Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36283 (across tracked plugins)

Affected Plugins: 95 (with open vulnerabilities)

Critical / High: 0 (require immediate attention)

Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score (/100) | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| new-user-approve | new-user-approve | N/A | New User Approve <= 3.2.0 - Missing Authorization | | LOW | *-3.2.0 | 3.2.1 | June 30, 2026 |
| new-image-gallery | new-image-gallery | N/A | Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery <= 1.6.0 - Authenticated (Contributor+) PHP Object Injection | | LOW | *-1.6.0 | 1.6.1 | June 30, 2026 |
| Mollie Payments for WooCommerce | mollie-payments-for-woocommerce | 92 | Mollie Payments for WooCommerce <= 8.1.1 - Reflected Cross-Site Scripting | | LOW | *-8.1.1 | 8.1.2 | June 30, 2026 |
| modal-popup-box | modal-popup-box | 93 | Modal Popup Box <= 1.6.1 - Authenticated (Contributor+) PHP Object Injection | | LOW | *-1.6.1 | 1.6.2 | June 30, 2026 |
| masvideos | masvideos | 91 | MAS Videos <= 1.3.2 - Missing Authorization | | LOW | *-1.3.2 | 1.3.3 | June 30, 2026 |
| learnpress-import-export | learnpress-import-export | 93 | LearnPress Export Import <= 4.1.0 - Missing Authentication to Unauthenticated Migrated Course Deletion | | LOW | *-4.1.0 | 4.1.1 | June 30, 2026 |
| Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | kadence-blocks | 91 | Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization | | LOW | *-3.5.32 | 3.6.0 | June 30, 2026 |
| js-support-ticket | js-support-ticket | 93 | JS Help Desk <= 3.0.1 - Authenticated (Subscriber+) SQL Injection | | LOW | *-3.0.1 | 3.0.2 | June 30, 2026 |
| jet-engine | jet-engine | 93 | JetEngine <= 3.8.0 - Reflected Cross-Site Scripting | | LOW | *-3.8.0 | 3.8.1 | June 30, 2026 |
| imoney | imoney | 91 | iMoney <= 0.36 - Reflected Cross-Site Scripting | | LOW | *-0.36 | | June 30, 2026 |
| final-tiles-grid-gallery-lite | final-tiles-grid-gallery-lite | 93 | Image Photo Gallery Final Tiles Grid <= 3.6.11 - Authenticated (Author+) Insecure Direct Object Reference | | LOW | *-3.6.11 | 3.6.12 | June 30, 2026 |
| fastdup | fastdup | 93 | FastDup – Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download | | LOW | *-2.7.1 | 2.7.2 | June 30, 2026 |
| embed-pdf-viewer | embed-pdf-viewer | 93 | Embed PDF Viewer <= 2.4.7 - Authenticated (Contributor+) Server-Side Request Forgery | | LOW | *-2.4.7 | 2.4.8 | June 30, 2026 |
| Easy Table of Contents | easy-table-of-contents | 95 | Easy Table of Contents <= 2.0.80 - Cross-Site Request Forgery | | LOW | *-2.0.80 | 2.0.81 | June 30, 2026 |
| duplicate-post | duplicate-post | 97 | Duplicate Post <= 3.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-3.2.3 | 3.2.4 | June 30, 2026 |
| cnvrse | cnvrse | 93 | Cnvrse < 026.02.10.20 - Unauthenticated Insecure Direct Object Reference | | LOW | [*, 026.02.10.20) | 026.02.10.20 | June 30, 2026 |
| byconsole-woo-order-delivery-time | byconsole-woo-order-delivery-time | 91 | WooODT Lite <= 2.5.5 - Unauthenticated Payment Bypass | | LOW | *-2.5.5 | 2.5.6 | June 30, 2026 |
| bravis-addons | bravis-addons | 93 | Bravis Addons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Upload | | LOW | *-1.3.0 | 1.3.1 | June 30, 2026 |
| blog-filter | blog-filter | 93 | Blog Filter <= 1.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.7.6 | 1.7.7 | June 30, 2026 |
| videospirecore | videospirecore | N/A | Videospirecore Theme Plugin <= 1.0.6 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover | | LOW | *-1.0.6 | | June 30, 2026 |
| wpzoom-elementor-addons | wpzoom-elementor-addons | N/A | WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more | | LOW | *-1.3.2 | 1.3.3 | June 30, 2026 |
| listsearch | listsearch | 91 | BuddyHolis ListSearch <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'placeholder' Shortcode Attribute | | LOW | *-1.1 | | June 30, 2026 |
| flask-micro | flask-micro | 91 | IDE Micro code-editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute | | LOW | *-1.0.0 | | June 30, 2026 |
| wdes-responsive-popup | wdes-responsive-popup | N/A | WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute | | LOW | *-1.3.6 | | June 30, 2026 |
