Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36189

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
sb-woocommerce-infinite-scrol	sb-woocommerce-infinite-scrol	N/A	WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection	LOW	*-1.8		June 28, 2026
Breeze Cache	breeze	79	Breeze Cache <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie	LOW	*-2.5.2	2.5.3	June 28, 2026
wp-travel-pro	wp-travel-pro	95	WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators	LOW	*-10.6.0		June 28, 2026
post-snippets	post-snippets	N/A	Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import	LOW	*-4.0.19	4.1.1	June 28, 2026
poll-maker	poll-maker	N/A	Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action	LOW	*-6.3.7	6.3.8	June 28, 2026
acf-extended	acf-extended	97	Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter	LOW	*-0.9.2.5	0.9.2.6	June 28, 2026
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More	wpforms-lite	70	WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.10.0.4 - Missing Authorization	LOW	*-1.10.0.4	1.10.0.5	June 28, 2026
views-for-wpforms-lite	views-for-wpforms-lite	N/A	Views for WPForms – Display & Edit WPForms Entries on your site frontend <= 3.4.6 - Authenticated (Contributor+) SQL Injection	LOW	*-3.4.6	3.4.7	June 28, 2026
views-for-ninja-forms	views-for-ninja-forms	N/A	Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend <= 3.3.2 - Authenticated (Contributor+) SQL Injection	LOW	*-3.3.2	3.3.3	June 28, 2026
videowhisper-live-streaming-integration	videowhisper-live-streaming-integration	N/A	Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 7.1.3 - Unauthenticated PHP Object Injection	LOW	[*, 7.1.3)	7.1.3	June 28, 2026
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder	user-registration	N/A	User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 5.1.2 - Missing Authorization	LOW	*-5.1.2	5.1.3	June 28, 2026
tainacan	tainacan	N/A	Tainacan <= 1.0.3 - Unauthenticated SQL Injection	LOW	*-1.0.3	1.1.0	June 28, 2026
support_ticket	support_ticket	N/A	Support Ticket Management System <= 1.9 - Unauthenticated Privilege Escalation	LOW	*-1.9		June 28, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments	N/A	Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.10.6 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.6.10.6	1.6.11.0	June 28, 2026
quick-adsense-reloaded	quick-adsense-reloaded	N/A	Quads Ads Manager for Google AdSense <= 3.0.2 - Missing Authorization	LOW	*-3.0.2	3.0.3	June 28, 2026
ppv-live-webcams	ppv-live-webcams	N/A	Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.23 - Unauthenticated PHP Object Injection	LOW	*-7.3.23	7.3.24	June 28, 2026
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App	post-smtp	87	Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App <= 3.6.2 - Unauthenticated Stored Cross-Site Scripting	LOW	*-3.6.2	3.6.3	June 28, 2026
learning-management-system	learning-management-system	93	Masteriyo LMS – LMS Course Builder, Quizzes & Certificates <= 2.1.8 - Missing Authorization	LOW	*-2.1.8	2.1.9	June 28, 2026
geo-my-wp	geo-my-wp	93	GEO my WP <= 4.5.4 - Unauthenticated SQL Injection	LOW	*-4.5.4	4.5.5	June 28, 2026
easy-form-builder	easy-form-builder	93	Easy Form Builder by WhiteStudio — Drag & Drop Form Builder <= 4.0.6 - Unauthenticated SQL Injection	LOW	*-4.0.6	4.0.7	June 28, 2026
clover-online-orders	clover-online-orders	91	Smart Online Order for Clover <= 1.6.0 - Unauthenticated Sensitive Information Exposure	LOW	*-1.6.0	1.6.1	June 28, 2026
clover-online-orders	clover-online-orders	91	Smart Online Order for Clover <= 1.6.0 - Missing Authorization	LOW	*-1.6.0	1.6.1	June 28, 2026
CloudSecure WP Security	cloudsecure-wp-security	86	CloudSecure WP Security <= 1.4.7 - Two-Factor Authentication Bypass	LOW	*-1.4.7	1.4.8	June 28, 2026
AI Engine – The Chatbot, AI Framework & MCP for WordPress	ai-engine	82	AI Engine – The Chatbot, AI Framework & MCP for WordPress <= 3.4.9 - Authenticated (Editor+) Privilege Escalation	LOW	*-3.4.9	3.5.0	June 28, 2026
