Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36282

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
pets	pets	N/A	Pets <= 1.4.1 - Reflected Cross-Site Scripting	LOW	*-1.4.1		June 30, 2026
oik-privacy-policy	oik-privacy-policy	N/A	oik-privacy-policy <= 1.4.10 - Reflected Cross-Site Scripting	LOW	*-1.4.10	1.4.11	June 30, 2026
leadcapture	leadcapture	93	WP Lead Capturing Pages < 2.6 - Missing Authorization to Arbitrary Content Deletion	LOW	[*, 2.6)	2.6	June 30, 2026
gutenverse	gutenverse	93	Gutenverse <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Fun Fact Blocks	LOW	*-3.1.0	3.1.1	June 30, 2026
youtube-showcase	youtube-showcase	N/A	Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution	LOW	*-3.5.2	3.5.3	June 30, 2026
wp-ticket	wp-ticket	N/A	Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution	LOW	*-6.0.1	6.0.3	June 30, 2026
wp-easy-events	wp-easy-events	N/A	Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution	LOW	*-4.2.1	4.2.2	June 30, 2026
wp-easy-contact	wp-easy-contact	N/A	Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution	LOW	*-4.0.2	4.0.3	June 30, 2026
software-issue-manager	software-issue-manager	N/A	Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution	LOW	*-5.0.0	5.0.1	June 30, 2026
request-a-quote	request-a-quote	N/A	Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution	LOW	*-2.5.2	2.5.3	June 30, 2026
employee-staff-directory	employee-staff-directory	93	Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution	LOW	*-4.5.2	4.5.3	June 30, 2026
campus-directory	campus-directory	93	Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution	LOW	*-1.9.2	1.9.3	June 30, 2026
cleverreach-wp	cleverreach-wp	93	CleverReach WP <= 1.5.20 - Unauthenticated SQL Injection via title Parameter	LOW	*-1.5.20	1.5.21	June 30, 2026
wp-tournament-registration	wp-tournament-registration	N/A	WP Tournament Registration <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via field Parameter	LOW	*-1.3.0		June 30, 2026
esri-map-view	esri-map-view	91	esri-map-view <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via esri-map-view Shortcode	LOW	*-1.2.3		June 30, 2026
flex-guten	flex-guten	93	Flex Guten <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via thumbnailHoverEffect Parameter	LOW	*-1.2.5	1.2.6	June 30, 2026
seriously-simple-podcasting	seriously-simple-podcasting	N/A	Seriously Simple Podcasting <= 3.11.1 - Authenticated (Editor+) Stored Cross-Site Scripting	LOW	*-3.11.1	3.12.0	June 30, 2026
reveal-listing	reveal-listing	N/A	Reveal Listing <= 3.3 - Unauthenticated Privilege Escalation	LOW	*-3.3	3.4	June 30, 2026
js_composer	js_composer	93	WPBakery Page Builder for WordPress <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-8.5	8.6	June 30, 2026
jet-reviews	jet-reviews	93	JetReviews <= 3.0.0 - Authenticated (Contributor+) Local File Inclusion	LOW	*-3.0.0	3.0.0.1	June 30, 2026
groundhogg	groundhogg	93	Groundhogg <= 4.2.2 - Authenticated (Sales Representative+) PHP Object Injection	LOW	*-4.2.2	4.2.2.1	June 30, 2026
give	give	93	GiveWP – Donation Plugin and Fundraising Platform <= 4.6.0 - Unauthenticated Donor Data Exposure	LOW	*-4.6.0	4.6.1	June 30, 2026
FileBird – WordPress Media Library Folders & File Manager	filebird	80	FileBird – WordPress Media Library Folders & File Manager <= 6.4.8 - Authenticated (Author+) SQL Injection	LOW	*-6.4.8	6.4.9	June 30, 2026
exclusive-addons-for-elementor	exclusive-addons-for-elementor	93	Exclusive Addons for Elementor <= 2.7.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown	LOW	*-2.7.9.4	2.7.9.5	June 30, 2026
boldermail	boldermail	91	Boldermail <= 2.4.0 - Authenticated (Contributor+) PHP Object Injection	LOW	*-2.4.0		June 30, 2026
