Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36282

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
yournewsapp	yournewsapp	N/A	Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App <= 0.8.8.8 - Reflected Cross-Site Scripting	LOW	*-0.8.8.8		June 30, 2026
woocommerce-wholesale-prices	woocommerce-wholesale-prices	N/A	Wholesale Suite <= 2.2.4.2 - Authenticated (Shop Manager+) Privilege Escalation	LOW	*-2.2.4.2	2.2.5	June 30, 2026
video-player-youtube-vimeo	video-player-youtube-vimeo	N/A	Youtube Vimeo Video Player and Slider WP Plugin <= 3.8 - Reflected Cross-Site Scripting	LOW	*-3.8	3.9	June 30, 2026
video-blogster-lite	video-blogster-lite	N/A	Video Blogster Lite <= 1.2 - Reflected Cross-Site Scripting	LOW	*-1.2		June 30, 2026
supportboard	supportboard	N/A	Support Board <= 3.8.0 - Reflected Cross-Site Scripting	LOW	*-3.8.0	3.8.1	June 30, 2026
simple-business-directory-pro	simple-business-directory-pro	N/A	Simple Business Directory Pro <= 15.5.1 - Reflected Cross-Site Scripting	LOW	*-15.5.1	15.5.2	June 30, 2026
Security Ninja – WordPress Security & Firewall	security-ninja	88	Security Ninja – Secure Firewall & Secure Malware Scanner - 5.201 - 5.242 - Authenticated (Administrator+) Arbitrary File Read	LOW	5.201-5.242	5.243	June 30, 2026
pixter-image-digital-license	pixter-image-digital-license	N/A	Multiple Plugins by itayamar - Backdoored Software	LOW	*-1.0		June 30, 2026
lbg-universal-video-player-addon-visual-composer	lbg-universal-video-player-addon-visual-composer	93	Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Reflected Cross-Site Scripting	LOW	*-3.2.1	3.2.2.0	June 30, 2026
lbg-audio2-html5	lbg-audio2-html5	91	Responsive HTML5 Audio Player PRO With Playlist <= 3.5.8 - Reflected Cross-Site Scripting	LOW	*-3.5.8	3.5.9	June 30, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events	latepoint	83	LatePoint <= 5.1.93 - Unauthenticated Local File Inclusion	LOW	*-5.1.93	5.1.94	June 30, 2026
js_composer	js_composer	93	WPBakery Page Builder <= 8.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Page Builder Elements	LOW	*-8.4.1	8.5	June 30, 2026
disable-right-click-powered-by-pixterme	disable-right-click-powered-by-pixterme	91	Multiple Plugins by itayamar - Backdoored Software	LOW	*-1.2		June 30, 2026
croprefine	croprefine	91	CropRefine <= 1.2.1 - Reflected Cross-Site Scripting	LOW	*-1.2.1		June 30, 2026
captionpix	captionpix	91	CaptionPix <= 1.8 - Reflected Cross-Site Scripting	LOW	*-1.8		June 30, 2026
featured-image-plus	featured-image-plus	93	Featured Image Plus – Quick & Bulk Edit with Unsplash <= 1.6.6 - Authenticated (Admin+) Server-Side Request Forgery	LOW	*-1.6.6	1.6.7	June 30, 2026
social-streams	social-streams	N/A	Social Streams <= 1.2.1 - Authenticated (Subscriber+) Privilege Escalation	LOW	*-1.0.1		June 30, 2026
realty-portal-agent	realty-portal-agent	N/A	Realty Portal – Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function	LOW	*-0.3.9		June 30, 2026
yanewsflash	yanewsflash	N/A	YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-1.0.3		June 30, 2026
omnishop	omnishop	N/A	Omnishop <= 1.0.9 - Cross-Site Request Forgery to Arbitrary User Deletion via /users/delete REST Endpoint	LOW	*-1.0.9		June 30, 2026
