Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36189 (across tracked plugins)

Affected Plugins: 89 (with open vulnerabilities)

Critical / High: 0 (require immediate attention)

Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated
learning-management-system learning-management-system
93
Masteriyo LMS – LMS Course Builder, Quizzes & Certificates <= 2.2.0 - Authenticated (Subscriber+) Privilege Escalation LOW *-2.2.0 2.2.1 June 28, 2026
Knit Pay – Cashfree, Instamojo, Razorpay, PayPal and more knit-pay N/A Knit Pay – Cashfree, Instamojo, Razorpay, PayPal and more <= 9.4.0.0 - Missing Authorization LOW *-9.4.0.0 9.4.0.1 June 28, 2026
jet-engine jet-engine
93
JetEngine < 3.8.9.1 - Unauthenticated SQL Injection LOW [*, 3.8.9.1) 3.8.9.1 June 28, 2026
jet-engine jet-engine
93
JetEngine <= 3.8.9.1 - Authenticated (Contributor+) PHP Object Injection LOW *-3.8.9.1 3.8.10 June 28, 2026
jet-engine jet-engine
93
JetEngine <= 3.8.9.1 - Unauthenticated Stored Cross-Site Scripting LOW *-3.8.9.1 3.8.10 June 28, 2026
jet-engine jet-engine
93
JetEngine <= 3.8.9.1 - Unauthenticated SQL Injection LOW *-3.8.9.1 3.8.10 June 28, 2026
invoicing invoicing
93
Payment forms, Buy now buttons, and Invoicing System | GetPaid <= 2.8.49 - Unauthenticated Information Exposure LOW *-2.8.49 2.8.50 June 28, 2026
hippoo hippoo
93
Hippoo Mobile App for WooCommerce <= 1.9.5 - Missing Authorization LOW *-1.9.5 1.9.6 June 28, 2026
faustwp faustwp N/A Faust.js <= 1.8.7 - Missing Authorization LOW *-1.8.7 1.8.8 June 28, 2026
directorist-booking directorist-booking
91
Booking (Reservation & Appointment) <= 3.0.3 - Authenticated (Subscriber+) SQL Injection LOW *-3.0.3 3.0.4 June 28, 2026
conekta-payment-gateway conekta-payment-gateway N/A Conekta Payment Gateway <= 6.0.0 - Unauthenticated Information Exposure LOW *-6.0.0 6.0.1 June 28, 2026
affiliates-manager affiliates-manager
97
Affiliates Manager <= 2.9.50 - Unauthenticated Information Exposure LOW *-2.9.50 2.9.51 June 28, 2026
advanced-301-and-302-redirect advanced-301-and-302-redirect N/A Advanced 301 and 302 Redirect <= 1.6.9 - Unauthenticated SQL Injection LOW *-1.6.9 1.7.0 June 28, 2026
recipe-card-blocks-by-wpzoom recipe-card-blocks-by-wpzoom N/A Recipe Card Blocks Lite <= 3.4.13 - Authenticated (Author+) Stored Cross-Site Scripting via 'summary' and 'notes' LOW *-3.4.13 3.4.14 June 28, 2026
Booking Package booking-package
85
Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action LOW *-1.7.16 1.7.17 June 28, 2026
photo-gallery photo-gallery N/A Photo Gallery by 10Web <= 1.8.41 - Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter LOW *-1.8.41 1.8.42 June 28, 2026
WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters wp-google-map-plugin
74
WP Maps <= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter LOW *-4.9.4 4.9.5 June 28, 2026
mappress-google-maps-for-wordpress mappress-google-maps-for-wordpress N/A MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints LOW *-2.96.6 2.97.1 June 28, 2026
GEO Plugin by Squirrly SEO squirrly-seo N/A SEO Plugin by Squirrly SEO <= 12.4.16 - Missing Authorization to Authenticated (Contributor+) Privileged Cloud API Operations LOW *-12.4.16 12.4.17 June 28, 2026
klamra-paycal-for-aspaclaria klamra-paycal-for-aspaclaria N/A Klamra Paycal for Aspaclaria <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter LOW *-1.1.4 1.1.5 June 28, 2026
Smart Slider 3 smart-slider-3
90
Smart Slider 3 <= 3.5.1.36 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'src'/'srcset' Attribute in HTML Export LOW *-3.5.1.36 3.5.1.37 June 28, 2026
Essential Addons for Elementor – Popular Elementor Templates & Widgets essential-addons-for-elementor-lite
85
Essential Addons for Elementor <= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler LOW *-6.6.4 6.6.5 June 28, 2026
learnpress learnpress
93
LearnPress <= 4.3.6 - Unauthenticated Sensitive Information Exposure via 'c_status' and 'return_type' Parameters LOW *-4.3.6 4.3.7 June 28, 2026
quick-playground quick-playground N/A Quick Playground <= 1.3.4 - Authenticated (Administrator+) Arbitrary File Read via 'filename' Parameter LOW *-1.3.4 1.3.5 June 28, 2026