| kirilkirkov-pdf-invoice-manager | kirilkirkov-pdf-invoice-manager | 93 | Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure | | LOW | *-1.6 | 1.7 | June 30, 2026 |
| mma-call-tracking | mma-call-tracking | 91 | MMA Call Tracking <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update | | LOW | *-2.3.15 | | June 30, 2026 |
| wplyr-media-block | wplyr-media-block | N/A | WPlyr Media Block <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via '_wplyr_accent_color' Parameter | | LOW | *-1.3.0 | | June 30, 2026 |
| slideshow-wp | slideshow-wp | N/A | Slideshow Wp <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute | | LOW | *-1.1 | | June 30, 2026 |
| sudoku-shortcode | sudoku-shortcode | N/A | Sudoku Shortcode <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'background' Shortcode Attribute | | LOW | *-1.0.0 | | June 30, 2026 |
| ione360-configurator | ione360-configurator | 89 | iONE360 configurator <= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters | | LOW | *-2.0.57 | | June 30, 2026 |
| wpos-lite-version | wpos-lite-version | N/A | OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-3.0 | 3.1 | June 30, 2026 |
| html-shortcodes | html-shortcodes | 91 | HTML Shortcodes <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-1.1 | | June 30, 2026 |
| wamate-confirm | wamate-confirm | N/A | WaMate Confirm <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Phone Number Blocking/Unblocking | | LOW | *-2.0.1 | | June 30, 2026 |
| category-image | category-image | 91 | Category Image <= 2.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'tag-image' Parameter | | LOW | *-2.0 | | June 30, 2026 |
| microtango | microtango | 93 | Microtango <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-0.9.29 | 0.9.30 | June 30, 2026 |
| twitter-posts-to-blog | twitter-posts-to-blog | N/A | Twitter posts to Blog <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settings Update | | LOW | *-1.11.25 | | June 30, 2026 |
| WPvivid — Backup, Migration & Staging | wpvivid-backuprestore | 63 | Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload | | LOW | *-0.9.123 | 0.9.124 | June 30, 2026 |
| orbisius-random-name-generator | orbisius-random-name-generator | N/A | Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute | | LOW | *-1.0.2 | 1.0.3 | June 30, 2026 |
| beaver-builder-lite-version | beaver-builder-lite-version | 93 | Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings | | LOW | *-2.10.0.5 | 2.10.0.6 | June 30, 2026 |
| SlimStat Analytics | wp-slimstat | N/A | SlimStat Analytics <= 5.3.1 - Authenticated (Subscriber+) SQL Injection via `args` Parameter | | LOW | *-5.3.1 | 5.3.2 | June 30, 2026 |
| Gallery by FooGallery | foogallery | 82 | Gallery by FooGallery <= 3.1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Gallery Metadata Exposure | | LOW | *-3.1.9 | 3.1.10 | June 30, 2026 |
| wp-lucky-wheel | wp-lucky-wheel | N/A | Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter | | LOW | *-1.0.22 | 1.0.23 | June 30, 2026 |
| wpforo | wpforo | N/A | wpForo Forum <= 2.4.13 - Authenticated (Subscriber+) PHP Object Injection | | LOW | *-2.4.13 | 2.4.14 | June 30, 2026 |
| wp-sms | wp-sms | N/A | WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce <= 7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-7.1 | 7.1.1 | June 30, 2026 |
| woo-coming-soon-product | woo-coming-soon-product | N/A | WooCommerce Coming Soon Product with Countdown <= 5.0 - Authenticated (Subscriber+) Local File Inclusion | | LOW | *-5.0 | 5.1 | June 30, 2026 |
| visitor-maps-extended-referer-field | visitor-maps-extended-referer-field | N/A | Visitor Maps Extended Referer Field <= 1.2.6 - Reflected Cross-Site Scripting | | LOW | *-1.2.6 | | June 30, 2026 |
| uni-woo-custom-product-options-premium | uni-woo-custom-product-options-premium | N/A | Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) <= 4.9.60 - Missing Authorization to Unauthenticated Arbitrary Attachment and Dropbox File Deletion | | LOW | *-4.9.60 | 4.9.61 | June 30, 2026 |
| templates-and-addons-for-wpbakery-page-builder | templates-and-addons-for-wpbakery-page-builder | N/A | Business Template Blocks for WPBakery (Visual Composer) Page Builder <= 1.3.2 - Reflected Cross-Site Scripting | | LOW | *-1.3.2 | | June 30, 2026 |