advanced-ip-blocker	advanced-ip-blocker	N/A	Advanced IP Blocker <= 8.10.7 - Unauthenticated Stored Cross-Site Scripting	LOW	*-8.10.7	8.10.8	June 28, 2026
shariff	shariff	N/A	Shariff Wrapper <= 4.6.20 - Authenticated (Contributor+) Cross-Site Scripting	LOW	*-4.6.20	4.6.21	June 28, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments	N/A	Appointment Booking Calendar <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint	LOW	*-1.6.11.8	1.6.11.9	June 28, 2026
photo-gallery	photo-gallery	N/A	Photo Gallery by 10Web <= 1.8.40 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute	LOW	*-1.8.40	1.8.41	June 28, 2026
visualizer	visualizer	N/A	Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions	LOW	*-3.11.14	3.11.15	June 28, 2026
Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance	accessibility-checker	89	Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action	LOW	*-1.42.0	1.42.1	June 28, 2026
pdf-embedder	pdf-embedder	N/A	PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page	LOW	*-4.9.3	5.0.0	June 28, 2026
geo-my-wp	geo-my-wp	93	GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters	LOW	*-4.5.4	4.5.5	June 28, 2026
peachpay-for-woocommerce	peachpay-for-woocommerce	N/A	PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink	LOW	*-1.120.46	1.120.47	June 28, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments	N/A	Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter	LOW	*-1.6.11.8	1.6.11.9	June 28, 2026
SlimStat Analytics	wp-slimstat	N/A	SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header	LOW	*-5.4.11	5.4.12	June 28, 2026
a3 Lazy Load	a3-lazy-load	95	a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element	LOW	*-2.7.6	2.7.7	June 28, 2026
stops-core-theme-and-plugin-updates	stops-core-theme-and-plugin-updates	N/A	Easy Updates Manager <= 9.0.20 - Reflected Cross-Site Scripting via 'paged' Parameter	LOW	*-9.0.20	9.0.21	June 28, 2026
ht-contactform	ht-contactform	93	HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Field	LOW	*-2.8.2	2.8.3	June 28, 2026
wp-contact-form-7-db-handler	wp-contact-form-7-db-handler	N/A	WP Contact Form 7 DB Handler <= 3.0 - Cross-Site Request Forgery to Arbitrary File Deletion via 'contact_form' Parameter	LOW	*-3.0	3.1	June 28, 2026
geo-mashup	geo-mashup	93	Geo Mashup <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosure via 'geo_mashup_content' Parameter	LOW	*-1.13.19	1.13.20	June 28, 2026
gutenbee	gutenbee	93	GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_and_ext Filter	LOW	*-2.20.1	2.20.2	June 28, 2026
smtp2go	smtp2go	N/A	SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate	LOW	*-1.16.0	1.17.0	June 28, 2026
crawlomatic-multipage-scraper-post-generator	crawlomatic-multipage-scraper-post-generator	93	Crawlomatic Multipage Scraper Post Generator <= 2.7.2 - Authenticated (Author+) Remote Code Execution via 'callback_raw' Shortcode Attribute	LOW	*-2.7.2	2.7.3	June 28, 2026
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy	easy-digital-downloads	78	Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter	LOW	*-3.6.7	3.6.8	June 28, 2026
new-dev-livesmart-video-chat	new-dev-livesmart-video-chat	N/A	LiveSmart Video Chat <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.2	1.3	June 28, 2026
mp-timetable	mp-timetable	N/A	Timetable and Event Schedule by MotoPress <= 2.4.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via action_get_event_data Function	LOW	*-2.4.16	2.4.17	June 28, 2026
login-recaptcha	login-recaptcha	93	Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF	LOW	*-1.8.0	1.8.1	June 28, 2026
Independent Analytics – WordPress Analytics Plugin	independent-analytics	69	Independent Analytics <= 2.14.9 - Unauthenticated Server-Side Request Forgery via Tracking Route	LOW	*-2.14.9	2.14.10	June 28, 2026
acf-frontend-form-element	acf-frontend-form-element	97	Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter	LOW	*-3.29.2	3.29.3	June 28, 2026