bdthemes-element-pack-lite	bdthemes-element-pack-lite	93	Element Pack Elementor Addons and Templates <= 8.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map Widget Marker Content	LOW	*-8.1.5	8.1.6	June 30, 2026
download-counter	download-counter	91	Download Counter <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter	LOW	*-1.3	1.4	June 30, 2026
wp-import-export-lite	wp-import-export-lite	N/A	WP Import Export Lite <= 3.9.29 - Authenticated (Subscriber+) Arbitrary File Upload	LOW	*-3.9.29	3.9.30	June 30, 2026
wp-import-export-lite	wp-import-export-lite	N/A	WP Import Export Lite <= 3.9.28 - Authenticated (Subscriber+) Arbitrary File Upload	LOW	*-3.9.28	3.9.29	June 30, 2026
employee-directory	employee-directory	91	Employee Directory <= 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter	LOW	*-4.5.1	4.5.2	June 30, 2026
campus-directory	campus-directory	93	Campus Directory <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter	LOW	*-1.9.1	1.9.2	June 30, 2026
wp-easy-contact	wp-easy-contact	N/A	WP Easy Contact <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter	LOW	*-4.0.1	4.0.2	June 30, 2026
use-your-drive	use-your-drive	N/A	Use-your-Drive \| Google Drive plugin for WordPress <= 3.3.1- Unauthenticated Stored Cross-Site Scripting via File Metadata	LOW	*-3.3.1	3.3.2	June 30, 2026
eventer	eventer	89	Eventer <= 3.11.2.1 - Unauthenticated Arbitrary Shortcode Execution	LOW	*-3.11.2.1	3.11.2.2	June 30, 2026
wikipedia-preview	wikipedia-preview	N/A	Wikipedia Preview <= 1.15.0 - Missing Authorization	LOW	*-1.15.0	1.16.0	June 30, 2026
jet-woo-builder	jet-woo-builder	93	JetWooBuilder <= 2.1.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.1.20.1	2.2.0	June 30, 2026
jet-elements	jet-elements	93	JetElements For Elementor <= 2.7.8 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.7.8	2.7.8.1	June 30, 2026
jet-blog	jet-blog	93	JetBlog <= 2.4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.4.4.1	2.4.5	June 30, 2026
javo-core	javo-core	86	Javo Core <= 3.0.0.266 - Unauthenticated Remote Code Execution	LOW	*-3.0.0.266		June 30, 2026
ocean-social-sharing	ocean-social-sharing	N/A	Ocean Social Sharing <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.2.1	2.2.2	June 30, 2026
bravepopup-pro	bravepopup-pro	93	Brave Conversion Engine (PRO) <= 0.7.7 - Authentication Bypass to Administrator	LOW	*-0.7.7	0.8.0	June 30, 2026
header-footer-elementor	header-footer-elementor	93	Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update	LOW	*-2.4.6	2.4.7	June 30, 2026
mmm-unity-loader	mmm-unity-loader	91	Mmm Unity Loader <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via attributes Parameter	LOW	*-1.0		June 30, 2026
magic-edge-lite-image-background-remover	magic-edge-lite-image-background-remover	91	Magic Edge – Lite <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via height Parameter	LOW	*-1.1.6		June 30, 2026
bee-quick-gallery	bee-quick-gallery	91	Image Gallery <= 1.0.0 - Reflected Cross-Site Scripting	LOW	*-1.0.0		June 30, 2026
aio-time-clock-lite	aio-time-clock-lite	97	All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Reflected Cross-Site Scripting	LOW	*-2.0	2.0.1	June 30, 2026
medical-addon-for-elementor	medical-addon-for-elementor	91	Medical Addon for Elementor <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter Widget	LOW	*-1.6.4	1.6.5	June 30, 2026
custom-word-cloud	custom-word-cloud	91	Custom Word Cloud <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via angle Parameter	LOW	*-0.3		June 30, 2026
360-sphere-images	360-sphere-images	95	360 Photo Spheres <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.3		June 30, 2026
seo-metrics-helper	seo-metrics-helper	N/A	SEO Metrics <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation	LOW	*-1.0.15	1.0.16	June 30, 2026
easy-sticky-sidebar	easy-sticky-sidebar	93	WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons <= 1.7.0 - Missing Authorization to Unauthenticated Sticky Status Update	LOW	*-1.7.0	1.7.1	June 30, 2026
