Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36282 (across tracked plugins)
Affected Plugins: 87 (with open vulnerabilities)
Critical / High: 0 (require immediate attention)
Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
Plugin | Slug | Score (/100) | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated
elastic-theme-editor | elastic-theme-editor | 91 | Elastic Theme Editor <= 0.0.3 - Authenticated (Subscriber+) Arbitrary File Upload | | LOW | *-0.0.3 | | June 30, 2026
paypal-donation-shortcode | paypal-donation-shortcode | N/A | Paypal Donation Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-0.1 | | June 30, 2026
live-photos | live-photos | 91 | Live Photos on WordPress <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-0.1 | | June 30, 2026
cpi-wp-migration | cpi-wp-migration | 91 | WP移行専用プラグイン for CPI <= 1.0.2 - Unauthenticated Arbitrary File Upload | | LOW | *-1.0.2 | | June 30, 2026
document-pro-elementor | document-pro-elementor | 91 | Document Pro Elementor – Documentation & Knowledge Base <= 1.0.9 - Unauthenticated Information Exposure | | LOW | *-1.0.9 | | June 30, 2026
stars-testimonials-with-slider-and-masonry-grid | stars-testimonials-with-slider-and-masonry-grid | N/A | Stars Testimonials <= 3.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.3.4 | 3.3.5 | June 30, 2026
custom-fields-account-registration-for-woocommerce | custom-fields-account-registration-for-woocommerce | 93 | Custom Fields Account Registration For Woocommerce <= 1.2 - Authenticated (Author+) Privilege Escalation | | LOW | *-1.2 | 1.3 | June 30, 2026
woocommerce-ultimate-points-and-rewards | woocommerce-ultimate-points-and-rewards | N/A | WooCommerce Ultimate Points And Rewards <= 2.10.2 - Authenticated (Subscriber+) Information Exposure | | LOW | *-2.10.2 | 2.10.3 | June 30, 2026
travelers-map | travelers-map | N/A | Travelers' Map <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.3.2 | 2.3.3 | June 30, 2026
seriously-simple-podcasting | seriously-simple-podcasting | N/A | Seriously Simple Podcasting <= 3.13.0 - Missing Authorization | | LOW | *-3.13.0 | 3.14.0 | June 30, 2026
seriously-simple-podcasting | seriously-simple-podcasting | N/A | Seriously Simple Podcasting <= 3.13.0 - Unauthenticated Information Exposure | | LOW | *-3.13.0 | 3.14.0 | June 30, 2026
rac | rac | N/A | WooCommerce Recover Abandoned Cart <= 24.6.0 - Missing Authorization to Unauthenticated Arbitrary Content Deletion | | LOW | *-24.6.0 | 24.7.0 | June 30, 2026
mp-restaurant-menu | mp-restaurant-menu | N/A | Restaurant Menu by MotoPress <= 2.4.7 - Authenticated (Subscriber+) Information Exposure | | LOW | *-2.4.7 | 2.4.8 | June 30, 2026
hub-core | hub-core | 91 | Hub Core <= 5.0.8 - Authenticated (Contributor+) Local File Inclusion | | LOW | *-5.0.8 | | June 30, 2026
follow-my-blog-post | follow-my-blog-post | 93 | Follow My Blog Post <= 2.3.9 - Unauthenticated Information Exposure | | LOW | *-2.3.9 | 2.4.0 | June 30, 2026
delicious-recipes | delicious-recipes | 93 | WP Delicious <= 1.9.1 - Missing Authorization | | LOW | *-1.9.1 | 1.9.2 | June 30, 2026
custom-option-tree | custom-option-tree | 91 | Traveler Option Tree <= 2.8 - Authenticated (Editor+) Information Exposure | | LOW | *-2.8 | | June 30, 2026
wp-content-pilot | wp-content-pilot | N/A | Content Pilot <= 2.1.7 - Missing Authorization | | LOW | *-2.1.7 | 2.1.8 | June 30, 2026
ultimate-faqs | ultimate-faqs | N/A | Ultimate FAQ <= 2.4.3 - Cross-Site Request Forgery | | LOW | *-2.4.3 | 2.4.4 | June 30, 2026
