Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36316 (across tracked plugins)

Affected Plugins: 96 (with open vulnerabilities)

Critical / High: 0 (require immediate attention)

Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| quote-comments | quote-comments | N/A | Quote Comments <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update | | LOW | *-3.0.0 | | June 30, 2026 |
| newsletter-email-subscribe | newsletter-email-subscribe | N/A | Newsletter Email Subscribe <= 2.4 - Cross-Site Request Forgery to Plugin Settings Update | | LOW | *-2.4 | | June 30, 2026 |
| hblpay-payment-gateway-for-woocommerce | hblpay-payment-gateway-for-woocommerce | 93 | HBLPAY Payment Gateway for WooCommerce <= 5.0.0 - Reflected Cross-Site Scripting via 'cusdata' Parameter | | LOW | *-5.0.0 | 6.0.0 | June 30, 2026 |
| flashcard | flashcard | 91 | Flashcard Plugin for WordPress <= 0.9 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal | | LOW | *-0.9 | | June 30, 2026 |
| twinklesmtp | twinklesmtp | N/A | twinklesmtp – Email Service Provider For WordPress <= 1.03 - Authenticated (Administrator+) Stored Cross-Site Scripting via Sender Settings | | LOW | *-1.03 | | June 30, 2026 |
| simple-user-meta-editor | simple-user-meta-editor | N/A | Simple User Meta Editor <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via User Meta Value Field | | LOW | *-1.0.0 | | June 30, 2026 |
| helpdesk-contact-form | helpdesk-contact-form | 93 | HelpDesk contact form plugin <= 1.1.5 - Cross-Site Request Forgery to Settings Update via handle_query_args | | LOW | *-1.1.5 | 1.1.6 | June 30, 2026 |
| ipaymu-for-woocommerce | ipaymu-for-woocommerce | 93 | iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure | | LOW | *-2.0.2 | 2.0.3 | June 30, 2026 |
| ns-ie-compatibility-fixer | ns-ie-compatibility-fixer | N/A | NS IE Compatibility Fixer <= 2.1.5 - Cross-Site Request Forgery to Plugin Settings Update | | LOW | *-2.1.5 | | June 30, 2026 |
| Drag and Drop Multiple File Upload for Contact Form 7 | drag-and-drop-multiple-file-upload-contact-form-7 | 93 | Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary File Upload | | LOW | *-1.3.9.2 | 1.3.9.3 | June 30, 2026 |
| bit-form | bit-form | 93 | Bit Form – Contact Form Plugin <= 2.21.6 - Missing Authorization to Unauthenticated Workflow Replay | | LOW | *-2.21.6 | 2.21.7 | June 30, 2026 |
| wp-photo-album-plus | wp-photo-album-plus | N/A | WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting | | LOW | *-9.1.05.008 | 9.1.05.009 | June 30, 2026 |
| accelerated-mobile-pages | accelerated-mobile-pages | 97 | AMP for WP – Accelerated Mobile Pages <= 1.1.9 - Cross-Site Request Forgery to Comment Submission | | LOW | *-1.1.9 | 1.1.10 | June 30, 2026 |
| customer-reviews-woocommerce | customer-reviews-woocommerce | 93 | Customer Reviews for WooCommerce <= 5.93.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via displayName Parameter | | LOW | *-5.93.1 | 5.94.0 | June 30, 2026 |
| emailkit | emailkit | 93 | EmailKit <= 1.6.1 - Authenticated (Author+) Arbitrary File Read via Path Traversal | | LOW | *-1.6.1 | 1.6.2 | June 30, 2026 |
| wp-members | wp-members | N/A | WP-Members Membership Plugin <= 3.5.4.4 - Unauthenticated Information Exposure via Unprotected Files | | LOW | *-3.5.4.4 | 3.5.4.5 | June 30, 2026 |
| YayMail – WooCommerce Email Customizer | yaymail | N/A | YayMail – WooCommerce Email Customizer <= 4.3.2 - Missing Authorization | | LOW | *-4.3.2 | 4.3.3 | June 30, 2026 |