qi-addons-for-elementor	qi-addons-for-elementor	N/A	Qi Addons for Elementor <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via TypeOut Text Widget	LOW	*-1.9.2	1.9.3	June 30, 2026
wp-jobs2careers	wp-jobs2careers	N/A	WP Talroo <= 2.4 - Reflected Cross-Site Scripting	LOW	*-2.4		June 30, 2026
woffice-core	woffice-core	N/A	Woffice Core <= 5.4.26 - Authenticated (Contributor+) Arbitrary File Deletion	LOW	*-5.4.26	5.4.27	June 30, 2026
shortpixel-adaptive-images	shortpixel-adaptive-images	N/A	ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization <= 3.10.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via API URL	LOW	*-3.10.4	3.10.5	June 30, 2026
preserve-code-formatting	preserve-code-formatting	N/A	Preserve Code Formatting <= 4.0.1 - Authenticated (Contributor+) PHP Object Injection	LOW	*-4.0.1	5.0	June 30, 2026
bitfire	bitfire	93	BitFire <= 4.5 - Unauthenticated Information Exposure	LOW	*-4.5	4.6	June 30, 2026
blockspare	blockspare	93	BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites <= 3.2.13.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Image Slider Widgets	LOW	*-3.2.13.1	3.2.13.2	June 30, 2026
sina-extension-for-elementor	sina-extension-for-elementor	N/A	Sina Extension for Elementor <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Sina Posts`, `Sina Blog Post` and `Sina Table` Widgets	LOW	*-3.7.0	3.7.1	June 30, 2026
the-plus-addons-for-elementor-page-builder	the-plus-addons-for-elementor-page-builder	N/A	The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-6.3.10	6.3.11	June 30, 2026
stratum	stratum	N/A	Stratum – Elementor Widgets <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Google Maps and Image Hotspot Widgets	LOW	*-1.6.0	1.6.1	June 30, 2026
idonate	idonate	89	IDonate 2.0.0 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via admin_donor_profile_view Function	LOW	2.0.0-2.1.9	2.1.10	June 30, 2026
contest-gallery	contest-gallery	93	Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI <= 26.1.0 - Unauthenticated Stored Cross-Site Scripting	LOW	*-26.1.0	26.1.1	June 30, 2026
searchpro	searchpro	N/A	BerqWP <= 2.2.42 - Unauthenticated Arbitrary File Upload	LOW	*-2.2.42	2.2.44	June 30, 2026
sf-booking	sf-booking	N/A	Service Finder Bookings <= 6.0 - Authentication Bypass via User Switch Cookie	LOW	*-6.0	6.1	June 30, 2026
aone-sms	aone-sms	95	Service Finder SMS System <= 2.0.0 - Unauthenticated Privilege Escalation	LOW	*-2.0.0		June 30, 2026
wp-store-locator	wp-store-locator	N/A	Store Locator <= 2.2.260 - Authenticated (Contributor+) PHP Object Injection	LOW	*-2.2.260	2.2.261	June 30, 2026
woozone-contextual	woozone-contextual	N/A	Amazon Native Shopping Recommendations <= 1.3 - Unauthenticated SQL Injection	LOW	*-1.3		June 30, 2026
suredash	suredash	N/A	SureDash <= 1.1.0 - Authenticated (Subscriber+) Information Disclosure	LOW	*-1.1.0	1.2.0	June 30, 2026
supportboard	supportboard	N/A	Support Board < 3.8.7 - Reflected Cross-Site Scripting	LOW	[*, 3.8.7)	3.8.7	June 30, 2026
superstorefinder-wp	superstorefinder-wp	N/A	Super Store Finder <= 7.5 - Unauthenticated SQL Injection	LOW	*-7.5	7.6	June 30, 2026
storekeeper-for-woocommerce	storekeeper-for-woocommerce	N/A	StoreKeeper for WooCommerce <= 14.4.4 - Unauthenticated Arbitrary File Upload	LOW	*-14.4.4	14.4.5	June 30, 2026
product-xml-feeds-for-woocommerce	product-xml-feeds-for-woocommerce	N/A	Product XML Feed Manager for WooCommerce <= 2.9.3 - Authenticated (Contributor+) Remote Code Execution	LOW	*-2.9.3	2.9.4	June 30, 2026
pressforward	pressforward	N/A	PressForward <= 5.9.1 - Authenticated (Subscriber+) Server-Side Request Forgery	LOW	*-5.9.1		June 30, 2026
mapsvg	mapsvg	91	MapSVG < 8.6.12 - Authenticated (Contributor+) Arbitrary File Download	LOW	[*, 8.6.12)	8.6.12	June 30, 2026
