Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36283

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
atarim-visual-collaboration	atarim-visual-collaboration	93	Atarim <= 4.0.9 - Missing Authorization to Unauthenticated Arbitrary Post Deletion	LOW	*-4.0.9	4.1.0	June 30, 2026
os-datahub-maps	os-datahub-maps	N/A	OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload	LOW	*-1.8.3	1.8.4	June 30, 2026
tutor	tutor	N/A	Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action	LOW	*-3.9.5	3.9.6	June 30, 2026
tutor	tutor	N/A	Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion	LOW	*-3.9.5	3.9.6	June 30, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events	latepoint	83	LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting	LOW	*-5.2.5	5.2.6	June 30, 2026
form-maker	form-maker	93	Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field	LOW	*-1.15.35	1.15.36	June 30, 2026
form-maker	form-maker	93	Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file	LOW	*-1.15.35	1.15.36	June 30, 2026
mail-mint	mail-mint	93	Mail Mint <= 1.19.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-1.19.2	1.19.3	June 30, 2026
happy-elementor-addons	happy-elementor-addons	93	Happy Addons for Elementor <= 3.20.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_elementor_data' Meta Field	LOW	*-3.20.7	3.20.8	June 30, 2026
unlimited-elements-for-elementor	unlimited-elements-for-elementor	N/A	Unlimited Elements for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget	LOW	*-2.0.1	2.0.2	June 30, 2026
Spectra Gutenberg Blocks – Website Builder for the Block Editor	ultimate-addons-for-gutenberg	N/A	Spectra Gutenberg Blocks <= 2.19.17 - Unauthenticated Information Disclosure in Sensitive Data	LOW	*-2.19.17	2.19.18	June 30, 2026
wp-ulike	wp-ulike	N/A	WP ULike <= 4.8.3.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Log Deletion via 'id' Parameter	LOW	*-4.8.3.1	5.0.0	June 30, 2026
thirstyaffiliates	thirstyaffiliates	N/A	ThirstyAffiliates <= 3.11.9 - Cross-Site Request Forgery	LOW	*-3.11.9	3.11.10	June 30, 2026
mikado-core	mikado-core	93	Mikado Core <= 1.6 - Authenticated (Contributor+) Local File Inclusion	LOW	*-1.6	2.2.2	June 30, 2026
contest-code-checker	contest-code-checker	91	Run Contests, Raffles, and Giveaways with ContestsWP <= 2.0.7 - Unauthenticated Information Exposure	LOW	*-2.0.7	2.1.1	June 30, 2026
cmsmasters-content-composer	cmsmasters-content-composer	93	CMSMasters Content Composer <= 1.4.5 - Authenticated (Contributor+) Local File Inclusion	LOW	*-1.4.5	1.4.6	June 30, 2026
booktics	booktics	93	Booktics <= 1.0.16 - Missing Authorization	LOW	*-1.0.16	1.0.17	June 30, 2026
kivicare-clinic-management-system	kivicare-clinic-management-system	93	KiviCare <= 3.6.16 - Authenticated (Receptionist+) SQL Injection	LOW	*-3.6.16	4.0.0	June 30, 2026
quiz-master-next	quiz-master-next	N/A	Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker <= 10.3.4 - Unauthenticated Insecure Direct Object Reference	LOW	*-10.3.4	10.3.5	June 30, 2026
mybooktable	mybooktable	N/A	MyBookTable Bookstore <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting	LOW	*-3.6.0		June 30, 2026
gyan-elements	gyan-elements	93	Gyan Elements <= 2.2.1 - Authenticated (Contributor+) Local File Inclusion	LOW	*-2.2.1	2.2.2	June 30, 2026
buddypress-media	buddypress-media	93	rtMedia for WordPress, BuddyPress and bbPress <= 4.7.8 - Unauthenticated Information Exposure	LOW	*-4.7.8	4.7.9	June 30, 2026
wp-conditional-captcha	wp-conditional-captcha	N/A	Conditional CAPTCHA <= 4.0.0 - Unauthenticated Open Redirect	LOW	*-4.0.0		June 30, 2026