omnishop	omnishop	N/A	Omnishop <= 1.0.9 - Missing Registration Restriction to Unauthenticated Account Creation via /users/register REST Endpoint	LOW	*-1.0.9		June 30, 2026
commercial-real-estate-valuation-calculator	commercial-real-estate-valuation-calculator	93	Valuation Calculator <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via link Parameter	LOW	*-1.3.2	1.3.3	June 30, 2026
fleetwire-fleet-management	fleetwire-fleet-management	93	Fleetwire Fleet Management Plugin <= 1.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via fleetwire_list Shortcode	LOW	*-1.0.19	1.0.20	June 30, 2026
wp-pipes	wp-pipes	N/A	WP Pipes <= 1.4.3 - Unauthenticated Local File Inclusion	LOW	*-1.4.3		June 30, 2026
wp-links-page	wp-links-page	N/A	WP Links Page <= 4.9.6 - Authenticated (Subscriber+) SQL Injection	LOW	*-4.9.6	5.0	June 30, 2026
tablesome-premium	tablesome-premium	N/A	Tablesome Table Premium <= 1.1.23 - Missing Authorization	LOW	*-1.1.23		June 30, 2026
supportboard	supportboard	N/A	Support Board <= 3.8.0 - Unauthenticated Local File Inclusion	LOW	*-3.8.0	3.8.1	June 30, 2026
simple-contact-forms	simple-contact-forms	N/A	Simple Contact Forms <= 1.6.4 - Unauthenticated Local File Inclusion	LOW	*-1.6.4		June 30, 2026
post-and-page-builder	post-and-page-builder	N/A	Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.27.8 - Authenticated (Contributor+) Path Traversal	LOW	*-1.27.8	1.27.9	June 30, 2026
loginwp-pro	loginwp-pro	93	LoginWP - Pro <= 4.0.8.5 - Missing Authorization to Unauthenticated Settings Update	LOW	*-4.0.8.5	4.0.8.6	June 30, 2026
learnpress-import-export	learnpress-import-export	93	LearnPress Export Import <= 4.0.9 - Reflected Cross-Site Scripting	LOW	*-4.0.9	4.1.0	June 30, 2026
elite-video-player	elite-video-player	89	Elite Video Player <= 10.0.5 - Reflected Cross-Site Scripting	LOW	*-10.0.5	10.0.7	June 30, 2026
elex-reachship-multi-carrier-conditional-shipping	elex-reachship-multi-carrier-conditional-shipping	93	ReachShip WooCommerce Multi-Carrier & Conditional Shipping <= 4.3.1 - Authenticated (Contributor+) Arbitrary File Upload	LOW	*-4.3.1	4.3.2	June 30, 2026
css-javascript-toolbox	css-javascript-toolbox	93	CSS & JavaScript Toolbox < 12.0.3 - Authenticated (Subscriber+) Local File Inclusion	LOW	[*, 12.0.3)	12.0.3	June 30, 2026
artificial-intelligence-auto-content-generator	artificial-intelligence-auto-content-generator	95	AI Tools <= 4.0.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion	LOW	*-4.0.7		June 30, 2026
bsecure	bsecure	95	bSecure 1.3.7 - 1.7.9 - Missing Authorization to Unauthenticated Privilege Escalation via order_info REST Endpoint	LOW	1.3.7-1.7.9		June 30, 2026
latest-post-accordian-slider	latest-post-accordian-slider	91	Latest Post Accordian Slider <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-1.3		June 30, 2026
like-share-my-site	like-share-my-site	91	Like & Share My Site <= 0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-0.2		June 30, 2026
orion-login-with-sms	orion-login-with-sms	N/A	Orion Login with SMS <= 1.0.5 - Authentication Bypass via Weak OTP	LOW	*-1.0.5		June 30, 2026
birth-chart-compatibility	birth-chart-compatibility	91	Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure	LOW	*-2.0		June 30, 2026