| sudoku-shortcode | sudoku-shortcode | N/A | Sudoku Shortcode <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.0.0 | | June 30, 2026 |
| real3d-flipbook-lite | real3d-flipbook-lite | N/A | Real 3D FlipBook <= 4.19.1 - Missing Authorization | | LOW | *-4.19.1 | 4.19.2 | June 30, 2026 |
| Quiz Maker by AYS | quiz-maker | 66 | Quiz Maker <= 6.7.1.2 - Cross-Site Request Forgery | | LOW | *-6.7.1.2 | 6.7.1.3 | June 30, 2026 |
| miraculous-el | miraculous-el | 93 | Miraculous Elementor <= 2.0.7 - Authenticated (Subscriber+) Privilege Escalation | | LOW | *-2.0.7 | 2.0.8 | June 30, 2026 |
| Custom Block Builder – Lazy Blocks | lazy-blocks | 96 | Custom Block Builder – Lazy Blocks <= 4.2.0 - Authenticated (Contributor+) Remote Code Execution | | LOW | *-4.2.0 | 4.2.1 | June 30, 2026 |
| Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | kadence-blocks | 91 | Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.5.32 - Incorrect Authorization to Authenticated (Contributor+) Post Publication | | LOW | *-3.5.32 | 3.6.0 | June 30, 2026 |
| jw-player-7-for-wp | jw-player-7-for-wp | 91 | JW Player for WordPress <= 2.3.7 - Missing Authorization | | LOW | *-2.3.7 | | June 30, 2026 |
| Download Manager | download-manager | 63 | Download Manager <= 3.3.53 - Authenticated (Author+) Stored Cross-Site Scripting | | LOW | *-3.3.53 | 3.3.54 | June 30, 2026 |
| download-attachments | download-attachments | 91 | Download Attachments <= 1.4.0 - Unauthenticated Insecure Direct Object Reference | | LOW | *-1.4.0 | | June 30, 2026 |
| name-directory | name-directory | N/A | Name Directory <= 1.32.0 - Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form | | LOW | *-1.32.0 | 1.32.1 | June 30, 2026 |
| Ninja Forms – The Contact Form Builder That Grows With You | ninja-forms | 69 | Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action | | LOW | *-3.14.0 | 3.14.1 | June 30, 2026 |
| the-events-calendar-shortcode | the-events-calendar-shortcode | N/A | The Events Calendar Shortcode & Block <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | | LOW | *-3.1.2 | 3.1.3 | June 30, 2026 |
| popup-builder-block | popup-builder-block | N/A | PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion | | LOW | *-2.2.0 | 2.2.1 | June 30, 2026 |
| wc-multivendor-marketplace | wc-multivendor-marketplace | N/A | WCFM Marketplace <= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation | | LOW | *-3.7.0 | 3.7.1 | June 30, 2026 |
| Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | fluentform | 78 | Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module | | LOW | *-6.1.14 | 6.1.15 | June 30, 2026 |
| wc-frontend-manager | wc-frontend-manager | N/A | WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update | | LOW | *-6.7.24 | 6.7.25 | June 30, 2026 |
| wc-multivendor-membership | wc-multivendor-membership | N/A | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment | | LOW | *-2.11.8 | 2.11.9 | June 30, 2026 |
| yaycurrency | yaycurrency | N/A | YayCurrency <= 3.3 - Missing Authorization to Unauthenticated Arbitrary Post Deletion | | LOW | *-3.3 | 3.3.1 | June 30, 2026 |
| wpshop | wpshop | N/A | shop <= 2.6.1 - Unauthenticated Local File Inclusion | | LOW | *-2.6.1 | | June 30, 2026 |
| wp-user-extra-fields | wp-user-extra-fields | N/A | User Extra Fields <= 16.8 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-16.8 | 16.9 | June 30, 2026 |
| wp-upload-files-anywhere | wp-upload-files-anywhere | N/A | Upload Files Anywhere <= 2.8 - Unauthenticated Arbitrary File Download | | LOW | *-2.8 | | June 30, 2026 |
| wp-upload-files-anywhere | wp-upload-files-anywhere | N/A | Upload Files Anywhere <= 2.8 - Unauthenticated Arbitrary File Deletion | | LOW | *-2.8 | | June 30, 2026 |
| woocommerce-quick-product-editor | woocommerce-quick-product-editor | N/A | WooCommerce Bulk Product Editor <= 3.0 - Missing Authorization | | LOW | *-3.0 | | June 30, 2026 |
| whizz-plugins | whizz-plugins | N/A | Whizz Plugins <= 1.9 - Reflected Cross-Site Scripting | | LOW | *-1.9 | 2.0.0 | June 30, 2026 |
| timeline-event-history | timeline-event-history | N/A | Timeline Event History <= 3.2 - Reflected Cross-Site Scripting | | LOW | *-3.2 | | June 30, 2026 |
| themesflat-elementor | themesflat-elementor | N/A | Themesflat Elementor <= 1.0.1 - Unauthenticated PHP Object Injection | | LOW | *-1.0.1 | | June 30, 2026 |