order-tracking	order-tracking	N/A	Order Tracking <= 3.4.4 - Missing Authorization	LOW	*-3.4.4		June 30, 2026
ajax-load-more	ajax-load-more	97	Ajax Load More – Infinite Scroll, Lazy Load & Load More <= 7.8.1 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure	LOW	*-7.8.1	7.8.2	June 30, 2026
Booking Calendar	booking	71	Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure	LOW	*-10.14.13	10.14.14	June 30, 2026
nex-forms-express-wp-form-builder	nex-forms-express-wp-form-builder	N/A	NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure	LOW	*-9.1.8	9.1.9	June 30, 2026
wp-sync-for-notion	wp-sync-for-notion	N/A	WP Sync for Notion <= 1.7.0 - Missing Authorization	LOW	*-1.7.0	1.7.1	June 30, 2026
update-urls	update-urls	N/A	Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress <= 1.4.1 - Unauthenticated Open Redirect	LOW	*-1.4.1		June 30, 2026
supportcandy	supportcandy	N/A	SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter	LOW	*-3.4.4	3.4.5	June 30, 2026
sell-btc-by-hayyatapps	sell-btc-by-hayyatapps	N/A	Sell BTC - Cryptocurrency Selling Calculator <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action	LOW	*-1.5	1.6	June 30, 2026
mizan-demo-importer	mizan-demo-importer	93	Mizan Demo Importer <= 0.1.3 - Missing Authorization	LOW	*-0.1.3	0.1.4	June 30, 2026
cryout-serious-slider	cryout-serious-slider	93	Serious Slider <= 1.2.7 - Missing Authorization	LOW	*-1.2.7	1.3.0	June 30, 2026
ays-popup-box	ays-popup-box	93	Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change	LOW	*-6.1.1	6.1.2	June 30, 2026
atarim-visual-collaboration	atarim-visual-collaboration	93	Atarim <= 4.3.1 - Missing Authorization	LOW	*-4.3.1	4.3.2	June 30, 2026
WP Wand – Unlimited Content Generation using AI – for OpenAI, Claude, Openrouter and Deepseek	ai-content-generation	89	WP Wand – Unlimited Content Generation using AI – for OpenAI, Claude, Openrouter and Deepseek <= 1.3.07 - Missing Authorization	LOW	*-1.3.07		June 30, 2026
WP Job Manager	wp-job-manager	84	WP Job Manager <= 2.4.0 - Missing Authorization	LOW	*-2.4.0	2.4.1	June 30, 2026
travelpayouts	travelpayouts	N/A	Travelpayouts <= 1.2.1 - Missing Authorization	LOW	*-1.2.1		June 30, 2026
the-grid	the-grid	N/A	The Grid < 2.8.0 - Missing Authorization	LOW	[*, 2.8.0)	2.8.0	June 30, 2026
supportcandy	supportcandy	N/A	SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Missing Authorization	LOW	*-3.4.4	3.4.5	June 30, 2026
shiprocket	shiprocket	N/A	Shiprocket <= 2.0.8 - Authenticated (Subscriber+) Insecure Direct Object Reference	LOW	*-2.0.8		June 30, 2026
revisionary	revisionary	N/A	PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes <= 3.7.22 - Cross-Site Request Forgery	LOW	*-3.7.22	3.7.23	June 30, 2026
osm	osm	N/A	OSM – OpenStreetMap <= 6.1.12 - Missing Authorization	LOW	*-6.1.12	6.1.13	June 30, 2026
nelio-popups	nelio-popups	N/A	Nelio Popups <= 1.3.5 - Missing Authorization	LOW	*-1.3.5	1.3.6	June 30, 2026
id-arrays	id-arrays	91	ID Arrays <= 2.1.2 - Reflected Cross-Site Scripting	LOW	*-2.1.2		June 30, 2026
echo-knowledge-base	echo-knowledge-base	93	Echo Knowledge Base – Documentation, FAQs, AI Chat & AI Search <= 16.011.0 - Missing Authorization	LOW	*-16.011.0	16.20.0	June 30, 2026
easy-hotel	easy-hotel	91	Easy Hotel Booking <= 1.8.4 - Missing Authorization	LOW	*-1.8.4		June 30, 2026
cookiebot	cookiebot	93	Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode <= 4.6.4 - Missing Authorization	LOW	*-4.6.4	4.6.5	June 30, 2026
broken-link-notifier	broken-link-notifier	93	Broken Link Notifier <= 1.3.5 - Missing Authorization	LOW	*-1.3.5	1.3.6	June 30, 2026
booked	booked	91	Booked <= 3.0.0 - Authentication Bypass	LOW	*-3.0.0		June 30, 2026
