Inline Tweet Sharer <= 2.5.3 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-2.5.3 Patched: 2.6 Updated: June 30, 2026

LOW

get-url-cron

Score: 93/100 Get URL Cron <= 1.4.7 - Missing Authorization via geturlcron_action_handle Affected: *-1.4.7 Patched: 1.4.8 Updated: June 30, 2026

LOW

get-url-cron

Score: 93/100 Get URL Cron <= 1.4.7 - Cross-Site Request Forgery via geturlcron_action_handle Affected: *-1.4.7 Patched: 1.4.8 Updated: June 30, 2026

LOW

fontiran

Score: 87/100 Fontiran <= 2.1 - Missing Authorization via fi_add_rule and fi_delete_webfont_php Affected: *-2.1 Patched: Updated: June 30, 2026

LOW

feed-changer

Score: 93/100 Feed Changer <= 0.2 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-0.2 Patched: 0.3 Updated: June 30, 2026

LOW

facebook-like-send-button

Score: 93/100 Peadig's Like & Share Button <= 1.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.1.5 Patched: 1.2 Updated: June 30, 2026

LOW

eyes-only-user-access-shortcode

Score: 91/100 Eyes Only: User Access Shortcode <= 1.8.2 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.8.2 Patched: Updated: June 30, 2026

LOW

easy-panorama

Score: 93/100 Easy Panorama <= 1.1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.1.4 Patched: 1.1.5 Updated: June 30, 2026

LOW

download-info-page

Score: 91/100 WP资源下载管理 <= 1.3.9 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.3.9 Patched: Updated: June 30, 2026

LOW

click-to-call-or-chat-buttons

Score: 93/100 Click to Call or Chat Buttons <= 1.4.0 - Authenticated(Admin+) Stored Cross-Site Scripting Affected: *-1.4.0 Patched: 1.5.0 Updated: June 30, 2026

LOW

campaign-url-builder

Score: 93/100 Campaign URL Builder <= 1.8.1 - Authenticated (Admin+) Stored Cross-Site Scripting via Create Link Affected: *-1.8.1 Patched: 1.8.2 Updated: June 30, 2026

LOW

archivist-custom-archive-templates

Score: 95/100 Archivist – Custom Archive Templates <= 1.7.4 - Cross-Site Request Forgery Affected: *-1.7.4 Patched: 1.7.5 Updated: June 30, 2026

LOW

archivist-custom-archive-templates

Score: 95/100 Archivist – Custom Archive Templates <= 1.7.4 - Authenticated(Admin+) Stored Cross-Site Scripting Affected: *-1.7.4 Patched: 1.7.5 Updated: June 30, 2026

LOW

wpvr

Score: N/A WP VR <= 8.2.7 - Cross-Site Request Forgery Affected: *-8.2.7 Patched: 8.2.8 Updated: June 30, 2026

LOW

wpglobus-translate-options

Score: N/A WPGlobus Translate Options <= 2.1.0 - Reflected Cross-Site Scripting via page Affected: *-2.1.0 Patched: 2.2.0 Updated: June 30, 2026

LOW

wp-prayer

Score: N/A WP Prayer <= 1.9.6 - Authenticated(Admin+) Stored Cross-Site Scripting Affected: *-1.9.6 Patched: 1.9.7 Updated: June 30, 2026

LOW

woo-cart-all-in-one

Score: N/A Cart All In One For WooCommerce <= 1.1.10 - Cross-Site Request Forgery to Cart Changes Affected: *-1.1.10 Patched: 1.1.11 Updated: June 30, 2026

LOW

woo-alidropship

Score: N/A ALD Dropping and Fulfillment for AliExpress and WooCommerce <= 1.0.21 - Cross-Site Request Forgery to Order Information Disclosure Affected: *-1.0.21 Patched: 1.0.22 Updated: June 30, 2026

LOW

woo-alidropship

Score: N/A ALD Dropping and Fulfillment for AliExpress and WooCommerce <= 1.0.21 - Missing Authorization to Order Information Disclosure Affected: *-1.0.21 Patched: 1.0.22 Updated: June 30, 2026

LOW

watchtowerhq

Score: N/A WatchTowerHQ <= 3.6.16 - Type Juggling to Authentication Bypass in check_ota Affected: *-3.6.16 Patched: 3.6.17 Updated: June 30, 2026

LOW

tickera-event-ticketing-system

Score: N/A Tickera <= 3.5.1.0 - Cross-Site Request Forgery to Ticket Post Status Change Affected: *-3.5.1.0 Patched: 3.5.1.1 Updated: June 30, 2026

