Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36283 (across tracked plugins)
Affected Plugins: 98 (with open vulnerabilities)
Critical / High: 0 (require immediate attention)
Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| Gallery by FooGallery | foogallery | 82 | FooGallery <= 3.1.11 - Authenticated (Author+) Stored Cross-Site Scripting | | LOW | *-3.1.11 | 3.1.13 | June 30, 2026 |
| editorial-calendar | editorial-calendar | 93 | Editorial Calendar <= 3.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.9.0 | 3.9.1 | June 30, 2026 |
| activitytime | activitytime | 97 | Sessions Time Monitoring Full Automatic <= 1.1.3 - Missing Authorization | | LOW | *-1.1.3 | 1.1.4 | June 30, 2026 |
| bdthemes-element-pack-lite | bdthemes-element-pack-lite | 93 | Element Pack Addons for Elementor <= 8.3.17 - Authenticated (Contributor+) Arbitrary File Read | | LOW | *-8.3.17 | 8.3.18 | June 30, 2026 |
| ecwid-shopping-cart | ecwid-shopping-cart | 93 | Ecwid by Lightspeed Ecommerce Shopping Cart <= 7.0.7 - Authenticated (Subscriber+) Privilege Escalation via ec_store_admin_access | | LOW | *-7.0.7 | 7.0.8 | June 30, 2026 |
| Anti Spam for Contact Forms, Comments & Online Stores – CleanTalk | cleantalk-spam-protect | 71 | Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation | | LOW | *-6.71 | 6.72 | June 30, 2026 |
| wp-ultimate-review | wp-ultimate-review | N/A | Ultimate Review <= 2.3.9 - Missing Authorization | | LOW | *-2.3.9 | 2.4.0 | June 30, 2026 |
| WP Activity Log | wp-security-audit-log | N/A | Activity Log <= 5.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-5.5.4 | 5.6.0 | June 30, 2026 |
| theme-editor | theme-editor | N/A | Theme Editor <= 3.2 - Cross-Site Request Forgery | | LOW | *-3.2 | | June 30, 2026 |
| simple-blog-card | simple-blog-card | N/A | Simple Blog Card <= 2.37 - Authenticated (Contributor+) Server-Side Request Forgery | | LOW | *-2.37 | 2.38 | June 30, 2026 |
| rps-include-content | rps-include-content | N/A | RPS Include Content <= 1.2.2 - Missing Authorization | | LOW | *-1.2.2 | | June 30, 2026 |
| Robo Gallery – Photo & Image Slider | robo-gallery | N/A | Robo Gallery <= 5.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-5.1.2 | 5.1.3 | June 30, 2026 |
| qubely | qubely | N/A | Qubely <= 1.8.14 - Authenticated (Author+) Stored Cross-Site Scripting | | LOW | *-1.8.14 | | June 30, 2026 |
| Payment Plugins for PayPal WooCommerce | pymntpl-paypal-woocommerce | 92 | Payment Plugins for PayPal WooCommerce <= 2.0.13 - Missing Authorization | | LOW | *-2.0.13 | 2.0.14 | June 30, 2026 |
| Event Booking Manager for WooCommerce | mage-eventpress | 82 | WpEvently < 5.1.9 - Unauthenticated Information Exposure | | LOW | [*, 5.1.9) | 5.1.9 | June 30, 2026 |
| jet-engine | jet-engine | 93 | JetEngine < 3.8.4.1 - Authenticated (Contributor+) PHP Object Injection | | LOW | [*, 3.8.4.1) | 3.8.4.1 | June 30, 2026 |
| Booking Calendar | booking | 71 | Booking Calendar <= 10.14.15 - Authenticated (Editor+) SQL Injection | | LOW | *-10.14.15 | 10.14.16 | June 30, 2026 |
| alttext-ai | alttext-ai | 97 | Download Alt Text AI <= 1.10.15 - Missing Authorization | | LOW | *-1.10.15 | 1.10.18 | June 30, 2026 |
| media-library-plus | media-library-plus | 93 | Media Library Folders <= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename | | LOW | *-8.3.6 | 8.3.7 | June 30, 2026 |
| Essential Addons for Elementor – Popular Elementor Templates & Widgets | essential-addons-for-elementor-lite | 85 | Essential Addons for Elementor <= 6.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Info Box Widget | | LOW | *-6.5.9 | 6.5.10 | June 30, 2026 |