fastcgi-cache-purge-and-preload-nginx	fastcgi-cache-purge-and-preload-nginx	93	Nginx Cache Purge Preload <= 2.1.1 - Authenticated (Administrator+) Remote Code Execution	LOW	*-2.1.1	2.1.3	June 30, 2026
wp-jobhunt	wp-jobhunt	N/A	WP JobHunt <= 7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Account Deletion	LOW	*-7.2		June 30, 2026
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder	user-registration	N/A	User Registration <= 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via urcr_restrict Shortcode	LOW	*-4.2.4	4.3.0	June 30, 2026
crm-customer-relationship-management-by-vcita	crm-customer-relationship-management-by-vcita	93	CRM and Lead Management by vcita <= 2.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter	LOW	*-2.7.5	2.8.0	June 30, 2026
ebook-store	ebook-store	93	Ebook Store <= 5.8012 - Authenticated (Administrator+) Stored Cross-Site Scripting via Order Details	LOW	*-5.8012	5.8013	June 30, 2026
wp-members	wp-members	N/A	WP-Members <= 3.5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.5.4.1	3.5.4.2	June 30, 2026
shortcodes-ultimate	shortcodes-ultimate	N/A	Shortcodes Ultimate <= 7.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title and Slide Link	LOW	*-7.4.2	7.4.3	June 30, 2026
profitori	profitori	N/A	The E-Commerce ERP <= 2.1.1.3 - Missing Authorization	LOW	*-2.1.1.3		June 30, 2026
Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App	post-smtp	87	Post SMTP <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via Email Log Exposure	LOW	*-3.2.0	3.3.0	June 30, 2026
pixel-gallery	pixel-gallery	N/A	Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery <= 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.6.7	1.6.8	June 30, 2026
learnpress-import-export	learnpress-import-export	93	LearnPress Export Import <= 4.1.2 - Unauthenticated Local File Inclusion	LOW	*-4.1.2	4.1.3	June 30, 2026
favorites	favorites	91	Favorites <= 2.3.6 - Unauthenticated Local File Inclusion	LOW	*-2.3.6		June 30, 2026
extensions-for-cf7	extensions-for-cf7	93	Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) <= 3.2.8 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion	LOW	*-3.2.8	3.2.9	June 30, 2026
customer-area	customer-area	89	Customer Area <= 8.2.7 - Unauthenticated Local File Inclusion	LOW	*-8.2.7		June 30, 2026
cm-map-locations	cm-map-locations	93	CM Map Locations <= 2.1.6 - Reflected Cross-Site Scripting	LOW	*-2.1.6	2.1.7	June 30, 2026
cbx-restaurant-booking	cbx-restaurant-booking	91	CBX Restaurant Booking <= 1.2.1 - Cross-Site Request Forgery to Plugin Reset	LOW	*-1.2.1		June 30, 2026
shortcodes-ultimate	shortcodes-ultimate	N/A	WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes	LOW	*-7.4.2	7.4.3	June 30, 2026
shortcodes-ultimate	shortcodes-ultimate	N/A	Shortcodes Ultimate <= 7.4.2 - Cross-Site Request Forgery to Arbitrary Shortcode Execution	LOW	*-7.4.2	7.4.3	June 30, 2026
gutentor	gutentor	91	Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets	LOW	*-3.4.8	3.4.9	June 30, 2026
simple-stripe-checkout	simple-stripe-checkout	N/A	Simple Stripe Checkout <= 1.1.28 - Reflected Cross-Site Scripting	LOW	*-1.1.28		June 30, 2026
breeze-checkout	breeze-checkout	91	Breeze Checkout <= 1.4.0 - Missing Authorization	LOW	*-1.4.0		June 30, 2026
