Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36282

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
h5pxapikatchu	h5pxapikatchu	93	SNORDIAN's H5PxAPIkatchu <= 0.4.17 - Unauthenticated Stored Cross-Site Scripting via insert_data	LOW	*-0.4.17	0.4.18	June 30, 2026
wp-plugin-manager	wp-plugin-manager	N/A	Plugin Manager <= 1.4.7 - Cross-Site Request Forgery	LOW	*-1.4.7	1.4.8	June 30, 2026
theatre	theatre	N/A	Theater for WordPress <= 0.18.8 - Missing Authorization	LOW	*-0.18.8	0.19	June 30, 2026
shopkeeper-extender	shopkeeper-extender	N/A	Shopkeeper Extender < 7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	[*, 7.0)	7.0	June 30, 2026
debug-tool	debug-tool	86	Debug Tool <= 2.2 - Unauthenticated Remote Code Execution	LOW	*-2.2		June 30, 2026
Booking Calendar	booking	71	Booking Calendar <= 10.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-10.14.7	10.14.8	June 30, 2026
wp-flipper	wp-flipper	N/A	WordPress Content Flipper <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-0.1		June 30, 2026
save-as-pdf	save-as-pdf	N/A	Save as PDF Button <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via restpackpdfbutton Shortcode	LOW	*-1.9.2		June 30, 2026
quicq	quicq	N/A	Convert WebP & AVIF \| Quicq \| Best image optimizer and compression plugin \| Improve your Google Pagespeed <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Afosto Disconnect	LOW	*-2.0.0		June 30, 2026
poll-maker	poll-maker	N/A	Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 6.0.7 - Authenticated (Administrator+) SQL Injection via `filterbyauthor` Parameter	LOW	*-6.0.7	6.0.8	June 30, 2026
survey-maker	survey-maker	N/A	Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Information Exposure	LOW	*-5.1.9.4	5.1.9.5	June 30, 2026
pagelayer	pagelayer	N/A	Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference	LOW	*-2.0.5	2.0.6	June 30, 2026
SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder	sureforms	N/A	SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure	LOW	*-1.13.1	1.13.2	June 30, 2026
survey-maker	survey-maker	N/A	Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Limited Option Update	LOW	*-5.1.9.4	5.1.9.5	June 30, 2026
lifterlms	lifterlms	93	LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes - Various Versions - Authenticated (Student+) Privilege Escalation	LOW	3.5.3-3.41.1, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, 7.0.0-7.8.7, 8.0.0-8.0.7	3.41.2	June 30, 2026
WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets	wp-all-import	66	Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic	LOW	*-3.9.6	4.0.0	June 30, 2026
usc-e-shop	usc-e-shop	N/A	Welcart e-Commerce <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure	LOW	*-2.11.24	2.11.25	June 30, 2026
simple-comment-editing	simple-comment-editing	N/A	Comment Edit Core – Simple Comment Editing <= 3.1.0 - Unauthenticated Sensitive Information Exposure	LOW	*-3.1.0	3.2.0	June 30, 2026
mp-timetable	mp-timetable	N/A	Timetable and Event Schedule by MotoPress <= 2.4.15 - Insecure Direct Object Reference to Authenticated (Contributor+) Event Disclosure	LOW	*-2.4.15	2.4.16	June 30, 2026
meeting-scheduler-by-vcita	meeting-scheduler-by-vcita	93	Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.5 - Cross-Site Request Forgery	LOW	*-4.5.5	4.6.0	June 30, 2026
meeting-scheduler-by-vcita	meeting-scheduler-by-vcita	93	Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.5 - Missing Authorization	LOW	*-4.5.5	4.6.0	June 30, 2026
Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More	envira-gallery-lite	94	Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions	LOW	*-1.12.0	1.12.1	June 30, 2026
Data Tables Generator by Supsystic	data-tables-generator-by-supsystic	89	Data Tables Generator by Supsystic <= 1.10.45 - Authenticated (Admin+) Arbitrary File Deletion	LOW	*-1.10.45	1.10.46	June 30, 2026