| user-activity-log | user-activity-log | N/A | User Activity Log <= 2.2 - Unauthenticated Limited Arbitrary Option Update | | LOW | *-2.2 | | June 30, 2026 |
| ultimate-reviews | ultimate-reviews | N/A | Ultimate Reviews <= 3.2.16 - Unauthenticated Insecure Direct Object Reference | | LOW | *-3.2.16 | 3.2.17 | June 30, 2026 |
| teachpress | teachpress | N/A | teachPress <= 9.0.12 - Cross-Site Request Forgery | | LOW | *-9.0.12 | 9.0.13 | June 30, 2026 |
| taskbuilder | taskbuilder | N/A | Taskbuilder <= 4.0.9 - Reflected Cross-Site Scripting | | LOW | *-4.0.9 | 5.0.0 | June 30, 2026 |
| smsa-shipping-official | smsa-shipping-official | N/A | SMSA Shipping <= 2.3 - Authenticated (Subscriber+) Arbitrary File Deletion | | LOW | *-2.3 | 2.4 | June 30, 2026 |
| listeo-core | listeo-core | 91 | Listeo Core < 2.0.19 - Reflected Cross-Site Scripting | | LOW | [*, 2.0.19) | 2.0.19 | June 30, 2026 |
| imgspider | imgspider | 91 | IMGspider <= 2.3.12 - Authenticated (Contributor+) Server-Side Request Forgery | | LOW | *-2.3.12 | | June 30, 2026 |
| fs-real-estate-plugin | fs-real-estate-plugin | 91 | FireStorm Professional Real Estate <= 2.7.11 - Authenticated (Administrator+) SQL Injection | | LOW | *-2.7.11 | | June 30, 2026 |
| Essential Addons for Elementor – Popular Elementor Templates & Widgets | essential-addons-for-elementor-lite | 85 | Essential Addons for Elementor <= 6.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-6.5.3 | 6.5.4 | June 30, 2026 |
| ehive-search | ehive-search | 93 | eHive Search <= 2.5.0 - Reflected Cross-Site Scripting | | LOW | *-2.5.0 | 2.5.1 | June 30, 2026 |
| edublink-core | edublink-core | 91 | EduBlink Core <= 2.0.7 - Authenticated (Contributor+) Local File Inclusion | | LOW | *-2.0.7 | | June 30, 2026 |
| easy-form-builder | easy-form-builder | 93 | Easy Form Builder <= 3.9.6 - Missing Authorization | | LOW | *-3.9.6 | 4.0.0 | June 30, 2026 |
| countdown-for-the-events-calendar | countdown-for-the-events-calendar | 93 | The Events Calendar Countdown Addon <= 1.4.15 - Missing Authorization | | LOW | *-1.4.15 | 1.4.16 | June 30, 2026 |
| BulletProof Security | bulletproof-security | 68 | BulletProof Security <= 6.9 - Unauthenticated Sensitive Information Exposure | | LOW | *-6.9 | 7.0 | June 30, 2026 |
| better-business-reviews | better-business-reviews | 93 | Better Business Reviews <= 0.1.1 - Missing Authorization | | LOW | *-0.1.1 | 0.1.2 | June 30, 2026 |
| bd-courier-order-ratio-checker | bd-courier-order-ratio-checker | 91 | BD Courier Order Ratio Checker <= 2.0.1 - Missing Authorization | | LOW | *-2.0.1 | | June 30, 2026 |
| affiliatex | affiliatex | 97 | AffiliateX <= 1.3.9.3 - Missing Authorization | | LOW | *-1.3.9.3 | 1.4.0 | June 30, 2026 |
| mediapress | mediapress | 93 | MediaPress <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode | | LOW | *-1.6.1 | 1.6.2 | June 30, 2026 |
| quiz-master-next | quiz-master-next | N/A | Quiz and Survey Master (QSM) <= 10.3.1 - Missing Authorization to Unpublished, Private And Password-Protected Quiz Information Disclosure And Image Response Uploads | | LOW | *-10.3.1 | 10.3.2 | June 30, 2026 |
| quiz-master-next | quiz-master-next | N/A | Quiz and Survey Master (QSM) <= 10.3.1 - Authenticated (Subscriber+) SQL Injection via `is_linking` Query Parameter | | LOW | *-10.3.1 | 10.3.2 | June 30, 2026 |
| timetics | timetics | N/A | Appointment Booking and Scheduling Calendar Plugin – WP Timetics <= 1.0.36 - Missing Authorization to Unauthenticated Booking Details View And Modification | | LOW | *-1.0.36 | 1.0.37 | June 30, 2026 |