new-user-approve | new-user-approve | N/A | New User Approve <= 3.2.3 - Cross-Site Request Forgery | | LOW | *-3.2.3 | 3.2.4 | June 30, 2026
mycred | mycred | N/A | myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program. <= 2.9.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.9.7.6 | 3.0 | June 30, 2026
gdpr-cookie-consent | gdpr-cookie-consent | 93 | Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 4.0.3 - Missing Authorization | | LOW | *-4.0.3 | 4.0.4 | June 30, 2026
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress | email-subscribers | 65 | Email Subscribers & Newsletters <= 5.9.10 - Authenticated (Administrator+) PHP Object Injection | | LOW | *-5.9.10 | 5.9.11 | June 30, 2026
customizer-login-page | customizer-login-page | 93 | Login Page Customizer – Customizer Login Page, Admin Page, Custom Design <= 2.1.1 - Missing Authorization | | LOW | *-2.1.1 | 2.1.2 | June 30, 2026
auto-prune-posts | auto-prune-posts | 93 | Auto Prune Posts <= 3.0.0 - Cross-Site Request Forgery | | LOW | *-3.0.0 | 3.1.0 | June 30, 2026
alex-reservations | alex-reservations | 97 | Alex Reservations: Smart Restaurant Booking <= 2.2.3 - Authenticated (Admin+) Arbitrary File Upload | | LOW | *-2.2.3 | 2.2.4 | June 30, 2026
mail-mint | mail-mint | 93 | Mail Mint <= 1.18.10 - Authenticated (Admin+) Arbitrary File Upload | | LOW | *-1.18.10 | 1.18.11 | June 30, 2026
quick-featured-images | quick-featured-images | N/A | Quick Featured Images <= 13.7.3 - Authenticated (Editor+) SQL Injection via delete_orphaned | | LOW | *-13.7.3 | 13.7.4 | June 30, 2026
Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More | envira-gallery-lite | 94 | Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion | | LOW | *-1.11.0 | 1.12.0 | June 30, 2026
cyan-backup | cyan-backup | 93 | CYAN Backup <= 2.5.4 - Authenticated (Admin+) Arbitrary File Deletion | | LOW | *-2.5.4 | 2.5.5 | June 30, 2026
athemes-addons-for-elementor-lite | athemes-addons-for-elementor-lite | 93 | aThemes Addons for Elementor <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget | | LOW | *-1.1.5 | 1.1.6 | June 30, 2026
saphali-liqpay-for-donate | saphali-liqpay-for-donate | N/A | Saphali LiqPay for donate <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | | LOW | *-1.0.2 | 1.0.3 | June 30, 2026
ova-events-manager | ova-events-manager | N/A | Ovatheme Events Manager <= 1.8.6 - Missing Authorization | | LOW | *-1.8.6 | 1.8.7 | June 30, 2026
mangboard | mangboard | 93 | Mang Board WP <= 2.3.1 - Reflected Cross-Site Scripting | | LOW | *-2.3.1 | 2.3.2 | June 30, 2026
wpfunnels | wpfunnels | N/A | WPFunnels <= 3.6.2 - Authenticated (Administrator+) Arbitrary File Deletion via Path Traversal | | LOW | *-3.6.2 | 3.6.3 | June 30, 2026
wpfunnels | wpfunnels | N/A | WPFunnels <= 3.6.2 - Unauthorized User Registration | | LOW | *-3.6.2 | 3.6.3 | June 30, 2026
insert-headers-and-footers-script | insert-headers-and-footers-script | 93 | Insert Headers and Footers Code – HT Script <= 1.1.6 - Authenticated (Author+) Stored Cross-Site Scripting | | LOW | *-1.1.6 | 1.1.7 | June 30, 2026
simple-downloads-list | simple-downloads-list | N/A | Simple Downloads List <= 1.4.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting | | LOW | *-1.4.3 | 1.5.0 | June 30, 2026
asgaros-forum | asgaros-forum | 97 | Asgaros Forum <= 3.1.0 - Unauthenticated SQL Injection | | LOW | *-3.1.0 | 3.2.0 | June 30, 2026
VikBooking Hotel Booking Engine & PMS | vikbooking | 95 | VikBooking Hotel Booking Engine & PMS <= 1.8.2 - Unauthenticated Information Exposure | | LOW | *-1.8.2 | 1.8.3 | June 30, 2026
