Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities: 36190 (across tracked plugins)

Affected Plugins: 94 (with open vulnerabilities)

Critical / High: 0 (require immediate attention)

Recently Updated: 0 (in the last 30 days)

Vulnerability List

Vulnerability list with plugin score and patch status
| Plugin | Slug | Score (/100) | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated |
|---|---|---|---|---|---|---|---|---|
| dadevarzan-common | dadevarzan-common | 93 | Dadevarzan WordPress Common <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.2.2 | 2.2.3 | June 29, 2026 |
| cookie-notice-and-consent-banner | cookie-notice-and-consent-banner | 93 | Cookie Notice & Consent Banner for GDPR & CCPA Compliance <= 1.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.7.11 | 1.7.12 | June 29, 2026 |
| classified-listing | classified-listing | 93 | Classified Listing <= 5.0.6 - Missing Authorization | | LOW | *-5.0.6 | 5.0.7 | June 29, 2026 |
| brizy | brizy | 93 | Brizy <= 2.7.12 - Missing Authorization | | LOW | *-2.7.12 | 2.7.13 | June 29, 2026 |
| booking-ultra-pro | booking-ultra-pro | 91 | Booking Ultra Pro <= 1.1.21 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.1.21 | 1.1.22 | June 29, 2026 |
| bluet-keywords-tooltip-generator | bluet-keywords-tooltip-generator | 91 | Tooltipy <= 5.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-5.5.6 | 5.5.9 | June 29, 2026 |
| atec-debug | atec-debug | 93 | atec Debug <= 1.2.22 - Authenticated (Administrator+) Arbitrary File Deletion | | LOW | *-1.2.22 | 1.2.23 | June 29, 2026 |
| atec-debug | atec-debug | 93 | atec Debug <= 1.2.22 - Authenticated (Administrator+) Arbitrary File Read | | LOW | *-1.2.22 | 1.2.23 | June 29, 2026 |
| atec-debug | atec-debug | 93 | atec Debug <= 1.2.22 - Authenticated (Administrator+) Remote Code Execution | | LOW | *-1.2.22 | 1.2.23 | June 29, 2026 |
| assistant | assistant | 97 | WordPress Assistant <= 1.5.2 - Reflected Cross-Site Scripting | | LOW | *-1.5.2 | 1.5.3 | June 29, 2026 |
| Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder | fluentform | 78 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 5.1.16 - 6.1.1 - Authenticated (Subscriber+) PHP Object Injection To Arbitrary File Read | | LOW | 5.1.16-6.1.1 | 6.1.2 | June 29, 2026 |
| vayu-blocks | vayu-blocks | N/A | Vayu Blocks <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes | | LOW | *-1.3.9 | 1.3.10 | June 29, 2026 |
| ultimate-post | ultimate-post | N/A | PostX <= 4.1.36 - Missing Authorization | | LOW | *-4.1.36 | 4.1.37 | June 29, 2026 |
| todays-date-inserter | todays-date-inserter | N/A | Today's Date Inserter <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.2.1 | | June 29, 2026 |
| SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder | sureforms | N/A | SureForms – Drag and Drop Form Builder for WordPress <= 1.9.0 - Authenticated (Admin+) Stored Cross-Site Scripting | | LOW | *-1.9.0 | 1.9.1 | June 29, 2026 |
| sprout-invoices | sprout-invoices | N/A | Client Invoicing by Sprout Invoices <= 20.8.7 - Unauthenticated PHP Object Injection | | LOW | *-20.8.7 | 20.8.8 | June 29, 2026 |
| Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | post-smtp | 87 | Post SMTP <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Option Update | | LOW | *-3.4.1 | 3.4.2 | June 29, 2026 |
| floating-window-music-player | floating-window-music-player | 91 | Floating Window Music Player <= 3.4.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting | | LOW | *-3.4.2 | | June 29, 2026 |
| easy-flash-embed | easy-flash-embed | 91 | Easy Flash Embed <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.0 | | June 29, 2026 |
| profilegrid-user-profiles-groups-and-communities | profilegrid-user-profiles-groups-and-communities | N/A | ProfileGrid – User Profiles, Groups and Communities <= 5.9.5.7 - Reflected Cross-Site Scripting | | LOW | *-5.9.5.7 | 5.9.5.8 | June 29, 2026 |
| miraculouscore | miraculouscore | N/A | Miraculous Core < 2.0.9 - Unauthenticated Insecure Direct Object Reference | | LOW | [*, 2.0.9) | 2.0.9 | June 29, 2026 |
| markup-markdown | markup-markdown | 93 | Markup Markdown <= 3.20.9 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.20.9 | 3.20.10 | June 29, 2026 |
| markup-markdown | markup-markdown | 93 | Markup Markdown <= 3.20.9 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.20.9 | 3.20.10 | June 29, 2026 |
| etsy-shop | etsy-shop | 93 | Etsy Shop <= 3.0.6 - Reflected Cross-Site Scripting | | LOW | *-3.0.6 | 3.0.7 | June 29, 2026 |