woocommerce-currency-switcher	woocommerce-currency-switcher	N/A	FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter	LOW	*-1.4.6	1.4.7	June 28, 2026
Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder	everest-forms	68	Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder <= 3.4.7 - Missing Authorization to Authenticated (Subscriber+) Email Sending	LOW	*-3.4.7	3.4.8	June 28, 2026
wp-meta-and-date-remover	wp-meta-and-date-remover	N/A	WP Meta and Date Remover <= 2.3.6 - Missing Authorization	LOW	*-2.3.6	2.3.7	June 28, 2026
VikBooking Hotel Booking Engine & PMS	vikbooking	95	VikBooking Hotel Booking Engine & PMS <= 1.8.10 - Unauthenticated Arbitrary File Deletion	LOW	*-1.8.10	1.8.11	June 28, 2026
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder	user-registration	N/A	User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Media Deletion via 'profile-pic-url' Parameter	LOW	*-5.1.5	5.1.6	June 28, 2026
the-post-grid	the-post-grid	N/A	The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.9.2 - Missing Authorization	LOW	*-7.9.2	7.9.3	June 28, 2026
svg-support	svg-support	N/A	SVG Support <= 2.5.14 - Missing Authorization	LOW	*-2.5.14	2.5.15	June 28, 2026
seedprod-coming-soon-pro-5	seedprod-coming-soon-pro-5	N/A	SeedProd Pro < 6.19.5 - Authenticated (Contributor+) Local File Inclusion	LOW	[*, 6.19.5)	6.19.5	June 28, 2026
product-import-export-for-woo	product-import-export-for-woo	N/A	Product Import Export for WooCommerce – Import Export Product CSV Suite <= 2.5.6 - Missing Authorization	LOW	*-2.5.6	2.5.7	June 28, 2026
Master Slider – Responsive Touch Slider	master-slider	86	Master Slider – Responsive Touch Slider <= 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.10.8	3.10.9	June 28, 2026
generateblocks	generateblocks	93	GenerateBlocks <= 2.1.0 - Authenticated (Contributor+) Information Disclosure	LOW	*-2.1.0	2.1.1	June 28, 2026
facebook-for-woocommerce	facebook-for-woocommerce	95	Meta for WooCommerce <= 3.7.0 - Unauthenticated Open Redirect	LOW	*-3.7.0	3.7.1	June 28, 2026
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor	elementskit-lite	95	ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor <= 3.9.6 - Missing Authorization	LOW	*-3.9.6	3.9.7	June 28, 2026
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor	elementskit-lite	95	ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor <= 3.9.6 - Missing Authorization	LOW	*-3.9.6	3.9.7	June 28, 2026
duplicate-wp-page-post	duplicate-wp-page-post	89	Duplicate Page and Post <= 2.9.5 - Authenticated (Contributor+) SQL Injection	LOW	*-2.9.5		June 28, 2026
display-a-meta-field-as-block	display-a-meta-field-as-block	93	Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure	LOW	*-1.5.1	1.5.2	June 28, 2026
clover-online-orders	clover-online-orders	91	Smart Online Order for Clover <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.6.0	1.6.1	June 28, 2026
Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages	bp-better-messages	75	Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots <= 2.14.16 - Unauthenticated Insecure Direct Object Reference	LOW	*-2.14.16	2.15.0	June 28, 2026
ar-vr-3d-model-try-on	ar-vr-3d-model-try-on	N/A	3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint	LOW	*-2.0.1	2.0.2	June 28, 2026
advanced-custom-fields-font-awesome	advanced-custom-fields-font-awesome	97	Advanced Custom Fields: Font Awesome Field <= 5.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-5.0.2	6.0.0	June 28, 2026
advanced-custom-fields	advanced-custom-fields	97	Advanced Custom Fields (ACF®) <= 6.8.1 - Missing Authorization	LOW	*-6.8.1	6.8.2	June 28, 2026
adminimize	adminimize	97	Adminimize <= 1.11.11 - Missing Authorization	LOW	*-1.11.11	1.11.12	June 28, 2026
acf-frontend-form-element	acf-frontend-form-element	97	Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection	LOW	*-3.29.2	3.29.3	June 28, 2026