| quiz-master-next | quiz-master-next | N/A | Quiz And Survey Master <= 10.3.1 - Missing Authorization to Authenticated (Subscriber+) Quiz Results Deletion | | LOW | *-10.3.1 | 10.3.2 | June 30, 2026 |
| learnpress | learnpress | 93 | LearnPress – WordPress LMS Plugin <= 4.3.2 - Missing Authentication to Unauthenticated Course Modification | | LOW | *-4.3.2 | 4.3.2.1 | June 30, 2026 |
| masterstudy-lms-learning-management-system | masterstudy-lms-learning-management-system | 93 | MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.6 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion | | LOW | *-3.7.6 | 3.7.7 | June 30, 2026 |
| Tag, Category, and Taxonomy Manager – Autotagger Automatically Add Terms | simple-tags | 70 | TaxoPress <= 3.41.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Tag Modification | | LOW | *-3.41.0 | 3.42.0 | June 30, 2026 |
| advanced-custom-fields-table-field | advanced-custom-fields-table-field | 97 | Table Field Add-on for ACF and SCF <= 1.3.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table Cell Content | | LOW | *-1.3.30 | 1.3.31 | June 30, 2026 |
| gamipress | gamipress | 93 | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.6.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure | | LOW | *-7.6.1 | 7.6.2 | June 30, 2026 |
| auxin-elements | auxin-elements | 89 | Shortcodes and extra features for Phlox theme <= 2.17.13 - Unauthenticated Draft Posts Information Exposure | | LOW | *-2.17.13 | 2.17.14 | June 30, 2026 |
| registration-password | registration-password | N/A | FS Registration Password <= 1.0.1 - Unauthenticated Privilege Escalation via Account Takeover | | LOW | *-1.0.1 | 2.0.1 | June 30, 2026 |
| bp-xprofile-custom-field-types | bp-xprofile-custom-field-types | 93 | BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion | | LOW | *-1.2.8 | 1.3.0 | June 30, 2026 |
| as-password-field-in-default-registration-form | as-password-field-in-default-registration-form | 95 | AS Password Field In Default Registration Form <= 2.0.0 - Unauthenticated Privilege Escalation via Account Takeover | | LOW | *-2.0.0 | | June 30, 2026 |
| Xagio SEO – AI Powered SEO | xagio-seo | 64 | Xagio SEO <= 7.1.0.30 - Authenticated (Subscriber+) Server-Side Request Forgery | | LOW | *-7.1.0.30 | 7.1.0.31 | June 30, 2026 |
| popup-builder-block | popup-builder-block | N/A | Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion | | LOW | *-2.2.0 | 2.2.1 | June 30, 2026 |
| url-image-importer | url-image-importer | N/A | URL Image Importer <= 1.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload | | LOW | *-1.0.7 | 1.0.8 | June 30, 2026 |
| Depicter — Popup & Slider Builder | depicter | 95 | Depicter <= 4.0.7 - Missing Authorization to Unauthenticated Display Rule Updates | | LOW | *-4.0.7 | 4.7.0 | June 30, 2026 |
| cbxwpbookmark | cbxwpbookmark | 93 | CBX Bookmark & Favorite <= 2.0.4 - Authenticated (Subscriber+) SQL Injection via `orderby` Parameter | | LOW | *-2.0.4 | 2.0.5 | June 30, 2026 |
| Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | simply-schedule-appointments | N/A | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthenticated Sensitive Information Exposure | | LOW | *-1.6.9.5 | 1.6.9.6 | June 30, 2026 |
| wc-support-system | wc-support-system | N/A | ilGhera Support System for WooCommerce <= 1.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Deletion | | LOW | *-1.2.6 | 1.2.7 | June 30, 2026 |
| page-expire-popup | page-expire-popup | N/A | Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute | | LOW | *-1.0 | 1.1 | June 30, 2026 |