| constant-contact-api | constant-contact-api | 91 | Constant Contact for WordPress <= 4.1.1 - Unauthenticated PHP Object Injection | | LOW | *-4.1.1 | | June 29, 2026 |
| admin-site-enhancements | admin-site-enhancements | 97 | Admin and Site Enhancements <= 7.9.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG | | LOW | *-7.9.7 | 7.9.8 | June 29, 2026 |
| amministrazione-trasparente | amministrazione-trasparente | 97 | Amministrazione Trasparente <= 9.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via print_r Function | | LOW | *-9.0 | 9.1 | June 29, 2026 |
| lingotek-translation | lingotek-translation | 91 | Ray Enterprise Translation <= 1.7.1 - Unauthenticated Local File Inclusion | | LOW | *-1.7.1 | 1.7.2 | June 29, 2026 |
| institutions-directory | institutions-directory | 87 | Institutions Directory <= 1.3.3 - Reflected Cross-Site Scripting | | LOW | *-1.3.3 | 1.3.4 | June 29, 2026 |
| hotel-listing | hotel-listing | 86 | Hotel Listing <= 1.4.0 - Authenticated (Subscriber+) Privilege Escalation | | LOW | *-1.4.0 | | June 29, 2026 |
| hellofollowers | hellofollowers | 91 | Hello Followers <= 2.5 - Reflected Cross-Site Scripting | | LOW | *-2.5 | | June 29, 2026 |
| epic-review | epic-review | 93 | Epic Review <= 1.0.2 - Reflected Cross-Site Scripting | | LOW | *-1.0.2 | 1.0.3 | June 29, 2026 |
| acf-recent-posts-widget | acf-recent-posts-widget | 95 | ACF Recent Posts Widget <= 5.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-5.9.3 | | June 29, 2026 |
| TablePress – Tables in WordPress made easy | tablepress | 86 | TablePress <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode_debug Parameter | | LOW | *-3.2 | 3.2.1 | June 29, 2026 |
| ocean-extra | ocean-extra | N/A | Ocean Extra <= 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via oceanwp_library Shortcode | | LOW | *-2.4.9 | 2.5.0 | June 29, 2026 |
| related-posts-lite | related-posts-lite | N/A | Related Posts Lite <= 1.12 - Cross-Site Request Forgery | | LOW | *-1.12 | | June 29, 2026 |
| yaypricing | yaypricing | N/A | YayPricing <= 3.5.3 - Missing Authorization | | LOW | *-3.5.3 | 3.5.4 | June 29, 2026 |
| ultimate-post | ultimate-post | N/A | PostX <= 4.1.35 - Authenticated (Editor+) Privilege Escalation | | LOW | *-4.1.35 | 4.1.36 | June 29, 2026 |
| task-manager | task-manager | N/A | Task Manager <= 3.0.2 - Unauthenticated Local File Inclusion | | LOW | *-3.0.2 | | June 29, 2026 |
| sunshine-photo-cart | sunshine-photo-cart | N/A | Sunshine Photo Cart <= 3.5.3 - Missing Authorization | | LOW | *-3.5.3 | 3.5.4 | June 29, 2026 |
| nifty-backups | nifty-backups | N/A | Nifty Backups <= 1.08 - Reflected Cross-Site Scripting | | LOW | *-1.08 | | June 29, 2026 |
| multisite-clone-duplicator | multisite-clone-duplicator | N/A | MultiSite Clone Duplicator <= 1.5.3 - Reflected Cross-Site Scripting | | LOW | *-1.5.3 | | June 29, 2026 |
| cookie-notice-consent | cookie-notice-consent | 93 | Cookie Notice & Consent <= 1.6.4 - Unauthenticated Stored Cross-Site Scripting | | LOW | *-1.6.4 | 1.6.5 | June 29, 2026 |
| blog-designer-pro | blog-designer-pro | 86 | Blog Designer PRO <= 3.4.8 - Missing Authorization | | LOW | *-3.4.8 | | June 29, 2026 |
| events-addon-for-elementor | events-addon-for-elementor | 93 | Events Addon for Elementor <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter and Countdown Widgets | | LOW | *-2.2.9 | 2.3.0 | June 29, 2026 |
| list-sub-pages | list-sub-pages | 93 | List Subpages <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter | | LOW | *-1.0.6 | 1.0.7 | June 29, 2026 |
| utw-importer | utw-importer | N/A | Ultimate Tag Warrior Importer <= 0.2 - Cross-Site Request Forgery | | LOW | *-0.2 | | June 29, 2026 |
| iats-online-forms | iats-online-forms | 91 | iATS Online Forms <= 1.2 - Authenticated (Contributor+) SQL Injection via order Parameter | | LOW | *-1.2 | | June 29, 2026 |
| osm-map-elementor | osm-map-elementor | N/A | OSM Map Widget for Elementor <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL | | LOW | *-1.3.0 | 1.3.1 | June 29, 2026 |
| WP Hotel Booking | wp-hotel-booking | N/A | WP Hotel Booking <= 2.2.1 - Improper Input Validation to Authenticated (Subscriber+) Rating Manipulation | | LOW | *-2.2.2 | 2.2.3 | June 29, 2026 |
| Booster for WooCommerce – PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools | woocommerce-jetpack | 65 | Booster for WooCommerce <= 7.2.4 - Unauthenticated Double Extension Arbitrary File Upload | | LOW | *-7.2.4 | 7.2.5 | June 29, 2026 |