gmap-targeting	gmap-targeting	93	Google Map Targeting <= 1.1.6 - Authenticated (Subscriber+) Local File Inclusion	LOW	*-1.1.6	1.1.7	June 30, 2026
delucks-seo	delucks-seo	89	DELUCKS SEO <= 2.6.0 - Authenticated (Subscriber+) Privilege Escalation	LOW	*-2.6.0	2.6.1	June 30, 2026
cubeportfolio	cubeportfolio	91	Cube Portfolio <= 1.16.8 - Authenticated (Subscriber+) SQL Injection	LOW	*-1.16.8		June 30, 2026
buddypress-xprofile-image-field	buddypress-xprofile-image-field	93	BuddyPress XProfile Custom Image Field <= 3.0.1 - Unauthenticated Arbitrary File Deletion	LOW	*-3.0.1	3.1.0	June 30, 2026
give	give	93	GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting	LOW	*-4.5.0	4.6.0	June 30, 2026
customer-reviews-woocommerce	customer-reviews-woocommerce	93	Customer Reviews for WooCommerce <= 5.80.2 - Unauthenticated Stored Cross-Site Scripting via `author` Parameter	LOW	*-5.80.2	5.81.0	June 30, 2026
AI Engine – The Chatbot, AI Framework & MCP for WordPress	ai-engine	82	AI Engine 2.9.3 - 2.9.4 - Authenticated (Subscriber+) Arbitrary File Upload	LOW	2.9.3-2.9.4	2.9.5	June 30, 2026
yith-woocommerce-popup	yith-woocommerce-popup	N/A	YITH WooCommerce Popup <= 1.48.0 - Cross-Site Request Forgery	LOW	*-1.48.0	1.48.1	June 30, 2026
wplr-sync	wplr-sync	N/A	Photo Engine <= 6.4.3 - Cross-Site Request Forgery	LOW	*-6.4.3	6.4.4	June 30, 2026
wpfunnels	wpfunnels	N/A	WPFunnels <= 3.5.26 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.5.26	3.5.27	June 30, 2026
wp-modal-popup-with-cookie-integration	wp-modal-popup-with-cookie-integration	N/A	WP Modal Popup with Cookie Integration <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-2.4	2.5	June 30, 2026
wp-gravity-forms-spreadsheets	wp-gravity-forms-spreadsheets	N/A	Connector for Gravity Forms and Google Sheets <= 1.2.4 - Open Redirect	LOW	*-1.2.4	1.2.5	June 30, 2026
wp-gravity-forms-spreadsheets	wp-gravity-forms-spreadsheets	N/A	Connector for Gravity Forms and Google Sheets <= 1.2.4 - Cross-Site Request Forgery	LOW	*-1.2.4	1.2.5	June 30, 2026
thebooking	thebooking	N/A	TheBooking <= 1.4.4 - Missing Authorization	LOW	*-1.4.4		June 30, 2026
real-estate-listing-realtyna-wpl	real-estate-listing-realtyna-wpl	N/A	Realtyna Organic IDX plugin <= 5.0.0 - Unauthenticated Local File Inclusion	LOW	*-5.0.0	5.0.1	June 30, 2026
product-configurator-for-woocommerce	product-configurator-for-woocommerce	N/A	Product Configurator for WooCommerce <= 1.4.4 - Cross-Site Request Forgery	LOW	*-1.4.4	1.5.0	June 30, 2026
oik	oik	N/A	oik <= 4.15.2 - Cross-Site Request Forgery	LOW	*-4.15.2	4.15.3	June 30, 2026
ninjascanner	ninjascanner	N/A	NinjaScanner – Virus & Malware scan <= 3.2.5 - Authenticated (Administrator+) Arbitrary File Deletion	LOW	*-3.2.5	3.2.6	June 30, 2026
mycred	mycred	N/A	myCred <= 2.9.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.9.4.3	2.9.4.4	June 30, 2026
mycred	mycred	N/A	myCred <= 2.9.4.3 - Authenticated (Subscriber+) Race Condition	LOW	*-2.9.4.3	2.9.4.4	June 30, 2026
motors-car-dealership-classified-listings	motors-car-dealership-classified-listings	N/A	Motors <= 1.4.80 - Unauthenticated Insecure Direct Object Reference	LOW	*-1.4.80	1.4.81	June 30, 2026
meeting-scheduler-by-vcita	meeting-scheduler-by-vcita	93	Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-4.5.3	4.5.5	June 30, 2026
magical-posts-display	magical-posts-display	93	Magical Posts Display <= 1.2.52 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.2.52	1.2.53	June 30, 2026
Event Booking Manager for WooCommerce	mage-eventpress	82	WpEvently <= 4.4.6 - Missing Authorization	LOW	*-4.4.6	4.4.7	June 30, 2026
learning-management-system	learning-management-system	93	Masteriyo - LMS <= 1.18.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.18.3	1.18.4	June 30, 2026