b-slider	b-slider	93	B Slider <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.0.6	2.0.7	June 30, 2026
zita-site-library	zita-site-library	N/A	Zita Site Library for Elementor <= 1.6.6 - Cross-Site Request Forgery	LOW	*-1.6.6	1.6.7	June 30, 2026
wpbookit-pro	wpbookit-pro	N/A	WPBookit Pro <= 1.6.18 - Missing Authorization	LOW	*-1.6.18		June 30, 2026
wp-recipe-maker	wp-recipe-maker	N/A	Recipe Maker <= 10.2.4 - Missing Authorization	LOW	*-10.2.4	10.3.0	June 30, 2026
wp-jamstack-deployments	wp-jamstack-deployments	N/A	JAMstack Deployments <= 1.1.1 - Missing Authorization	LOW	*-1.1.1		June 30, 2026
wp-cors	wp-cors	N/A	WP-CORS <= 0.2.2 - Missing Authorization	LOW	*-0.2.2		June 30, 2026
woodly-core	woodly-core	N/A	Woodly Core <= 1.4 - Unauthenticated SQL Injection	LOW	*-1.4		June 30, 2026
userswp	userswp	N/A	UsersWP <= 1.2.53 - Cross-Site Request Forgery	LOW	*-1.2.53	1.2.54	June 30, 2026
uroan-core	uroan-core	N/A	Uroan Core <= 1.4.4 - Unauthenticated SQL Injection	LOW	*-1.4.4		June 30, 2026
sendy	sendy	N/A	Sendy <= 3.4.2 - Missing Authorization	LOW	*-3.4.2	3.4.3	June 30, 2026
sb-elementor-contact-form-db	sb-elementor-contact-form-db	N/A	FormsDB – Save Elementor Forms to Google Sheets & Post Type <= 2.1.3 - Missing Authorization	LOW	*-2.1.3	2.1.4	June 30, 2026
saasplate-core	saasplate-core	N/A	Saasplate Core <= 1.2.8 - Unauthenticated SQL Injection	LOW	*-1.2.8		June 30, 2026
revision-manager-tmc	revision-manager-tmc	N/A	Revision Manager TMC <= 2.8.22 - Cross-Site Request Forgery	LOW	*-2.8.22		June 30, 2026
quiz-master-next	quiz-master-next	N/A	Quiz And Survey Master <= 10.3.1 - Authenticated (Subscriber+) SQL Injection	LOW	*-10.3.1	10.3.2	June 30, 2026
popularis-extra	popularis-extra	N/A	Popularis Extra <= 1.2.10 - Cross-Site Request Forgery	LOW	*-1.2.10		June 30, 2026
official-mailerlite-sign-up-forms	official-mailerlite-sign-up-forms	N/A	MailerLite – Signup forms (official) <= 1.7.18 - Missing Authorization	LOW	*-1.7.18	1.7.19	June 30, 2026
news-kit-elementor-addons	news-kit-elementor-addons	N/A	News Kit Addons For Elementor <= 1.4.2 - Missing Authorization	LOW	*-1.4.2	1.4.3	June 30, 2026
nestbyte-core	nestbyte-core	N/A	Nestbyte Core <= 1.2 - Unauthenticated SQL Injection	LOW	*-1.2		June 30, 2026
modeltheme-framework	modeltheme-framework	93	ModelTheme Framework < 2.0.0 - Missing Authorization	LOW	[*, 2.0.0)	2.0.0	June 30, 2026
medinik-core	medinik-core	91	Medinik Core <= 1.3.6 - Unauthenticated SQL Injection	LOW	*-1.3.6		June 30, 2026
EventPrime – Events Calendar, Bookings and Tickets	eventprime-event-calendar-management	74	EventPrime <= 4.2.8.0 - Missing Authorization	LOW	*-4.2.8.0	4.2.8.1	June 30, 2026
enteraddons	enteraddons	93	Enter Addons <= 2.3.2 - Cross-Site Request Forgery	LOW	*-2.3.2	2.3.3	June 30, 2026
emerce-core	emerce-core	91	Emerce Core <= 1.8 - Unauthenticated SQL Injection	LOW	*-1.8		June 30, 2026
electio-core	electio-core	91	Electio Core <= 1.4 - Unauthenticated SQL Injection	LOW	*-1.4		June 30, 2026
educare	educare	93	Educare <= 1.6.1 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.6.1	1.6.2	June 30, 2026
checkout-upsell-and-order-bumps	checkout-upsell-and-order-bumps	93	UpsellWP <= 2.2.5 - Missing Authorization	LOW	*-2.2.5	2.2.6	June 30, 2026
bit-form	bit-form	93	Bit Form <= 2.21.10 - Authenticated (Administrator+) SQL Injection	LOW	*-2.21.10	2.21.11	June 30, 2026
wp-registration	wp-registration	N/A	Simple User Registration <= 6.7 - Authenticated (Subscriber+) Privilege Escalation via profile_save_field	LOW	*-6.7	6.8	June 30, 2026
Frontend File Manager Plugin	nmedia-user-file-uploader	86	Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter	LOW	*-23.5		June 30, 2026