| revslider | revslider | N/A | Slider Revolution <= 6.7.36 - Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images' | | LOW | *-6.7.36 | 6.7.37 | June 29, 2026 |
| Ninja Forms – The Contact Form Builder That Grows With You | ninja-forms | 69 | Ninja Forms <= 3.11.0 - Unauthenticated PHP Object Injection | | LOW | *-3.11.0 | 3.11.1 | June 29, 2026 |
| lwscache | lwscache | 93 | LWSCache <= 2.8.5 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation via lwscache_activatePlugin Function | | LOW | *-2.8.5 | 2.9 | June 29, 2026 |
| bdvs-password-reset | bdvs-password-reset | 93 | Password Reset with Code <= 0.0.16 - Unauthenticated Privilege Escalation via Weak OTP Codes | | LOW | *-0.0.16 | 0.0.17 | June 29, 2026 |
| addon-elements-for-elementor-page-builder | addon-elements-for-elementor-page-builder | 97 | Elementor Addon Elements <= 1.14.4 - Authenticated (Contributor+) Information Exposure | | LOW | *-1.14.4 | 1.14.5 | June 29, 2026 |
| Dynamic AJAX Product Filters for WooCommerce | dynamic-ajax-product-filters-for-woocommerce | 94 | Dynamic AJAX Product Filters for WooCommerce <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter | | LOW | *-1.3.7 | 1.3.8 | June 29, 2026 |
| Dynamic AJAX Product Filters for WooCommerce | dynamic-ajax-product-filters-for-woocommerce | 94 | Dynamic AJAX Product Filters for WooCommerce <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter | | LOW | *-1.3.7 | 1.3.8 | June 29, 2026 |
| rccp-free | rccp-free | N/A | RingCentral Communications 1.5 - 1.6.8 - Missing Server‑Side Verification to Authentication Bypass via ringcentral_admin_login_2fa_verify Function | | LOW | 1.5-1.6.8 | 1.7.0 | June 29, 2026 |
| ajax-search-lite | ajax-search-lite | 97 | Ajax Search Lite <= 4.13.1 - Missing Authorization to Unauthenticated Basic Information Exposure via ASL_Query in AJAX Search Handler | | LOW | *-4.13.1 | 4.13.2 | June 29, 2026 |
| wp-ulike-pro | wp-ulike-pro | N/A | WP ULike Pro <= 1.9.3 - Unauthenticated Limited Arbitrary File Upload | | LOW | *-1.9.3 | 1.9.4 | June 29, 2026 |
| softdiscover-db-file-manager | softdiscover-db-file-manager | N/A | File Manager, Code Editor, and Backup by Managefy <= 1.4.8 - Authenticated (Admin+) Path Traversal to Arbitrary File Download | | LOW | *-1.4.8 | 1.5.0 | June 29, 2026 |
| xpro-theme-builder | xpro-theme-builder | N/A | Xpro Theme Builder <= 1.2.9 - Missing Authorization | | LOW | *-1.2.9 | 1.2.10 | June 29, 2026 |
| xpro-elementor-addons | xpro-elementor-addons | N/A | Xpro Elementor Addons <= 1.4.17 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.4.17 | 1.4.18 | June 29, 2026 |
| Xagio SEO – AI Powered SEO | xagio-seo | 64 | Xagio SEO <= 7.1.0.5 - Unauthenticated Sensitive Information Exposure via Unprotected Back-Up Files | | LOW | *-7.1.0.5 | 7.1.0.6 | June 29, 2026 |
| wp-thumbtack-review-slider | wp-thumbtack-review-slider | N/A | WP Thumbtack Review Slider <= 2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting | | LOW | *-2.6 | 2.7 | June 29, 2026 |
| wp-bulk-delete | wp-bulk-delete | N/A | WP Bulk Delete <= 1.3.6 - Missing Authorization | | LOW | *-1.3.6 | 1.3.7 | June 29, 2026 |
| woocommerce-photo-reviews | woocommerce-photo-reviews | N/A | WooCommerce Photo Reviews <= 1.4.4 - Unauthenticated Arbitrary Shortcode Execution | | LOW | *-1.4.4 | | June 29, 2026 |
| wa-chatbox-manager | wa-chatbox-manager | N/A | Chatbox Manager <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.2.6 | 1.2.7 | June 29, 2026 |
| video-share-vod | video-share-vod | N/A | Video Share VOD – Turnkey Video Site Builder Script <= 2.7.6 - Cross-Site Request Forgery to Command Injection | | LOW | *-2.7.6 | 2.7.7 | June 29, 2026 |
| userswp | userswp | N/A | UsersWP <= 1.2.42 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.2.42 | 1.2.43 | June 29, 2026 |
| unlimited-elements-for-elementor | unlimited-elements-for-elementor | N/A | Unlimited Elements For Elementor <= 1.5.148 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.5.148 | 1.5.149 | June 29, 2026 |
| uncanny-automator | uncanny-automator | N/A | Uncanny Automator <= 6.7.0.1 - Missing Authorization | | LOW | *-6.7.0.1 | 6.8.0 | June 29, 2026 |
| uicore-elements | uicore-elements | N/A | UiCore Elements <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.3.4 | 1.3.5 | June 29, 2026 |
| transcoder | transcoder | N/A | Transcoder <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.4.0 | 1.4.1 | June 29, 2026 |
