Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36296

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
smart-product-viewer	smart-product-viewer	N/A	Smart Product Viewer <= 1.5.4 - Missing Authorization	LOW	*-1.5.4		June 30, 2026
ninja-tables	ninja-tables	N/A	Ninja Tables – Easy Data Table Builder <= 5.2.5 - Authenticated (Contributor+) Information Exposure	LOW	*-5.2.5	5.2.6	June 30, 2026
ajax-hits-counter	ajax-hits-counter	95	AJAX Hits Counter + Popular Posts Widget <= 0.10.210305 - Missing Authorization	LOW	*-0.10.210305		June 30, 2026
wpresidence-core	wpresidence-core	N/A	Wpresidence Core <= 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-5.4.0		June 30, 2026
Spectra Gutenberg Blocks – Website Builder for the Block Editor	ultimate-addons-for-gutenberg	N/A	Spectra <= 2.19.17 - Missing Authorization	LOW	*-2.19.17	2.19.18	June 30, 2026
premium-addons-for-elementor	premium-addons-for-elementor	N/A	Premium Addons for Elementor <= 4.11.63 - Missing Authorization to Authenticated (Subscriber+) Settings Update	LOW	*-4.11.63	4.11.64	June 30, 2026
houzez-theme-functionality	houzez-theme-functionality	93	Houzez Theme - Functionality <= 4.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-4.2.6	4.2.7	June 30, 2026
cargus	cargus	93	Cargus <= 1.5.8 - Unauthenticated Information Exposure	LOW	*-1.5.8	1.5.9	June 30, 2026
woocommerce-for-paygent-payment-main	woocommerce-for-paygent-payment-main	N/A	PAYGENT for WooCommerce <= 2.4.6 - Missing Authorization to Unauthenticated Payment Callback Manipulation	LOW	*-2.4.6	2.4.7	June 30, 2026
integrate-dynamics-365-crm	integrate-dynamics-365-crm	93	Integrate Dynamics 365 CRM <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration	LOW	*-1.1.1	1.1.2	June 30, 2026
CubeWP Framework	cubewp-framework	74	CubeWP <= 1.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode	LOW	*-1.1.26	1.1.27	June 30, 2026
CubeWP Framework	cubewp-framework	74	CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 - Unauthenticated Information Exposure	LOW	*-1.1.27	1.1.28	June 30, 2026
spin-wheel	spin-wheel	N/A	Spin Wheel <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter	LOW	*-2.1.0	2.1.1	June 30, 2026
team-section	team-section	N/A	Team Section Block <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link	LOW	*-2.0.0	2.0.1	June 30, 2026
community-events	community-events	93	Community Events <= 1.5.6 - Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter	LOW	*-1.5.6	1.5.7	June 30, 2026
memsource-connector	memsource-connector	93	Phrase TMS Integration for WordPress <= 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Log Deletion	LOW	*-4.7.5	4.7.6	June 30, 2026
thim-blocks	thim-blocks	N/A	Gutenberg Thim Blocks <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter	LOW	*-1.0.1	1.0.2	June 30, 2026
church-admin	church-admin	93	Church Admin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter	LOW	*-5.0.28	5.0.29	June 30, 2026
wp-paypal	wp-paypal	N/A	Payment Button for PayPal <= 1.2.3.41 - Missing Authorization to Unauthenticated Arbitrary Order Creation	LOW	*-1.2.3.41	1.2.3.42	June 30, 2026
computer-repair-shop	computer-repair-shop	93	RepairBuddy <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders	LOW	*-4.1116	4.1121	June 30, 2026
filr-protection	filr-protection	93	Filr – Secure document library <= 1.2.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via HTML Upload	LOW	*-1.2.11	1.2.12	June 30, 2026
wallet-system-for-woocommerce	wallet-system-for-woocommerce	N/A	Wallet System for WooCommerce <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation	LOW	*-2.7.2	2.7.3	June 30, 2026
youtube-feed-pro	youtube-feed-pro	N/A	Feeds for YouTube Pro <= 2.6.0 - Unauthenticated Arbitrary File Read via Path Traversal	LOW	*-2.6.0	2.6.1	June 30, 2026
WP Hotel Booking	wp-hotel-booking	N/A	WP Hotel Booking <= 2.2.7 - Unauthenticated Sensitive Information Exposure via 'email' Parameter	LOW	*-2.2.7	2.2.8	June 30, 2026
quick-contact-form	quick-contact-form	N/A	Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay	LOW	*-8.2.6	8.2.7	June 30, 2026