bbpress-notify-nospam	bbpress-notify-nospam	93	bbPress Notify <= 2.19.5 - Reflected Cross-Site Scripting	LOW	*-2.19.5	2.20	June 30, 2026
trx_addons	trx_addons	N/A	ThemeREX Addons <= 2.35.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trx_addons_get_svg_from_file Function	LOW	*-2.35.1.1	2.35.2.2	June 30, 2026
mrkv-vchasno-kasa	mrkv-vchasno-kasa	N/A	Vchasno Kasa <= 1.0.3 - Unauthenticated Log File Clearing	LOW	*-1.0.3	1.0.4	June 30, 2026
integration-for-contact-form-7-and-google-sheets	integration-for-contact-form-7-and-google-sheets	93	Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function	LOW	*-1.1.1	1.1.2	June 30, 2026
integration-for-contact-form-7-and-pipedrive	integration-for-contact-form-7-and-pipedrive	93	Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function	LOW	*-1.2.3	1.2.4	June 30, 2026
live-stream-badger	live-stream-badger	91	Live Stream Badger <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.4.3		June 30, 2026
epaybg-payments	epaybg-payments	91	EPay.bg Payments <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-0.1		June 30, 2026
avishi-wp-paypal-payment-button	avishi-wp-paypal-payment-button	91	Avishi WP PayPal Payment Button <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-2.0		June 30, 2026
martinus-partnersky-system	martinus-partnersky-system	91	Partnerský systém Martinus <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.7.1		June 30, 2026
temporarily-hidden-content	temporarily-hidden-content	N/A	Temporarily Hidden Content <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.0.6		June 30, 2026
stepbyteservice-openstreetmap	stepbyteservice-openstreetmap	N/A	OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.2.0		June 30, 2026
mrkv-vchasno-kasa	mrkv-vchasno-kasa	N/A	Vchasno Kasa <= 1.0.3 - Missing Authorization to Unauthenticated Invoice Generation	LOW	*-1.0.3	1.0.4	June 30, 2026
leadbi	leadbi	89	LeadBI Plugin for WordPress <= 1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting	LOW	*-1.7		June 30, 2026
jet-search	jet-search	93	JetSearch <= 3.5.10 - Reflected Cross-Site Scripting	LOW	*-3.5.10	3.5.10.1	June 30, 2026
attachment-manager	attachment-manager	91	Attachment Manager <= 2.1.2 - Unauthenticated Arbitrary File Deletion	LOW	*-2.1.2		June 30, 2026
b1-accounting	b1-accounting	93	B1.lt for WooCommerce <= 2.2.56 - Authenticated (Subscriber+) SQL Injection	LOW	*-2.2.56	2.2.57	June 30, 2026
b1-accounting	b1-accounting	93	B1.lt for WooCommerce <= 2.2.57 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Injection	LOW	*-2.2.57	2.2.58	June 30, 2026
useful-tab-block-responsive-amp-compatible	useful-tab-block-responsive-amp-compatible	N/A	Useful Tab Block – Responsive & AMP-Compatible <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter	LOW	*-1.3.2		June 30, 2026
testimonial-post-type	testimonial-post-type	N/A	Testimonial Post type <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play Parameter	LOW	*-1.2.1		June 30, 2026
vertical-scroll-image-slideshow-gallery	vertical-scroll-image-slideshow-gallery	N/A	Vertical scroll image slideshow gallery <= 11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter	LOW	*-11.1		June 30, 2026