mobile-dj-manager mobile-dj-manager N/A MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter LOW *-1.7.8.3 1.7.8.4 June 28, 2026
learnpress-import-export learnpress-import-export
93
LearnPress <= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'import-user-file' Parameter LOW *-4.1.4 4.1.5 June 28, 2026
EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more embedpress
69
EmbedPress <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block 'url' Attribute LOW *-4.5.3 4.5.4 June 28, 2026
Drag and Drop Multiple File Upload for Contact Form 7 drag-and-drop-multiple-file-upload-contact-form-7
93
Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings LOW *-1.3.9.7 1.3.9.8 June 28, 2026
ad-inserter ad-inserter
97
Ad Inserter <= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode LOW *-2.8.15 2.8.16 June 28, 2026
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More wpforms-lite
70
WPForms <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint LOW *-1.10.0.4 1.10.0.5 June 28, 2026
optincraft optincraft N/A OptinCraft <= 1.2.0 - Authenticated (Administrator+) SQL Injection via 'order_by' Parameter LOW *-1.2.0 1.2.1 June 28, 2026
Click to Chat – HoliThemes click-to-chat-for-whatsapp
90
Click to Chat <= 4.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter LOW *-4.39 4.40 June 28, 2026
learnpress-import-export learnpress-import-export
93
LearnPress – Backup & Migration Tool <= 4.1.4 - Authenticated (Administrator+) PHP Object Injection via WXR XML File Upload LOW *-4.1.4 4.1.5 June 28, 2026
page-list page-list N/A Page-list <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes LOW *-6.2 6.3 June 28, 2026
crm-integration-freshworks-any-form crm-integration-freshworks-any-form N/A Integration for Freshsales <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data LOW *-1.0.15 1.0.16 June 28, 2026
master-addons master-addons N/A Master Addons For Elementor <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) LOW *-3.1.0 3.1.1 June 28, 2026
All-In-One Security (AIOS) – Security and Firewall all-in-one-wp-security-and-firewall
72
All-In-One Security (AIOS) <= 5.4.7 - Unauthenticated Stored Cross-Site Scripting via REST API Request Path LOW *-5.4.7 5.4.8 June 28, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events latepoint
83
LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action LOW *-5.6.0 5.6.1 June 28, 2026
simple-seo-slideshow simple-seo-slideshow N/A Simple SEO Slideshow <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes LOW *-1.2.8 1.2.9 June 28, 2026
feedzy-rss-feeds feedzy-rss-feeds
93
RSS Aggregator by Feedzy <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions LOW *-5.1.7 5.1.8 June 28, 2026
quiz-master-next quiz-master-next N/A Quiz and Survey Master (QSM) <= 11.1.2 - Authenticated (Admin+) SQL Injection via 'order' and 'limit' Parameters LOW *-11.1.2 11.1.3 June 28, 2026
WPvivid — Backup, Migration & Staging wpvivid-backuprestore
63
Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.128 - Authenticated (Admin+) Arbitrary Directory Deletion LOW *-0.9.128 0.9.129 June 28, 2026
frontend-user-notes frontend-user-notes
93
Frontend User Notes <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification via 'confirmEdit' Action LOW *-2.1.1 2.2.0 June 28, 2026
wp-stripe-express wp-stripe-express N/A Express Payment For Stripe <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes LOW *-1.28.0 1.28.2 June 28, 2026
charitable charitable
93
Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter LOW *-1.8.11.1 1.8.11.2 June 28, 2026
alba-board alba-board N/A Alba Board <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter LOW *-2.1.3 2.1.4 June 28, 2026
Advanced Google reCAPTCHA advanced-google-recaptcha
89
WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link LOW *-5.38 5.39 June 28, 2026
Advanced Google reCAPTCHA advanced-google-recaptcha
89
WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload LOW *-5.38 5.39 June 28, 2026
hippoo hippoo
93
Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API LOW *-1.9.4 1.9.5 June 28, 2026
WP User Manager – User Profile Builder & Membership wp-user-manager
83
WP User Manager <= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter LOW *-2.9.17 2.9.18 June 28, 2026