| sumomemberships | sumomemberships | N/A | SUMO Memberships for WooCommerce < 7.8.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion | | LOW | [*, 7.8.0) | 7.8.0 | June 29, 2026 |
| stopbadbots | stopbadbots | N/A | Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection <= 11.58 - Insufficient Authorization to Unauthenticated Blocklist Bypass | | LOW | *-11.58 | 11.59 | June 29, 2026 |
| solace-extra | solace-extra | N/A | Solace Extra <= 1.3.2 - Authenticated (Admin+) Server-Side Request Forgery | | LOW | *-1.3.2 | 1.3.3 | June 29, 2026 |
| small-package-quotes-usps-edition | small-package-quotes-usps-edition | N/A | Small Package Quotes – USPS Edition <= 1.3.9 - Authenticated (Administrator+) PHP Object Injection | | LOW | *-1.3.9 | 1.3.10 | June 29, 2026 |
| simple-page-access-restriction | simple-page-access-restriction | N/A | Simple Page Access Restriction <= 1.0.32 - Cross-Site Request Forgery | | LOW | *-1.0.32 | 1.0.33 | June 29, 2026 |
| simple-download-monitor | simple-download-monitor | N/A | Simple Download Monitor <= 3.9.33 - Simple Download Monitor <= 3.9.33 – Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality | | LOW | *-3.9.33 | 3.9.34 | June 29, 2026 |
| simple-download-monitor | simple-download-monitor | N/A | Simple Download Monitor <= 3.9.34 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-3.9.34 | 3.9.35 | June 29, 2026 |
| pronamic-google-maps | pronamic-google-maps | N/A | Pronamic Google Maps <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.4.1 | 2.4.2 | June 29, 2026 |
| podlove-podcasting-plugin-for-wordpress | podlove-podcasting-plugin-for-wordpress | N/A | Podlove Podcast Publisher <= 4.2.5 - Open Redirect | | LOW | *-4.2.5 | 4.2.6 | June 29, 2026 |
| pdf-for-elementor-forms | pdf-for-elementor-forms | N/A | PDF for Elementor Forms + Drag And Drop Template Builder <= 6.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-6.2.0 | 6.3.0 | June 29, 2026 |
| otter-blocks | otter-blocks | N/A | Otter - Gutenberg Block <= 3.1.0 - Unauthenticated Sensitive Information Exposure | | LOW | *-3.1.0 | 3.1.1 | June 29, 2026 |
| nest-addons | nest-addons | N/A | Nest Addons <= 1.6.3 - Unauthenticated SQL Injection | | LOW | *-1.6.3 | 1.6.4 | June 29, 2026 |
| Event Booking Manager for WooCommerce | mage-eventpress | 82 | WpEvently <= 4.4.8 - Authenticated (Contributor+) PHP Object Injection | | LOW | *-4.4.8 | 4.4.9 | June 29, 2026 |
| jquery-archive-list-widget | jquery-archive-list-widget | 93 | JS Archive List <= 6.1.5 - Unauthenticated SQL Injection | | LOW | *-6.1.5 | 6.1.6 | June 29, 2026 |
| invition-print-ship | invition-print-ship | 89 | Printeers Print & Ship <= 1.17.0 - Unauthenticated Path Traversal | | LOW | *-1.17.0 | | June 29, 2026 |
| instant-breaking-news | instant-breaking-news | 93 | Instant Breaking News <= 1.0 - Cross-Site Request Forgery | | LOW | *-1.0 | 1.0.1 | June 29, 2026 |
| houzez-crm | houzez-crm | 93 | Houzez CRM <= 1.4.7 - Missing Authorization | | LOW | *-1.4.7 | 1.5.0 | June 29, 2026 |
| Epeken All Kurir for Woocommerce | epeken-all-kurir | 67 | Epeken All Kurir <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-2.0.1 | 2.0.2 | June 29, 2026 |
| elementinvader-addons-for-elementor | elementinvader-addons-for-elementor | 93 | ElementInvader Addons for Elementor <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-1.3.6 | 1.3.7 | June 29, 2026 |
| booking-system-trafft | booking-system-trafft | 93 | Booking System Trafft <= 1.0.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting | | LOW | *-1.0.14 | 1.0.15 | June 29, 2026 |
| Booking Calendar | booking | 71 | Booking Calendar <= 10.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-10.14.1 | 10.14.2 | June 29, 2026 |
| bold-page-builder | bold-page-builder | 86 | Bold Page Builder <= 5.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting | | LOW | *-5.4.3 | 5.4.4 | June 29, 2026 |
| beaver-builder-lite-version | beaver-builder-lite-version | 93 | Beaver Builder Plugin (Lite Version) <= 2.9.2.1 - Reflected Cross-Site Scripting | | LOW | *-2.9.2.1 | 2.9.3.1 | June 29, 2026 |
| aftership-woocommerce-tracking | aftership-woocommerce-tracking | 97 | AfterShip Tracking <= 1.17.17 - Missing Authorization | | LOW | *-1.17.17 | 1.17.18 | June 29, 2026 |
| lazy-load-for-videos | lazy-load-for-videos | 93 | Lazy Load for Videos <= 2.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-video-title and href Attributes | | LOW | *-2.18.7 | 2.18.8 | June 29, 2026 |
LOW