3d-flipbook-dflip-lite	3d-flipbook-dflip-lite	97	DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.4.29 - Missing Authorization	LOW	*-2.4.29	2.4.30	June 28, 2026
xpro-elementor-addons-pro	xpro-elementor-addons-pro	N/A	Xpro Elementor Addons - Pro <= 1.4.7 - Authenticated (Contributor+) Arbitrary File Read via Draw SVG	LOW	*-1.4.7	1.4.8	June 28, 2026
minhnhut-link-gateway	minhnhut-link-gateway	N/A	MinhNhut Link Gateway <= 3.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting via Plugin Settings	LOW	*-3.6.1		June 28, 2026
minhnhut-link-gateway	minhnhut-link-gateway	N/A	MinhNhut Link Gateway <= 3.6.1 - Reflected Cross-Site Scripting via 'url' Parameter	LOW	*-3.6.1		June 28, 2026
mylinksdump	mylinksdump	N/A	myLinksDump <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'link_title' Parameter	LOW	*-1.6		June 28, 2026
rexcrawler	rexcrawler	N/A	rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings	LOW	*-1.0.15		June 28, 2026
wp-promoter	wp-promoter	N/A	WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter	LOW	*-1.3		June 28, 2026
metamagic	metamagic	N/A	MetaMagic SEO Plugin <= 1.6 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page	LOW	*-1.6		June 28, 2026
github-shortcode	github-shortcode	N/A	Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-0.1		June 28, 2026
WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager	insert-headers-and-footers	86	WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost	LOW	*-2.3.5	2.3.6	June 28, 2026
enable-jquery-migrate-helper	enable-jquery-migrate-helper	89	Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade	LOW	*-1.4.1		June 28, 2026
addons-for-visual-composer	addons-for-visual-composer	93	WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-3.9.4		June 28, 2026
addons-for-beaver-builder	addons-for-beaver-builder	93	Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Missing Authorization	LOW	*-3.9.2		June 28, 2026
livemesh-siteorigin-widgets	livemesh-siteorigin-widgets	91	Livemesh SiteOrigin Widgets <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting	LOW	*-3.9.2		June 28, 2026
addons-for-visual-composer	addons-for-visual-composer	93	WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting	LOW	*-3.9.4		June 28, 2026
envialosimple-email-marketing-y-newsletters-gratis	envialosimple-email-marketing-y-newsletters-gratis	91	EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter	LOW	*-2.4.5		June 28, 2026
affiliate-toolkit-starter	affiliate-toolkit-starter	95	affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution	LOW	*-3.8.4		June 28, 2026
shortcode-buddy	shortcode-buddy	N/A	Shortcode Buddy <= 0.1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-0.1.9.5		June 28, 2026
iwr-tooltip	iwr-tooltip	N/A	iWR Tooltip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-1.0		June 28, 2026
bitform	bitform	N/A	BitForm <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-1.1.0		June 28, 2026
listen-shortcode	listen-shortcode	N/A	Listen Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-1.0		June 28, 2026
hk-shortcode	hk-shortcode	N/A	hk_shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute	LOW	*-1.0		June 28, 2026
iq-quotation-page	iq-quotation-page	N/A	Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-1.3.4		June 28, 2026
responsive-video-embedder	responsive-video-embedder	N/A	Responsive Video Embedder <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-0.1		June 28, 2026
easy-prism-syntax-highlighter	easy-prism-syntax-highlighter	N/A	Easy Prism Syntax Highlighter <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-1.0.2		June 28, 2026
content-slideshow	content-slideshow	N/A	Content Slideshow <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-2.4.1		June 28, 2026
animate-your-content	animate-your-content	N/A	Animate Your Content <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-1.0.0		June 28, 2026
formidable-kinetic	formidable-kinetic	N/A	Formidable Kinetic <= 1.1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes	LOW	*-1.1.01		June 28, 2026