custom-registration-form-builder-with-submission-manager	custom-registration-form-builder-with-submission-manager	93	RegistrationMagic <= 6.0.7.1 - Unauthenticated Privilege Escalation via admin_order	LOW	*-6.0.7.1	6.0.7.2	June 30, 2026
wp-mail	wp-mail	N/A	Mail <= 1.3 - Reflected Cross-Site Scripting	LOW	*-1.3		June 30, 2026
wordcents	wordcents	N/A	Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 - Reflected Cross-Site Scripting	LOW	*-1.3.03.27		June 30, 2026
wc-peach-payments-gateway	wc-peach-payments-gateway	N/A	Peach Payments Gateway <= 3.3.6 - Missing Authorization	LOW	*-3.3.6	3.3.7	June 30, 2026
user-registration-using-contact-form-7	user-registration-using-contact-form-7	N/A	User Registration Using Contact Form 7 <= 2.5 - Authenticated (Subscriber+) Information Exposure	LOW	*-2.5	2.6	June 30, 2026
tickera-event-ticketing-system	tickera-event-ticketing-system	N/A	Tickera <= 3.5.6.2 - Missing Authorization	LOW	*-3.5.6.2	3.5.6.3	June 30, 2026
the-guardian-news-feed	the-guardian-news-feed	N/A	The Guardian News Feed <= 1.2 - Cross-Site Request Forgery to Settings Update	LOW	*-1.2		June 30, 2026
syntax-highlighter-compress	syntax-highlighter-compress	N/A	Syntax Highlighter Compress <= 3.0.83.3 - Reflected Cross-Site Scripting	LOW	*-3.0.83.3		June 30, 2026
registration-login-with-mobile-phone-number	registration-login-with-mobile-phone-number	N/A	Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 - Authentication Bypass	LOW	*-1.3.1	1.3.2	June 30, 2026
quote-master	quote-master	N/A	Quote Master <= 7.1.1 - Reflected Cross-Site Scripting	LOW	*-7.1.1		June 30, 2026
post-slides	post-slides	N/A	Post Slides <= 1.0.1 - Authenticated (Contributor+) Local File Inclusion	LOW	*-1.0.1		June 30, 2026
onepay-payment-gateway-for-woocommerce	onepay-payment-gateway-for-woocommerce	N/A	onepay Payment Gateway For WooCommerce <= 1.1.2 - Missing Authorization to Unauthenticated Order Status Modification	LOW	*-1.1.2	1.1.3	June 30, 2026
Frontend File Manager Plugin	nmedia-user-file-uploader	86	Frontend File Manager Plugin <= 23.5 - Unauthenticated Insecure Direct Object Reference	LOW	*-23.5	23.6	June 30, 2026
modular-connector	modular-connector	93	Modular DS 2.5.2 - Unauthenticated Privilege Escalation	LOW	2.5.2	2.6.0	June 30, 2026
faq-schema-block-to-accordion	faq-schema-block-to-accordion	91	Turn Yoast SEO FAQ Block to Accordion <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.0.6		June 30, 2026
elementinvader	elementinvader	93	Element Invader – Template Kits for Elementor <= 1.2.4 - Missing Authorization	LOW	*-1.2.4	1.2.5	June 30, 2026
dooodl	dooodl	91	Dooodl <= 2.3.0 - Reflected Cross-Site Scripting	LOW	*-2.3.0		June 30, 2026
demo-importer-plus	demo-importer-plus	93	Demo Importer Plus <= 2.0.9 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload	LOW	*-2.0.9	2.0.10	June 30, 2026
cm-email-blacklist	cm-email-blacklist	93	CM E-Mail Blacklist <= 1.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter	LOW	*-1.6.2	1.6.3	June 30, 2026
cm-business-directory	cm-business-directory	93	CM Business Directory – Optimise and showcase local business <= 1.5.3 - Authenticated (Author+) Stored Cross-Site Scripting	LOW	*-1.5.3	1.5.4	June 30, 2026
client-portal	client-portal	93	Client Portal – Private user pages and login <= 1.2.1 - Missing Authorization	LOW	*-1.2.1	1.2.2	June 30, 2026
bidorbuystoreintegrator	bidorbuystoreintegrator	89	bidorbuy Store Integrator <= 2.12.0 - Reflected Cross-Site Scripting	LOW	*-2.12.0		June 30, 2026
best-wp-google-map	best-wp-google-map	91	Best-wp-google-map <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'latitude' Shortcode Attribute	LOW	*-2.1		June 30, 2026
bdthemes-element-pack-lite	bdthemes-element-pack-lite	93	Element Pack Elementor Addons <= 8.3.13 - Cross-Site Request Forgery	LOW	*-8.3.13	8.3.14	June 30, 2026
Antideo Email Validator	antideo-email-validator	94	Antideo Email Validator <= 1.0.10 - Unauthenticated SQL Injection	LOW	*-1.0.10	1.0.11	June 30, 2026