bitcoin-donate-button	bitcoin-donate-button	91	Bitcoin Donate Button <= 1.0 - Cross-Site Request Forgery to Settings Update	LOW	*-1.0		June 30, 2026
vzaar-media-management	vzaar-media-management	N/A	Vzaar Media Management <= 1.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']	LOW	*-1.2		June 30, 2026
imwptip	imwptip	91	imwptip <= 1.1 - Cross-Site Request Forgery to Settings Update	LOW	*-1.1		June 30, 2026
recooty	recooty	N/A	Recooty <= 1.0.6 - Cross-Site Request Forgery to Settings Update	LOW	1.0.1-1.0.6		June 30, 2026
telsender	telsender	N/A	TelSender <= 1.14.14 - Unauthenticated Stored Cross-Site Scripting via Telegram Chat Title	LOW	*-1.14.14	1.14.15	June 30, 2026
change-wp-url	change-wp-url	91	Change WP URL <= 1.0 - Cross-Site Request Forgery to Settings Update	LOW	*-1.0		June 30, 2026
wp-google-ad-manager-plugin	wp-google-ad-manager-plugin	N/A	WP Google Ad Manager Plugin <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings	LOW	*-1.1.0		June 30, 2026
rupantorpay	rupantorpay	N/A	Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification	LOW	*-2.0.0		June 30, 2026
seo-links-interlinking	seo-links-interlinking	N/A	SEO Links Interlinking <= 1.7.9.9.1 - Reflected Cross-Site Scripting via 'google_error' Parameter	LOW	*-1.7.9.9.1	1.7.9.9.2	June 30, 2026
blockart-blocks	blockart-blocks	93	BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.2.14 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.2.14	2.2.15	June 30, 2026
metasync	metasync	93	Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization 2.4.4 - 2.5.15 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover	LOW	2.4.4-2.5.15	2.5.16	June 30, 2026
order-minimum-amount-for-woocommerce	order-minimum-amount-for-woocommerce	N/A	Order Minimum/Maximum Amount Limits for WooCommerce <= 4.6.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Hide Add to Cart Content Fields	LOW	*-4.6.8	4.6.9	June 30, 2026
add-search-to-menu	add-search-to-menu	97	Ivory Search <= 5.5.13 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_gcse' and 'nothing_found_text' Parameters	LOW	*-5.5.13	5.5.14	June 30, 2026
AI Engine – The Chatbot, AI Framework & MCP for WordPress	ai-engine	82	AI Engine <= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload via 'filename' Parameter in update_media_metadata Endpoint	LOW	*-3.3.2	3.3.3	June 30, 2026
document-emberdder	document-emberdder	93	Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion	LOW	*-2.0.4	2.0.5	June 30, 2026
custom-registration-form-builder-with-submission-manager	custom-registration-form-builder-with-submission-manager	93	RegistrationMagic <= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings Modification	LOW	*-6.0.7.4	6.0.7.5	June 30, 2026
simple-calendar-for-elementor	simple-calendar-for-elementor	N/A	Simple calendar for Elementor <= 1.6.6 - Missing Authorization to Unauthenticated Arbitrary Calendar Entry Deletion	LOW	*-1.6.6	1.6.7	June 30, 2026
interactions	interactions	93	Interactions – Create Interactive Experiences in the Block Editor <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.3.1	1.3.2	June 30, 2026
new-user-approve	new-user-approve	N/A	New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure	LOW	*-3.2.2	3.2.3	June 30, 2026
Database for Contact Form 7, WPforms, Elementor forms	contact-form-entries	84	Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export	LOW	*-1.4.5	1.4.6	June 30, 2026
wpbits-addons-for-elementor	wpbits-addons-for-elementor	N/A	WPBITS Addons For Elementor <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.8	1.8.1	June 30, 2026