dadevarzan-common

dadevarzan-common

Score: 93/100 Dadevarzan WordPress Common <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.2.2 Patched: 2.2.3 Updated: June 29, 2026
LOW

cookie-notice-and-consent-banner

cookie-notice-and-consent-banner

Score: 93/100 Cookie Notice & Consent Banner for GDPR & CCPA Compliance <= 1.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.7.11 Patched: 1.7.12 Updated: June 29, 2026
LOW

classified-listing

classified-listing

Score: 93/100 Classified Listing <= 5.0.6 - Missing Authorization Affected: *-5.0.6 Patched: 5.0.7 Updated: June 29, 2026
LOW

brizy

brizy

Score: 93/100 Brizy <= 2.7.12 - Missing Authorization Affected: *-2.7.12 Patched: 2.7.13 Updated: June 29, 2026
LOW

booking-ultra-pro

booking-ultra-pro

Score: 91/100 Booking Ultra Pro <= 1.1.21 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.1.21 Patched: 1.1.22 Updated: June 29, 2026
LOW

bluet-keywords-tooltip-generator

bluet-keywords-tooltip-generator

Score: 91/100 Tooltipy <= 5.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-5.5.6 Patched: 5.5.9 Updated: June 29, 2026
LOW

atec-debug

atec-debug

Score: 93/100 atec Debug <= 1.2.22 - Authenticated (Administrator+) Arbitrary File Deletion Affected: *-1.2.22 Patched: 1.2.23 Updated: June 29, 2026
LOW

atec-debug

atec-debug

Score: 93/100 atec Debug <= 1.2.22 - Authenticated (Administrator+) Arbitrary File Read Affected: *-1.2.22 Patched: 1.2.23 Updated: June 29, 2026
LOW

atec-debug

atec-debug

Score: 93/100 atec Debug <= 1.2.22 - Authenticated (Administrator+) Remote Code Execution Affected: *-1.2.22 Patched: 1.2.23 Updated: June 29, 2026
LOW

assistant

assistant

Score: 97/100 WordPress Assistant <= 1.5.2 - Reflected Cross-Site Scripting Affected: *-1.5.2 Patched: 1.5.3 Updated: June 29, 2026
LOW

vayu-blocks

vayu-blocks

Score: N/A Vayu Blocks <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes Affected: *-1.3.9 Patched: 1.3.10 Updated: June 29, 2026
LOW

ultimate-post

ultimate-post

Score: N/A PostX <= 4.1.36 - Missing Authorization Affected: *-4.1.36 Patched: 4.1.37 Updated: June 29, 2026
LOW

todays-date-inserter

todays-date-inserter

Score: N/A Today's Date Inserter <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2.1 Patched: Updated: June 29, 2026
LOW

sprout-invoices

sprout-invoices

Score: N/A Client Invoicing by Sprout Invoices <= 20.8.7 - Unauthenticated PHP Object Injection Affected: *-20.8.7 Patched: 20.8.8 Updated: June 29, 2026
LOW

floating-window-music-player

floating-window-music-player

Score: 91/100 Floating Window Music Player <= 3.4.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-3.4.2 Patched: Updated: June 29, 2026
LOW

easy-flash-embed

easy-flash-embed

Score: 91/100 Easy Flash Embed <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 29, 2026
LOW

profilegrid-user-profiles-groups-and-communities

profilegrid-user-profiles-groups-and-communities

Score: N/A ProfileGrid – User Profiles, Groups and Communities <= 5.9.5.7 - Reflected Cross-Site Scripting Affected: *-5.9.5.7 Patched: 5.9.5.8 Updated: June 29, 2026
LOW

miraculouscore

miraculouscore

Score: N/A Miraculous Core < 2.0.9 - Unauthenticated Insecure Direct Object Reference Affected: [*, 2.0.9) Patched: 2.0.9 Updated: June 29, 2026
LOW

markup-markdown

markup-markdown

Score: 93/100 Markup Markdown <= 3.20.9 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.20.9 Patched: 3.20.10 Updated: June 29, 2026
LOW

markup-markdown

markup-markdown

Score: 93/100 Markup Markdown <= 3.20.9 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.20.9 Patched: 3.20.10 Updated: June 29, 2026
LOW

etsy-shop

etsy-shop

Score: 93/100 Etsy Shop <= 3.0.6 - Reflected Cross-Site Scripting Affected: *-3.0.6 Patched: 3.0.7 Updated: June 29, 2026
LOW

constant-contact-api

constant-contact-api

Score: 91/100 Constant Contact for WordPress <= 4.1.1 - Unauthenticated PHP Object Injection Affected: *-4.1.1 Patched: Updated: June 29, 2026
LOW

admin-site-enhancements

admin-site-enhancements

Score: 97/100 Admin and Site Enhancements <= 7.9.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Affected: *-7.9.7 Patched: 7.9.8 Updated: June 29, 2026
LOW

amministrazione-trasparente

amministrazione-trasparente

Score: 97/100 Amministrazione Trasparente <= 9.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via print_r Function Affected: *-9.0 Patched: 9.1 Updated: June 29, 2026
LOW

lingotek-translation

lingotek-translation

Score: 91/100 Ray Enterprise Translation <= 1.7.1 - Unauthenticated Local File Inclusion Affected: *-1.7.1 Patched: 1.7.2 Updated: June 29, 2026
LOW

institutions-directory

institutions-directory

Score: 87/100 Institutions Directory <= 1.3.3 - Reflected Cross-Site Scripting Affected: *-1.3.3 Patched: 1.3.4 Updated: June 29, 2026
LOW