another-wordpress-classifieds-plugin	another-wordpress-classifieds-plugin	97	AWP Classifieds <= 4.4.3 - Unauthenticated Information Exposure	LOW	*-4.4.3	4.4.4	June 30, 2026
Advanced Ads – Ad Manager & AdSense	advanced-ads	80	Advanced Ads – Ad Manager & AdSense <= 2.0.15 - Authenticated (Admin+) SQL Injection	LOW	*-2.0.15	2.0.16	June 30, 2026
Membership Plugin – Kadence Memberships	restrict-content	N/A	Membership Plugin – Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure	LOW	*-3.2.16	3.2.17	June 30, 2026
cost-calculator-builder	cost-calculator-builder	93	Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass	LOW	*-3.6.9	3.6.10	June 30, 2026
Essential Addons for Elementor – Popular Elementor Templates & Widgets	essential-addons-for-elementor-lite	85	Essential Addons for Elementor <= 6.5.5 - Missing Authorization to Unauthenticated Sensitive Information Exposure	LOW	*-6.5.5	6.5.6	June 30, 2026
wp-rss-aggregator	wp-rss-aggregator	N/A	RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Reflected Cross-Site Scripting via className	LOW	*-5.0.10	5.0.11	June 30, 2026
last-email-address-validator	last-email-address-validator	91	LEAV Last Email Address Validator <= 1.7.1 - Cross-Site Request Forgery to Plugin Settings Update	LOW	*-1.7.1		June 30, 2026
related-posts-by-taxonomy	related-posts-by-taxonomy	N/A	Related Posts by Taxonomy <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'related_posts_by_tax' Shortcode	LOW	*-2.7.6	2.7.7	June 30, 2026
dk-pdf	dk-pdf	93	DK PDF – WordPress PDF Generator <= 2.3.0 - Authenticated (Author+) Server-Side Request Forgery	LOW	*-2.3.0	2.3.1	June 30, 2026
woo-rede	woo-rede	N/A	Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.5 - Missing Authorization to Unauthenticated Rede Order Logs Deletion	LOW	*-5.1.5	5.1.6	June 30, 2026
woo-rede	woo-rede	N/A	Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.2 - Unauthenticated Order Status Manipulation	LOW	*-5.1.2	5.1.3	June 30, 2026
All-in-One Video Gallery	all-in-one-video-gallery	70	All-in-One Video Gallery <= 4.5.7 - Authenticated (Author+) Arbitrary File Upload via VTT Upload Bypass	LOW	*-4.5.7	4.6.4	June 30, 2026
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic	all-in-one-seo-pack	88	All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure	LOW	*-4.9.2	4.9.3	June 30, 2026
Booking Calendar	booking	71	Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure	LOW	*-10.14.11	10.14.12	June 30, 2026
wp-simple-firewall	wp-simple-firewall	N/A	Shield Security <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator	LOW	*-21.0.9	21.0.10	June 30, 2026
awesome-support	awesome-support	93	Awesome Support – WordPress HelpDesk & Support Plugin <= 6.3.6 - Missing Authorization to Unauthenticated Role Demotion	LOW	*-6.3.6	6.3.7	June 30, 2026
supreme-modules-for-divi	supreme-modules-for-divi	N/A	Supreme Modules Lite <= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass	LOW	*-2.5.62	2.5.63	June 30, 2026
affiliatex	affiliatex	97	AffiliateX 1.0.0 - 1.3.9.3 - Authenticated (Subscriber+) Missing Authorization to Stored Cross-Site Scripting via save_customization_settings	LOW	1.0.0-1.3.9.3	1.4.0	June 30, 2026
zoho-crm-forms	zoho-crm-forms	N/A	Zoho CRM Lead Magnet <= 1.8.1.9 - Missing Authorization	LOW	*-1.8.1.9	1.8.2.0	June 30, 2026
WPMasterToolKit (WPMTK) – All in one plugin	wpmastertoolkit	N/A	WPMasterToolKit <= 2.14.0 - Missing Authorization	LOW	*-2.14.0	2.14.1	June 30, 2026
WP Test Email	wp-test-email	90	Test Email <= 1.1.7 - Reflected Cross-Site Scripting	LOW	*-1.1.7		June 30, 2026
wp-simple-redirect	wp-simple-redirect	N/A	Simple Redirect <= 1.1 - Reflected Cross-Site Scripting	LOW	*-1.1		June 30, 2026
workreap_core	workreap_core	N/A	Workreap Core <= 3.4.0 - Authentication Bypass	LOW	*-3.4.0		June 30, 2026
woozone	woozone	N/A	WZone <= 14.0.31 - Missing Authorization	LOW	*-14.0.31		June 30, 2026
woo-thank-you-page-nextmove-lite	woo-thank-you-page-nextmove-lite	N/A	NextMove Lite <= 2.23.0 - Unauthenticated Insecure Direct Object Reference	LOW	*-2.23.0	2.24.0	June 30, 2026