content-protector	content-protector	93	Passster <= 4.2.19 - Unauthenticated Information Exposure	LOW	*-4.2.19	4.2.20	June 30, 2026
AI Engine – The Chatbot, AI Framework & MCP for WordPress	ai-engine	82	AI Engine <= 3.1.8 - Authenticated (Subscriber+) PHP Object Injection via PHAR Deserialization	LOW	*-3.1.8	3.1.9	June 30, 2026
0-day-analytics	0-day-analytics	97	0 Day Analytics <= 4.0.0 - Authenticated (Administrator+) SQL Injection	LOW	*-4.0.0	4.1.0	June 30, 2026
specific-content-for-mobile	specific-content-for-mobile	N/A	Specific Content For Mobile – Customize the mobile version without redirections <= 0.5.5 - Authenticated (Contributor+) SQL Injection	LOW	*-0.5.5	0.5.6	June 30, 2026
email-subscription-with-secure-captcha	email-subscription-with-secure-captcha	93	Easy Email Subscription <= 1.3 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.3	1.3.1	June 30, 2026
wp-ultimate-csv-importer	wp-ultimate-csv-importer	N/A	WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure	LOW	*-7.33	7.33.1	June 30, 2026
woo-payment-gateway	woo-payment-gateway	N/A	Payment Plugins Braintree For WooCommerce <= 3.2.78 - Missing Authorization to Payment Token Exposure and Transaction Fraud	LOW	*-3.2.78	3.2.79	June 30, 2026
bookit	bookit	93	Booking Calendar \| Appointment Booking \| Bookit <= 2.5.0 - Missing Authorization to Unauthenticated Stripe Connection	LOW	*-2.5.0	2.5.1	June 30, 2026
memberfindme	memberfindme	93	MembershipWorks <= 6.14 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-6.14	6.15	June 30, 2026
alt-text-generator	alt-text-generator	97	Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images <= 1.8.3 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion	LOW	*-1.8.3	1.8.4	June 30, 2026
aco-wishlist-for-woocommerce	aco-wishlist-for-woocommerce	97	Wishlist and Save for later for Woocommerce <= 1.1.22 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion	LOW	*-1.1.22	1.1.23	June 30, 2026
asgaros-forum	asgaros-forum	97	Asgaros Forum <= 3.2.1 - Cross-Site Request Forgery to Subscription Settings Update	LOW	*-3.2.1	3.3.0	June 30, 2026
wp-responsive-slider-with-lightbox	wp-responsive-slider-with-lightbox	N/A	Thumbnail Slider With Lightbox <= 1.0.21 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting	LOW	*-1.0.21	1.0.22	June 30, 2026
woomulti	woomulti	N/A	WooMulti <= 1.7 - Authenticated (Subscriber+) Arbitrary File Deletion	LOW	*-1.7		June 30, 2026
seriously-simple-podcasting	seriously-simple-podcasting	N/A	Seriously Simple Podcasting <= 3.13.0 - Cross-Site Request Forgery	LOW	*-3.13.0	3.14.0	June 30, 2026
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory	geodirectory	66	GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment	LOW	*-2.8.139	2.8.140	June 30, 2026
donation	donation	91	Donation <= 1.0 - Authenticated (Admin+) SQL Injection	LOW	*-1.0		June 30, 2026
db-access	db-access	91	DB Access <= 0.8.7 - Authenticated (Subscriber+) SQL Injection	LOW	*-0.8.7		June 30, 2026
ChatHelp – Click to Chat Button, Chat to Order, Floating Chat & Form	chat-help	89	Chat Help <= 3.1.3 - Missing Authorization	LOW	*-3.1.3	3.1.4	June 30, 2026
hydra-booking	hydra-booking	93	Hydra Booking – All in One Appointment Booking System \| Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass	LOW	*-1.1.27	1.1.28	June 30, 2026
classified-listing	classified-listing	93	Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.2.0 - Missing Authorization to Authenticated (Subscriber+) Listing Types Tampering	LOW	*-5.2.0	5.2.1	June 30, 2026
TNC Toolbox: Web Performance	tnc-toolbox	98	TNC Toolbox: Web Performance <= 1.4.2 - Unauthenticated Sensitive Information Exposure to Privilege Escalation/cPanel Account Takeover	LOW	*-1.4.2	2.0.0	June 30, 2026
hydra-booking	hydra-booking	93	Hydra Booking – All in One Appointment Booking System \| Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation	LOW	*-1.1.27	1.1.28	June 30, 2026