hotel-listing

hotel-listing

Score: 86/100 Hotel Listing <= 1.4.0 - Authenticated (Subscriber+) Privilege Escalation Affected: *-1.4.0 Patched: Updated: June 29, 2026
LOW

hellofollowers

hellofollowers

Score: 91/100 Hello Followers <= 2.5 - Reflected Cross-Site Scripting Affected: *-2.5 Patched: Updated: June 29, 2026
LOW

epic-review

epic-review

Score: 93/100 Epic Review <= 1.0.2 - Reflected Cross-Site Scripting Affected: *-1.0.2 Patched: 1.0.3 Updated: June 29, 2026
LOW

acf-recent-posts-widget

acf-recent-posts-widget

Score: 95/100 ACF Recent Posts Widget <= 5.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-5.9.3 Patched: Updated: June 29, 2026
LOW

TablePress – Tables in WordPress made easy

tablepress

Score: 86/100 TablePress <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode_debug Parameter Affected: *-3.2 Patched: 3.2.1 Updated: June 29, 2026
LOW

ocean-extra

ocean-extra

Score: N/A Ocean Extra <= 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via oceanwp_library Shortcode Affected: *-2.4.9 Patched: 2.5.0 Updated: June 29, 2026
LOW

related-posts-lite

related-posts-lite

Score: N/A Related Posts Lite <= 1.12 - Cross-Site Request Forgery Affected: *-1.12 Patched: Updated: June 29, 2026
LOW

yaypricing

yaypricing

Score: N/A YayPricing <= 3.5.3 - Missing Authorization Affected: *-3.5.3 Patched: 3.5.4 Updated: June 29, 2026
LOW

ultimate-post

ultimate-post

Score: N/A PostX <= 4.1.35 - Authenticated (Editor+) Privilege Escalation Affected: *-4.1.35 Patched: 4.1.36 Updated: June 29, 2026
LOW

task-manager

task-manager

Score: N/A Task Manager <= 3.0.2 - Unauthenticated Local File Inclusion Affected: *-3.0.2 Patched: Updated: June 29, 2026
LOW

sunshine-photo-cart

sunshine-photo-cart

Score: N/A Sunshine Photo Cart <= 3.5.3 - Missing Authorization Affected: *-3.5.3 Patched: 3.5.4 Updated: June 29, 2026
LOW

nifty-backups

nifty-backups

Score: N/A Nifty Backups <= 1.08 - Reflected Cross-Site Scripting Affected: *-1.08 Patched: Updated: June 29, 2026
LOW

multisite-clone-duplicator

multisite-clone-duplicator

Score: N/A MultiSite Clone Duplicator <= 1.5.3 - Reflected Cross-Site Scripting Affected: *-1.5.3 Patched: Updated: June 29, 2026
LOW

cookie-notice-consent

cookie-notice-consent

Score: 93/100 Cookie Notice & Consent <= 1.6.4 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.6.4 Patched: 1.6.5 Updated: June 29, 2026
LOW

blog-designer-pro

blog-designer-pro

Score: 86/100 Blog Designer PRO <= 3.4.8 - Missing Authorization Affected: *-3.4.8 Patched: Updated: June 29, 2026
LOW

events-addon-for-elementor

events-addon-for-elementor

Score: 93/100 Events Addon for Elementor <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter and Countdown Widgets Affected: *-2.2.9 Patched: 2.3.0 Updated: June 29, 2026
LOW

list-sub-pages

list-sub-pages

Score: 93/100 List Subpages <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter Affected: *-1.0.6 Patched: 1.0.7 Updated: June 29, 2026
LOW

utw-importer

utw-importer

Score: N/A Ultimate Tag Warrior Importer <= 0.2 - Cross-Site Request Forgery Affected: *-0.2 Patched: Updated: June 29, 2026
LOW

iats-online-forms

iats-online-forms

Score: 91/100 iATS Online Forms <= 1.2 - Authenticated (Contributor+) SQL Injection via order Parameter Affected: *-1.2 Patched: Updated: June 29, 2026
LOW

osm-map-elementor

osm-map-elementor

Score: N/A OSM Map Widget for Elementor <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button URL Affected: *-1.3.0 Patched: 1.3.1 Updated: June 29, 2026
LOW

WP Hotel Booking

wp-hotel-booking

Score: N/A WP Hotel Booking <= 2.2.1 - Improper Input Validation to Authenticated (Subscriber+) Rating Manipulation Affected: *-2.2.2 Patched: 2.2.3 Updated: June 29, 2026
LOW

revslider

revslider

Score: N/A Slider Revolution <= 6.7.36 - Authenticated (Contributor+) Arbitrary File Read via 'used_svg' and 'used_images' Affected: *-6.7.36 Patched: 6.7.37 Updated: June 29, 2026
LOW

lwscache

lwscache

Score: 93/100 LWSCache <= 2.8.5 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Activation via lwscache_activatePlugin Function Affected: *-2.8.5 Patched: 2.9 Updated: June 29, 2026
LOW

bdvs-password-reset

bdvs-password-reset

Score: 93/100 Password Reset with Code <= 0.0.16 - Unauthenticated Privilege Escalation via Weak OTP Codes Affected: *-0.0.16 Patched: 0.0.17 Updated: June 29, 2026
LOW

addon-elements-for-elementor-page-builder

addon-elements-for-elementor-page-builder

Score: 97/100 Elementor Addon Elements <= 1.14.4 - Authenticated (Contributor+) Information Exposure Affected: *-1.14.4 Patched: 1.14.5 Updated: June 29, 2026
LOW