uncanny-automator | uncanny-automator | N/A | Uncanny Automator < 6.10.0 - Authenticated (Subscriber+) Information Exposure | | LOW | [*, 6.10.0) | 6.10.0 | June 30, 2026
smart-auto-upload-images | smart-auto-upload-images | N/A | Smart Auto Upload Images <= 1.2.0 - Authenticated (Contributor+) Arbitrary File Upload | | LOW | *-1.2.0 | 1.2.1 | June 30, 2026
Tag, Category, and Taxonomy Manager – Autotagger Automatically Add Terms | simple-tags | 70 | Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.0 - Authenticated (Editor+) SQL Injection | | LOW | *-3.40.0 | 3.40.1 | June 30, 2026
real-time-auto-find-and-replace | real-time-auto-find-and-replace | N/A | Better Find and Replace <= 1.7.7 - Authenticated (Subscriber+) Limited Code Injection | | LOW | *-1.7.7 | 1.7.8 | June 30, 2026
integrate-contact-form-7-and-aweber | integrate-contact-form-7-and-aweber | 93 | Contact Form 7 AWeber Extension <= 0.1.42 - Missing Authorization to Authenticated (Subscriber+) Log Reset | | LOW | *-0.1.42 | 0.1.43 | June 30, 2026
HTML Forms – Simple WordPress Forms Plugin | html-forms | 86 | HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting | | LOW | *-1.5.5 | 1.5.6 | June 30, 2026
groups | groups | 93 | Groups <= 3.7.0 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Group Join | | LOW | *-3.7.0 | 3.8.0 | June 30, 2026
flexible-refund-and-return-order-for-woocommerce | flexible-refund-and-return-order-for-woocommerce | 93 | Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update | | LOW | *-1.0.42 | 1.0.43 | June 30, 2026
facebook-auto-publish | facebook-auto-publish | 93 | WP2Social Auto Publish <= 2.4.7 - Reflected Cross-Site Scripting via PostMessage | | LOW | *-2.4.7 | 2.4.8 | June 30, 2026
EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management | 74 | EventPrime – Events Calendar, Bookings and Tickets <= 4.2.0.0 - Missing Authorization to Authenticated (Subscriber+) Booking Note Creation | | LOW | *-4.2.0.0 | 4.2.0.1 | June 30, 2026
Download Manager | download-manager | 63 | Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key | | LOW | *-3.3.30 | 3.3.31 | June 30, 2026
course-booking-system | course-booking-system | 93 | Course Booking System <= 6.1.5 - Missing Authorization to Unauthenticated Booking Data Export | | LOW | *-6.1.5 | 6.1.6 | June 30, 2026
academy-pro | academy-pro | 97 | Academy LMS Pro <= 3.3.8 - Unauthenticated Sensitive Information Exposure via 'enqueue_social_login_script' | | LOW | *-3.3.8 | 3.3.9 | June 30, 2026
academy | academy | 97 | Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection via 'import_all_courses' | | LOW | *-3.3.8 | 3.3.9 | June 30, 2026
page-post-notes | page-post-notes | N/A | Page & Post Notes <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Note Update/Deletion | | LOW | *-1.3.4 | 1.3.5 | June 30, 2026
gravityforms | gravityforms | 93 | Gravity Forms <= 2.9.20 - Unauthenticated Arbitrary File Upload via 'copy_post_image' | | LOW | *-2.9.20 | 2.9.21 | June 30, 2026
idonate | idonate | 89 | IDonate 2.0.0 - 2.1.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion via admin_post_donor_delete Function | | LOW | 2.0.0-2.1.9 | 2.1.10 | June 30, 2026
idonate | idonate | 89 | IDonate 2.1.5 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Account Takeover/Privilege Escalation via idonate_donor_password Function | | LOW | 2.1.5-2.1.9 | 2.1.10 | June 30, 2026
ghl-wizard | ghl-wizard | 91 | LC Wizard 1.2.10 - 1.3.0 - Missing Authorization to Unauthenticated Privilege Escalation | | LOW | 1.2.10-1.3.0 | 1.4.0 | June 30, 2026