woo-book-price	woo-book-price	N/A	Woocommerce Book Price <= 1.3 - Authenticated (Subscriber++) Arbitrary File Download	LOW	*-1.3		June 30, 2026
wheel-of-life	wheel-of-life	N/A	Wheel of Life <= 1.2.0 - Missing Authorization	LOW	*-1.2.0	1.2.1	June 30, 2026
wdv-one-page-docs	wdv-one-page-docs	N/A	WDV One Page Docs <= 1.2.4 - Missing Authorization	LOW	*-1.2.4		June 30, 2026
wc-frontend-manager-ultimate	wc-frontend-manager-ultimate	N/A	WooCommerce Frontend Manager – Ultimate < 6.7.7 - Authenticated (Subscriber+) SQL Injection	LOW	[*, 6.7.7)	6.7.7	June 30, 2026
user-submitted-posts	user-submitted-posts	N/A	User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usp_access' Shortcode	LOW	*-20260110	20260113	June 30, 2026
synergy-project-manager	synergy-project-manager	N/A	Synergy Project Manager <= 1.5 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.5		June 30, 2026
shown-connector	shown-connector	N/A	Shown Connector <= 1.2.10 - Missing Authorization to Unauthenticated Settings Update	LOW	*-1.2.10		June 30, 2026
related-posts-thumbnails	related-posts-thumbnails	N/A	Related Posts Thumbnails Plugin for WordPress <= 4.3.2 - Cross-Site Request Forgery	LOW	*-4.3.2	4.3.3	June 30, 2026
notificationx	notificationx	N/A	NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar <= 3.2.1 - Missing Authorization	LOW	*-3.2.1	3.2.2	June 30, 2026
multilanguage	multilanguage	N/A	Multilanguage by BestWebSoft <= 1.5.2 - Missing Authorization	LOW	*-1.5.2		June 30, 2026
learnpress-course-review	learnpress-course-review	93	LearnPress – Course Review <= 4.1.9 - Authenticated (Learnpress student+) Stored Cross-Site Scripting	LOW	*-4.1.9	4.2.0	June 30, 2026
infility-global	infility-global	81	Infility Global <= 2.14.49 - Unauthenticated Stored Cross-Site Scripting	LOW	*-2.14.49		June 30, 2026
getgenie	getgenie	93	GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools <= 4.3.0 - Missing Authorization to Authenticated (Author+) Arbitrary Post Deletion	LOW	*-4.3.0	4.3.1	June 30, 2026
g-ffl-checkout	g-ffl-checkout	93	g-FFL Checkout <= 2.1.0 - Unauthenticated Arbitrary File Upload	LOW	*-2.1.0	2.1.1	June 30, 2026
fusion-builder	fusion-builder	93	Avada (Fusion) Builder <= 3.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.14.1	3.14.2	June 30, 2026
event-tickets-with-ticket-scanner	event-tickets-with-ticket-scanner	93	Event Tickets with Ticket Scanner <= 2.8.5 - Unauthenticated Remote Code Execution	LOW	*-2.8.5	2.8.6	June 30, 2026
event-espresso-decaf	event-espresso-decaf	93	Event Espresso 4 Decaf <= 5.0.37.decaf - Missing Authorization to Unauthenticated Settings Change	LOW	* - 5.0.37.decaf	5.0.53.decaf	June 30, 2026
codistoconnect	codistoconnect	89	Omnichannel for WooCommerce <= 1.3.65 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.3.65		June 30, 2026
cleverreach-wp	cleverreach-wp	93	CleverReach® WP <= 1.5.21 - Unauthenticated SQL Injection	LOW	*-1.5.21	1.5.22	June 30, 2026
addons-for-visual-composer	addons-for-visual-composer	93	Livemesh Addons for WPBakery Page Builder <= 3.9.4 - Authenticated (Editor+) Stored Cross-Site Scripting	LOW	*-3.9.4		June 30, 2026
Drag and Drop Multiple File Upload for Contact Form 7	drag-and-drop-multiple-file-upload-contact-form-7	93	Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion	LOW	*-1.3.9.2	1.3.9.3	June 30, 2026
wp-members	wp-members	N/A	WP-Members Membership Plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields	LOW	*-3.5.4.3	3.5.4.4	June 30, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments	N/A	Simply Schedule Appointments <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters	LOW	*-1.6.9.9	1.6.9.13	June 30, 2026
universal-google-adsense-and-ads-manager	universal-google-adsense-and-ads-manager	N/A	Universal Google Adsense and Ads manager <= 1.1.8 - Missing Authorization	LOW	*-1.1.8		June 30, 2026
simple-gdpr-cookie-compliance	simple-gdpr-cookie-compliance	N/A	Simple GDPR Cookie Compliance <= 2.0.0 - Missing Authorization	LOW	*-2.0.0	2.0.1	June 30, 2026