Dynamic AJAX Product Filters for WooCommerce

dynamic-ajax-product-filters-for-woocommerce

Score: 94/100 Dynamic AJAX Product Filters for WooCommerce <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter Affected: *-1.3.7 Patched: 1.3.8 Updated: June 29, 2026
LOW

Dynamic AJAX Product Filters for WooCommerce

dynamic-ajax-product-filters-for-woocommerce

Score: 94/100 Dynamic AJAX Product Filters for WooCommerce <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter Affected: *-1.3.7 Patched: 1.3.8 Updated: June 29, 2026
LOW

rccp-free

rccp-free

Score: N/A RingCentral Communications 1.5 - 1.6.8 - Missing Server‑Side Verification to Authentication Bypass via ringcentral_admin_login_2fa_verify Function Affected: 1.5-1.6.8 Patched: 1.7.0 Updated: June 29, 2026
LOW

ajax-search-lite

ajax-search-lite

Score: 97/100 Ajax Search Lite <= 4.13.1 - Missing Authorization to Unauthenticated Basic Information Exposure via ASL_Query in AJAX Search Handler Affected: *-4.13.1 Patched: 4.13.2 Updated: June 29, 2026
LOW

wp-ulike-pro

wp-ulike-pro

Score: N/A WP ULike Pro <= 1.9.3 - Unauthenticated Limited Arbitrary File Upload Affected: *-1.9.3 Patched: 1.9.4 Updated: June 29, 2026
LOW

softdiscover-db-file-manager

softdiscover-db-file-manager

Score: N/A File Manager, Code Editor, and Backup by Managefy <= 1.4.8 - Authenticated (Admin+) Path Traversal to Arbitrary File Download Affected: *-1.4.8 Patched: 1.5.0 Updated: June 29, 2026
LOW

xpro-theme-builder

xpro-theme-builder

Score: N/A Xpro Theme Builder <= 1.2.9 - Missing Authorization Affected: *-1.2.9 Patched: 1.2.10 Updated: June 29, 2026
LOW

xpro-elementor-addons

xpro-elementor-addons

Score: N/A Xpro Elementor Addons <= 1.4.17 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.4.17 Patched: 1.4.18 Updated: June 29, 2026
LOW

Xagio SEO – AI Powered SEO

xagio-seo

Score: 64/100 Xagio SEO <= 7.1.0.5 - Unauthenticated Sensitive Information Exposure via Unprotected Back-Up Files Affected: *-7.1.0.5 Patched: 7.1.0.6 Updated: June 29, 2026
LOW

wp-thumbtack-review-slider

wp-thumbtack-review-slider

Score: N/A WP Thumbtack Review Slider <= 2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.6 Patched: 2.7 Updated: June 29, 2026
LOW

wp-bulk-delete

wp-bulk-delete

Score: N/A WP Bulk Delete <= 1.3.6 - Missing Authorization Affected: *-1.3.6 Patched: 1.3.7 Updated: June 29, 2026
LOW

woocommerce-photo-reviews

woocommerce-photo-reviews

Score: N/A WooCommerce Photo Reviews <= 1.4.4 - Unauthenticated Arbitrary Shortcode Execution Affected: *-1.4.4 Patched: Updated: June 29, 2026
LOW

wa-chatbox-manager

wa-chatbox-manager

Score: N/A Chatbox Manager <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2.6 Patched: 1.2.7 Updated: June 29, 2026
LOW

video-share-vod

video-share-vod

Score: N/A Video Share VOD – Turnkey Video Site Builder Script <= 2.7.6 - Cross-Site Request Forgery to Command Injection Affected: *-2.7.6 Patched: 2.7.7 Updated: June 29, 2026
LOW

userswp

userswp

Score: N/A UsersWP <= 1.2.42 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2.42 Patched: 1.2.43 Updated: June 29, 2026
LOW

unlimited-elements-for-elementor

unlimited-elements-for-elementor

Score: N/A Unlimited Elements For Elementor <= 1.5.148 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.5.148 Patched: 1.5.149 Updated: June 29, 2026
LOW

uncanny-automator

uncanny-automator

Score: N/A Uncanny Automator <= 6.7.0.1 - Missing Authorization Affected: *-6.7.0.1 Patched: 6.8.0 Updated: June 29, 2026
LOW

uicore-elements

uicore-elements

Score: N/A UiCore Elements <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.3.4 Patched: 1.3.5 Updated: June 29, 2026
LOW

transcoder

transcoder

Score: N/A Transcoder <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.4.0 Patched: 1.4.1 Updated: June 29, 2026
LOW

sumomemberships

sumomemberships

Score: N/A SUMO Memberships for WooCommerce < 7.8.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion Affected: [*, 7.8.0) Patched: 7.8.0 Updated: June 29, 2026
LOW

stopbadbots

stopbadbots

Score: N/A Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection <= 11.58 - Insufficient Authorization to Unauthenticated Blocklist Bypass Affected: *-11.58 Patched: 11.59 Updated: June 29, 2026
LOW