wp-airbnb-review-slider | wp-airbnb-review-slider | N/A | WP Airbnb Review Slider <= 4.2 - Authenticated (Admin+) Stored Cross-Site Scripting | | LOW | *-4.2 | 4.4 | June 30, 2026
learnpress | learnpress | 93 | LearnPress <= 4.2.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-4.2.9.4 | 4.3.0 | June 30, 2026
jet-elements | jet-elements | 93 | JetElements For Elementor <= 2.7.12 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.7.12 | 2.7.12.1 | June 30, 2026
Feeds for YouTube (YouTube video, channel, and gallery plugin) | feeds-for-youtube | 68 | Feeds for YouTube <= 2.4.0 - Missing Authorization | | LOW | *-2.4.0 | 2.6.1 | June 30, 2026
EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management | 74 | EventPrime <= 4.2.4.1 - Authenticated (Subscriber+) Information Exposure | | LOW | *-4.2.4.1 | 4.2.5.0 | June 30, 2026
EventPrime – Events Calendar, Bookings and Tickets | eventprime-event-calendar-management | 74 | EventPrime <= 4.2.4.1 - Missing Authorization | | LOW | *-4.2.4.1 | 4.2.5.0 | June 30, 2026
strong-testimonials | strong-testimonials | N/A | Strong Testimonials <= 3.2.16 - Unauthenticated Arbitrary Shortcode Execution | | LOW | *-3.2.16 | 3.2.17 | June 30, 2026
real-time-auto-find-and-replace | real-time-auto-find-and-replace | N/A | Better Find and Replace <= 1.7.7 - Missing Authorization | | LOW | *-1.7.7 | 1.7.8 | June 30, 2026
social-pug | social-pug | N/A | Hubbub Lite <= 1.36.0 - Reflected Cross-Site Scripting | | LOW | *-1.36.0 | 1.36.1 | June 30, 2026
blog2social | blog2social | 93 | Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via post_url | | LOW | *-8.6.0 | 8.6.1 | June 30, 2026
blog2social | blog2social | 93 | Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Incorrect Authorization to Video File Upload | | LOW | *-8.6.0 | 8.6.1 | June 30, 2026
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | easy-digital-downloads | 78 | Easy Digital Download <= 3.5.2 - Insufficient Verification to Order Manipulation | | LOW | *-3.5.2 | 3.5.3 | June 30, 2026
email-subscription-with-secure-captcha | email-subscription-with-secure-captcha | 93 | Easy Email Subscription <= 1.3 - Cross-Site Request Forgery to Arbitrary Subscriber Deletion | | LOW | *-1.3 | 1.3.1 | June 30, 2026
email-subscription-with-secure-captcha | email-subscription-with-secure-captcha | 93 | Easy Email Subscription <= 1.3 - Authenticated (Admin+) SQL Injection via uid | | LOW | *-1.3 | 1.3.1 | June 30, 2026
WP Hotel Booking | wp-hotel-booking | N/A | Hotel Booking <= 2.2.8 - Cross-Site Request Forgery | | LOW | *-2.2.8 | 2.2.9 | June 30, 2026
WP Hotel Booking | wp-hotel-booking | N/A | Hotel Booking <= 2.2.7 - Unauthenticated Information Exposure | | LOW | *-2.2.7 | 2.2.8 | June 30, 2026
WP Hotel Booking | wp-hotel-booking | N/A | Hotel Booking <= 2.2.8 - Authenticated (Editor+) Stored Cross-Site Scripting | | LOW | *-2.2.8 | 2.2.9 | June 30, 2026
virtual-hdm-for-taxservice-am | virtual-hdm-for-taxservice-am | N/A | Tax Service Electronic HDM <= 1.2.0 - Unauthenticated Arbitrary SQL Injection | | LOW | *-1.2.0 | 1.2.1 | June 30, 2026
feather-login-page | feather-login-page | 91 | Feather Login Page <= 1.1.7 - Cross-Site Request Forgery | | LOW | *-1.1.7 | | June 30, 2026
auxin-portfolio | auxin-portfolio | 93 | Premium Portfolio Features for Phlox theme <= 2.3.10 - Unauthenticated Local File Inclusion via args[extra_template_path] | | LOW | *-2.3.10 | 2.3.12 | June 30, 2026
ad-inserter | ad-inserter | 97 | Ad Inserter <= 2.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Field | | LOW | *-2.8.7 | 2.8.8 | June 30, 2026