Blocksy Companion	blocksy-companion	N/A	Blocksy Companion <= 2.1.19 - Authenticated (Author+) Arbitrary File Upload via SVG Upload Bypass	LOW	*-2.1.19	2.1.20	June 30, 2026
progressmatify-blocks	progressmatify-blocks	N/A	Progress Bar Blocks for Gutenberg <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG	LOW	*-1.0.0		June 30, 2026
ungapped-widgets	ungapped-widgets	N/A	Ungapped Widgets <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1		June 30, 2026
include-fussball-de-widgets	include-fussball-de-widgets	89	Include fussball.de Widgets <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'api' and 'type'	LOW	*-4.0.0		June 30, 2026
wp-flickrshow	wp-flickrshow	N/A	Flickr Show <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.5		June 30, 2026
slippy-slider-responsive-touch-navigation-slider	slippy-slider-responsive-touch-navigation-slider	N/A	Slippy Slider – Responsive Touch Navigation Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.0		June 30, 2026
wp-iconics	wp-iconics	N/A	WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-0.0.4		June 30, 2026
five9	five9	91	Five9 Live Chat <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.1.2		June 30, 2026
github-gist-shortcode	github-gist-shortcode	91	GitHub Gist Shortcode Plugin <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-0.2		June 30, 2026
authors-list	authors-list	91	Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode	LOW	*-2.0.6.1	2.0.6.2	June 30, 2026
usb-qr-code-scanner-for-woocommerce	usb-qr-code-scanner-for-woocommerce	N/A	USB Qr Code Scanner For Woocommerce <= 1.0.0 - Cross-Site Request Forgery to Settings Update	LOW	*-1.0.0		June 30, 2026
nonaki-email-template-customizer	nonaki-email-template-customizer	N/A	Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields	LOW	*-1.0.11		June 30, 2026
amazon-auto-links	amazon-auto-links	95	Auto Amazon Links – Amazon Associates Affiliate Plugin <= 5.4.3 - Unauthenticated Arbitrary File Read	LOW	*-5.4.3		June 30, 2026
featured-image	featured-image	93	Featured Image <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-2.1	2.2	June 30, 2026
wp-bbcode	wp-bbcode	N/A	WP BBCode <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.8.1		June 30, 2026
geopost	geopost	91	Geopost <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.2		June 30, 2026
the-total-book-project	the-total-book-project	N/A	The Total Book Project <= 1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation	LOW	*-1.0	1.1	June 30, 2026
add-multiple-marker	add-multiple-marker	97	Add Multiple Marker <= 1.2 - Missing Authorization to Unauthenticated Settings Update	LOW	*-1.2	1.3	June 30, 2026
ot-twitter-feed	ot-twitter-feed	N/A	Twitter Feed <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.3.1		June 30, 2026
skip-to-timestamp	skip-to-timestamp	N/A	Skip to Timestamp <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.4.4		June 30, 2026
find-unused-images	find-unused-images	91	Find Unused Images <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion	LOW	*-1.0.7		June 30, 2026
wp-oauth	wp-oauth	N/A	WP-OAuth <= 0.4.1 - Reflected Cross-Site Scripting	LOW	*-0.4.1		June 30, 2026
chart-expert	chart-expert	91	Chart Expert <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.0		June 30, 2026
shelf-planner	shelf-planner	N/A	Shelf Planner <= 2.8.1 - Missing Authorization to Unauthenticated Settings Update	LOW	*-2.8.1	2.8.2	June 30, 2026
shelf-planner	shelf-planner	N/A	Shelf Planner <= 2.8.1 - Unauthenticated Information Exposure via Log Files	LOW	*-2.8.1	2.8.2	June 30, 2026
wp-custom-login-page-logo	wp-custom-login-page-logo	N/A	WP Custom Admin Login Page Logo <= 1.4.8.4 - Cross-Site Request Forgery to Settings Update	LOW	*-1.4.8.4		June 30, 2026