| fastdup | fastdup | 93 | FastDup <= 2.7 - Authenticated (Contributor+) Path Traversal via 'dir_path' REST Parameter | | LOW | *-2.7 | 2.7.1 | June 30, 2026 |
| form-vibes | form-vibes | 93 | Form Vibes – Database Manager for Forms <= 1.4.13 - Authenticated (Admin+) SQL Injection | | LOW | *-1.4.13 | 1.5 | June 30, 2026 |
| forumwp | forumwp | 93 | ForumWP – Forum & Discussion Board <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name | | LOW | *-2.1.6 | 2.1.7 | June 30, 2026 |
| Download Manager | download-manager | 63 | Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword | | LOW | *-3.3.40 | 3.3.41 | June 30, 2026 |
| Sugar Calendar – Events Calendar, Event Tickets, and Events Management Platform | sugar-calendar-lite | N/A | Sugar Calendar (Lite) <= 3.9.1 - Missing Authorization | | LOW | *-3.9.1 | 3.10.0 | June 30, 2026 |
| woffice-core | woffice-core | N/A | Woffice Core <= 5.4.30 - Unauthenticated Insecure Direct Object Reference | | LOW | *-5.4.30 | 5.4.31 | June 30, 2026 |
| timetics | timetics | N/A | Timetics <= 1.0.46 - Incorrect Authorization to Authenticated (Timetics Customer+) User Creation | | LOW | *-1.0.46 | 1.0.48 | June 30, 2026 |
| spiffy-calendar | spiffy-calendar | N/A | Spiffy Calendar <= 5.0.7 - Missing Authorization | | LOW | *-5.0.7 | 5.0.8 | June 30, 2026 |
| post-and-page-builder | post-and-page-builder | N/A | Post and Page Builder by BoldGrid <= 1.27.9 - Missing Authorization | | LOW | *-1.27.9 | 1.27.10 | June 30, 2026 |
| link-whisper | link-whisper | 93 | Link Whisper Free <= 0.8.8 - Reflected Cross-Site Scripting | | LOW | *-0.8.8 | 0.8.9 | June 30, 2026 |
| jet-engine | jet-engine | 93 | JetEngine <= 3.7.7 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-3.7.7 | 3.7.8 | June 30, 2026 |
| icegram | icegram | 93 | Icegram <= 3.1.35 - Missing Authorization | | LOW | *-3.1.35 | 3.1.36 | June 30, 2026 |
| getgenie | getgenie | 93 | GetGenie <= 4.3.0 - Missing Authorization | | LOW | *-4.3.0 | 4.3.1 | June 30, 2026 |
| Fluent Support – Helpdesk & Customer Support Ticket System | fluent-support | 79 | Fluent Support <= 1.10.4 - Missing Authorization | | LOW | *-1.10.4 | 1.10.5 | June 30, 2026 |
| Depicter — Popup & Slider Builder | depicter | 95 | Depicter Slider <= 4.0.4 - Missing Authorization | | LOW | *-4.0.4 | 4.0.5 | June 30, 2026 |
| demo-importer-plus | demo-importer-plus | 93 | Demo Importer Plus <= 2.0.8 - Missing Authorization | | LOW | *-2.0.8 | 2.0.9 | June 30, 2026 |
| Cookies and Content Security Policy | cookies-and-content-security-policy | 89 | Cookies and Content Security Policy <= 2.34 - Unauthenticated Information Exposure | | LOW | *-2.34 | 2.35 | June 30, 2026 |
| absolute-addons | absolute-addons | 95 | Absolute Addons For Elementor <= 1.0.14 - Missing Authorization | | LOW | *-1.0.14 | | June 30, 2026 |
| my-auctions-allegro-free-edition | my-auctions-allegro-free-edition | 89 | My auctions allegro <= 3.6.33 - Authenticated (Contributor+) Local File Inclusion | | LOW | *-3.6.33 | 3.6.34 | June 30, 2026 |
| wp-mapit | wp-mapit | N/A | MapIt <= 3.0.3 - Missing Authorization | | LOW | *-3.0.3 | | June 30, 2026 |
| webappick-product-feed-for-woocommerce | webappick-product-feed-for-woocommerce | N/A | CTX Feed <= 6.6.18 - Missing Authorization | | LOW | *-6.6.18 | 6.6.19 | June 30, 2026 |
| form-to-chat | form-to-chat | 91 | Form to Chat App <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.2.5 | | June 30, 2026 |
| add-polylang-support-for-customizer | add-polylang-support-for-customizer | 95 | Add Polylang support for Customizer <= 1.4.5 - Cross-Site Request Forgery | | LOW | *-1.4.5 | | June 30, 2026 |