LOW

quick-paypal-payments

Score: N/A Quick Paypal Payments <= 5.7.25 - Unauthenticated Stored Cross Site Scripting Affected: [*, 5.7.26) Patched: 5.7.26 Updated: June 30, 2026

LOW

quick-paypal-payments

Score: N/A Quick Paypal Payments <= 5.7.25 - Missing Authorization Affected: *-5.7.25 Patched: 5.7.26 Updated: June 30, 2026

LOW

quick-event-manager

Score: N/A Quick Event Manager <= 9.6.4 - Authenticated(Admin+) Stored Cross-Site Scripting Affected: *-9.6.4 Patched: 9.6.5 Updated: June 30, 2026

LOW

ocean-extra

Score: N/A Ocean Extra <= 2.1.2 - Authenticated (Subscriber+) Arbitrary Post Access Affected: *-2.1.2 Patched: 2.1.3 Updated: June 30, 2026

LOW

ocean-extra

Score: N/A Ocean Extra <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.1.2 Patched: 2.1.3 Updated: June 30, 2026

LOW

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

nextgen-gallery

Score: 66/100 NextGEN Gallery <= 3.28 - Cross-Site Request Forgery leading to Post Thumbnail Change Affected: *-3.28 Patched: 3.29 Updated: June 30, 2026

LOW

multi-rating

Score: N/A Multi Rating <= 5.0.5 - Unauthenticated Stored Cross-Site Scripting Affected: *-5.0.5 Patched: 5.0.6 Updated: June 30, 2026

LOW

locatoraid

Score: 91/100 Locatoraid Store Locator <= 3.9.11 - Cross Site Request Forgery in grab Affected: *-3.9.11 Patched: 3.9.12 Updated: June 30, 2026

LOW

interactive-image-map-builder

Score: 93/100 Interactive SVG Image Map Builder <= 1.0 - Authenticated(Admin+) Stored Cross-Site Scripting Affected: *-1.0 Patched: 1.1 Updated: June 30, 2026

LOW

google-analytics-opt-out

Score: 93/100 Google Analytics Opt-Out <= 2.3.4 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-2.3.4 Patched: 2.3.5 Updated: June 30, 2026

LOW

gamipress

Score: 93/100 GamiPress <= 2.5.7 - Unauthenticated SQL Injection Affected: *-2.5.7 Patched: 2.5.7.1 Updated: June 30, 2026

LOW

gamipress

Score: 93/100 GamiPress <= 2.5.6 - Cross-Site Request Forgery to User Earnings Deletion Affected: *-2.5.6 Patched: 2.5.7 Updated: June 30, 2026

LOW

Conditional Payments for WooCommerce

conditional-payments-for-woocommerce

Score: 95/100 Conditional Payments for WooCommerce <= 2.3.1 - Cross-Site Request Forgery Affected: *-2.3.1 Patched: 2.3.2 Updated: June 30, 2026

LOW

better-robots-txt

Score: 93/100 Robots.txt optimization <= 1.4.5 - Cross Site Request Forgery Affected: *-1.4.5 Patched: 1.4.6 Updated: June 30, 2026

LOW

automatorwp

Score: 93/100 AutomatorWP <= 2.5.8 - Cross Site Request Forgery via bulk_delete Affected: *-2.5.8 Patched: 2.5.9 Updated: June 30, 2026

LOW

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

Score: 72/100 All-In-One Security (AIOS) <= 5.1.4 - Authenticated(Admin+) Directory Traversal Affected: *-5.1.4 Patched: 5.1.5 Updated: June 30, 2026

LOW

wpaudio-mp3-player

Score: N/A WPaudio MP3 Player <= 4.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-4.0.2 Patched: Updated: June 30, 2026

LOW

upqode-google-maps

Score: N/A UpQode Google Maps <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.0.5 Patched: Updated: June 30, 2026

LOW

ttv-easy-embed-player

Score: N/A Twitch Player <= 2.1.0 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-2.1.0 Patched: 2.1.1 Updated: June 30, 2026

LOW

tlp-portfolio

Score: N/A Portfolio – WordPress Portfolio Plugin <= 2.8.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-2.8.10 Patched: 2.8.11 Updated: June 30, 2026

LOW

synved-shortcodes

Score: N/A WordPress Shortcodes <= 1.6.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.6.36 Patched: Updated: June 30, 2026

LOW

simple-yearly-archive

Score: N/A Simple Yearly Archive <= 2.1.8 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.1.8 Patched: 2.1.9 Updated: June 30, 2026