LOW

pets

Score: N/A Pets <= 1.4.1 - Reflected Cross-Site Scripting Affected: *-1.4.1 Patched: Updated: June 30, 2026

LOW

oik-privacy-policy

Score: N/A oik-privacy-policy <= 1.4.10 - Reflected Cross-Site Scripting Affected: *-1.4.10 Patched: 1.4.11 Updated: June 30, 2026

LOW

leadcapture

Score: 93/100 WP Lead Capturing Pages < 2.6 - Missing Authorization to Arbitrary Content Deletion Affected: [*, 2.6) Patched: 2.6 Updated: June 30, 2026

LOW

gutenverse

Score: 93/100 Gutenverse <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Fun Fact Blocks Affected: *-3.1.0 Patched: 3.1.1 Updated: June 30, 2026

LOW

youtube-showcase

Score: N/A Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution Affected: *-3.5.2 Patched: 3.5.3 Updated: June 30, 2026

LOW

wp-ticket

Score: N/A Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution Affected: *-6.0.1 Patched: 6.0.3 Updated: June 30, 2026

LOW

wp-easy-events

Score: N/A Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution Affected: *-4.2.1 Patched: 4.2.2 Updated: June 30, 2026

LOW

wp-easy-contact

Score: N/A Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution Affected: *-4.0.2 Patched: 4.0.3 Updated: June 30, 2026

LOW

software-issue-manager

Score: N/A Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution Affected: *-5.0.0 Patched: 5.0.1 Updated: June 30, 2026

LOW

request-a-quote

Score: N/A Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution Affected: *-2.5.2 Patched: 2.5.3 Updated: June 30, 2026

LOW

employee-staff-directory

Score: 93/100 Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution Affected: *-4.5.2 Patched: 4.5.3 Updated: June 30, 2026

LOW

campus-directory

Score: 93/100 Multiple Plugins by emarket-design <= Multiple Versions - Unauthenticated Limited Remote Code Execution Affected: *-1.9.2 Patched: 1.9.3 Updated: June 30, 2026

LOW

cleverreach-wp

Score: 93/100 CleverReach WP <= 1.5.20 - Unauthenticated SQL Injection via title Parameter Affected: *-1.5.20 Patched: 1.5.21 Updated: June 30, 2026

LOW

wp-tournament-registration

Score: N/A WP Tournament Registration <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via field Parameter Affected: *-1.3.0 Patched: Updated: June 30, 2026

LOW

esri-map-view

Score: 91/100 esri-map-view <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via esri-map-view Shortcode Affected: *-1.2.3 Patched: Updated: June 30, 2026

LOW

flex-guten

Score: 93/100 Flex Guten <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via thumbnailHoverEffect Parameter Affected: *-1.2.5 Patched: 1.2.6 Updated: June 30, 2026

LOW

seriously-simple-podcasting

Score: N/A Seriously Simple Podcasting <= 3.11.1 - Authenticated (Editor+) Stored Cross-Site Scripting Affected: *-3.11.1 Patched: 3.12.0 Updated: June 30, 2026

LOW

reveal-listing

Score: N/A Reveal Listing <= 3.3 - Unauthenticated Privilege Escalation Affected: *-3.3 Patched: 3.4 Updated: June 30, 2026

LOW

js_composer

Score: 93/100 WPBakery Page Builder for WordPress <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-8.5 Patched: 8.6 Updated: June 30, 2026

LOW

jet-reviews

Score: 93/100 JetReviews <= 3.0.0 - Authenticated (Contributor+) Local File Inclusion Affected: *-3.0.0 Patched: 3.0.0.1 Updated: June 30, 2026

LOW

groundhogg

Score: 93/100 Groundhogg <= 4.2.2 - Authenticated (Sales Representative+) PHP Object Injection Affected: *-4.2.2 Patched: 4.2.2.1 Updated: June 30, 2026

LOW

give

Score: 93/100 GiveWP – Donation Plugin and Fundraising Platform <= 4.6.0 - Unauthenticated Donor Data Exposure Affected: *-4.6.0 Patched: 4.6.1 Updated: June 30, 2026

LOW

FileBird – WordPress Media Library Folders & File Manager

filebird

Score: 80/100 FileBird – WordPress Media Library Folders & File Manager <= 6.4.8 - Authenticated (Author+) SQL Injection Affected: *-6.4.8 Patched: 6.4.9 Updated: June 30, 2026

LOW

exclusive-addons-for-elementor

Score: 93/100 Exclusive Addons for Elementor <= 2.7.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Affected: *-2.7.9.4 Patched: 2.7.9.5 Updated: June 30, 2026

LOW

boldermail

Score: 91/100 Boldermail <= 2.4.0 - Authenticated (Contributor+) PHP Object Injection Affected: *-2.4.0 Patched: Updated: June 30, 2026

LOW

Score: 93/100 Element Pack Elementor Addons and Templates <= 8.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map Widget Marker Content Affected: *-8.1.5 Patched: 8.1.6 Updated: June 30, 2026

LOW

download-counter

Score: 91/100 Download Counter <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter Affected: *-1.3 Patched: 1.4 Updated: June 30, 2026

LOW

wp-import-export-lite

Score: N/A WP Import Export Lite <= 3.9.29 - Authenticated (Subscriber+) Arbitrary File Upload Affected: *-3.9.29 Patched: 3.9.30 Updated: June 30, 2026

LOW

wp-import-export-lite

Score: N/A WP Import Export Lite <= 3.9.28 - Authenticated (Subscriber+) Arbitrary File Upload Affected: *-3.9.28 Patched: 3.9.29 Updated: June 30, 2026

LOW

employee-directory

Score: 91/100 Employee Directory <= 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter Affected: *-4.5.1 Patched: 4.5.2 Updated: June 30, 2026