| smart-auto-upload-images | smart-auto-upload-images | N/A | Smart Auto Upload Images – Import External Images <= 1.2.2 - Authenticated (Contributor+) Server-Side Request Forgery | | LOW | *-1.2.2 | 1.2.3 | June 30, 2026 |
| apimo | apimo | 95 | Apimo Connector <= 2.6.4 - Missing Authorization | | LOW | *-2.6.4 | | June 30, 2026 |
| tutor | tutor | N/A | Tutor LMS <= 3.9.4 - Authenticated (Instructor+) Insecure Direct Object Reference | | LOW | *-3.9.4 | 3.9.5 | June 30, 2026 |
| Five Star Restaurant Reservations – WordPress Booking Plugin | restaurant-reservations | N/A | Five Star Restaurant Reservations <= 2.7.4 - Unauthenticated Insecure Direct Object Reference | | LOW | *-2.7.4 | 2.7.5 | June 30, 2026 |
| branda-white-labeling | branda-white-labeling | 93 | Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover | | LOW | *-3.4.24 | 3.4.29 | June 30, 2026 |
| User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | wp-user-frontend | N/A | WP User Frontend <= 4.2.4 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion | | LOW | *-4.2.4 | 4.2.5 | June 30, 2026 |
| wp-ultimate-csv-importer | wp-ultimate-csv-importer | N/A | WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass | | LOW | *-7.35 | 7.36 | June 30, 2026 |
| wedesigntech-ultimate-booking-addon | wedesigntech-ultimate-booking-addon | N/A | WeDesignTech Ultimate Booking Addon <= 1.0.3 - Missing Authorization | | LOW | *-1.0.3 | 1.0.4 | June 30, 2026 |
| user-submitted-posts | user-submitted-posts | N/A | User Submitted Posts <= 20251121 - Unauthenticated Open Redirect | | LOW | *-20251121 | 20251210 | June 30, 2026 |
| owl-carousel-wp | owl-carousel-wp | N/A | Owl Carousel WP <= 2.2.2 - Authenticated (Editor+) Stored Cross-Site Scripting | | LOW | *-2.2.2 | | June 30, 2026 |
| Aruba HiSpeed Cache | aruba-hispeed-cache | 94 | Aruba HiSpeed Cache < 3.0.3 - Missing Authorization | | LOW | [*, 3.0.3) | 3.0.3 | June 30, 2026 |
| myd-delivery | myd-delivery | 91 | MyD Delivery <= 1.3.7 - Unauthenticated Insecure Direct Object Reference | | LOW | *-1.3.7 | | June 30, 2026 |
| mybooktable | mybooktable | 89 | MyBookTable Bookstore <= 3.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.5.6 | | June 30, 2026 |
| mx-time-zone-clocks | mx-time-zone-clocks | 89 | MX Time Zone Clocks <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-5.1.1 | | June 30, 2026 |
| wp-tiktok-feed | wp-tiktok-feed | N/A | QuadLayers TikTok Feed <= 4.6.4 - Missing Authorization | | LOW | *-4.6.4 | | June 30, 2026 |
| wp-post-signature | wp-post-signature | N/A | Post Signature <= 0.4.1 - Authenticated (Author+) Stored Cross-Site Scripting | | LOW | *-0.4.1 | | June 30, 2026 |
| wp-gmail-smtp | wp-gmail-smtp | N/A | Gmail SMTP <= 1.0.7 - Cross-Site Request Forgery | | LOW | *-1.0.7 | | June 30, 2026 |
| wp-export-categories-taxonomies | wp-export-categories-taxonomies | N/A | Export Categories & Taxonomies <= 1.0.3 - Missing Authorization | | LOW | *-1.0.3 | | June 30, 2026 |
| wp-email-capture | wp-email-capture | N/A | Email Capture <= 3.12.5 - Cross-Site Request Forgery | | LOW | *-3.12.5 | 3.12.6 | June 30, 2026 |
| wp-easyarchives | wp-easyarchives | N/A | WP-EasyArchives <= 3.1.2 - Cross-Site Request Forgery | | LOW | *-3.1.2 | | June 30, 2026 |
| wp-dashboard-beacon | wp-dashboard-beacon | N/A | Dashboard Beacon <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-1.2.0 | | June 30, 2026 |

Showing 3801 to 3900 of 36316 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 21:31 UTC.