LOW

atarim-visual-collaboration

Score: 93/100 Atarim <= 4.0.9 - Missing Authorization to Unauthenticated Arbitrary Post Deletion Affected: *-4.0.9 Patched: 4.1.0 Updated: June 30, 2026

LOW

os-datahub-maps

Score: N/A OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload Affected: *-1.8.3 Patched: 1.8.4 Updated: June 30, 2026

LOW

tutor

Score: N/A Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action Affected: *-3.9.5 Patched: 3.9.6 Updated: June 30, 2026

LOW

tutor

Score: N/A Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion Affected: *-3.9.5 Patched: 3.9.6 Updated: June 30, 2026

LOW

LatePoint – Calendar Booking Plugin for Appointments and Events

latepoint

Score: 83/100 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting Affected: *-5.2.5 Patched: 5.2.6 Updated: June 30, 2026

LOW

form-maker

Score: 93/100 Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field Affected: *-1.15.35 Patched: 1.15.36 Updated: June 30, 2026

LOW

form-maker

Score: 93/100 Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file Affected: *-1.15.35 Patched: 1.15.36 Updated: June 30, 2026

LOW

mail-mint

Score: 93/100 Mail Mint <= 1.19.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-1.19.2 Patched: 1.19.3 Updated: June 30, 2026

LOW

Score: 93/100 Happy Addons for Elementor <= 3.20.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_elementor_data' Meta Field Affected: *-3.20.7 Patched: 3.20.8 Updated: June 30, 2026

LOW

unlimited-elements-for-elementor

Score: N/A Unlimited Elements for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget Affected: *-2.0.1 Patched: 2.0.2 Updated: June 30, 2026

LOW

Spectra Gutenberg Blocks – Website Builder for the Block Editor

ultimate-addons-for-gutenberg

Score: N/A Spectra Gutenberg Blocks <= 2.19.17 - Unauthenticated Information Disclosure in Sensitive Data Affected: *-2.19.17 Patched: 2.19.18 Updated: June 30, 2026

LOW

wp-ulike

Score: N/A WP ULike <= 4.8.3.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Log Deletion via 'id' Parameter Affected: *-4.8.3.1 Patched: 5.0.0 Updated: June 30, 2026

LOW

thirstyaffiliates

Score: N/A ThirstyAffiliates <= 3.11.9 - Cross-Site Request Forgery Affected: *-3.11.9 Patched: 3.11.10 Updated: June 30, 2026

LOW

mikado-core

Score: 93/100 Mikado Core <= 1.6 - Authenticated (Contributor+) Local File Inclusion Affected: *-1.6 Patched: 2.2.2 Updated: June 30, 2026

LOW

contest-code-checker

Score: 91/100 Run Contests, Raffles, and Giveaways with ContestsWP <= 2.0.7 - Unauthenticated Information Exposure Affected: *-2.0.7 Patched: 2.1.1 Updated: June 30, 2026

LOW

cmsmasters-content-composer

Score: 93/100 CMSMasters Content Composer <= 1.4.5 - Authenticated (Contributor+) Local File Inclusion Affected: *-1.4.5 Patched: 1.4.6 Updated: June 30, 2026

LOW

booktics

Score: 93/100 Booktics <= 1.0.16 - Missing Authorization Affected: *-1.0.16 Patched: 1.0.17 Updated: June 30, 2026

LOW

kivicare-clinic-management-system

Score: 93/100 KiviCare <= 3.6.16 - Authenticated (Receptionist+) SQL Injection Affected: *-3.6.16 Patched: 4.0.0 Updated: June 30, 2026

LOW

quiz-master-next

Score: N/A Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker <= 10.3.4 - Unauthenticated Insecure Direct Object Reference Affected: *-10.3.4 Patched: 10.3.5 Updated: June 30, 2026

LOW

mybooktable

Score: N/A MyBookTable Bookstore <= 3.6.0 - Authenticated (Author+) Stored Cross-Site Scripting Affected: *-3.6.0 Patched: Updated: June 30, 2026

LOW

gyan-elements

Score: 93/100 Gyan Elements <= 2.2.1 - Authenticated (Contributor+) Local File Inclusion Affected: *-2.2.1 Patched: 2.2.2 Updated: June 30, 2026

LOW

buddypress-media

Score: 93/100 rtMedia for WordPress, BuddyPress and bbPress <= 4.7.8 - Unauthenticated Information Exposure Affected: *-4.7.8 Patched: 4.7.9 Updated: June 30, 2026

LOW

wp-conditional-captcha

Score: N/A Conditional CAPTCHA <= 4.0.0 - Unauthenticated Open Redirect Affected: *-4.0.0 Patched: Updated: June 30, 2026

LOW

order-tracking

Score: N/A Order Tracking <= 3.4.4 - Missing Authorization Affected: *-3.4.4 Patched: Updated: June 30, 2026

LOW

ajax-load-more

Score: 97/100 Ajax Load More – Infinite Scroll, Lazy Load & Load More <= 7.8.1 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure Affected: *-7.8.1 Patched: 7.8.2 Updated: June 30, 2026

LOW

Booking Calendar

booking

Score: 71/100 Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure Affected: *-10.14.13 Patched: 10.14.14 Updated: June 30, 2026

LOW

nex-forms-express-wp-form-builder

Score: N/A NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure Affected: *-9.1.8 Patched: 9.1.9 Updated: June 30, 2026

LOW

wp-sync-for-notion

Score: N/A WP Sync for Notion <= 1.7.0 - Missing Authorization Affected: *-1.7.0 Patched: 1.7.1 Updated: June 30, 2026