crowdfunding-for-woocommerce	crowdfunding-for-woocommerce	91	Crowdfunding for WooCommerce <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter	LOW	*-3.1.14		June 30, 2026
block-editor-gallery-slider	block-editor-gallery-slider	93	Block Editor Gallery Slider <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Limited Post Meta Update	LOW	*-1.1.1	1.1.2	June 30, 2026
terms-descriptions	terms-descriptions	N/A	Terms descriptions <= 3.4.8 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-3.4.8	3.4.9	June 30, 2026
zuppler-online-ordering	zuppler-online-ordering	N/A	Zuppler Online Ordering <= 2.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-2.1.0		June 30, 2026
Forminator Forms – Contact Form, Payment Form & Custom Form Builder	forminator	92	Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter	LOW	*-1.45.0	1.45.1	June 30, 2026
biteship	biteship	91	Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship <= 3.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) View Order Tracking Details	LOW	*-3.2.0		June 30, 2026
aapanel-wp-toolkit	aapanel-wp-toolkit	97	aapanel WP Toolkit 1.0 - 1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via auto_login() Function	LOW	1.0-1.1	1.2	June 30, 2026
ruven-themes-shortcodes	ruven-themes-shortcodes	N/A	Ruven Themes: Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.0		June 30, 2026
map-my-locations	map-my-locations	91	Map My Locations <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.1		June 30, 2026
copymatic	copymatic	91	Copymatic – AI Content Writer & Generator <= 2.1 - Cross-Site Request Forgery to Settings Update	LOW	*-2.1		June 30, 2026
knowledgebase	knowledgebase	93	Knowledge Base <= 2.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Slug	LOW	*-2.3.1	2.3.2	June 30, 2026
woocommerce-refund-and-exchange	woocommerce-refund-and-exchange	N/A	WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet <= 3.2.6 - Unauthenticated Arbitrary File Upload	LOW	*-3.2.6	3.2.7	June 30, 2026
school-management	school-management	N/A	School Management System for Wordpress <= 93.1.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update	LOW	*-93.1.0	1.93.1 (02-07-2025)	June 30, 2026
masterstudy-lms-learning-management-system-pro	masterstudy-lms-learning-management-system-pro	93	MasterStudy LMS – Online Courses, eLearning PRO Plus <= 4.7.9 - Authenticated (Subscriber+) Arbitrary File Upload	LOW	*-4.7.9	4.7.10	June 30, 2026
loginpress-pro	loginpress-pro	93	LoginPress Pro <= 5.0.1 - Authentication Bypass via WordPress.com OAuth provider	LOW	*-5.0.1	5.0.2	June 30, 2026
listly	listly	91	Listly: Listicles For WordPress <= 2.7 - Unauthenticated Arbitrary Transient Deletion	LOW	*-2.7		June 30, 2026
lbg-universal-video-player-addon-visual-composer	lbg-universal-video-player-addon-visual-composer	93	Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Reflected Cross-Site Scripting	LOW	*-3.2.1	3.2.2.0	June 30, 2026
lbg-audio8-html5-radio-ads	lbg-audio8-html5-radio-ads	93	SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support <= 3.5.4 - Reflected Cross-Site Scripting	LOW	*-3.5.4	3.5.5	June 30, 2026
lbg-audio5-html5-shoutcast-sticky	lbg-audio5-html5-shoutcast-sticky	93	Apollo - Sticky Full Width HTML5 Audio Player <= 3.4 - Reflected Cross-Site Scripting	LOW	*-3.4	3.6.4	June 30, 2026