WP User Manager – User Profile Builder & Membership wp-user-manager
83
WP User Manager – User Profile Builder & Membership <= 2.9.16 - Authenticated (Subscriber+) Arbitrary File Deletion LOW *-2.9.16 2.9.17 June 28, 2026
WP Travel Engine – Tour Booking Plugin – Tour Operator Software wp-travel-engine N/A WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.10 - Missing Authorization LOW *-6.7.10 6.7.11 June 28, 2026
WP Go Maps (formerly WP Google Maps) wp-google-maps
66
WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback LOW *-10.0.09 10.0.10 June 28, 2026
user-registration-stripe user-registration-stripe N/A User Registration Stripe <= 1.3.12 - Missing Authorization LOW *-1.3.12 1.3.13 June 28, 2026
Shared Files – Frontend File Upload Form & Secure File Sharing shared-files
78
Shared Files – Frontend File Upload Form & Secure File Sharing <= 1.7.64 - Unauthenticated Path Traversal LOW *-1.7.64 1.7.65 June 28, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events latepoint
83
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.5.1 - Authenticated (Contributor+) Privilege Escalation LOW *-5.5.1 5.5.2 June 28, 2026
jet-search jet-search
93
JetSearch <= 3.5.17 - Unauthenticated SQL Injection LOW *-3.5.17 3.5.17.1 June 28, 2026
hybrid-composer hybrid-composer
93
Hybrid Composer <= 1.4.6 - Missing Authorization LOW *-1.4.6 1.4.7 June 28, 2026
event-monster event-monster
93
Event Monster <= 2.1.0 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via em_capture_payment AJAX Action LOW *-2.1.0 2.2.0 June 28, 2026
debug-log-manager debug-log-manager
93
Debug Log Manager <= 2.5.0 - Unauthenticated Improper Output Neutralization for Logs via log_js_errors AJAX Action LOW *-2.5.0 2.5.1 June 28, 2026
codepress-admin-columns codepress-admin-columns
93
Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value LOW *-7.0.18 7.0.19 June 28, 2026
Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons chatway-live-chat
97
Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons <= 1.4.8 - Authenticated (Subscriber+) Information Exposure LOW *-1.4.8 1.4.9 June 28, 2026
cf7-zendesk cf7-zendesk
93
WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 - Unauthenticated PHP Object Injection LOW *-1.1.4 1.1.5 June 28, 2026
cf7-insightly cf7-insightly
93
WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 - Unauthenticated PHP Object Injection LOW *-1.1.4 1.1.5 June 28, 2026
cf7-infusionsoft cf7-infusionsoft
93
Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 - Unauthenticated PHP Object Injection LOW *-1.2.1 1.2.2 June 28, 2026
cf7-active-campaign cf7-active-campaign
93
Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection LOW *-1.1.1 1.1.2 June 28, 2026
ad-manager-wd ad-manager-wd N/A 10WebAdManager <= 1.0.11 - Unauthenticated Arbitrary File Download LOW *-1.0.11 June 28, 2026
essential-blocks essential-blocks
93
Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns <= 6.1.3 - Authenticated (Author+) Server-Side Request Forgery LOW *-6.1.3 6.1.4 June 28, 2026
wpfunnels-pro wpfunnels-pro N/A WPFunnels Pro <= 2.9.4 - Unauthenticated Stored Cross-Site Scripting LOW *-2.9.4 2.9.5 June 28, 2026
wpforo wpforo N/A wpForo Forum <= 3.1.0 - Missing Authorization LOW *-3.1.0 3.1.1 June 28, 2026
wpforo wpforo N/A wpForo Forum <= 3.1.0 - Unauthenticated PHP Object Injection LOW *-3.1.0 3.1.1 June 28, 2026
WP Travel Engine – Tour Booking Plugin – Tour Operator Software wp-travel-engine N/A WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.7.12 - Unauthenticated PHP Object Injection LOW *-6.7.12 6.8.0 June 28, 2026
wp-media-folder-addon wp-media-folder-addon N/A Media folder Addon <= 4.0.1 - Unauthenticated Arbitrary File Download LOW *-4.0.1 4.0.2 June 28, 2026
wp-emember wp-emember N/A Wp EMember <= v10.2.2 - Unauthenticated Information Exposure LOW * - v10.2.2 June 28, 2026
woo-product-slider-pro woo-product-slider-pro N/A Multiple ShapedPlugin Plugins < (Various Versions) - Backdoored Software LOW [*, 3.5.4) 3.5.4 June 28, 2026
usc-e-shop usc-e-shop N/A Welcart e-Commerce <= 2.11.28 - Missing Authorization LOW *-2.11.28 2.11.29 June 28, 2026
Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. upsell-order-bump-offer-for-woocommerce N/A Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. <= 3.1.4 - Missing Authorization LOW *-3.1.4 3.1.5 June 28, 2026
thrive-apprentice thrive-apprentice N/A Thrive Apprentice < 10.8.10.2 - Unauthenticated PHP Object Injection LOW [*, 10.8.10.2) 10.8.10.2 June 28, 2026
testimonial-pro testimonial-pro N/A Multiple ShapedPlugin Plugins < (Various Versions) - Backdoored Software LOW *-3.2.5 June 28, 2026
suretriggers suretriggers N/A OttoKit: All-in-One Automation Platform <= 1.1.27 - Unauthenticated PHP Object Injection LOW *-1.1.27 1.1.28 June 28, 2026
smart-show-post-pro smart-show-post-pro N/A Multiple ShapedPlugin Plugins < (Various Versions) - Backdoored Software LOW [*, 4.0.2) 4.0.2 June 28, 2026
photo-gallery photo-gallery N/A Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.41 - Authenticated (Contributor+) SQL Injection LOW *-1.8.41 1.8.42 June 28, 2026
integracao-rd-station integracao-rd-station
93
RD Station <= 5.6.0 - Authenticated (Contributor+) Remote Code Execution LOW *-5.6.0 5.7.0 June 28, 2026
happyforms happyforms
93
Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms <= 1.26.13 - Unauthenticated PHP Object Injection LOW *-1.26.13 1.26.14 June 28, 2026
GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites gptranslate
89
GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 - Unauthenticated SQL Injection LOW *-2.32.6 2.32.7 June 28, 2026
fv-wordpress-flowplayer fv-wordpress-flowplayer
93
FV Flowplayer Video Player < 7.5.51.7212 - Authenticated (Subscriber+) Stored Cross-Site Scripting LOW [*, 7.5.51.7212) 7.5.51.7212 June 28, 2026
email-encoder-premium email-encoder-premium N/A Email Encoder < 0.3.12 (premium) < 1.0.25 (free) - Unauthenticated Stored Cross-Site Scripting LOW [*, 0.3.12) 0.3.12 June 28, 2026
Email Address Encoder email-address-encoder
95
Email Encoder < 0.3.12 (premium) < 1.0.25 (free) - Unauthenticated Stored Cross-Site Scripting LOW [*, 1.0.25) 1.0.25 June 28, 2026
custom-registration-form-builder-with-submission-manager custom-registration-form-builder-with-submission-manager
93
RegistrationMagic – User Registration Forms Plugin <= 6.0.8.6 - Missing Authorization LOW *-6.0.8.6 6.0.8.7 June 28, 2026
cornerstone cornerstone
91
Cornerstone < 7.8.8 - Authenticated (Subscriber+) Arbitrary Code Execution LOW [*, 7.8.8) 7.8.8 June 28, 2026
content-visibility-for-divi-builder content-visibility-for-divi-builder N/A Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution LOW *-4.02 5.00 June 28, 2026
cf7-salesforce cf7-salesforce
93
Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 - Unauthenticated PHP Object Injection LOW *-1.4.3 1.4.4 June 28, 2026
cf7-mailchimp cf7-mailchimp
93
Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 - Unauthenticated PHP Object Injection LOW *-1.1.8 1.1.9 June 28, 2026
cf7-hubspot cf7-hubspot
93
Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.3.7 - Unauthenticated PHP Object Injection LOW *-1.3.7 1.3.8 June 28, 2026
cf7-constant-contact cf7-constant-contact
93
Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.6 - Unauthenticated PHP Object Injection LOW *-1.1.6 1.1.7 June 28, 2026
sp-client-document-manager sp-client-document-manager
87
SP Project & Document Manager <= 4.71 - Missing Authorization to Unauthenticated Arbitrary File Information Disclosure via view_file() Function LOW *-4.71 June 28, 2026
masterstudy-lms-learning-management-system-pro masterstudy-lms-learning-management-system-pro N/A MasterStudy LMS Pro Plus <= 4.8.20 - Authenticated (Instructor+) SQL Injection via 'columns' Parameter LOW *-4.8.20 4.8.21 June 28, 2026
xcloner-backup-and-restore xcloner-backup-and-restore N/A Backup, Restore and Migrate your sites with XCloner <= 4.8.6 - Authenticated (Subscriber+) Information Exposure LOW *-4.8.6 4.8.7 June 28, 2026
wp-jobsearch wp-jobsearch N/A JobSearch WP Job Board <= 3.2.7 - Missing Authorization LOW *-3.2.7 3.2.8 June 28, 2026
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings seo-by-rank-math
85
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization LOW *-1.0.271 1.0.271.1 June 28, 2026
LOW