LOW

campus-directory

Score: 93/100 Campus Directory <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter Affected: *-1.9.1 Patched: 1.9.2 Updated: June 30, 2026

LOW

wp-easy-contact

Score: N/A WP Easy Contact <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter Affected: *-4.0.1 Patched: 4.0.2 Updated: June 30, 2026

LOW

use-your-drive

Score: N/A Use-your-Drive | Google Drive plugin for WordPress <= 3.3.1- Unauthenticated Stored Cross-Site Scripting via File Metadata Affected: *-3.3.1 Patched: 3.3.2 Updated: June 30, 2026

LOW

eventer

Score: 89/100 Eventer <= 3.11.2.1 - Unauthenticated Arbitrary Shortcode Execution Affected: *-3.11.2.1 Patched: 3.11.2.2 Updated: June 30, 2026

LOW

wikipedia-preview

Score: N/A Wikipedia Preview <= 1.15.0 - Missing Authorization Affected: *-1.15.0 Patched: 1.16.0 Updated: June 30, 2026

LOW

jet-woo-builder

Score: 93/100 JetWooBuilder <= 2.1.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.1.20.1 Patched: 2.2.0 Updated: June 30, 2026

LOW

jet-elements

Score: 93/100 JetElements For Elementor <= 2.7.8 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.7.8 Patched: 2.7.8.1 Updated: June 30, 2026

LOW

jet-blog

Score: 93/100 JetBlog <= 2.4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.4.4.1 Patched: 2.4.5 Updated: June 30, 2026

LOW

javo-core

Score: 86/100 Javo Core <= 3.0.0.266 - Unauthenticated Remote Code Execution Affected: *-3.0.0.266 Patched: Updated: June 30, 2026

LOW

ocean-social-sharing

Score: N/A Ocean Social Sharing <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.2.1 Patched: 2.2.2 Updated: June 30, 2026

LOW

bravepopup-pro

Score: 93/100 Brave Conversion Engine (PRO) <= 0.7.7 - Authentication Bypass to Administrator Affected: *-0.7.7 Patched: 0.8.0 Updated: June 30, 2026

LOW

header-footer-elementor

Score: 93/100 Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update Affected: *-2.4.6 Patched: 2.4.7 Updated: June 30, 2026

LOW

mmm-unity-loader

Score: 91/100 Mmm Unity Loader <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via attributes Parameter Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

magic-edge-lite-image-background-remover

Score: 91/100 Magic Edge – Lite <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via height Parameter Affected: *-1.1.6 Patched: Updated: June 30, 2026

LOW

bee-quick-gallery

Score: 91/100 Image Gallery <= 1.0.0 - Reflected Cross-Site Scripting Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

aio-time-clock-lite

Score: 97/100 All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Reflected Cross-Site Scripting Affected: *-2.0 Patched: 2.0.1 Updated: June 30, 2026

LOW

medical-addon-for-elementor

Score: 91/100 Medical Addon for Elementor <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter Widget Affected: *-1.6.4 Patched: 1.6.5 Updated: June 30, 2026

LOW

custom-word-cloud

Score: 91/100 Custom Word Cloud <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via angle Parameter Affected: *-0.3 Patched: Updated: June 30, 2026

LOW

360-sphere-images

Score: 95/100 360 Photo Spheres <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.3 Patched: Updated: June 30, 2026

LOW

seo-metrics-helper

Score: N/A SEO Metrics <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation Affected: *-1.0.15 Patched: 1.0.16 Updated: June 30, 2026

LOW

easy-sticky-sidebar

Score: 93/100 WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons <= 1.7.0 - Missing Authorization to Unauthenticated Sticky Status Update Affected: *-1.7.0 Patched: 1.7.1 Updated: June 30, 2026

LOW

qi-addons-for-elementor

Score: N/A Qi Addons for Elementor <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via TypeOut Text Widget Affected: *-1.9.2 Patched: 1.9.3 Updated: June 30, 2026

LOW

wp-jobs2careers

Score: N/A WP Talroo <= 2.4 - Reflected Cross-Site Scripting Affected: *-2.4 Patched: Updated: June 30, 2026

LOW

woffice-core

Score: N/A Woffice Core <= 5.4.26 - Authenticated (Contributor+) Arbitrary File Deletion Affected: *-5.4.26 Patched: 5.4.27 Updated: June 30, 2026

LOW

shortpixel-adaptive-images

Score: N/A ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization <= 3.10.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via API URL Affected: *-3.10.4 Patched: 3.10.5 Updated: June 30, 2026

LOW

preserve-code-formatting

Score: N/A Preserve Code Formatting <= 4.0.1 - Authenticated (Contributor+) PHP Object Injection Affected: *-4.0.1 Patched: 5.0 Updated: June 30, 2026