| simple-retail-menus | simple-retail-menus | N/A | Simple Retail Menus <= 4.2.1 - Unauthenticated Local File Inclusion | | LOW | *-4.2.1 | | June 30, 2026 |
| Simple File List | simple-file-list | 90 | Simple File List <= 6.1.15 - Authenticated (Subscriber+) Arbitrary File Download | | LOW | *-6.1.15 | 6.1.16 | June 30, 2026 |
| rvcfdi-para-woocommerce | rvcfdi-para-woocommerce | N/A | RVCFDI para Woocommerce <= 8.1.8 - Reflected Cross-Site Scripting | | LOW | *-8.1.8 | | June 30, 2026 |
| primer-mydata | primer-mydata | N/A | Primer MyData for Woocommerce <= 4.2.8 - Unauthenticated Path Traversal | | LOW | *-4.2.8 | 4.2.9 | June 30, 2026 |
| nex-forms-express-wp-form-builder | nex-forms-express-wp-form-builder | N/A | NEX-Forms <= 9.1.7 - Reflected Cross-Site Scripting | | LOW | *-9.1.7 | 9.1.8 | June 30, 2026 |
| easy-form | easy-form | 93 | Easy Form <= 2.7.9 - Missing Authorization | | LOW | *-2.7.9 | 2.8.0 | June 30, 2026 |
| cliengo | cliengo | 93 | Cliengo – Chatbot <= 3.0.4 - Missing Authorization | | LOW | *-3.0.4 | 3.0.5 | June 30, 2026 |
| booking-and-rental-manager-for-woocommerce | booking-and-rental-manager-for-woocommerce | 93 | Booking and Rental Manager <= 2.5.9 - Authenticated (Contributor+) PHP Object Injection | | LOW | *-2.5.9 | 2.6.0 | June 30, 2026 |
| atarim-visual-collaboration | atarim-visual-collaboration | 93 | Atarim <= 4.2.1 - Missing Authorization | | LOW | *-4.2.1 | 4.2.2 | June 30, 2026 |
| fluentformpro | fluentformpro | 93 | Fluent Forms Pro Add On Pack <= 6.1.12 - Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource' | | LOW | *-6.1.12 | 6.1.13 | June 30, 2026 |
| webtexttool | webtexttool | N/A | Textmetrics <= 3.6.4 - Missing Authorization | | LOW | *-3.6.4 | 3.6.5 | June 30, 2026 |
| secure-copy-content-protection | secure-copy-content-protection | N/A | Secure Copy Content Protection and Content Locking <= 5.0.0 - Missing Authorization | | LOW | *-5.0.0 | 5.0.1 | June 30, 2026 |
| photo-gallery | photo-gallery | N/A | Photo Gallery by 10Web <= 1.8.37 - Cross-Site Request Forgery | | LOW | *-1.8.37 | 1.8.38 | June 30, 2026 |
| ays-chatgpt-assistant | ays-chatgpt-assistant | 93 | AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.4 - Missing Authorization | | LOW | *-2.7.4 | 2.7.5 | June 30, 2026 |
| advanced-related-posts | advanced-related-posts | 97 | Advanced Related Posts <= 1.9.1 - Missing Authorization | | LOW | *-1.9.1 | 1.9.2 | June 30, 2026 |
| jay-login-register | jay-login-register | 93 | JAY Login & Register <= 2.6.03 - Authenticated (Subscriber+) Privilege Escalation via jay_panel_ajax_update_profile | | LOW | *-2.6.03 | 2.6.04 | June 30, 2026 |
| jay-login-register | jay-login-register | 93 | JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user | | LOW | *-2.6.03 | 2.6.04 | June 30, 2026 |
| wpxmas-snow | wpxmas-snow | N/A | WpXmas-Snow <= 1.1 - Missing Authorization | | LOW | *-1.1 | 1.2 | June 30, 2026 |
| wava-payment | wava-payment | N/A | Wava Payment <= 0.3.7 - Missing Authorization | | LOW | *-0.3.7 | | June 30, 2026 |
| sigmize | sigmize | N/A | Sigmize <= 0.0.9 - Cross-Site Request Forgery | | LOW | *-0.0.9 | 0.0.10 | June 30, 2026 |
| ipospays-gateways-wc | ipospays-gateways-wc | 93 | iPOSpays Gateways WC <= 1.3.7 - Unauthenticated Missing Authorization to Settings Update via REST API Endpoint | | LOW | *-1.3.7 | 1.3.8 | June 30, 2026 |
| fox-lms | fox-lms | 93 | Fox LMS <= 1.0.6.3 - Authenticated (Contributor+) SQL Injection | | LOW | *-1.0.6.3 | 1.0.6.4 | June 30, 2026 |
| endless-posts-navigation | endless-posts-navigation | 93 | Endless Posts Navigation <= 2.2.9 - Missing Authorization | | LOW | *-2.2.9 | 2.3.0 | June 30, 2026 |
| the-bucketlister | the-bucketlister | N/A | The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification | | LOW | *-0.1.5 | | June 30, 2026 |
| the-bucketlister | the-bucketlister | N/A | The Bucketlister <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and `id` Shortcode Attributes | | LOW | *-0.1.5 | | June 30, 2026 |
| premmerce | premmerce | N/A | Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premmerce_wizard_actions' AJAX Endpoint | | LOW | *-1.3.20 | 1.3.21 | June 30, 2026 |
LOW