photo-gallery

photo-gallery

Score: N/A Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.41 - Authenticated (Contributor+) SQL Injection Affected: *-1.8.41 Patched: 1.8.42 Updated: June 28, 2026
LOW

integracao-rd-station

integracao-rd-station

Score: 93/100 RD Station <= 5.6.0 - Authenticated (Contributor+) Remote Code Execution Affected: *-5.6.0 Patched: 5.7.0 Updated: June 28, 2026
LOW

happyforms

happyforms

Score: 93/100 Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms <= 1.26.13 - Unauthenticated PHP Object Injection Affected: *-1.26.13 Patched: 1.26.14 Updated: June 28, 2026
LOW

fv-wordpress-flowplayer

fv-wordpress-flowplayer

Score: 93/100 FV Flowplayer Video Player < 7.5.51.7212 - Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: [*, 7.5.51.7212) Patched: 7.5.51.7212 Updated: June 28, 2026
LOW

email-encoder-premium

email-encoder-premium

Score: N/A Email Encoder < 0.3.12 (premium) < 1.0.25 (free) - Unauthenticated Stored Cross-Site Scripting Affected: [*, 0.3.12) Patched: 0.3.12 Updated: June 28, 2026
LOW

Email Address Encoder

email-address-encoder

Score: 95/100 Email Encoder < 0.3.12 (premium) < 1.0.25 (free) - Unauthenticated Stored Cross-Site Scripting Affected: [*, 1.0.25) Patched: 1.0.25 Updated: June 28, 2026
LOW

custom-registration-form-builder-with-submission-manager

custom-registration-form-builder-with-submission-manager

Score: 93/100 RegistrationMagic – User Registration Forms Plugin <= 6.0.8.6 - Missing Authorization Affected: *-6.0.8.6 Patched: 6.0.8.7 Updated: June 28, 2026
LOW

cornerstone

cornerstone

Score: 91/100 Cornerstone < 7.8.8 - Authenticated (Subscriber+) Arbitrary Code Execution Affected: [*, 7.8.8) Patched: 7.8.8 Updated: June 28, 2026
LOW

content-visibility-for-divi-builder

content-visibility-for-divi-builder

Score: N/A Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution Affected: *-4.02 Patched: 5.00 Updated: June 28, 2026
LOW

cf7-salesforce

cf7-salesforce

Score: 93/100 Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 - Unauthenticated PHP Object Injection Affected: *-1.4.3 Patched: 1.4.4 Updated: June 28, 2026
LOW

cf7-mailchimp

cf7-mailchimp

Score: 93/100 Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 - Unauthenticated PHP Object Injection Affected: *-1.1.8 Patched: 1.1.9 Updated: June 28, 2026
LOW

cf7-hubspot

cf7-hubspot

Score: 93/100 Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.3.7 - Unauthenticated PHP Object Injection Affected: *-1.3.7 Patched: 1.3.8 Updated: June 28, 2026
LOW

cf7-constant-contact

cf7-constant-contact

Score: 93/100 Integration for Constant Contact and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.6 - Unauthenticated PHP Object Injection Affected: *-1.1.6 Patched: 1.1.7 Updated: June 28, 2026
LOW

sp-client-document-manager

sp-client-document-manager

Score: 87/100 SP Project & Document Manager <= 4.71 - Missing Authorization to Unauthenticated Arbitrary File Information Disclosure via view_file() Function Affected: *-4.71 Patched: Updated: June 28, 2026
LOW

masterstudy-lms-learning-management-system-pro

masterstudy-lms-learning-management-system-pro

Score: N/A MasterStudy LMS Pro Plus <= 4.8.20 - Authenticated (Instructor+) SQL Injection via 'columns' Parameter Affected: *-4.8.20 Patched: 4.8.21 Updated: June 28, 2026
LOW

xcloner-backup-and-restore

xcloner-backup-and-restore

Score: N/A Backup, Restore and Migrate your sites with XCloner <= 4.8.6 - Authenticated (Subscriber+) Information Exposure Affected: *-4.8.6 Patched: 4.8.7 Updated: June 28, 2026
LOW

wp-jobsearch

wp-jobsearch

Score: N/A JobSearch WP Job Board <= 3.2.7 - Missing Authorization Affected: *-3.2.7 Patched: 3.2.8 Updated: June 28, 2026

Showing 301 to 400 of 36189 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 28, 2026 at 19:36 UTC.