LOW

smart-product-viewer

Score: N/A Smart Product Viewer <= 1.5.4 - Missing Authorization Affected: *-1.5.4 Patched: Updated: June 30, 2026

LOW

ninja-tables

Score: N/A Ninja Tables – Easy Data Table Builder <= 5.2.5 - Authenticated (Contributor+) Information Exposure Affected: *-5.2.5 Patched: 5.2.6 Updated: June 30, 2026

LOW

ajax-hits-counter

Score: 95/100 AJAX Hits Counter + Popular Posts Widget <= 0.10.210305 - Missing Authorization Affected: *-0.10.210305 Patched: Updated: June 30, 2026

LOW

wpresidence-core

Score: N/A Wpresidence Core <= 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-5.4.0 Patched: Updated: June 30, 2026

LOW

Spectra Gutenberg Blocks – Website Builder for the Block Editor

ultimate-addons-for-gutenberg

Score: N/A Spectra <= 2.19.17 - Missing Authorization Affected: *-2.19.17 Patched: 2.19.18 Updated: June 30, 2026

LOW

premium-addons-for-elementor

Score: N/A Premium Addons for Elementor <= 4.11.63 - Missing Authorization to Authenticated (Subscriber+) Settings Update Affected: *-4.11.63 Patched: 4.11.64 Updated: June 30, 2026

LOW

houzez-theme-functionality

Score: 93/100 Houzez Theme - Functionality <= 4.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-4.2.6 Patched: 4.2.7 Updated: June 30, 2026

LOW

cargus

Score: 93/100 Cargus <= 1.5.8 - Unauthenticated Information Exposure Affected: *-1.5.8 Patched: 1.5.9 Updated: June 30, 2026

LOW

woocommerce-for-paygent-payment-main

Score: N/A PAYGENT for WooCommerce <= 2.4.6 - Missing Authorization to Unauthenticated Payment Callback Manipulation Affected: *-2.4.6 Patched: 2.4.7 Updated: June 30, 2026

LOW

integrate-dynamics-365-crm

Score: 93/100 Integrate Dynamics 365 CRM <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration Affected: *-1.1.1 Patched: 1.1.2 Updated: June 30, 2026

LOW

CubeWP Framework

cubewp-framework

Score: 74/100 CubeWP <= 1.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode Affected: *-1.1.26 Patched: 1.1.27 Updated: June 30, 2026

LOW

CubeWP Framework

cubewp-framework

Score: 74/100 CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 - Unauthenticated Information Exposure Affected: *-1.1.27 Patched: 1.1.28 Updated: June 30, 2026

LOW

spin-wheel

Score: N/A Spin Wheel <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter Affected: *-2.1.0 Patched: 2.1.1 Updated: June 30, 2026

LOW

team-section

Score: N/A Team Section Block <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link Affected: *-2.0.0 Patched: 2.0.1 Updated: June 30, 2026

LOW

community-events

Score: 93/100 Community Events <= 1.5.6 - Missing Authorization to Unauthenticated Arbitrary Event Approval via 'eventlist' Parameter Affected: *-1.5.6 Patched: 1.5.7 Updated: June 30, 2026

LOW

memsource-connector

Score: 93/100 Phrase TMS Integration for WordPress <= 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Log Deletion Affected: *-4.7.5 Patched: 4.7.6 Updated: June 30, 2026

LOW

thim-blocks

Score: N/A Gutenberg Thim Blocks <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter Affected: *-1.0.1 Patched: 1.0.2 Updated: June 30, 2026

LOW

church-admin

Score: 93/100 Church Admin <= 5.0.28 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'audio_url' Parameter Affected: *-5.0.28 Patched: 5.0.29 Updated: June 30, 2026

LOW

wp-paypal

Score: N/A Payment Button for PayPal <= 1.2.3.41 - Missing Authorization to Unauthenticated Arbitrary Order Creation Affected: *-1.2.3.41 Patched: 1.2.3.42 Updated: June 30, 2026

LOW

computer-repair-shop

Score: 93/100 RepairBuddy <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders Affected: *-4.1116 Patched: 4.1121 Updated: June 30, 2026

LOW

filr-protection

Score: 93/100 Filr – Secure document library <= 1.2.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via HTML Upload Affected: *-1.2.11 Patched: 1.2.12 Updated: June 30, 2026

LOW

wallet-system-for-woocommerce

Score: N/A Wallet System for WooCommerce <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wallet Balance Manipulation Affected: *-2.7.2 Patched: 2.7.3 Updated: June 30, 2026

LOW

youtube-feed-pro

Score: N/A Feeds for YouTube Pro <= 2.6.0 - Unauthenticated Arbitrary File Read via Path Traversal Affected: *-2.6.0 Patched: 2.6.1 Updated: June 30, 2026

LOW

WP Hotel Booking

wp-hotel-booking

Score: N/A WP Hotel Booking <= 2.2.7 - Unauthenticated Sensitive Information Exposure via 'email' Parameter Affected: *-2.2.7 Patched: 2.2.8 Updated: June 30, 2026

LOW

quick-contact-form

Score: N/A Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay Affected: *-8.2.6 Patched: 8.2.7 Updated: June 30, 2026

LOW

custom-registration-form-builder-with-submission-manager

Score: 93/100 RegistrationMagic <= 6.0.7.1 - Unauthenticated Privilege Escalation via admin_order Affected: *-6.0.7.1 Patched: 6.0.7.2 Updated: June 30, 2026

LOW

wp-mail

Score: N/A Mail <= 1.3 - Reflected Cross-Site Scripting Affected: *-1.3 Patched: Updated: June 30, 2026

LOW

wordcents

Score: N/A Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 - Reflected Cross-Site Scripting Affected: *-1.3.03.27 Patched: Updated: June 30, 2026

LOW

wc-peach-payments-gateway

Score: N/A Peach Payments Gateway <= 3.3.6 - Missing Authorization Affected: *-3.3.6 Patched: 3.3.7 Updated: June 30, 2026