photo-gallery

photo-gallery

Score: N/A Photo Gallery by 10Web <= 1.8.37 - Cross-Site Request Forgery Affected: *-1.8.37 Patched: 1.8.38 Updated: June 30, 2026
LOW

ays-chatgpt-assistant

ays-chatgpt-assistant

Score: 93/100 AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.4 - Missing Authorization Affected: *-2.7.4 Patched: 2.7.5 Updated: June 30, 2026
LOW

advanced-related-posts

advanced-related-posts

Score: 97/100 Advanced Related Posts <= 1.9.1 - Missing Authorization Affected: *-1.9.1 Patched: 1.9.2 Updated: June 30, 2026
LOW

jay-login-register

jay-login-register

Score: 93/100 JAY Login & Register <= 2.6.03 - Authenticated (Subscriber+) Privilege Escalation via jay_panel_ajax_update_profile Affected: *-2.6.03 Patched: 2.6.04 Updated: June 30, 2026
LOW

jay-login-register

jay-login-register

Score: 93/100 JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user Affected: *-2.6.03 Patched: 2.6.04 Updated: June 30, 2026
LOW

wpxmas-snow

wpxmas-snow

Score: N/A WpXmas-Snow <= 1.1 - Missing Authorization Affected: *-1.1 Patched: 1.2 Updated: June 30, 2026
LOW

wava-payment

wava-payment

Score: N/A Wava Payment <= 0.3.7 - Missing Authorization Affected: *-0.3.7 Patched: Updated: June 30, 2026
LOW

sigmize

sigmize

Score: N/A Sigmize <= 0.0.9 - Cross-Site Request Forgery Affected: *-0.0.9 Patched: 0.0.10 Updated: June 30, 2026
LOW

ipospays-gateways-wc

ipospays-gateways-wc

Score: 93/100 iPOSpays Gateways WC <= 1.3.7 - Unauthenticated Missing Authorization to Settings Update via REST API Endpoint Affected: *-1.3.7 Patched: 1.3.8 Updated: June 30, 2026
LOW

fox-lms

fox-lms

Score: 93/100 Fox LMS <= 1.0.6.3 - Authenticated (Contributor+) SQL Injection Affected: *-1.0.6.3 Patched: 1.0.6.4 Updated: June 30, 2026
LOW

endless-posts-navigation

endless-posts-navigation

Score: 93/100 Endless Posts Navigation <= 2.2.9 - Missing Authorization Affected: *-2.2.9 Patched: 2.3.0 Updated: June 30, 2026
LOW

the-bucketlister

the-bucketlister

Score: N/A The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification Affected: *-0.1.5 Patched: Updated: June 30, 2026
LOW

the-bucketlister

the-bucketlister

Score: N/A The Bucketlister <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and `id` Shortcode Attributes Affected: *-0.1.5 Patched: Updated: June 30, 2026
LOW

premmerce

premmerce

Score: N/A Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premmerce_wizard_actions' AJAX Endpoint Affected: *-1.3.20 Patched: 1.3.21 Updated: June 30, 2026

Showing 2801 to 2900 of 36283 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 08:20 UTC.