| mp3-music-player-by-sonaar | mp3-music-player-by-sonaar | N/A | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3 - 5.10 - Authenticated (Author+) Server-Side Request Forgery | | LOW | 5.3-5.10 | 5.11 | June 30, 2026 |
| truelysell-core | truelysell-core | N/A | Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration | | LOW | *-1.8.7 | 1.8.8 | June 30, 2026 |
| mail-mint | mail-mint | 93 | Mail Mint <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints | | LOW | *-1.19.2 | 1.19.3 | June 30, 2026 |
| modula-best-grid-gallery | modula-best-grid-gallery | 93 | Modula Image Gallery – Photo Grid & Video Gallery <= 2.13.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing | | LOW | *-2.13.6 | 2.13.7 | June 30, 2026 |
| Super Page Cache – Cloudflare Cache, Page Speed & Core Web Vitals | wp-cloudflare-page-cache | 89 | Super Page Cache <= 5.2.2 - Unauthenticated Stored Cross-Site Scripting via Activity Log | | LOW | *-5.2.2 | 5.2.3 | June 30, 2026 |
| mycred | mycred | N/A | myCred <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode | | LOW | *-2.9.7.3 | 2.9.7.4 | June 30, 2026 |
| link-hopper | link-hopper | 91 | Link Hopper <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter | | LOW | *-2.5 | | June 30, 2026 |
| ravelry-designs-widget | ravelry-designs-widget | N/A | Ravelry Designs Widget <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sb_ravelry_designs' Shortcode 'layout' Attribute | | LOW | *-1.0.0 | | June 30, 2026 |
| upmenu | upmenu | N/A | UpMenu <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute | | LOW | *-3.1 | | June 30, 2026 |
| midi-synth | midi-synth | 93 | midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action | | LOW | *-1.1.0 | 2.0.0 | June 30, 2026 |
| collectchat | collectchat | 93 | Chatbot for WordPress by Collect.chat ⚡️ <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Field | | LOW | *-2.4.8 | 2.4.9 | June 30, 2026 |
| geowidget | geowidget | 91 | Geo Widet <= 1.0 - Reflected Cross-Site Scripting | | LOW | *-1.0 | | June 30, 2026 |
| press3d | press3d | N/A | Press3D <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block | | LOW | *-1.0.2 | 1.1.0 | June 30, 2026 |
| smart-forms | smart-forms | N/A | Smart Forms <= 2.6.100 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure | | LOW | *-2.6.100 | 2.6.101 | June 30, 2026 |
| user-language-switch | user-language-switch | N/A | User Language Switch <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter | | LOW | *-1.6.10 | | June 30, 2026 |
| user-language-switch | user-language-switch | N/A | User Language Switch <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter | | LOW | *-1.6.10 | | June 30, 2026 |
| payment-page | payment-page | N/A | Payment Page \| Payment Form for Stripe <= 1.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter | | LOW | *-1.4.6 | 1.4.7 | June 30, 2026 |
| mdirector-newsletter | mdirector-newsletter | 93 | MDirector Newsletter <= 4.5.8 - Cross-Site Request Forgery to Plugin Settings Update | | LOW | *-4.5.8 | 4.5.9 | June 30, 2026 |
| olalaweb-mailchimp-campaign-manager | olalaweb-mailchimp-campaign-manager | N/A | MailChimp Campaigns <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection | | LOW | *-3.2.4 | | June 30, 2026 |
| wp-quick-contact-us | wp-quick-contact-us | N/A | WP Quick Contact Us <= 1.0 - Cross-Site Request Forgery to Settings Update | | LOW | *-1.0 | | June 30, 2026 |
| percent-to-infograph | percent-to-infograph | N/A | Percent to Infograph <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.0 | | June 30, 2026 |