coon-google-maps	coon-google-maps	91	Coon Google Maps <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.0		June 30, 2026
ctl-arcade-lite	ctl-arcade-lite	91	CTL Arcade Lite <= 1.0 - Cross-Site Request Forgery to Plugin Activation and Deactivation	LOW	*-1.0		June 30, 2026
private-google-calendars	private-google-calendars	N/A	Private Google Calendars <= 20250811 - Missing Authorization to Authenticated (Subscriber+) Settings Reset	LOW	*-20250811	20251128	June 30, 2026
getastra	getastra	89	Astra Security Suite – Firewall & Malware Scan <= 0.2 - Unauthenticated Arbitrary File Upload	LOW	*-0.2		June 30, 2026
precise-columns	precise-columns	N/A	Precise Columns <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.0		June 30, 2026
jeba-cute-forkit	jeba-cute-forkit	91	Jeba Cute forkit <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.0		June 30, 2026
easycommerce	easycommerce	93	EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin 0.9.0-beta2 - 1.8.2 - Unauthenticated Privilege Escalation	LOW	*-1.8.2	1.8.3	June 30, 2026
wp-count-down-timer	wp-count-down-timer	N/A	WP Count Down Timer <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.0.1		June 30, 2026
crypto	crypto	89	Crypto Tool <= 2.22 - Unauthenticated Information Exposure via Global Authentication State	LOW	*-2.22		June 30, 2026
crypto	crypto	89	Crypto Tool <= 2.22 - Missing Authentication to Unauthenticated Limited File Deletion	LOW	*-2.22		June 30, 2026
wp-walla	wp-walla	N/A	WP-Walla <= 0.5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-0.5.3.5		June 30, 2026
share-to-google-classroom	share-to-google-classroom	N/A	Share to Google Classroom <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via share_to_google Shortcode	LOW	*-1.0		June 30, 2026
mementor-core	mementor-core	91	Mementor Core <= 2.2.5 - Authenticated (Subscriber+) Privilege Escalation	LOW	*-2.2.5		June 30, 2026
bnm-blocks	bnm-blocks	93	Magazine Companion <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.2.3	1.2.4	June 30, 2026
my-geo-posts-free	my-geo-posts-free	N/A	My Geo Posts Free <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.2		June 30, 2026
double-the-donation	double-the-donation	93	Double the Donation <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-3.0.0	3.1.0	June 30, 2026
ninja-countdown	ninja-countdown	N/A	Ninja Countdown <= 1.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Countdown Deletion	LOW	*-1.5.0		June 30, 2026
squirrels-auto-inventory	squirrels-auto-inventory	N/A	Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-1.0.3		June 30, 2026
woocommerce-products-by-custom-tax	woocommerce-products-by-custom-tax	N/A	Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-2.2		June 30, 2026
holiday-class-post-calendar	holiday-class-post-calendar	93	Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'	LOW	*-7.1	7.2	June 30, 2026
preload-current-images	preload-current-images	N/A	Preload Current Images <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.3		June 30, 2026
simple-donate	simple-donate	N/A	Simple Donate <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.0		June 30, 2026
fleet	fleet	93	Fleet Manager <= 2.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting	LOW	*-2.5.1	2.6.0	June 30, 2026
yslider	yslider	N/A	YSlider <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-1.1		June 30, 2026
wisly	wisly	N/A	Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation	LOW	*-1.0.0		June 30, 2026
wp-bootstrap-tabs	wp-bootstrap-tabs	N/A	WP Bootstrap Tabs <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	LOW	*-1.0.4		June 30, 2026
randomquotr	randomquotr	N/A	RandomQuotr <= 1.0.4 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-1.0.4		June 30, 2026
eventbee-ticketing-widget	eventbee-ticketing-widget	91	Eventbee Ticketing Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.0		June 30, 2026