visual-link-preview | visual-link-preview | N/A | Visual Link Preview <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via visual-link-preview Shortcode | | LOW | *-2.2.7 | 2.2.8 | June 30, 2026
wp-marketing-automations | wp-marketing-automations | N/A | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Unauthenticated Sensitive Information Exposure | | LOW | *-3.6.4.1 | 3.6.4.2 | June 30, 2026
graphina-elementor-charts-and-graphs | graphina-elementor-charts-and-graphs | 93 | Graphina – Elementor Charts and Graphs <= 3.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Widgets | | LOW | *-3.1.8 | 3.1.9 | June 30, 2026
The Events Calendar | the-events-calendar | N/A | The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure | | LOW | *-6.15.9 | 6.15.10 | June 30, 2026
wp-marketing-automations | wp-marketing-automations | N/A | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending | | LOW | *-3.6.4.1 | 3.6.4.2 | June 30, 2026
kiotvietsync | kiotvietsync | 83 | KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update | | LOW | *-1.8.5 | | June 30, 2026
kiotvietsync | kiotvietsync | 83 | KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass | | LOW | *-1.8.5 | | June 30, 2026
Depicter — Popup & Slider Builder | depicter | 95 | Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload | | LOW | *-4.0.4 | 4.0.5 | June 30, 2026
b-carousel-block | b-carousel-block | 93 | B Carousel Block – Responsive Image and Content Carousel <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery | | LOW | *-1.1.5 | 1.1.6 | June 30, 2026
integrate-google-drive | integrate-google-drive | 91 | File Manager for Google Drive – Integrate Google Drive with WordPress <= 1.5.3 - Unauthenticated Sensitive Information Exposure | | LOW | *-1.5.3 | 1.5.4 | June 30, 2026
document-emberdder | document-emberdder | 93 | Document Embedder – Embed PDFs, Word, Excel, and Other Files <= 2.0.0 - Missing Authorization to Unauthenticated Document Manipulation | | LOW | *-2.0.0 | 2.0.1 | June 30, 2026
wpematico | wpematico | N/A | WPeMatico RSS Feed Fetcher <= 2.8.11 - Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed | | LOW | *-2.8.11 | 2.8.12 | June 30, 2026
AI Engine – The Chatbot, AI Framework & MCP for WordPress | ai-engine | 82 | AI Engine <= 3.1.3 - Unauthenticated Sensitive Information Exposure to Privilege Escalation | | LOW | *-3.1.3 | 3.1.4 | June 30, 2026
The Events Calendar | the-events-calendar | N/A | The Events Calendar 6.15.1.1 - 6.15.9 - Unauthenticated SQL Injection via s | | LOW | 6.15.1.1-6.15.9 | 6.15.10 | June 30, 2026
Spectra Gutenberg Blocks – Website Builder for the Block Editor | ultimate-addons-for-gutenberg | N/A | Spectra <= 2.19.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom CSS | | LOW | *-2.19.14 | 2.19.15 | June 30, 2026
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction | paid-member-subscriptions | N/A | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.16.4 - Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal | | LOW | *-2.16.4 | 2.16.5 | June 30, 2026
sms4wp | sms4wp | N/A | SMS for WordPress <= 1.1.8 - Reflected Cross-Site Scripting | | LOW | *-1.1.8 | | June 30, 2026
features | features | 91 | Features <= 0.0.2 - Missing Authorization to Authenticated (Subscriber+) Option Reset | | LOW | *-0.0.2 | | June 30, 2026
everest-forms-pro | everest-forms-pro | 93 | Everest Forms (Pro) <= 1.9.7 - Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature | | LOW | *-1.9.7 | 1.9.8 | June 30, 2026
zoloblocks | zoloblocks | N/A | ZoloBlocks <= 2.3.11 - Missing Authorization | | LOW | *-2.3.11 | 2.3.12 | June 30, 2026
LOW