solace-extra

solace-extra

Score: N/A Solace Extra <= 1.3.2 - Authenticated (Admin+) Server-Side Request Forgery Affected: *-1.3.2 Patched: 1.3.3 Updated: June 29, 2026
LOW

small-package-quotes-usps-edition

small-package-quotes-usps-edition

Score: N/A Small Package Quotes – USPS Edition <= 1.3.9 - Authenticated (Administrator+) PHP Object Injection Affected: *-1.3.9 Patched: 1.3.10 Updated: June 29, 2026
LOW

simple-page-access-restriction

simple-page-access-restriction

Score: N/A Simple Page Access Restriction <= 1.0.32 - Cross-Site Request Forgery Affected: *-1.0.32 Patched: 1.0.33 Updated: June 29, 2026
LOW

simple-download-monitor

simple-download-monitor

Score: N/A Simple Download Monitor <= 3.9.33 - Authenticated (Contributor+) SQL Injection via order parameter in Log Export functionality Affected: *-3.9.33 Patched: 3.9.34 Updated: June 29, 2026
LOW

simple-download-monitor

simple-download-monitor

Score: N/A Simple Download Monitor <= 3.9.34 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.9.34 Patched: 3.9.35 Updated: June 29, 2026
LOW

pronamic-google-maps

pronamic-google-maps

Score: N/A Pronamic Google Maps <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.4.1 Patched: 2.4.2 Updated: June 29, 2026
LOW

podlove-podcasting-plugin-for-wordpress

podlove-podcasting-plugin-for-wordpress

Score: N/A Podlove Podcast Publisher <= 4.2.5 - Open Redirect Affected: *-4.2.5 Patched: 4.2.6 Updated: June 29, 2026
LOW

pdf-for-elementor-forms

pdf-for-elementor-forms

Score: N/A PDF for Elementor Forms + Drag And Drop Template Builder <= 6.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-6.2.0 Patched: 6.3.0 Updated: June 29, 2026
LOW

otter-blocks

otter-blocks

Score: N/A Otter - Gutenberg Block <= 3.1.0 - Unauthenticated Sensitive Information Exposure Affected: *-3.1.0 Patched: 3.1.1 Updated: June 29, 2026
LOW

nest-addons

nest-addons

Score: N/A Nest Addons <= 1.6.3 - Unauthenticated SQL Injection Affected: *-1.6.3 Patched: 1.6.4 Updated: June 29, 2026
LOW

Event Booking Manager for WooCommerce

mage-eventpress

Score: 82/100 WpEvently <= 4.4.8 - Authenticated (Contributor+) PHP Object Injection Affected: *-4.4.8 Patched: 4.4.9 Updated: June 29, 2026
LOW

jquery-archive-list-widget

jquery-archive-list-widget

Score: 93/100 JS Archive List <= 6.1.5 - Unauthenticated SQL Injection Affected: *-6.1.5 Patched: 6.1.6 Updated: June 29, 2026
LOW

invition-print-ship

invition-print-ship

Score: 89/100 Printeers Print & Ship <= 1.17.0 - Unauthenticated Path Traversal Affected: *-1.17.0 Patched: Updated: June 29, 2026
LOW

instant-breaking-news

instant-breaking-news

Score: 93/100 Instant Breaking News <= 1.0 - Cross-Site Request Forgery Affected: *-1.0 Patched: 1.0.1 Updated: June 29, 2026
LOW

houzez-crm

houzez-crm

Score: 93/100 Houzez CRM <= 1.4.7 - Missing Authorization Affected: *-1.4.7 Patched: 1.5.0 Updated: June 29, 2026
LOW

Epeken All Kurir for Woocommerce

epeken-all-kurir

Score: 67/100 Epeken All Kurir <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.0.1 Patched: 2.0.2 Updated: June 29, 2026
LOW

elementinvader-addons-for-elementor

elementinvader-addons-for-elementor

Score: 93/100 ElementInvader Addons for Elementor <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.3.6 Patched: 1.3.7 Updated: June 29, 2026
LOW

booking-system-trafft

booking-system-trafft

Score: 93/100 Booking System Trafft <= 1.0.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-1.0.14 Patched: 1.0.15 Updated: June 29, 2026
LOW

Booking Calendar

booking

Score: 71/100 Booking Calendar <= 10.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-10.14.1 Patched: 10.14.2 Updated: June 29, 2026
LOW

bold-page-builder

bold-page-builder

Score: 86/100 Bold Page Builder <= 5.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-5.4.3 Patched: 5.4.4 Updated: June 29, 2026
LOW

beaver-builder-lite-version

beaver-builder-lite-version

Score: 93/100 Beaver Builder Plugin (Lite Version) <= 2.9.2.1 - Reflected Cross-Site Scripting Affected: *-2.9.2.1 Patched: 2.9.3.1 Updated: June 29, 2026
LOW

aftership-woocommerce-tracking

aftership-woocommerce-tracking

Score: 97/100 AfterShip Tracking <= 1.17.17 - Missing Authorization Affected: *-1.17.17 Patched: 1.17.18 Updated: June 29, 2026
LOW

lazy-load-for-videos

lazy-load-for-videos

Score: 93/100 Lazy Load for Videos <= 2.18.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via data-video-title and href Attributes Affected: *-2.18.7 Patched: 2.18.8 Updated: June 29, 2026

Showing 6701 to 6800 of 36190 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 16:13 UTC.