LOW

user-registration-using-contact-form-7

Score: N/A User Registration Using Contact Form 7 <= 2.5 - Authenticated (Subscriber+) Information Exposure Affected: *-2.5 Patched: 2.6 Updated: June 30, 2026

LOW

tickera-event-ticketing-system

Score: N/A Tickera <= 3.5.6.2 - Missing Authorization Affected: *-3.5.6.2 Patched: 3.5.6.3 Updated: June 30, 2026

LOW

the-guardian-news-feed

Score: N/A The Guardian News Feed <= 1.2 - Cross-Site Request Forgery to Settings Update Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

syntax-highlighter-compress

Score: N/A Syntax Highlighter Compress <= 3.0.83.3 - Reflected Cross-Site Scripting Affected: *-3.0.83.3 Patched: Updated: June 30, 2026

LOW

registration-login-with-mobile-phone-number

Score: N/A Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 - Authentication Bypass Affected: *-1.3.1 Patched: 1.3.2 Updated: June 30, 2026

LOW

quote-master

Score: N/A Quote Master <= 7.1.1 - Reflected Cross-Site Scripting Affected: *-7.1.1 Patched: Updated: June 30, 2026

LOW

post-slides

Score: N/A Post Slides <= 1.0.1 - Authenticated (Contributor+) Local File Inclusion Affected: *-1.0.1 Patched: Updated: June 30, 2026

LOW

onepay-payment-gateway-for-woocommerce

Score: N/A onepay Payment Gateway For WooCommerce <= 1.1.2 - Missing Authorization to Unauthenticated Order Status Modification Affected: *-1.1.2 Patched: 1.1.3 Updated: June 30, 2026

LOW

Frontend File Manager Plugin

nmedia-user-file-uploader

Score: 86/100 Frontend File Manager Plugin <= 23.5 - Unauthenticated Insecure Direct Object Reference Affected: *-23.5 Patched: 23.6 Updated: June 30, 2026

LOW

modular-connector

Score: 93/100 Modular DS 2.5.2 - Unauthenticated Privilege Escalation Affected: 2.5.2 Patched: 2.6.0 Updated: June 30, 2026

LOW

faq-schema-block-to-accordion

Score: 91/100 Turn Yoast SEO FAQ Block to Accordion <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0.6 Patched: Updated: June 30, 2026

LOW

elementinvader

Score: 93/100 Element Invader – Template Kits for Elementor <= 1.2.4 - Missing Authorization Affected: *-1.2.4 Patched: 1.2.5 Updated: June 30, 2026

LOW

dooodl

Score: 91/100 Dooodl <= 2.3.0 - Reflected Cross-Site Scripting Affected: *-2.3.0 Patched: Updated: June 30, 2026

LOW

demo-importer-plus

Score: 93/100 Demo Importer Plus <= 2.0.9 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload Affected: *-2.0.9 Patched: 2.0.10 Updated: June 30, 2026

LOW

cm-email-blacklist

Score: 93/100 CM E-Mail Blacklist <= 1.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter Affected: *-1.6.2 Patched: 1.6.3 Updated: June 30, 2026

LOW

cm-business-directory

Score: 93/100 CM Business Directory – Optimise and showcase local business <= 1.5.3 - Authenticated (Author+) Stored Cross-Site Scripting Affected: *-1.5.3 Patched: 1.5.4 Updated: June 30, 2026

LOW

client-portal

Score: 93/100 Client Portal – Private user pages and login <= 1.2.1 - Missing Authorization Affected: *-1.2.1 Patched: 1.2.2 Updated: June 30, 2026

LOW

bidorbuystoreintegrator

Score: 89/100 bidorbuy Store Integrator <= 2.12.0 - Reflected Cross-Site Scripting Affected: *-2.12.0 Patched: Updated: June 30, 2026

LOW

best-wp-google-map

Score: 91/100 Best-wp-google-map <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'latitude' Shortcode Attribute Affected: *-2.1 Patched: Updated: June 30, 2026

LOW

bdthemes-element-pack-lite

Score: 93/100 Element Pack Elementor Addons <= 8.3.13 - Cross-Site Request Forgery Affected: *-8.3.13 Patched: 8.3.14 Updated: June 30, 2026

LOW

Antideo Email Validator

antideo-email-validator

Score: 94/100 Antideo Email Validator <= 1.0.10 - Unauthenticated SQL Injection Affected: *-1.0.10 Patched: 1.0.11 Updated: June 30, 2026

LOW

another-wordpress-classifieds-plugin

Score: 97/100 AWP Classifieds <= 4.4.3 - Unauthenticated Information Exposure Affected: *-4.4.3 Patched: 4.4.4 Updated: June 30, 2026

LOW

Advanced Ads – Ad Manager & AdSense

advanced-ads

Score: 80/100 Advanced Ads – Ad Manager & AdSense <= 2.0.15 - Authenticated (Admin+) SQL Injection Affected: *-2.0.15 Patched: 2.0.16 Updated: June 30, 2026

LOW

Membership Plugin – Kadence Memberships

restrict-content

Score: N/A Membership Plugin – Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure Affected: *-3.2.16 Patched: 3.2.17 Updated: June 30, 2026