LOW

h5pxapikatchu

Score: 93/100 SNORDIAN's H5PxAPIkatchu <= 0.4.17 - Unauthenticated Stored Cross-Site Scripting via insert_data Affected: *-0.4.17 Patched: 0.4.18 Updated: June 30, 2026

LOW

wp-plugin-manager

Score: N/A Plugin Manager <= 1.4.7 - Cross-Site Request Forgery Affected: *-1.4.7 Patched: 1.4.8 Updated: June 30, 2026

LOW

theatre

Score: N/A Theater for WordPress <= 0.18.8 - Missing Authorization Affected: *-0.18.8 Patched: 0.19 Updated: June 30, 2026

LOW

shopkeeper-extender

Score: N/A Shopkeeper Extender < 7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: [*, 7.0) Patched: 7.0 Updated: June 30, 2026

LOW

debug-tool

Score: 86/100 Debug Tool <= 2.2 - Unauthenticated Remote Code Execution Affected: *-2.2 Patched: Updated: June 30, 2026

LOW

Booking Calendar

booking

Score: 71/100 Booking Calendar <= 10.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-10.14.7 Patched: 10.14.8 Updated: June 30, 2026

LOW

wp-flipper

Score: N/A WordPress Content Flipper <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.1 Patched: Updated: June 30, 2026

LOW

save-as-pdf

Score: N/A Save as PDF Button <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via restpackpdfbutton Shortcode Affected: *-1.9.2 Patched: Updated: June 30, 2026

LOW

Score: N/A Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Afosto Disconnect Affected: *-2.0.0 Patched: Updated: June 30, 2026

LOW

poll-maker

Score: N/A Poll Maker – Versus Polls, Anonymous Polls, Image Polls <= 6.0.7 - Authenticated (Administrator+) SQL Injection via `filterbyauthor` Parameter Affected: *-6.0.7 Patched: 6.0.8 Updated: June 30, 2026

LOW

survey-maker

Score: N/A Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Information Exposure Affected: *-5.1.9.4 Patched: 5.1.9.5 Updated: June 30, 2026

LOW

pagelayer

Score: N/A Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference Affected: *-2.0.5 Patched: 2.0.6 Updated: June 30, 2026

LOW

SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder

sureforms

Score: N/A SureForms <= 1.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure Affected: *-1.13.1 Patched: 1.13.2 Updated: June 30, 2026

LOW

survey-maker

Score: N/A Survey Maker <= 5.1.9.4 - Missing Authorization to Unauthenticated Limited Option Update Affected: *-5.1.9.4 Patched: 5.1.9.5 Updated: June 30, 2026

LOW

lifterlms

Score: 93/100 LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes - Various Versions - Authenticated (Student+) Privilege Escalation Affected: 3.5.3-3.41.1, 4.0.0-4.21.3, 5.0.0-5.10.0, 6.0.0-6.11.0, 7.0.0-7.8.7, 8.0.0-8.0.7 Patched: 3.41.2 Updated: June 30, 2026

LOW

WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets

wp-all-import

Score: 66/100 Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic Affected: *-3.9.6 Patched: 4.0.0 Updated: June 30, 2026

LOW

usc-e-shop

Score: N/A Welcart e-Commerce <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure Affected: *-2.11.24 Patched: 2.11.25 Updated: June 30, 2026

LOW

simple-comment-editing

Score: N/A Comment Edit Core – Simple Comment Editing <= 3.1.0 - Unauthenticated Sensitive Information Exposure Affected: *-3.1.0 Patched: 3.2.0 Updated: June 30, 2026

LOW

mp-timetable

Score: N/A Timetable and Event Schedule by MotoPress <= 2.4.15 - Insecure Direct Object Reference to Authenticated (Contributor+) Event Disclosure Affected: *-2.4.15 Patched: 2.4.16 Updated: June 30, 2026

LOW

meeting-scheduler-by-vcita

Score: 93/100 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.5 - Cross-Site Request Forgery Affected: *-4.5.5 Patched: 4.6.0 Updated: June 30, 2026

LOW

meeting-scheduler-by-vcita

Score: 93/100 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.5 - Missing Authorization Affected: *-4.5.5 Patched: 4.6.0 Updated: June 30, 2026

LOW

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More

envira-gallery-lite

Score: 94/100 Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions Affected: *-1.12.0 Patched: 1.12.1 Updated: June 30, 2026

LOW

Data Tables Generator by Supsystic

data-tables-generator-by-supsystic

Score: 89/100 Data Tables Generator by Supsystic <= 1.10.45 - Authenticated (Admin+) Arbitrary File Deletion Affected: *-1.10.45 Patched: 1.10.46 Updated: June 30, 2026

LOW

content-protector

Score: 93/100 Passster <= 4.2.19 - Unauthenticated Information Exposure Affected: *-4.2.19 Patched: 4.2.20 Updated: June 30, 2026