LOW

yournewsapp

Score: N/A Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App <= 0.8.8.8 - Reflected Cross-Site Scripting Affected: *-0.8.8.8 Patched: Updated: June 30, 2026

LOW

woocommerce-wholesale-prices

Score: N/A Wholesale Suite <= 2.2.4.2 - Authenticated (Shop Manager+) Privilege Escalation Affected: *-2.2.4.2 Patched: 2.2.5 Updated: June 30, 2026

LOW

video-player-youtube-vimeo

Score: N/A Youtube Vimeo Video Player and Slider WP Plugin <= 3.8 - Reflected Cross-Site Scripting Affected: *-3.8 Patched: 3.9 Updated: June 30, 2026

LOW

video-blogster-lite

Score: N/A Video Blogster Lite <= 1.2 - Reflected Cross-Site Scripting Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

supportboard

Score: N/A Support Board <= 3.8.0 - Reflected Cross-Site Scripting Affected: *-3.8.0 Patched: 3.8.1 Updated: June 30, 2026

LOW

simple-business-directory-pro

Score: N/A Simple Business Directory Pro <= 15.5.1 - Reflected Cross-Site Scripting Affected: *-15.5.1 Patched: 15.5.2 Updated: June 30, 2026

LOW

Security Ninja – WordPress Security & Firewall

security-ninja

Score: 88/100 Security Ninja – Secure Firewall & Secure Malware Scanner - 5.201 - 5.242 - Authenticated (Administrator+) Arbitrary File Read Affected: 5.201-5.242 Patched: 5.243 Updated: June 30, 2026

LOW

pixter-image-digital-license

Score: N/A Multiple Plugins by itayamar - Backdoored Software Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

lbg-universal-video-player-addon-visual-composer

Score: 93/100 Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Reflected Cross-Site Scripting Affected: *-3.2.1 Patched: 3.2.2.0 Updated: June 30, 2026

LOW

lbg-audio2-html5

Score: 91/100 Responsive HTML5 Audio Player PRO With Playlist <= 3.5.8 - Reflected Cross-Site Scripting Affected: *-3.5.8 Patched: 3.5.9 Updated: June 30, 2026

LOW

LatePoint – Calendar Booking Plugin for Appointments and Events

latepoint

Score: 83/100 LatePoint <= 5.1.93 - Unauthenticated Local File Inclusion Affected: *-5.1.93 Patched: 5.1.94 Updated: June 30, 2026

LOW

js_composer

Score: 93/100 WPBakery Page Builder <= 8.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Page Builder Elements Affected: *-8.4.1 Patched: 8.5 Updated: June 30, 2026

LOW

disable-right-click-powered-by-pixterme

Score: 91/100 Multiple Plugins by itayamar - Backdoored Software Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

croprefine

Score: 91/100 CropRefine <= 1.2.1 - Reflected Cross-Site Scripting Affected: *-1.2.1 Patched: Updated: June 30, 2026

LOW

captionpix

Score: 91/100 CaptionPix <= 1.8 - Reflected Cross-Site Scripting Affected: *-1.8 Patched: Updated: June 30, 2026

LOW

featured-image-plus

Score: 93/100 Featured Image Plus – Quick & Bulk Edit with Unsplash <= 1.6.6 - Authenticated (Admin+) Server-Side Request Forgery Affected: *-1.6.6 Patched: 1.6.7 Updated: June 30, 2026

LOW

social-streams

Score: N/A Social Streams <= 1.2.1 - Authenticated (Subscriber+) Privilege Escalation Affected: *-1.0.1 Patched: Updated: June 30, 2026

LOW

realty-portal-agent

Score: N/A Realty Portal – Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function Affected: *-0.3.9 Patched: Updated: June 30, 2026

LOW

yanewsflash

Score: N/A YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-1.0.3 Patched: Updated: June 30, 2026

LOW

omnishop

Score: N/A Omnishop <= 1.0.9 - Cross-Site Request Forgery to Arbitrary User Deletion via /users/delete REST Endpoint Affected: *-1.0.9 Patched: Updated: June 30, 2026

LOW

omnishop

Score: N/A Omnishop <= 1.0.9 - Missing Registration Restriction to Unauthenticated Account Creation via /users/register REST Endpoint Affected: *-1.0.9 Patched: Updated: June 30, 2026

LOW

commercial-real-estate-valuation-calculator

Score: 93/100 Valuation Calculator <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via link Parameter Affected: *-1.3.2 Patched: 1.3.3 Updated: June 30, 2026

LOW

fleetwire-fleet-management

Score: 93/100 Fleetwire Fleet Management Plugin <= 1.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via fleetwire_list Shortcode Affected: *-1.0.19 Patched: 1.0.20 Updated: June 30, 2026

LOW

wp-pipes

Score: N/A WP Pipes <= 1.4.3 - Unauthenticated Local File Inclusion Affected: *-1.4.3 Patched: Updated: June 30, 2026