| scheduler-widget | scheduler-widget | N/A | Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification | | LOW | *-0.1.6 | | June 30, 2026 |
| address-bar-ads | address-bar-ads | 95 | Address Bar Ads <= 1.0.0 - Reflected Cross-Site Scripting | | LOW | *-1.0.0 | | June 30, 2026 |
| stylebidet | stylebidet | N/A | StyleBidet <= 1.0.0 - Reflected Cross-Site Scripting | | LOW | *-1.0.0 | | June 30, 2026 |
| questionpro-surveys | questionpro-surveys | N/A | QuestionPro Surveys <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.0 | | June 30, 2026 |
| super-simple-contact-form | super-simple-contact-form | N/A | Super Simple Contact Form <= 1.6.2 - Reflected Cross-Site Scripting via 'sscf_name' Parameter | | LOW | *-1.6.2 | | June 30, 2026 |
| sphere-manager | sphere-manager | N/A | Sphere Manager <= 1.0.2 - Authenticated (Contributor+) Cross-Site Scripting via 'width' Shortcode Attribute | | LOW | *-1.0.2 | | June 30, 2026 |
| callbackkiller-service-widget | callbackkiller-service-widget | 91 | CallbackKiller service widget <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update | | LOW | *-1.2 | | June 30, 2026 |
| LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint | 83 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Cross-Site Request Forgery | | LOW | *-5.2.5 | 5.2.6 | June 30, 2026 |
| masterstudy-lms-learning-management-system | masterstudy-lms-learning-management-system | 93 | MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'stm_lms_courses_grid_display' Shortcode | | LOW | *-3.7.11 | 3.7.12 | June 30, 2026 |
| flexi-product-slider-grid | flexi-product-slider-grid | 91 | Flexi Product Slider and Grid for WooCommerce <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute | | LOW | *-1.0.5 | | June 30, 2026 |
| accordion-and-accordion-slider | accordion-and-accordion-slider | 97 | Accordion and Accordion Slider <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification | | LOW | *-1.4.5 | 1.4.6 | June 30, 2026 |
| WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards | wp-data-access | N/A | WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode | | LOW | *-5.5.63 | 5.5.64 | June 30, 2026 |
| allow-html-in-category-descriptions | allow-html-in-category-descriptions | 95 | Allow HTML in Category Descriptions <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions | | LOW | *-1.2.4 | | June 30, 2026 |
| tz-zoomifywp-free | tz-zoomifywp-free | N/A | ZoomifyWP Free <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'filename' Shortcode Attribute | | LOW | *-1.1 | | June 30, 2026 |
| SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder | sureforms | N/A | SureForms – Drag and Drop Form Builder for WordPress <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation | | LOW | *-2.2.1 | 2.2.2 | June 30, 2026 |
| wpguppy-lite | wpguppy-lite | N/A | One to one user Chat by WPGuppy <= 1.1.4 - Unauthenticated Information Disclosure via Chat Message Interception | | LOW | *-1.1.4 | | June 30, 2026 |
| simple-plyr | simple-plyr | N/A | Simple Plyr <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'poster' Shortcode Attribute | | LOW | *-0.0.1 | | June 30, 2026 |
| photostack-gallery | photostack-gallery | N/A | PhotoStack Gallery <= 0.4.1 - Unauthenticated SQL Injection via 'postid' Parameter | | LOW | *-0.4.1 | | June 30, 2026 |
| bookr | bookr | 91 | Appointment Booking Calendar Plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification | | LOW | *-1.0.2 | | June 30, 2026 |