LOW

bitfire

Score: 93/100 BitFire <= 4.5 - Unauthenticated Information Exposure Affected: *-4.5 Patched: 4.6 Updated: June 30, 2026

LOW

blockspare

Score: 93/100 BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites <= 3.2.13.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Image Slider Widgets Affected: *-3.2.13.1 Patched: 3.2.13.2 Updated: June 30, 2026

LOW

sina-extension-for-elementor

Score: N/A Sina Extension for Elementor <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Sina Posts`, `Sina Blog Post` and `Sina Table` Widgets Affected: *-3.7.0 Patched: 3.7.1 Updated: June 30, 2026

LOW

the-plus-addons-for-elementor-page-builder

Score: N/A The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-6.3.10 Patched: 6.3.11 Updated: June 30, 2026

LOW

stratum

Score: N/A Stratum – Elementor Widgets <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Google Maps and Image Hotspot Widgets Affected: *-1.6.0 Patched: 1.6.1 Updated: June 30, 2026

LOW

idonate

Score: 89/100 IDonate 2.0.0 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via admin_donor_profile_view Function Affected: 2.0.0-2.1.9 Patched: 2.1.10 Updated: June 30, 2026

LOW

contest-gallery

Score: 93/100 Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI <= 26.1.0 - Unauthenticated Stored Cross-Site Scripting Affected: *-26.1.0 Patched: 26.1.1 Updated: June 30, 2026

LOW

searchpro

Score: N/A BerqWP <= 2.2.42 - Unauthenticated Arbitrary File Upload Affected: *-2.2.42 Patched: 2.2.44 Updated: June 30, 2026

LOW

sf-booking

Score: N/A Service Finder Bookings <= 6.0 - Authentication Bypass via User Switch Cookie Affected: *-6.0 Patched: 6.1 Updated: June 30, 2026

LOW

aone-sms

Score: 95/100 Service Finder SMS System <= 2.0.0 - Unauthenticated Privilege Escalation Affected: *-2.0.0 Patched: Updated: June 30, 2026

LOW

wp-store-locator

Score: N/A Store Locator <= 2.2.260 - Authenticated (Contributor+) PHP Object Injection Affected: *-2.2.260 Patched: 2.2.261 Updated: June 30, 2026

LOW

woozone-contextual

Score: N/A Amazon Native Shopping Recommendations <= 1.3 - Unauthenticated SQL Injection Affected: *-1.3 Patched: Updated: June 30, 2026

LOW

suredash

Score: N/A SureDash <= 1.1.0 - Authenticated (Subscriber+) Information Disclosure Affected: *-1.1.0 Patched: 1.2.0 Updated: June 30, 2026

LOW

supportboard

Score: N/A Support Board < 3.8.7 - Reflected Cross-Site Scripting Affected: [*, 3.8.7) Patched: 3.8.7 Updated: June 30, 2026

LOW

superstorefinder-wp

Score: N/A Super Store Finder <= 7.5 - Unauthenticated SQL Injection Affected: *-7.5 Patched: 7.6 Updated: June 30, 2026

LOW

storekeeper-for-woocommerce

Score: N/A StoreKeeper for WooCommerce <= 14.4.4 - Unauthenticated Arbitrary File Upload Affected: *-14.4.4 Patched: 14.4.5 Updated: June 30, 2026

LOW

product-xml-feeds-for-woocommerce

Score: N/A Product XML Feed Manager for WooCommerce <= 2.9.3 - Authenticated (Contributor+) Remote Code Execution Affected: *-2.9.3 Patched: 2.9.4 Updated: June 30, 2026

LOW

pressforward

Score: N/A PressForward <= 5.9.1 - Authenticated (Subscriber+) Server-Side Request Forgery Affected: *-5.9.1 Patched: Updated: June 30, 2026

LOW

mapsvg

Score: 91/100 MapSVG < 8.6.12 - Authenticated (Contributor+) Arbitrary File Download Affected: [*, 8.6.12) Patched: 8.6.12 Updated: June 30, 2026

LOW

gmap-targeting

Score: 93/100 Google Map Targeting <= 1.1.6 - Authenticated (Subscriber+) Local File Inclusion Affected: *-1.1.6 Patched: 1.1.7 Updated: June 30, 2026

LOW

delucks-seo

Score: 89/100 DELUCKS SEO <= 2.6.0 - Authenticated (Subscriber+) Privilege Escalation Affected: *-2.6.0 Patched: 2.6.1 Updated: June 30, 2026

LOW

cubeportfolio

Score: 91/100 Cube Portfolio <= 1.16.8 - Authenticated (Subscriber+) SQL Injection Affected: *-1.16.8 Patched: Updated: June 30, 2026