kiotvietsync

kiotvietsync

Score: 83/100 KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update Affected: *-1.8.5 Patched: Updated: June 30, 2026
LOW

kiotvietsync

kiotvietsync

Score: 83/100 KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass Affected: *-1.8.5 Patched: Updated: June 30, 2026
LOW

Depicter — Popup & Slider Builder

depicter

Score: 95/100 Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload Affected: *-4.0.4 Patched: 4.0.5 Updated: June 30, 2026
LOW

b-carousel-block

b-carousel-block

Score: 93/100 B Carousel Block – Responsive Image and Content Carousel <= 1.1.5 - Missing Authorization to Authenticated (Subscriber+) Server-Side Request Forgery Affected: *-1.1.5 Patched: 1.1.6 Updated: June 30, 2026
LOW

integrate-google-drive

integrate-google-drive

Score: 91/100 File Manager for Google Drive – Integrate Google Drive with WordPress <= 1.5.3 - Unauthenticated Sensitive Information Exposure Affected: *-1.5.3 Patched: 1.5.4 Updated: June 30, 2026
LOW

document-emberdder

document-emberdder

Score: 93/100 Document Embedder – Embed PDFs, Word, Excel, and Other Files <= 2.0.0 - Missing Authorization to Unauthenticated Document Manipulation Affected: *-2.0.0 Patched: 2.0.1 Updated: June 30, 2026
LOW

wpematico

wpematico

Score: N/A WPeMatico RSS Feed Fetcher <= 2.8.11 - Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed Affected: *-2.8.11 Patched: 2.8.12 Updated: June 30, 2026
LOW

The Events Calendar

the-events-calendar

Score: N/A The Events Calendar 6.15.1.1 - 6.15.9 - Unauthenticated SQL Injection via s Affected: 6.15.1.1-6.15.9 Patched: 6.15.10 Updated: June 30, 2026
LOW

sms4wp

sms4wp

Score: N/A SMS for WordPress <= 1.1.8 - Reflected Cross-Site Scripting Affected: *-1.1.8 Patched: Updated: June 30, 2026
LOW

features

features

Score: 91/100 Features <= 0.0.2 - Missing Authorization to Authenticated (Subscriber+) Option Reset Affected: *-0.0.2 Patched: Updated: June 30, 2026
LOW

everest-forms-pro

everest-forms-pro

Score: 93/100 Everest Forms (Pro) <= 1.9.7 - Unauthenticated PHP Object Injection via PHAR Deserialization in Form Signature Affected: *-1.9.7 Patched: 1.9.8 Updated: June 30, 2026
LOW

zoloblocks

zoloblocks

Score: N/A ZoloBlocks <= 2.3.11 - Missing Authorization Affected: *-2.3.11 Patched: 2.3.12 Updated: June 30, 2026

Showing 5201 to 5300 of 36282 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 02:21 UTC.