LOW

cost-calculator-builder

Score: 93/100 Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass Affected: *-3.6.9 Patched: 3.6.10 Updated: June 30, 2026

LOW

Essential Addons for Elementor – Popular Elementor Templates & Widgets

essential-addons-for-elementor-lite

Score: 85/100 Essential Addons for Elementor <= 6.5.5 - Missing Authorization to Unauthenticated Sensitive Information Exposure Affected: *-6.5.5 Patched: 6.5.6 Updated: June 30, 2026

LOW

wp-rss-aggregator

Score: N/A RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Reflected Cross-Site Scripting via className Affected: *-5.0.10 Patched: 5.0.11 Updated: June 30, 2026

LOW

last-email-address-validator

Score: 91/100 LEAV Last Email Address Validator <= 1.7.1 - Cross-Site Request Forgery to Plugin Settings Update Affected: *-1.7.1 Patched: Updated: June 30, 2026

LOW

related-posts-by-taxonomy

Score: N/A Related Posts by Taxonomy <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'related_posts_by_tax' Shortcode Affected: *-2.7.6 Patched: 2.7.7 Updated: June 30, 2026

LOW

dk-pdf

Score: 93/100 DK PDF – WordPress PDF Generator <= 2.3.0 - Authenticated (Author+) Server-Side Request Forgery Affected: *-2.3.0 Patched: 2.3.1 Updated: June 30, 2026

LOW

woo-rede

Score: N/A Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.5 - Missing Authorization to Unauthenticated Rede Order Logs Deletion Affected: *-5.1.5 Patched: 5.1.6 Updated: June 30, 2026

LOW

woo-rede

Score: N/A Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.2 - Unauthenticated Order Status Manipulation Affected: *-5.1.2 Patched: 5.1.3 Updated: June 30, 2026

LOW

All-in-One Video Gallery

all-in-one-video-gallery

Score: 70/100 All-in-One Video Gallery <= 4.5.7 - Authenticated (Author+) Arbitrary File Upload via VTT Upload Bypass Affected: *-4.5.7 Patched: 4.6.4 Updated: June 30, 2026

LOW

All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

all-in-one-seo-pack

Score: 88/100 All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure Affected: *-4.9.2 Patched: 4.9.3 Updated: June 30, 2026

LOW

Booking Calendar

booking

Score: 71/100 Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure Affected: *-10.14.11 Patched: 10.14.12 Updated: June 30, 2026

LOW

wp-simple-firewall

Score: N/A Shield Security <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator Affected: *-21.0.9 Patched: 21.0.10 Updated: June 30, 2026

LOW

awesome-support

Score: 93/100 Awesome Support – WordPress HelpDesk & Support Plugin <= 6.3.6 - Missing Authorization to Unauthenticated Role Demotion Affected: *-6.3.6 Patched: 6.3.7 Updated: June 30, 2026

LOW

supreme-modules-for-divi

Score: N/A Supreme Modules Lite <= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass Affected: *-2.5.62 Patched: 2.5.63 Updated: June 30, 2026

LOW

affiliatex

Score: 97/100 AffiliateX 1.0.0 - 1.3.9.3 - Authenticated (Subscriber+) Missing Authorization to Stored Cross-Site Scripting via save_customization_settings Affected: 1.0.0-1.3.9.3 Patched: 1.4.0 Updated: June 30, 2026

LOW

zoho-crm-forms

Score: N/A Zoho CRM Lead Magnet <= 1.8.1.9 - Missing Authorization Affected: *-1.8.1.9 Patched: 1.8.2.0 Updated: June 30, 2026

LOW

WPMasterToolKit (WPMTK) – All in one plugin

wpmastertoolkit

Score: N/A WPMasterToolKit <= 2.14.0 - Missing Authorization Affected: *-2.14.0 Patched: 2.14.1 Updated: June 30, 2026

LOW

WP Test Email

wp-test-email

Score: 90/100 Test Email <= 1.1.7 - Reflected Cross-Site Scripting Affected: *-1.1.7 Patched: Updated: June 30, 2026

LOW

wp-simple-redirect

Score: N/A Simple Redirect <= 1.1 - Reflected Cross-Site Scripting Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

workreap_core

Score: N/A Workreap Core <= 3.4.0 - Authentication Bypass Affected: *-3.4.0 Patched: Updated: June 30, 2026

LOW

woozone

Score: N/A WZone <= 14.0.31 - Missing Authorization Affected: *-14.0.31 Patched: Updated: June 30, 2026

LOW

woo-thank-you-page-nextmove-lite

Score: N/A NextMove Lite <= 2.23.0 - Unauthenticated Insecure Direct Object Reference Affected: *-2.23.0 Patched: 2.24.0 Updated: June 30, 2026

LOW

woo-book-price

Score: N/A Woocommerce Book Price <= 1.3 - Authenticated (Subscriber++) Arbitrary File Download Affected: *-1.3 Patched: Updated: June 30, 2026