LOW

AI Engine – The Chatbot, AI Framework & MCP for WordPress

ai-engine

Score: 82/100 AI Engine <= 3.1.8 - Authenticated (Subscriber+) PHP Object Injection via PHAR Deserialization Affected: *-3.1.8 Patched: 3.1.9 Updated: June 30, 2026

LOW

0-day-analytics

Score: 97/100 0 Day Analytics <= 4.0.0 - Authenticated (Administrator+) SQL Injection Affected: *-4.0.0 Patched: 4.1.0 Updated: June 30, 2026

LOW

specific-content-for-mobile

Score: N/A Specific Content For Mobile – Customize the mobile version without redirections <= 0.5.5 - Authenticated (Contributor+) SQL Injection Affected: *-0.5.5 Patched: 0.5.6 Updated: June 30, 2026

LOW

email-subscription-with-secure-captcha

Score: 93/100 Easy Email Subscription <= 1.3 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.3 Patched: 1.3.1 Updated: June 30, 2026

LOW

wp-ultimate-csv-importer

Score: N/A WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure Affected: *-7.33 Patched: 7.33.1 Updated: June 30, 2026

LOW

woo-payment-gateway

Score: N/A Payment Plugins Braintree For WooCommerce <= 3.2.78 - Missing Authorization to Payment Token Exposure and Transaction Fraud Affected: *-3.2.78 Patched: 3.2.79 Updated: June 30, 2026

LOW

bookit

Score: 93/100 Booking Calendar | Appointment Booking | Bookit <= 2.5.0 - Missing Authorization to Unauthenticated Stripe Connection Affected: *-2.5.0 Patched: 2.5.1 Updated: June 30, 2026

LOW

memberfindme

Score: 93/100 MembershipWorks <= 6.14 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-6.14 Patched: 6.15 Updated: June 30, 2026

LOW

alt-text-generator

Score: 97/100 Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images <= 1.8.3 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion Affected: *-1.8.3 Patched: 1.8.4 Updated: June 30, 2026

LOW

aco-wishlist-for-woocommerce

Score: 97/100 Wishlist and Save for later for Woocommerce <= 1.1.22 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion Affected: *-1.1.22 Patched: 1.1.23 Updated: June 30, 2026

LOW

asgaros-forum

Score: 97/100 Asgaros Forum <= 3.2.1 - Cross-Site Request Forgery to Subscription Settings Update Affected: *-3.2.1 Patched: 3.3.0 Updated: June 30, 2026

LOW

wp-responsive-slider-with-lightbox

Score: N/A Thumbnail Slider With Lightbox <= 1.0.21 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting Affected: *-1.0.21 Patched: 1.0.22 Updated: June 30, 2026

LOW

woomulti

Score: N/A WooMulti <= 1.7 - Authenticated (Subscriber+) Arbitrary File Deletion Affected: *-1.7 Patched: Updated: June 30, 2026

LOW

seriously-simple-podcasting

Score: N/A Seriously Simple Podcasting <= 3.13.0 - Cross-Site Request Forgery Affected: *-3.13.0 Patched: 3.14.0 Updated: June 30, 2026

LOW

GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

geodirectory

Score: 66/100 GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.139 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment Affected: *-2.8.139 Patched: 2.8.140 Updated: June 30, 2026

LOW

donation

Score: 91/100 Donation <= 1.0 - Authenticated (Admin+) SQL Injection Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

db-access

Score: 91/100 DB Access <= 0.8.7 - Authenticated (Subscriber+) SQL Injection Affected: *-0.8.7 Patched: Updated: June 30, 2026

LOW

ChatHelp – Click to Chat Button, Chat to Order, Floating Chat & Form

chat-help

Score: 89/100 Chat Help <= 3.1.3 - Missing Authorization Affected: *-3.1.3 Patched: 3.1.4 Updated: June 30, 2026

LOW

hydra-booking

Score: 93/100 Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass Affected: *-1.1.27 Patched: 1.1.28 Updated: June 30, 2026

LOW

classified-listing

Score: 93/100 Classified Listing – AI-Powered Classified ads & Business Directory Plugin <= 5.2.0 - Missing Authorization to Authenticated (Subscriber+) Listing Types Tampering Affected: *-5.2.0 Patched: 5.2.1 Updated: June 30, 2026