LOW

buddypress-xprofile-image-field

Score: 93/100 BuddyPress XProfile Custom Image Field <= 3.0.1 - Unauthenticated Arbitrary File Deletion Affected: *-3.0.1 Patched: 3.1.0 Updated: June 30, 2026

LOW

give

Score: 93/100 GiveWP – Donation Plugin and Fundraising Platform <= 4.5.0 - Authenticated (GiveWP worker+) Stored Cross-Site Scripting Affected: *-4.5.0 Patched: 4.6.0 Updated: June 30, 2026

LOW

customer-reviews-woocommerce

Score: 93/100 Customer Reviews for WooCommerce <= 5.80.2 - Unauthenticated Stored Cross-Site Scripting via `author` Parameter Affected: *-5.80.2 Patched: 5.81.0 Updated: June 30, 2026

LOW

AI Engine – The Chatbot, AI Framework & MCP for WordPress

ai-engine

Score: 82/100 AI Engine 2.9.3 - 2.9.4 - Authenticated (Subscriber+) Arbitrary File Upload Affected: 2.9.3-2.9.4 Patched: 2.9.5 Updated: June 30, 2026

LOW

yith-woocommerce-popup

Score: N/A YITH WooCommerce Popup <= 1.48.0 - Cross-Site Request Forgery Affected: *-1.48.0 Patched: 1.48.1 Updated: June 30, 2026

LOW

wplr-sync

Score: N/A Photo Engine <= 6.4.3 - Cross-Site Request Forgery Affected: *-6.4.3 Patched: 6.4.4 Updated: June 30, 2026

LOW

wpfunnels

Score: N/A WPFunnels <= 3.5.26 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.5.26 Patched: 3.5.27 Updated: June 30, 2026

LOW

wp-modal-popup-with-cookie-integration

Score: N/A WP Modal Popup with Cookie Integration <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.4 Patched: 2.5 Updated: June 30, 2026

LOW

wp-gravity-forms-spreadsheets

Score: N/A Connector for Gravity Forms and Google Sheets <= 1.2.4 - Open Redirect Affected: *-1.2.4 Patched: 1.2.5 Updated: June 30, 2026

LOW

wp-gravity-forms-spreadsheets

Score: N/A Connector for Gravity Forms and Google Sheets <= 1.2.4 - Cross-Site Request Forgery Affected: *-1.2.4 Patched: 1.2.5 Updated: June 30, 2026

LOW

thebooking

Score: N/A TheBooking <= 1.4.4 - Missing Authorization Affected: *-1.4.4 Patched: Updated: June 30, 2026

LOW

real-estate-listing-realtyna-wpl

Score: N/A Realtyna Organic IDX plugin <= 5.0.0 - Unauthenticated Local File Inclusion Affected: *-5.0.0 Patched: 5.0.1 Updated: June 30, 2026

LOW

product-configurator-for-woocommerce

Score: N/A Product Configurator for WooCommerce <= 1.4.4 - Cross-Site Request Forgery Affected: *-1.4.4 Patched: 1.5.0 Updated: June 30, 2026

LOW

oik

Score: N/A oik <= 4.15.2 - Cross-Site Request Forgery Affected: *-4.15.2 Patched: 4.15.3 Updated: June 30, 2026

LOW

ninjascanner

Score: N/A NinjaScanner – Virus & Malware scan <= 3.2.5 - Authenticated (Administrator+) Arbitrary File Deletion Affected: *-3.2.5 Patched: 3.2.6 Updated: June 30, 2026

LOW

mycred

Score: N/A myCred <= 2.9.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.9.4.3 Patched: 2.9.4.4 Updated: June 30, 2026

LOW

mycred

Score: N/A myCred <= 2.9.4.3 - Authenticated (Subscriber+) Race Condition Affected: *-2.9.4.3 Patched: 2.9.4.4 Updated: June 30, 2026

LOW

motors-car-dealership-classified-listings

Score: N/A Motors <= 1.4.80 - Unauthenticated Insecure Direct Object Reference Affected: *-1.4.80 Patched: 1.4.81 Updated: June 30, 2026

LOW

meeting-scheduler-by-vcita

Score: 93/100 Online Booking & Scheduling Calendar for WordPress by vcita <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-4.5.3 Patched: 4.5.5 Updated: June 30, 2026

LOW

magical-posts-display

Score: 93/100 Magical Posts Display <= 1.2.52 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2.52 Patched: 1.2.53 Updated: June 30, 2026

LOW

Event Booking Manager for WooCommerce

mage-eventpress

Score: 82/100 WpEvently <= 4.4.6 - Missing Authorization Affected: *-4.4.6 Patched: 4.4.7 Updated: June 30, 2026

LOW

learning-management-system

Score: 93/100 Masteriyo - LMS <= 1.18.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.18.3 Patched: 1.18.4 Updated: June 30, 2026

Showing 7301 to 7400 of 36282 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 00:54 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List