LOW

wp-links-page

Score: N/A WP Links Page <= 4.9.6 - Authenticated (Subscriber+) SQL Injection Affected: *-4.9.6 Patched: 5.0 Updated: June 30, 2026

LOW

tablesome-premium

Score: N/A Tablesome Table Premium <= 1.1.23 - Missing Authorization Affected: *-1.1.23 Patched: Updated: June 30, 2026

LOW

supportboard

Score: N/A Support Board <= 3.8.0 - Unauthenticated Local File Inclusion Affected: *-3.8.0 Patched: 3.8.1 Updated: June 30, 2026

LOW

simple-contact-forms

Score: N/A Simple Contact Forms <= 1.6.4 - Unauthenticated Local File Inclusion Affected: *-1.6.4 Patched: Updated: June 30, 2026

LOW

post-and-page-builder

Score: N/A Post and Page Builder by BoldGrid – Visual Drag and Drop Editor <= 1.27.8 - Authenticated (Contributor+) Path Traversal Affected: *-1.27.8 Patched: 1.27.9 Updated: June 30, 2026

LOW

loginwp-pro

Score: 93/100 LoginWP - Pro <= 4.0.8.5 - Missing Authorization to Unauthenticated Settings Update Affected: *-4.0.8.5 Patched: 4.0.8.6 Updated: June 30, 2026

LOW

learnpress-import-export

Score: 93/100 LearnPress Export Import <= 4.0.9 - Reflected Cross-Site Scripting Affected: *-4.0.9 Patched: 4.1.0 Updated: June 30, 2026

LOW

elite-video-player

Score: 89/100 Elite Video Player <= 10.0.5 - Reflected Cross-Site Scripting Affected: *-10.0.5 Patched: 10.0.7 Updated: June 30, 2026

LOW

elex-reachship-multi-carrier-conditional-shipping

Score: 93/100 ReachShip WooCommerce Multi-Carrier & Conditional Shipping <= 4.3.1 - Authenticated (Contributor+) Arbitrary File Upload Affected: *-4.3.1 Patched: 4.3.2 Updated: June 30, 2026

LOW

css-javascript-toolbox

Score: 93/100 CSS & JavaScript Toolbox < 12.0.3 - Authenticated (Subscriber+) Local File Inclusion Affected: [*, 12.0.3) Patched: 12.0.3 Updated: June 30, 2026

LOW

artificial-intelligence-auto-content-generator

Score: 95/100 AI Tools <= 4.0.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion Affected: *-4.0.7 Patched: Updated: June 30, 2026

LOW

bsecure

Score: 95/100 bSecure 1.3.7 - 1.7.9 - Missing Authorization to Unauthenticated Privilege Escalation via order_info REST Endpoint Affected: 1.3.7-1.7.9 Patched: Updated: June 30, 2026

LOW

latest-post-accordian-slider

Score: 91/100 Latest Post Accordian Slider <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-1.3 Patched: Updated: June 30, 2026

LOW

like-share-my-site

Score: 91/100 Like & Share My Site <= 0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-0.2 Patched: Updated: June 30, 2026

LOW

orion-login-with-sms

Score: N/A Orion Login with SMS <= 1.0.5 - Authentication Bypass via Weak OTP Affected: *-1.0.5 Patched: Updated: June 30, 2026

LOW

birth-chart-compatibility

Score: 91/100 Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure Affected: *-2.0 Patched: Updated: June 30, 2026

LOW

fastcgi-cache-purge-and-preload-nginx

Score: 93/100 Nginx Cache Purge Preload <= 2.1.1 - Authenticated (Administrator+) Remote Code Execution Affected: *-2.1.1 Patched: 2.1.3 Updated: June 30, 2026

LOW

wp-jobhunt

Score: N/A WP JobHunt <= 7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Account Deletion Affected: *-7.2 Patched: Updated: June 30, 2026