| simple-wp-colorfull-accordion | simple-wp-colorfull-accordion | N/A | Simple Wp colorfull Accordion <= 1.0 - Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute | | LOW | *-1.0 | | June 30, 2026 |
| personal-authors-category | personal-authors-category | N/A | personal-authors-category <= 0.3 - Reflected Cross-Site Scripting | | LOW | *-0.3 | | June 30, 2026 |
| magic-login-mail | magic-login-mail | 93 | Magic Login Mail or QR Code <= 2.05 - Unauthenticated Privilege Escalation via Insecure QR Code File Storage | | LOW | *-2.05 | 2.06 | June 30, 2026 |
| amp-enhancer | amp-enhancer | 95 | AMP Enhancer <= 1.0.49 - Authenticated (Administrator+) Stored Cross-Site Scripting via AMP Custom CSS Setting | | LOW | *-1.0.49 | | June 30, 2026 |
| bluesnap-payment-gateway-for-woocommerce | bluesnap-payment-gateway-for-woocommerce | 93 | BlueSnap Payment Gateway for WooCommerce <= 3.4.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation | | LOW | *-3.4.0 | 3.4.1 | June 30, 2026 |
| citations-tools | citations-tools | 91 | Citations tools <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute | | LOW | *-0.3.2 | | June 30, 2026 |
| simple-event-attendance | simple-event-attendance | N/A | SEATT: Simple Event Attendance <= 1.5.0 - Cross-Site Request Forgery to Arbitrary Event Deletion | | LOW | *-1.5.0 | | June 30, 2026 |
| easy-voice-mail | easy-voice-mail | 93 | Easy Voice Mail <= 1.2.5 - Unauthenticated Stored Cross-Site Scripting via 'message' | | LOW | *-1.2.5 | 1.2.6 | June 30, 2026 |
| easy-form-builder | easy-form-builder | 93 | Easy Form Builder <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure | | LOW | *-3.9.3 | 3.9.4 | June 30, 2026 |
| bfg-tools-extension-zipper | bfg-tools-extension-zipper | 93 | BFG Tools – Extension Zipper <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter | | LOW | *-1.0.7 | 1.0.8 | June 30, 2026 |
| stickeasy-protected-contact-form | stickeasy-protected-contact-form | N/A | StickEasy Protected Contact Form <= 1.0.1 - Unauthenticated Information Disclosure | | LOW | *-1.0.1 | 1.0.2 | June 30, 2026 |
| starfish-reviews | starfish-reviews | N/A | Starfish Review Generation & Marketing for WordPress <= 3.1.19 - Authenticated (Subscriber+) Arbitrary Options Update via srm_restore_options_defaults | | LOW | *-3.1.19 | 3.1.20 | June 30, 2026 |
| pixelyoursite-pro | pixelyoursite-pro | N/A | PixelYourSite PRO <= 12.4.0.2 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-12.4.0.2 | 12.4.0.3 | June 30, 2026 |
| pixelyoursite | pixelyoursite | N/A | PixelYourSite <= 11.2.0 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-11.2.0 | 11.2.0.1 | June 30, 2026 |
| wpschoolpress | wpschoolpress | N/A | WPSchoolPress <= 2.2.36 - Missing Authorization | | LOW | *-2.2.36 | | June 30, 2026 |
| wp-last-modified-info | wp-last-modified-info | N/A | WP Last Modified Info <= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification | | LOW | *-1.9.5 | 1.9.6 | June 30, 2026 |
| wp-e-commerce | wp-e-commerce | N/A | eCommerce <= 3.15.1 - Cross-Site Request Forgery to Coupon Deletion | | LOW | *-3.15.1 | | June 30, 2026 |
| share-this-image | share-this-image | N/A | Share This Image <= 2.14 - Unauthenticated Server-Side Request Forgery | | LOW | *-2.14 | 2.15 | June 30, 2026 |
| powerpress | powerpress | N/A | PowerPress Podcasting <= 11.15.13 - Authenticated (Author+) Stored Cross-Site Scripting | | LOW | *-11.15.13 | 11.15.14 | June 30, 2026 |
| powerpack-for-learndash | powerpack-for-learndash | N/A | Powerpack for LearnDash <= 1.2.0 - Unauthenticated Arbitrary Options Update | | LOW | *-1.2.0 | 1.3.0 | June 30, 2026 |