LOW

update-urls

Score: N/A Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress <= 1.4.1 - Unauthenticated Open Redirect Affected: *-1.4.1 Patched: Updated: June 30, 2026

LOW

supportcandy

Score: N/A SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter Affected: *-3.4.4 Patched: 3.4.5 Updated: June 30, 2026

LOW

sell-btc-by-hayyatapps

Score: N/A Sell BTC - Cryptocurrency Selling Calculator <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action Affected: *-1.5 Patched: 1.6 Updated: June 30, 2026

LOW

mizan-demo-importer

Score: 93/100 Mizan Demo Importer <= 0.1.3 - Missing Authorization Affected: *-0.1.3 Patched: 0.1.4 Updated: June 30, 2026

LOW

cryout-serious-slider

Score: 93/100 Serious Slider <= 1.2.7 - Missing Authorization Affected: *-1.2.7 Patched: 1.3.0 Updated: June 30, 2026

LOW

ays-popup-box

Score: 93/100 Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change Affected: *-6.1.1 Patched: 6.1.2 Updated: June 30, 2026

LOW

atarim-visual-collaboration

Score: 93/100 Atarim <= 4.3.1 - Missing Authorization Affected: *-4.3.1 Patched: 4.3.2 Updated: June 30, 2026

LOW

WP Wand – Unlimited Content Generation using AI – for OpenAI, Claude, Openrouter and Deepseek

ai-content-generation

Score: 89/100 WP Wand – Unlimited Content Generation using AI – for OpenAI, Claude, Openrouter and Deepseek <= 1.3.07 - Missing Authorization Affected: *-1.3.07 Patched: Updated: June 30, 2026

LOW

WP Job Manager

wp-job-manager

Score: 84/100 WP Job Manager <= 2.4.0 - Missing Authorization Affected: *-2.4.0 Patched: 2.4.1 Updated: June 30, 2026

LOW

travelpayouts

Score: N/A Travelpayouts <= 1.2.1 - Missing Authorization Affected: *-1.2.1 Patched: Updated: June 30, 2026

LOW

the-grid

Score: N/A The Grid < 2.8.0 - Missing Authorization Affected: [*, 2.8.0) Patched: 2.8.0 Updated: June 30, 2026

LOW

supportcandy

Score: N/A SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Missing Authorization Affected: *-3.4.4 Patched: 3.4.5 Updated: June 30, 2026

LOW

shiprocket

Score: N/A Shiprocket <= 2.0.8 - Authenticated (Subscriber+) Insecure Direct Object Reference Affected: *-2.0.8 Patched: Updated: June 30, 2026

LOW

revisionary

Score: N/A PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes <= 3.7.22 - Cross-Site Request Forgery Affected: *-3.7.22 Patched: 3.7.23 Updated: June 30, 2026

LOW

osm

Score: N/A OSM – OpenStreetMap <= 6.1.12 - Missing Authorization Affected: *-6.1.12 Patched: 6.1.13 Updated: June 30, 2026

LOW

nelio-popups

Score: N/A Nelio Popups <= 1.3.5 - Missing Authorization Affected: *-1.3.5 Patched: 1.3.6 Updated: June 30, 2026

LOW

id-arrays

Score: 91/100 ID Arrays <= 2.1.2 - Reflected Cross-Site Scripting Affected: *-2.1.2 Patched: Updated: June 30, 2026

LOW

echo-knowledge-base

Score: 93/100 Echo Knowledge Base – Documentation, FAQs, AI Chat & AI Search <= 16.011.0 - Missing Authorization Affected: *-16.011.0 Patched: 16.20.0 Updated: June 30, 2026

LOW

easy-hotel

Score: 91/100 Easy Hotel Booking <= 1.8.4 - Missing Authorization Affected: *-1.8.4 Patched: Updated: June 30, 2026

LOW

cookiebot

Score: 93/100 Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode <= 4.6.4 - Missing Authorization Affected: *-4.6.4 Patched: 4.6.5 Updated: June 30, 2026

LOW

broken-link-notifier

Score: 93/100 Broken Link Notifier <= 1.3.5 - Missing Authorization Affected: *-1.3.5 Patched: 1.3.6 Updated: June 30, 2026

LOW

booked

Score: 91/100 Booked <= 3.0.0 - Authentication Bypass Affected: *-3.0.0 Patched: Updated: June 30, 2026

LOW

b-slider

Score: 93/100 B Slider <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.0.6 Patched: 2.0.7 Updated: June 30, 2026

LOW

zita-site-library

Score: N/A Zita Site Library for Elementor <= 1.6.6 - Cross-Site Request Forgery Affected: *-1.6.6 Patched: 1.6.7 Updated: June 30, 2026