LOW

sb-woocommerce-infinite-scrol

Score: N/A WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection Affected: *-1.8 Patched: Updated: June 28, 2026

LOW

Breeze Cache

breeze

Score: 79/100 Breeze Cache <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie Affected: *-2.5.2 Patched: 2.5.3 Updated: June 28, 2026

LOW

wp-travel-pro

Score: 95/100 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators Affected: *-10.6.0 Patched: Updated: June 28, 2026

LOW

post-snippets

Score: N/A Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import Affected: *-4.0.19 Patched: 4.1.1 Updated: June 28, 2026

LOW

Score: N/A Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action Affected: *-6.3.7 Patched: 6.3.8 Updated: June 28, 2026

LOW

acf-extended

Score: 97/100 Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter Affected: *-0.9.2.5 Patched: 0.9.2.6 Updated: June 28, 2026

LOW

WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

wpforms-lite

Score: 70/100 WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More <= 1.10.0.4 - Missing Authorization Affected: *-1.10.0.4 Patched: 1.10.0.5 Updated: June 28, 2026

LOW

views-for-wpforms-lite

Score: N/A Views for WPForms – Display & Edit WPForms Entries on your site frontend <= 3.4.6 - Authenticated (Contributor+) SQL Injection Affected: *-3.4.6 Patched: 3.4.7 Updated: June 28, 2026

LOW

views-for-ninja-forms

Score: N/A Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend <= 3.3.2 - Authenticated (Contributor+) SQL Injection Affected: *-3.3.2 Patched: 3.3.3 Updated: June 28, 2026

LOW

videowhisper-live-streaming-integration

Score: N/A Broadcast Live Video – Live Streaming : WebRTC, HLS, RTSP, RTMP < 7.1.3 - Unauthenticated PHP Object Injection Affected: [*, 7.1.3) Patched: 7.1.3 Updated: June 28, 2026

LOW

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

user-registration

Score: N/A User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder <= 5.1.2 - Missing Authorization Affected: *-5.1.2 Patched: 5.1.3 Updated: June 28, 2026

LOW

tainacan

Score: N/A Tainacan <= 1.0.3 - Unauthenticated SQL Injection Affected: *-1.0.3 Patched: 1.1.0 Updated: June 28, 2026

LOW

support_ticket

Score: N/A Support Ticket Management System <= 1.9 - Unauthenticated Privilege Escalation Affected: *-1.9 Patched: Updated: June 28, 2026

LOW

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

simply-schedule-appointments

Score: N/A Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.10.6 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.6.10.6 Patched: 1.6.11.0 Updated: June 28, 2026

LOW

quick-adsense-reloaded

Score: N/A Quads Ads Manager for Google AdSense <= 3.0.2 - Missing Authorization Affected: *-3.0.2 Patched: 3.0.3 Updated: June 28, 2026

LOW

ppv-live-webcams

Score: N/A Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.23 - Unauthenticated PHP Object Injection Affected: *-7.3.23 Patched: 7.3.24 Updated: June 28, 2026

LOW

Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App

post-smtp

Score: 87/100 Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App <= 3.6.2 - Unauthenticated Stored Cross-Site Scripting Affected: *-3.6.2 Patched: 3.6.3 Updated: June 28, 2026

LOW

learning-management-system

Score: 93/100 Masteriyo LMS – LMS Course Builder, Quizzes & Certificates <= 2.1.8 - Missing Authorization Affected: *-2.1.8 Patched: 2.1.9 Updated: June 28, 2026

LOW

geo-my-wp

Score: 93/100 GEO my WP <= 4.5.4 - Unauthenticated SQL Injection Affected: *-4.5.4 Patched: 4.5.5 Updated: June 28, 2026

LOW

easy-form-builder

Score: 93/100 Easy Form Builder by WhiteStudio — Drag & Drop Form Builder <= 4.0.6 - Unauthenticated SQL Injection Affected: *-4.0.6 Patched: 4.0.7 Updated: June 28, 2026

LOW

clover-online-orders

Score: 91/100 Smart Online Order for Clover <= 1.6.0 - Unauthenticated Sensitive Information Exposure Affected: *-1.6.0 Patched: 1.6.1 Updated: June 28, 2026

LOW

clover-online-orders

Score: 91/100 Smart Online Order for Clover <= 1.6.0 - Missing Authorization Affected: *-1.6.0 Patched: 1.6.1 Updated: June 28, 2026

LOW

CloudSecure WP Security

cloudsecure-wp-security

Score: 86/100 CloudSecure WP Security <= 1.4.7 - Two-Factor Authentication Bypass Affected: *-1.4.7 Patched: 1.4.8 Updated: June 28, 2026

LOW

AI Engine – The Chatbot, AI Framework & MCP for WordPress

ai-engine

Score: 82/100 AI Engine – The Chatbot, AI Framework & MCP for WordPress <= 3.4.9 - Authenticated (Editor+) Privilege Escalation Affected: *-3.4.9 Patched: 3.5.0 Updated: June 28, 2026

LOW

advanced-ip-blocker

Score: N/A Advanced IP Blocker <= 8.10.7 - Unauthenticated Stored Cross-Site Scripting Affected: *-8.10.7 Patched: 8.10.8 Updated: June 28, 2026

LOW

shariff

Score: N/A Shariff Wrapper <= 4.6.20 - Authenticated (Contributor+) Cross-Site Scripting Affected: *-4.6.20 Patched: 4.6.21 Updated: June 28, 2026