LOW

rsvpmaker

Score: N/A RSVPMaker <= 9.9.3 - Authenticated (Admin+) SQL Injection via 'delete' parameter Affected: *-9.9.3 Patched: 9.9.4 Updated: June 30, 2026

LOW

rsvpmaker

Score: N/A RSVPMaker <= 9.9.3 - Authenticated (Admin+) SQL Injection via $email value Affected: *-9.9.3 Patched: 9.9.4 Updated: June 30, 2026

LOW

resume-builder

Score: N/A Resume Builder <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-3.1.1 Patched: 3.2 Updated: June 30, 2026

LOW

profile-builder

Score: N/A Profile Builder – User Profile & User Registration Forms <= 3.9.0 - Sensitive Information Disclosure via Shortcode Affected: *-3.9.0 Patched: 3.9.1 Updated: June 30, 2026

LOW

profile-builder

Score: N/A Profile Builder – User Profile & User Registration Forms <= 3.9.0 - Insecure Password Reset Mechanism Affected: *-3.9.0 Patched: 3.9.1 Updated: June 30, 2026

LOW

product-gtin-ean-upc-isbn-for-woocommerce

Score: N/A Product GTIN (EAN, UPC, ISBN) for WooCommerce <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.1.1 Patched: Updated: June 30, 2026

LOW

nd-projects

Score: N/A Cost Calculator <= 1.8 - Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode Affected: *-1.8 Patched: Updated: June 30, 2026

LOW

n-media-woocommerce-checkout-fields

Score: N/A WooCommerce Checkout Field Manager <= 17.3 - Unauthenticated Arbitrary File Upload Affected: *-17.3 Patched: 18.0 Updated: June 30, 2026

LOW

miniorange-login-openid

Score: 91/100 WordPress Social Login and Register <= 7.6.0 - Missing Authorization to Unauthenticated Arbitrary Content Deletion Affected: *-7.6.0 Patched: 7.6.1 Updated: June 30, 2026

LOW

mabel-shoppable-images-lite

Score: 93/100 Shoppable Images <= 1.2.3 - Cross Site Request Forgery Affected: *-1.2.3 Patched: 1.2.4 Updated: June 30, 2026

LOW

mabel-shoppable-images-lite

Score: 93/100 Shoppable Images Lite <= 1.2.3 - Missing Authorization Affected: *-1.2.3 Patched: 1.2.4 Updated: June 30, 2026

LOW

i2-pro-cons

Score: 91/100 i2 Pros & Cons <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.3.1 Patched: Updated: June 30, 2026

LOW

gamipress

Score: 93/100 GamiPress <= 2.5.6 - Missing Authorization to User Points Updates Affected: *-2.5.6 Patched: 2.5.7 Updated: June 30, 2026

LOW

fancy-facebook-comments

Score: 93/100 WordPress Fancy Comments <= 1.2.10 - Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode Affected: *-1.2.10 Patched: 1.2.11 Updated: June 30, 2026

LOW

dupeoff

Score: 91/100 DupeOff <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.6 Patched: Updated: June 30, 2026

LOW

download-attachments

Score: 91/100 Download Attachments <= 1.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.2.24 Patched: 1.3 Updated: June 30, 2026

LOW

announce-from-the-dashboard

Score: 97/100 Announce from the Dashboard <= 1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.5.1 Patched: 1.5.2 Updated: June 30, 2026

LOW

all-in-one-schemaorg-rich-snippets

Score: 97/100 Schema - All In One Schema Rich Snippets <= 1.6.5 - Cross-Site Request Forgery in rich_snippet_dashboard Affected: *-1.6.5 Patched: 1.6.6 Updated: June 30, 2026

LOW

advanced-recent-posts

Score: 95/100 Advanced Recent Posts <= 0.6.14 - Authenticated (Contributor+) Stored Cross Site Scripting via Shortcode Affected: *-0.6.14 Patched: Updated: June 30, 2026

LOW

cf7-widget-elementor

Score: 93/100 Void Contact Form 7 Widget For Elementor Page Builder <= 2.1.1 - Cross-Site Request Forgery in void_cf7_opt_in_user_data_track Affected: *-2.1.1 Patched: 2.2 Updated: June 30, 2026

LOW

under-construction-page

Score: N/A Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_ucp_dismiss_notice Affected: *-3.96 Patched: 3.97 Updated: June 30, 2026

LOW

under-construction-page

Score: N/A Under Construction <= 3.96 - Cross-Site Request Forgery via admin_action_install_weglot Affected: *-3.96 Patched: 3.97 Updated: June 30, 2026

Showing 26401 to 26500 of 36304 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 17:19 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List