LOW

wpbookit-pro

Score: N/A WPBookit Pro <= 1.6.18 - Missing Authorization Affected: *-1.6.18 Patched: Updated: June 30, 2026

LOW

wp-recipe-maker

Score: N/A Recipe Maker <= 10.2.4 - Missing Authorization Affected: *-10.2.4 Patched: 10.3.0 Updated: June 30, 2026

LOW

wp-jamstack-deployments

Score: N/A JAMstack Deployments <= 1.1.1 - Missing Authorization Affected: *-1.1.1 Patched: Updated: June 30, 2026

LOW

wp-cors

Score: N/A WP-CORS <= 0.2.2 - Missing Authorization Affected: *-0.2.2 Patched: Updated: June 30, 2026

LOW

woodly-core

Score: N/A Woodly Core <= 1.4 - Unauthenticated SQL Injection Affected: *-1.4 Patched: Updated: June 30, 2026

LOW

userswp

Score: N/A UsersWP <= 1.2.53 - Cross-Site Request Forgery Affected: *-1.2.53 Patched: 1.2.54 Updated: June 30, 2026

LOW

uroan-core

Score: N/A Uroan Core <= 1.4.4 - Unauthenticated SQL Injection Affected: *-1.4.4 Patched: Updated: June 30, 2026

LOW

sendy

Score: N/A Sendy <= 3.4.2 - Missing Authorization Affected: *-3.4.2 Patched: 3.4.3 Updated: June 30, 2026

LOW

sb-elementor-contact-form-db

Score: N/A FormsDB – Save Elementor Forms to Google Sheets & Post Type <= 2.1.3 - Missing Authorization Affected: *-2.1.3 Patched: 2.1.4 Updated: June 30, 2026

LOW

saasplate-core

Score: N/A Saasplate Core <= 1.2.8 - Unauthenticated SQL Injection Affected: *-1.2.8 Patched: Updated: June 30, 2026

LOW

revision-manager-tmc

Score: N/A Revision Manager TMC <= 2.8.22 - Cross-Site Request Forgery Affected: *-2.8.22 Patched: Updated: June 30, 2026

LOW

quiz-master-next

Score: N/A Quiz And Survey Master <= 10.3.1 - Authenticated (Subscriber+) SQL Injection Affected: *-10.3.1 Patched: 10.3.2 Updated: June 30, 2026

LOW

popularis-extra

Score: N/A Popularis Extra <= 1.2.10 - Cross-Site Request Forgery Affected: *-1.2.10 Patched: Updated: June 30, 2026

LOW

official-mailerlite-sign-up-forms

Score: N/A MailerLite – Signup forms (official) <= 1.7.18 - Missing Authorization Affected: *-1.7.18 Patched: 1.7.19 Updated: June 30, 2026

LOW

news-kit-elementor-addons

Score: N/A News Kit Addons For Elementor <= 1.4.2 - Missing Authorization Affected: *-1.4.2 Patched: 1.4.3 Updated: June 30, 2026

LOW

nestbyte-core

Score: N/A Nestbyte Core <= 1.2 - Unauthenticated SQL Injection Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

modeltheme-framework

Score: 93/100 ModelTheme Framework < 2.0.0 - Missing Authorization Affected: [*, 2.0.0) Patched: 2.0.0 Updated: June 30, 2026

LOW

medinik-core

Score: 91/100 Medinik Core <= 1.3.6 - Unauthenticated SQL Injection Affected: *-1.3.6 Patched: Updated: June 30, 2026

LOW

EventPrime – Events Calendar, Bookings and Tickets

eventprime-event-calendar-management

Score: 74/100 EventPrime <= 4.2.8.0 - Missing Authorization Affected: *-4.2.8.0 Patched: 4.2.8.1 Updated: June 30, 2026

LOW

enteraddons

Score: 93/100 Enter Addons <= 2.3.2 - Cross-Site Request Forgery Affected: *-2.3.2 Patched: 2.3.3 Updated: June 30, 2026

LOW

emerce-core

Score: 91/100 Emerce Core <= 1.8 - Unauthenticated SQL Injection Affected: *-1.8 Patched: Updated: June 30, 2026

LOW

electio-core

Score: 91/100 Electio Core <= 1.4 - Unauthenticated SQL Injection Affected: *-1.4 Patched: Updated: June 30, 2026

LOW

educare

Score: 93/100 Educare <= 1.6.1 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.6.1 Patched: 1.6.2 Updated: June 30, 2026

LOW

checkout-upsell-and-order-bumps

Score: 93/100 UpsellWP <= 2.2.5 - Missing Authorization Affected: *-2.2.5 Patched: 2.2.6 Updated: June 30, 2026