LOW

TNC Toolbox: Web Performance

tnc-toolbox

Score: 98/100 TNC Toolbox: Web Performance <= 1.4.2 - Unauthenticated Sensitive Information Exposure to Privilege Escalation/cPanel Account Takeover Affected: *-1.4.2 Patched: 2.0.0 Updated: June 30, 2026

LOW

hydra-booking

Score: 93/100 Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation Affected: *-1.1.27 Patched: 1.1.28 Updated: June 30, 2026

LOW

Blocksy Companion

blocksy-companion

Score: N/A Blocksy Companion <= 2.1.19 - Authenticated (Author+) Arbitrary File Upload via SVG Upload Bypass Affected: *-2.1.19 Patched: 2.1.20 Updated: June 30, 2026

LOW

progressmatify-blocks

Score: N/A Progress Bar Blocks for Gutenberg <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

ungapped-widgets

Score: N/A Ungapped Widgets <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1 Patched: Updated: June 30, 2026

LOW

include-fussball-de-widgets

Score: 89/100 Include fussball.de Widgets <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'api' and 'type' Affected: *-4.0.0 Patched: Updated: June 30, 2026

LOW

wp-flickrshow

Score: N/A Flickr Show <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.5 Patched: Updated: June 30, 2026

LOW

slippy-slider-responsive-touch-navigation-slider

Score: N/A Slippy Slider – Responsive Touch Navigation Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.0 Patched: Updated: June 30, 2026

LOW

wp-iconics

Score: N/A WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.0.4 Patched: Updated: June 30, 2026

LOW

five9

Score: 91/100 Five9 Live Chat <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.1.2 Patched: Updated: June 30, 2026

LOW

github-gist-shortcode

Score: 91/100 GitHub Gist Shortcode Plugin <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.2 Patched: Updated: June 30, 2026

LOW

authors-list

Score: 91/100 Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode Affected: *-2.0.6.1 Patched: 2.0.6.2 Updated: June 30, 2026

LOW

usb-qr-code-scanner-for-woocommerce

Score: N/A USB Qr Code Scanner For Woocommerce <= 1.0.0 - Cross-Site Request Forgery to Settings Update Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

nonaki-email-template-customizer

Score: N/A Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields Affected: *-1.0.11 Patched: Updated: June 30, 2026

LOW

amazon-auto-links

Score: 95/100 Auto Amazon Links – Amazon Associates Affiliate Plugin <= 5.4.3 - Unauthenticated Arbitrary File Read Affected: *-5.4.3 Patched: Updated: June 30, 2026

LOW

featured-image

Score: 93/100 Featured Image <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-2.1 Patched: 2.2 Updated: June 30, 2026

LOW

wp-bbcode

Score: N/A WP BBCode <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.8.1 Patched: Updated: June 30, 2026

LOW

geopost

Score: 91/100 Geopost <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

the-total-book-project

Score: N/A The Total Book Project <= 1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation Affected: *-1.0 Patched: 1.1 Updated: June 30, 2026

LOW

add-multiple-marker

Score: 97/100 Add Multiple Marker <= 1.2 - Missing Authorization to Unauthenticated Settings Update Affected: *-1.2 Patched: 1.3 Updated: June 30, 2026

LOW

ot-twitter-feed

Score: N/A Twitter Feed <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.3.1 Patched: Updated: June 30, 2026

LOW

skip-to-timestamp

Score: N/A Skip to Timestamp <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.4.4 Patched: Updated: June 30, 2026

LOW

find-unused-images

Score: 91/100 Find Unused Images <= 1.0.7 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion Affected: *-1.0.7 Patched: Updated: June 30, 2026

LOW

wp-oauth

Score: N/A WP-OAuth <= 0.4.1 - Reflected Cross-Site Scripting Affected: *-0.4.1 Patched: Updated: June 30, 2026

LOW

chart-expert

Score: 91/100 Chart Expert <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

shelf-planner

Score: N/A Shelf Planner <= 2.8.1 - Missing Authorization to Unauthenticated Settings Update Affected: *-2.8.1 Patched: 2.8.2 Updated: June 30, 2026