LOW

wheel-of-life

Score: N/A Wheel of Life <= 1.2.0 - Missing Authorization Affected: *-1.2.0 Patched: 1.2.1 Updated: June 30, 2026

LOW

wdv-one-page-docs

Score: N/A WDV One Page Docs <= 1.2.4 - Missing Authorization Affected: *-1.2.4 Patched: Updated: June 30, 2026

LOW

wc-frontend-manager-ultimate

Score: N/A WooCommerce Frontend Manager – Ultimate < 6.7.7 - Authenticated (Subscriber+) SQL Injection Affected: [*, 6.7.7) Patched: 6.7.7 Updated: June 30, 2026

LOW

user-submitted-posts

Score: N/A User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usp_access' Shortcode Affected: *-20260110 Patched: 20260113 Updated: June 30, 2026

LOW

synergy-project-manager

Score: N/A Synergy Project Manager <= 1.5 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.5 Patched: Updated: June 30, 2026

LOW

shown-connector

Score: N/A Shown Connector <= 1.2.10 - Missing Authorization to Unauthenticated Settings Update Affected: *-1.2.10 Patched: Updated: June 30, 2026

LOW

related-posts-thumbnails

Score: N/A Related Posts Thumbnails Plugin for WordPress <= 4.3.2 - Cross-Site Request Forgery Affected: *-4.3.2 Patched: 4.3.3 Updated: June 30, 2026

LOW

notificationx

Score: N/A NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar <= 3.2.1 - Missing Authorization Affected: *-3.2.1 Patched: 3.2.2 Updated: June 30, 2026

LOW

multilanguage

Score: N/A Multilanguage by BestWebSoft <= 1.5.2 - Missing Authorization Affected: *-1.5.2 Patched: Updated: June 30, 2026

LOW

learnpress-course-review

Score: 93/100 LearnPress – Course Review <= 4.1.9 - Authenticated (Learnpress student+) Stored Cross-Site Scripting Affected: *-4.1.9 Patched: 4.2.0 Updated: June 30, 2026

LOW

infility-global

Score: 81/100 Infility Global <= 2.14.49 - Unauthenticated Stored Cross-Site Scripting Affected: *-2.14.49 Patched: Updated: June 30, 2026

LOW

getgenie

Score: 93/100 GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools <= 4.3.0 - Missing Authorization to Authenticated (Author+) Arbitrary Post Deletion Affected: *-4.3.0 Patched: 4.3.1 Updated: June 30, 2026

LOW

g-ffl-checkout

Score: 93/100 g-FFL Checkout <= 2.1.0 - Unauthenticated Arbitrary File Upload Affected: *-2.1.0 Patched: 2.1.1 Updated: June 30, 2026

LOW

fusion-builder

Score: 93/100 Avada (Fusion) Builder <= 3.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.14.1 Patched: 3.14.2 Updated: June 30, 2026

LOW

event-tickets-with-ticket-scanner

Score: 93/100 Event Tickets with Ticket Scanner <= 2.8.5 - Unauthenticated Remote Code Execution Affected: *-2.8.5 Patched: 2.8.6 Updated: June 30, 2026

LOW

event-espresso-decaf

Score: 93/100 Event Espresso 4 Decaf <= 5.0.37.decaf - Missing Authorization to Unauthenticated Settings Change Affected: * - 5.0.37.decaf Patched: 5.0.53.decaf Updated: June 30, 2026

LOW

codistoconnect

Score: 89/100 Omnichannel for WooCommerce <= 1.3.65 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.3.65 Patched: Updated: June 30, 2026

LOW

cleverreach-wp

Score: 93/100 CleverReach® WP <= 1.5.21 - Unauthenticated SQL Injection Affected: *-1.5.21 Patched: 1.5.22 Updated: June 30, 2026

LOW

addons-for-visual-composer

Score: 93/100 Livemesh Addons for WPBakery Page Builder <= 3.9.4 - Authenticated (Editor+) Stored Cross-Site Scripting Affected: *-3.9.4 Patched: Updated: June 30, 2026

LOW

Drag and Drop Multiple File Upload for Contact Form 7

drag-and-drop-multiple-file-upload-contact-form-7

Score: 93/100 Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion Affected: *-1.3.9.2 Patched: 1.3.9.3 Updated: June 30, 2026

LOW

wp-members

Score: N/A WP-Members Membership Plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields Affected: *-3.5.4.3 Patched: 3.5.4.4 Updated: June 30, 2026

LOW

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

simply-schedule-appointments

Score: N/A Simply Schedule Appointments <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters Affected: *-1.6.9.9 Patched: 1.6.9.13 Updated: June 30, 2026

LOW

universal-google-adsense-and-ads-manager

Score: N/A Universal Google Adsense and Ads manager <= 1.1.8 - Missing Authorization Affected: *-1.1.8 Patched: Updated: June 30, 2026

LOW

simple-gdpr-cookie-compliance

Score: N/A Simple GDPR Cookie Compliance <= 2.0.0 - Missing Authorization Affected: *-2.0.0 Patched: 2.0.1 Updated: June 30, 2026

Showing 3401 to 3500 of 36296 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 16:28 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List