LOW

bit-form

Score: 93/100 Bit Form <= 2.21.10 - Authenticated (Administrator+) SQL Injection Affected: *-2.21.10 Patched: 2.21.11 Updated: June 30, 2026

LOW

wp-registration

Score: N/A Simple User Registration <= 6.7 - Authenticated (Subscriber+) Privilege Escalation via profile_save_field Affected: *-6.7 Patched: 6.8 Updated: June 30, 2026

LOW

Frontend File Manager Plugin

nmedia-user-file-uploader

Score: 86/100 Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter Affected: *-23.5 Patched: Updated: June 30, 2026

LOW

bitcoin-donate-button

Score: 91/100 Bitcoin Donate Button <= 1.0 - Cross-Site Request Forgery to Settings Update Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

vzaar-media-management

Score: N/A Vzaar Media Management <= 1.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

imwptip

Score: 91/100 imwptip <= 1.1 - Cross-Site Request Forgery to Settings Update Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

recooty

Score: N/A Recooty <= 1.0.6 - Cross-Site Request Forgery to Settings Update Affected: 1.0.1-1.0.6 Patched: Updated: June 30, 2026

LOW

telsender

Score: N/A TelSender <= 1.14.14 - Unauthenticated Stored Cross-Site Scripting via Telegram Chat Title Affected: *-1.14.14 Patched: 1.14.15 Updated: June 30, 2026

LOW

change-wp-url

Score: 91/100 Change WP URL <= 1.0 - Cross-Site Request Forgery to Settings Update Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

wp-google-ad-manager-plugin

Score: N/A WP Google Ad Manager Plugin <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings Affected: *-1.1.0 Patched: Updated: June 30, 2026

LOW

rupantorpay

Score: N/A Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification Affected: *-2.0.0 Patched: Updated: June 30, 2026

LOW

seo-links-interlinking

Score: N/A SEO Links Interlinking <= 1.7.9.9.1 - Reflected Cross-Site Scripting via 'google_error' Parameter Affected: *-1.7.9.9.1 Patched: 1.7.9.9.2 Updated: June 30, 2026

LOW

blockart-blocks

Score: 93/100 BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.2.14 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.2.14 Patched: 2.2.15 Updated: June 30, 2026

LOW

metasync

Score: 93/100 Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization 2.4.4 - 2.5.15 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover Affected: 2.4.4-2.5.15 Patched: 2.5.16 Updated: June 30, 2026

LOW

order-minimum-amount-for-woocommerce

Score: N/A Order Minimum/Maximum Amount Limits for WooCommerce <= 4.6.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Hide Add to Cart Content Fields Affected: *-4.6.8 Patched: 4.6.9 Updated: June 30, 2026

LOW

add-search-to-menu

Score: 97/100 Ivory Search <= 5.5.13 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_gcse' and 'nothing_found_text' Parameters Affected: *-5.5.13 Patched: 5.5.14 Updated: June 30, 2026

LOW

AI Engine – The Chatbot, AI Framework & MCP for WordPress

ai-engine

Score: 82/100 AI Engine <= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload via 'filename' Parameter in update_media_metadata Endpoint Affected: *-3.3.2 Patched: 3.3.3 Updated: June 30, 2026

LOW

document-emberdder

Score: 93/100 Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion Affected: *-2.0.4 Patched: 2.0.5 Updated: June 30, 2026

LOW

custom-registration-form-builder-with-submission-manager

Score: 93/100 RegistrationMagic <= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings Modification Affected: *-6.0.7.4 Patched: 6.0.7.5 Updated: June 30, 2026

LOW

simple-calendar-for-elementor

Score: N/A Simple calendar for Elementor <= 1.6.6 - Missing Authorization to Unauthenticated Arbitrary Calendar Entry Deletion Affected: *-1.6.6 Patched: 1.6.7 Updated: June 30, 2026

LOW

interactions

Score: 93/100 Interactions – Create Interactive Experiences in the Block Editor <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.3.1 Patched: 1.3.2 Updated: June 30, 2026

LOW

new-user-approve

Score: N/A New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure Affected: *-3.2.2 Patched: 3.2.3 Updated: June 30, 2026

LOW

Database for Contact Form 7, WPforms, Elementor forms

contact-form-entries

Score: 84/100 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.5 - Missing Authorization to Unauthenticated Form Data Exfiltration via CSV Export Affected: *-1.4.5 Patched: 1.4.6 Updated: June 30, 2026

LOW

wpbits-addons-for-elementor

Score: N/A WPBITS Addons For Elementor <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.8 Patched: 1.8.1 Updated: June 30, 2026

Showing 3001 to 3100 of 36283 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 11:17 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List