| mailerpress | mailerpress | 93 | MailerPress <= 1.4.2 - Authenticated (Contributor+) Server-Side Request Forgery | | LOW | *-1.4.2 | 1.5.0 | June 30, 2026 |
| getty-images | getty-images | 91 | Getty Images <= 4.1.0 - Authenticated (Contributor+) Server-Side Request Forgery | | LOW | *-4.1.0 | | June 30, 2026 |
| Elementor Website Builder – more than just a page builder | elementor | 79 | Elementor Website Builder <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.35.5 | 3.35.6 | June 30, 2026 |
| addons-for-elementor | addons-for-elementor | 93 | Livemesh Addons for Elementor <= 9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-9.0 | | June 30, 2026 |
| secure-copy-content-protection | secure-copy-content-protection | N/A | Secure Copy Content Protection and Content Locking <= 4.9.8 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header | | LOW | *-4.9.8 | 4.9.9 | June 30, 2026 |
| customer-reviews-woocommerce | customer-reviews-woocommerce | 93 | Customer Reviews for WooCommerce <= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter | | LOW | *-5.97.0 | 5.98.0 | June 30, 2026 |
| post-type-archive-mapping | post-type-archive-mapping | N/A | Custom Query Blocks <= 5.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-5.5.0 | 5.6.0 | June 30, 2026 |
| login-with-salesforce | login-with-salesforce | 91 | Login with Salesforce <= 1.0.2 - Authentication Bypass | | LOW | *-1.0.2 | | June 30, 2026 |
| content-protector | content-protector | 93 | Passster <= 4.2.25 - Missing Authorization | | LOW | *-4.2.25 | 4.2.26 | June 30, 2026 |
| winterlock | winterlock | N/A | Activity Log for WordPress <= 1.2.8 - Missing Authorization to Sensitive Information Exposure via Log File | | LOW | *-1.2.8 | 1.2.9 | June 30, 2026 |
| webp-converter-for-media | webp-converter-for-media | N/A | Converter for Media – Optimize images \| Convert WebP & AVIF <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src | | LOW | *-6.5.1 | 6.5.2 | June 30, 2026 |
| LatePoint – Calendar Booking Plugin for Appointments and Events | latepoint | 83 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure | | LOW | *-5.2.6 | 5.2.7 | June 30, 2026 |
| wpdm-elementor | wpdm-elementor | N/A | Download Manager Addons for Elementor <= 1.3.0 - Unauthenticated SQL Injection | | LOW | *-1.3.0 | 2.0.0 | June 30, 2026 |
| wp-fullcalendar | wp-fullcalendar | N/A | FullCalendar <= 1.6 - Missing Authorization | | LOW | *-1.6 | | June 30, 2026 |
| slider-responsive-slideshow | slider-responsive-slideshow | N/A | Slider Responsive Slideshow – Image slider, Gallery slideshow <= 1.5.4 - Authenticated (Contributor+) PHP Object Injection | | LOW | *-1.5.4 | | June 30, 2026 |
| persian-woocommerce-sms | persian-woocommerce-sms | N/A | Persian Woocommerce SMS <= 7.1.1 - Reflected Cross-Site Scripting | | LOW | *-7.1.1 | | June 30, 2026 |
| pdf-for-wpforms | pdf-for-wpforms | N/A | PDF for WPForms <= 6.3.0 - Missing Authorization | | LOW | *-6.3.0 | 6.3.1 | June 30, 2026 |
| pdf-for-elementor-forms | pdf-for-elementor-forms | N/A | PDF for Elementor Forms + Drag And Drop Template Builder <= 6.3.1 - Missing Authorization | | LOW | *-6.3.1 | 6.5.0 | June 30, 2026 |
| Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions | N/A | Paid Member Subscriptions <= 2.16.8 - Authenticated (Subscriber+) Insecure Direct Object Reference | | LOW | *-2.16.8 | 2.16.9 | June 30, 2026 |
| openpix-for-woocommerce | openpix-for-woocommerce | N/A | OpenPix <= 2.13.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update | | LOW | *-2.13.3 | | June 30, 2026 |
LOW