LOW

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

simply-schedule-appointments

Score: N/A Appointment Booking Calendar <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint Affected: *-1.6.11.8 Patched: 1.6.11.9 Updated: June 28, 2026

LOW

photo-gallery

Score: N/A Photo Gallery by 10Web <= 1.8.40 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute Affected: *-1.8.40 Patched: 1.8.41 Updated: June 28, 2026

LOW

visualizer

Score: N/A Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions Affected: *-3.11.14 Patched: 3.11.15 Updated: June 28, 2026

LOW

Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance

accessibility-checker

Score: 89/100 Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action Affected: *-1.42.0 Patched: 1.42.1 Updated: June 28, 2026

LOW

pdf-embedder

Score: N/A PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page Affected: *-4.9.3 Patched: 5.0.0 Updated: June 28, 2026

LOW

geo-my-wp

Score: 93/100 GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters Affected: *-4.5.4 Patched: 4.5.5 Updated: June 28, 2026

LOW

peachpay-for-woocommerce

Score: N/A PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink Affected: *-1.120.46 Patched: 1.120.47 Updated: June 28, 2026

LOW

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

simply-schedule-appointments

Score: N/A Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter Affected: *-1.6.11.8 Patched: 1.6.11.9 Updated: June 28, 2026

LOW

SlimStat Analytics

wp-slimstat

Score: N/A SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header Affected: *-5.4.11 Patched: 5.4.12 Updated: June 28, 2026

LOW

a3 Lazy Load

a3-lazy-load

Score: 95/100 a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element Affected: *-2.7.6 Patched: 2.7.7 Updated: June 28, 2026

LOW

stops-core-theme-and-plugin-updates

Score: N/A Easy Updates Manager <= 9.0.20 - Reflected Cross-Site Scripting via 'paged' Parameter Affected: *-9.0.20 Patched: 9.0.21 Updated: June 28, 2026

LOW

ht-contactform

Score: 93/100 HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Field Affected: *-2.8.2 Patched: 2.8.3 Updated: June 28, 2026

LOW

wp-contact-form-7-db-handler

Score: N/A WP Contact Form 7 DB Handler <= 3.0 - Cross-Site Request Forgery to Arbitrary File Deletion via 'contact_form' Parameter Affected: *-3.0 Patched: 3.1 Updated: June 28, 2026

LOW

geo-mashup

Score: 93/100 Geo Mashup <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosure via 'geo_mashup_content' Parameter Affected: *-1.13.19 Patched: 1.13.20 Updated: June 28, 2026

LOW

gutenbee

Score: 93/100 GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_and_ext Filter Affected: *-2.20.1 Patched: 2.20.2 Updated: June 28, 2026

LOW

smtp2go

Score: N/A SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate Affected: *-1.16.0 Patched: 1.17.0 Updated: June 28, 2026

LOW

crawlomatic-multipage-scraper-post-generator

Score: 93/100 Crawlomatic Multipage Scraper Post Generator <= 2.7.2 - Authenticated (Author+) Remote Code Execution via 'callback_raw' Shortcode Attribute Affected: *-2.7.2 Patched: 2.7.3 Updated: June 28, 2026

LOW

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

easy-digital-downloads

Score: 78/100 Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter Affected: *-3.6.7 Patched: 3.6.8 Updated: June 28, 2026

LOW

new-dev-livesmart-video-chat

Score: N/A LiveSmart Video Chat <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2 Patched: 1.3 Updated: June 28, 2026

LOW

mp-timetable

Score: N/A Timetable and Event Schedule by MotoPress <= 2.4.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via action_get_event_data Function Affected: *-2.4.16 Patched: 2.4.17 Updated: June 28, 2026

LOW

login-recaptcha

Score: 93/100 Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF Affected: *-1.8.0 Patched: 1.8.1 Updated: June 28, 2026

LOW

Independent Analytics – WordPress Analytics Plugin

independent-analytics

Score: 69/100 Independent Analytics <= 2.14.9 - Unauthenticated Server-Side Request Forgery via Tracking Route Affected: *-2.14.9 Patched: 2.14.10 Updated: June 28, 2026

LOW

acf-frontend-form-element

Score: 97/100 Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter Affected: *-3.29.2 Patched: 3.29.3 Updated: June 28, 2026

LOW

woocommerce-currency-switcher

Score: N/A FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter Affected: *-1.4.6 Patched: 1.4.7 Updated: June 28, 2026