LOW

shelf-planner

Score: N/A Shelf Planner <= 2.8.1 - Unauthenticated Information Exposure via Log Files Affected: *-2.8.1 Patched: 2.8.2 Updated: June 30, 2026

LOW

wp-custom-login-page-logo

Score: N/A WP Custom Admin Login Page Logo <= 1.4.8.4 - Cross-Site Request Forgery to Settings Update Affected: *-1.4.8.4 Patched: Updated: June 30, 2026

LOW

coon-google-maps

Score: 91/100 Coon Google Maps <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

ctl-arcade-lite

Score: 91/100 CTL Arcade Lite <= 1.0 - Cross-Site Request Forgery to Plugin Activation and Deactivation Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

private-google-calendars

Score: N/A Private Google Calendars <= 20250811 - Missing Authorization to Authenticated (Subscriber+) Settings Reset Affected: *-20250811 Patched: 20251128 Updated: June 30, 2026

LOW

getastra

Score: 89/100 Astra Security Suite – Firewall & Malware Scan <= 0.2 - Unauthenticated Arbitrary File Upload Affected: *-0.2 Patched: Updated: June 30, 2026

LOW

precise-columns

Score: N/A Precise Columns <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

jeba-cute-forkit

Score: 91/100 Jeba Cute forkit <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

easycommerce

Score: 93/100 EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin 0.9.0-beta2 - 1.8.2 - Unauthenticated Privilege Escalation Affected: *-1.8.2 Patched: 1.8.3 Updated: June 30, 2026

LOW

wp-count-down-timer

Score: N/A WP Count Down Timer <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0.1 Patched: Updated: June 30, 2026

LOW

crypto

Score: 89/100 Crypto Tool <= 2.22 - Unauthenticated Information Exposure via Global Authentication State Affected: *-2.22 Patched: Updated: June 30, 2026

LOW

crypto

Score: 89/100 Crypto Tool <= 2.22 - Missing Authentication to Unauthenticated Limited File Deletion Affected: *-2.22 Patched: Updated: June 30, 2026

LOW

wp-walla

Score: N/A WP-Walla <= 0.5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-0.5.3.5 Patched: Updated: June 30, 2026

LOW

share-to-google-classroom

Score: N/A Share to Google Classroom <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via share_to_google Shortcode Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

mementor-core

Score: 91/100 Mementor Core <= 2.2.5 - Authenticated (Subscriber+) Privilege Escalation Affected: *-2.2.5 Patched: Updated: June 30, 2026

LOW

bnm-blocks

Score: 93/100 Magazine Companion <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2.3 Patched: 1.2.4 Updated: June 30, 2026

LOW

my-geo-posts-free

Score: N/A My Geo Posts Free <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

double-the-donation

Score: 93/100 Double the Donation <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-3.0.0 Patched: 3.1.0 Updated: June 30, 2026

LOW

ninja-countdown

Score: N/A Ninja Countdown <= 1.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Countdown Deletion Affected: *-1.5.0 Patched: Updated: June 30, 2026

LOW

squirrels-auto-inventory

Score: N/A Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-1.0.3 Patched: Updated: June 30, 2026

LOW

woocommerce-products-by-custom-tax

Score: N/A Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-2.2 Patched: Updated: June 30, 2026

LOW

holiday-class-post-calendar

Score: 93/100 Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents' Affected: *-7.1 Patched: 7.2 Updated: June 30, 2026

LOW

preload-current-images

Score: N/A Preload Current Images <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.3 Patched: Updated: June 30, 2026

LOW

simple-donate

Score: N/A Simple Donate <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

fleet

Score: 93/100 Fleet Manager <= 2.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting Affected: *-2.5.1 Patched: 2.6.0 Updated: June 30, 2026

LOW

yslider

Score: N/A YSlider <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

wisly

Score: N/A Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

wp-bootstrap-tabs

Score: N/A WP Bootstrap Tabs <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Affected: *-1.0.4 Patched: Updated: June 30, 2026

LOW

randomquotr

Score: N/A RandomQuotr <= 1.0.4 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-1.0.4 Patched: Updated: June 30, 2026

LOW

eventbee-ticketing-widget

Score: 91/100 Eventbee Ticketing Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

Showing 5101 to 5200 of 36282 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 03:54 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List