secure-copy-content-protection

secure-copy-content-protection

Score: N/A Secure Copy Content Protection and Content Locking <= 4.9.8 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header Affected: *-4.9.8 Patched: 4.9.9 Updated: June 30, 2026
LOW

customer-reviews-woocommerce

customer-reviews-woocommerce

Score: 93/100 Customer Reviews for WooCommerce <= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter Affected: *-5.97.0 Patched: 5.98.0 Updated: June 30, 2026
LOW

post-type-archive-mapping

post-type-archive-mapping

Score: N/A Custom Query Blocks <= 5.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-5.5.0 Patched: 5.6.0 Updated: June 30, 2026
LOW

login-with-salesforce

login-with-salesforce

Score: 91/100 Login with Salesforce <= 1.0.2 - Authentication Bypass Affected: *-1.0.2 Patched: Updated: June 30, 2026
LOW

content-protector

content-protector

Score: 93/100 Passster <= 4.2.25 - Missing Authorization Affected: *-4.2.25 Patched: 4.2.26 Updated: June 30, 2026
LOW

winterlock

winterlock

Score: N/A Activity Log for WordPress <= 1.2.8 - Missing Authorization to Sensitive Information Exposure via Log File Affected: *-1.2.8 Patched: 1.2.9 Updated: June 30, 2026
LOW

webp-converter-for-media

webp-converter-for-media

Score: N/A Converter for Media – Optimize images | Convert WebP & AVIF <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src Affected: *-6.5.1 Patched: 6.5.2 Updated: June 30, 2026
LOW

wpdm-elementor

wpdm-elementor

Score: N/A Download Manager Addons for Elementor <= 1.3.0 - Unauthenticated SQL Injection Affected: *-1.3.0 Patched: 2.0.0 Updated: June 30, 2026
LOW

wp-fullcalendar

wp-fullcalendar

Score: N/A FullCalendar <= 1.6 - Missing Authorization Affected: *-1.6 Patched: Updated: June 30, 2026
LOW

slider-responsive-slideshow

slider-responsive-slideshow

Score: N/A Slider Responsive Slideshow – Image slider, Gallery slideshow <= 1.5.4 - Authenticated (Contributor+) PHP Object Injection Affected: *-1.5.4 Patched: Updated: June 30, 2026
LOW

persian-woocommerce-sms

persian-woocommerce-sms

Score: N/A Persian Woocommerce SMS <= 7.1.1 - Reflected Cross-Site Scripting Affected: *-7.1.1 Patched: Updated: June 30, 2026
LOW

pdf-for-wpforms

pdf-for-wpforms

Score: N/A PDF for WPForms <= 6.3.0 - Missing Authorization Affected: *-6.3.0 Patched: 6.3.1 Updated: June 30, 2026
LOW

pdf-for-elementor-forms

pdf-for-elementor-forms

Score: N/A PDF for Elementor Forms + Drag And Drop Template Builder <= 6.3.1 - Missing Authorization Affected: *-6.3.1 Patched: 6.5.0 Updated: June 30, 2026
LOW

openpix-for-woocommerce

openpix-for-woocommerce

Score: N/A OpenPix <= 2.13.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update Affected: *-2.13.3 Patched: Updated: June 30, 2026

Showing 2701 to 2800 of 36283 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 06:59 UTC.