LOW

Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder

everest-forms

Score: 68/100 Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder <= 3.4.7 - Missing Authorization to Authenticated (Subscriber+) Email Sending Affected: *-3.4.7 Patched: 3.4.8 Updated: June 28, 2026

LOW

wp-meta-and-date-remover

Score: N/A WP Meta and Date Remover <= 2.3.6 - Missing Authorization Affected: *-2.3.6 Patched: 2.3.7 Updated: June 28, 2026

LOW

VikBooking Hotel Booking Engine & PMS

vikbooking

Score: 95/100 VikBooking Hotel Booking Engine & PMS <= 1.8.10 - Unauthenticated Arbitrary File Deletion Affected: *-1.8.10 Patched: 1.8.11 Updated: June 28, 2026

LOW

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

user-registration

Score: N/A User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Media Deletion via 'profile-pic-url' Parameter Affected: *-5.1.5 Patched: 5.1.6 Updated: June 28, 2026

LOW

the-post-grid

Score: N/A The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.9.2 - Missing Authorization Affected: *-7.9.2 Patched: 7.9.3 Updated: June 28, 2026

LOW

svg-support

Score: N/A SVG Support <= 2.5.14 - Missing Authorization Affected: *-2.5.14 Patched: 2.5.15 Updated: June 28, 2026

LOW

seedprod-coming-soon-pro-5

Score: N/A SeedProd Pro < 6.19.5 - Authenticated (Contributor+) Local File Inclusion Affected: [*, 6.19.5) Patched: 6.19.5 Updated: June 28, 2026

LOW

product-import-export-for-woo

Score: N/A Product Import Export for WooCommerce – Import Export Product CSV Suite <= 2.5.6 - Missing Authorization Affected: *-2.5.6 Patched: 2.5.7 Updated: June 28, 2026

LOW

Master Slider – Responsive Touch Slider

master-slider

Score: 86/100 Master Slider – Responsive Touch Slider <= 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.10.8 Patched: 3.10.9 Updated: June 28, 2026

LOW

generateblocks

Score: 93/100 GenerateBlocks <= 2.1.0 - Authenticated (Contributor+) Information Disclosure Affected: *-2.1.0 Patched: 2.1.1 Updated: June 28, 2026

LOW

facebook-for-woocommerce

Score: 95/100 Meta for WooCommerce <= 3.7.0 - Unauthenticated Open Redirect Affected: *-3.7.0 Patched: 3.7.1 Updated: June 28, 2026

LOW

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor

elementskit-lite

Score: 95/100 ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor <= 3.9.6 - Missing Authorization Affected: *-3.9.6 Patched: 3.9.7 Updated: June 28, 2026

LOW

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor

elementskit-lite

Score: 95/100 ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor <= 3.9.6 - Missing Authorization Affected: *-3.9.6 Patched: 3.9.7 Updated: June 28, 2026

LOW

duplicate-wp-page-post

Score: 89/100 Duplicate Page and Post <= 2.9.5 - Authenticated (Contributor+) SQL Injection Affected: *-2.9.5 Patched: Updated: June 28, 2026

LOW

display-a-meta-field-as-block

Score: 93/100 Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure Affected: *-1.5.1 Patched: 1.5.2 Updated: June 28, 2026

LOW

clover-online-orders

Score: 91/100 Smart Online Order for Clover <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.6.0 Patched: 1.6.1 Updated: June 28, 2026

LOW

Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages

bp-better-messages

Score: 75/100 Better Messages – Chat Rooms, Group Chat, Private Messages & AI Chat Bots <= 2.14.16 - Unauthenticated Insecure Direct Object Reference Affected: *-2.14.16 Patched: 2.15.0 Updated: June 28, 2026

LOW

ar-vr-3d-model-try-on

Score: N/A 3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint Affected: *-2.0.1 Patched: 2.0.2 Updated: June 28, 2026

LOW

advanced-custom-fields-font-awesome

Score: 97/100 Advanced Custom Fields: Font Awesome Field <= 5.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-5.0.2 Patched: 6.0.0 Updated: June 28, 2026

LOW

advanced-custom-fields

Score: 97/100 Advanced Custom Fields (ACF®) <= 6.8.1 - Missing Authorization Affected: *-6.8.1 Patched: 6.8.2 Updated: June 28, 2026

LOW

adminimize

Score: 97/100 Adminimize <= 1.11.11 - Missing Authorization Affected: *-1.11.11 Patched: 1.11.12 Updated: June 28, 2026

LOW

acf-frontend-form-element

Score: 97/100 Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection Affected: *-3.29.2 Patched: 3.29.3 Updated: June 28, 2026

LOW

3d-flipbook-dflip-lite

Score: 97/100 DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer <= 2.4.29 - Missing Authorization Affected: *-2.4.29 Patched: 2.4.30 Updated: June 28, 2026

LOW

xpro-elementor-addons-pro

Score: N/A Xpro Elementor Addons - Pro <= 1.4.7 - Authenticated (Contributor+) Arbitrary File Read via Draw SVG Affected: *-1.4.7 Patched: 1.4.8 Updated: June 28, 2026

LOW

minhnhut-link-gateway

Score: N/A MinhNhut Link Gateway <= 3.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting via Plugin Settings Affected: *-3.6.1 Patched: Updated: June 28, 2026

LOW

minhnhut-link-gateway

Score: N/A MinhNhut Link Gateway <= 3.6.1 - Reflected Cross-Site Scripting via 'url' Parameter Affected: *-3.6.1 Patched: Updated: June 28, 2026

LOW

mylinksdump

Score: N/A myLinksDump <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'link_title' Parameter Affected: *-1.6 Patched: Updated: June 28, 2026

LOW

rexcrawler

Score: N/A rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Affected: *-1.0.15 Patched: Updated: June 28, 2026

LOW

wp-promoter

Score: N/A WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter Affected: *-1.3 Patched: Updated: June 28, 2026

LOW

metamagic

Score: N/A MetaMagic SEO Plugin <= 1.6 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page Affected: *-1.6 Patched: Updated: June 28, 2026

LOW

github-shortcode

Score: N/A Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.1 Patched: Updated: June 28, 2026

LOW

WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager

insert-headers-and-footers

Score: 86/100 WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost Affected: *-2.3.5 Patched: 2.3.6 Updated: June 28, 2026

LOW

enable-jquery-migrate-helper

Score: 89/100 Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade Affected: *-1.4.1 Patched: Updated: June 28, 2026

LOW

addons-for-visual-composer

Score: 93/100 WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-3.9.4 Patched: Updated: June 28, 2026

LOW

addons-for-beaver-builder

Score: 93/100 Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Missing Authorization Affected: *-3.9.2 Patched: Updated: June 28, 2026

LOW

livemesh-siteorigin-widgets

Score: 91/100 Livemesh SiteOrigin Widgets <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-3.9.2 Patched: Updated: June 28, 2026

LOW

addons-for-visual-composer

Score: 93/100 WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-3.9.4 Patched: Updated: June 28, 2026

LOW

envialosimple-email-marketing-y-newsletters-gratis

Score: 91/100 EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter Affected: *-2.4.5 Patched: Updated: June 28, 2026

LOW

affiliate-toolkit-starter

Score: 95/100 affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution Affected: *-3.8.4 Patched: Updated: June 28, 2026

LOW

shortcode-buddy

Score: N/A Shortcode Buddy <= 0.1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-0.1.9.5 Patched: Updated: June 28, 2026

LOW

iwr-tooltip

Score: N/A iWR Tooltip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-1.0 Patched: Updated: June 28, 2026

LOW

bitform

Score: N/A BitForm <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-1.1.0 Patched: Updated: June 28, 2026

LOW

listen-shortcode

Score: N/A Listen Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-1.0 Patched: Updated: June 28, 2026

LOW

hk-shortcode

Score: N/A hk_shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute Affected: *-1.0 Patched: Updated: June 28, 2026

LOW

iq-quotation-page

Score: N/A Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-1.3.4 Patched: Updated: June 28, 2026

LOW

responsive-video-embedder

Score: N/A Responsive Video Embedder <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-0.1 Patched: Updated: June 28, 2026

LOW

easy-prism-syntax-highlighter

Score: N/A Easy Prism Syntax Highlighter <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-1.0.2 Patched: Updated: June 28, 2026

LOW

content-slideshow

Score: N/A Content Slideshow <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-2.4.1 Patched: Updated: June 28, 2026

LOW

animate-your-content

Score: N/A Animate Your Content <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-1.0.0 Patched: Updated: June 28, 2026

LOW

formidable-kinetic

Score: N/A Formidable Kinetic <= 1.1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-1.1.01 Patched: Updated: June 28, 2026

Showing 501 to 600 of 36189 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 28, 2026 at 22:33 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List