LOW

User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

user-registration

Score: N/A User Registration <= 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via urcr_restrict Shortcode Affected: *-4.2.4 Patched: 4.3.0 Updated: June 30, 2026

LOW

crm-customer-relationship-management-by-vcita

Score: 93/100 CRM and Lead Management by vcita <= 2.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter Affected: *-2.7.5 Patched: 2.8.0 Updated: June 30, 2026

LOW

ebook-store

Score: 93/100 Ebook Store <= 5.8012 - Authenticated (Administrator+) Stored Cross-Site Scripting via Order Details Affected: *-5.8012 Patched: 5.8013 Updated: June 30, 2026

LOW

wp-members

Score: N/A WP-Members <= 3.5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.5.4.1 Patched: 3.5.4.2 Updated: June 30, 2026

LOW

shortcodes-ultimate

Score: N/A Shortcodes Ultimate <= 7.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title and Slide Link Affected: *-7.4.2 Patched: 7.4.3 Updated: June 30, 2026

LOW

profitori

Score: N/A The E-Commerce ERP <= 2.1.1.3 - Missing Authorization Affected: *-2.1.1.3 Patched: Updated: June 30, 2026

LOW

Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App

post-smtp

Score: 87/100 Post SMTP <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via Email Log Exposure Affected: *-3.2.0 Patched: 3.3.0 Updated: June 30, 2026

LOW

pixel-gallery

Score: N/A Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery <= 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.6.7 Patched: 1.6.8 Updated: June 30, 2026

LOW

learnpress-import-export

Score: 93/100 LearnPress Export Import <= 4.1.2 - Unauthenticated Local File Inclusion Affected: *-4.1.2 Patched: 4.1.3 Updated: June 30, 2026

LOW

favorites

Score: 91/100 Favorites <= 2.3.6 - Unauthenticated Local File Inclusion Affected: *-2.3.6 Patched: Updated: June 30, 2026

LOW

extensions-for-cf7

Score: 93/100 Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) <= 3.2.8 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion Affected: *-3.2.8 Patched: 3.2.9 Updated: June 30, 2026

LOW

customer-area

Score: 89/100 Customer Area <= 8.2.7 - Unauthenticated Local File Inclusion Affected: *-8.2.7 Patched: Updated: June 30, 2026

LOW

cm-map-locations

Score: 93/100 CM Map Locations <= 2.1.6 - Reflected Cross-Site Scripting Affected: *-2.1.6 Patched: 2.1.7 Updated: June 30, 2026

LOW

cbx-restaurant-booking

Score: 91/100 CBX Restaurant Booking <= 1.2.1 - Cross-Site Request Forgery to Plugin Reset Affected: *-1.2.1 Patched: Updated: June 30, 2026

LOW

shortcodes-ultimate

Score: N/A WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes Affected: *-7.4.2 Patched: 7.4.3 Updated: June 30, 2026

LOW

shortcodes-ultimate

Score: N/A Shortcodes Ultimate <= 7.4.2 - Cross-Site Request Forgery to Arbitrary Shortcode Execution Affected: *-7.4.2 Patched: 7.4.3 Updated: June 30, 2026

LOW

gutentor

Score: 91/100 Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets Affected: *-3.4.8 Patched: 3.4.9 Updated: June 30, 2026

LOW

simple-stripe-checkout

Score: N/A Simple Stripe Checkout <= 1.1.28 - Reflected Cross-Site Scripting Affected: *-1.1.28 Patched: Updated: June 30, 2026

LOW

breeze-checkout

Score: 91/100 Breeze Checkout <= 1.4.0 - Missing Authorization Affected: *-1.4.0 Patched: Updated: June 30, 2026

LOW

bbpress-notify-nospam

Score: 93/100 bbPress Notify <= 2.19.5 - Reflected Cross-Site Scripting Affected: *-2.19.5 Patched: 2.20 Updated: June 30, 2026

LOW

trx_addons

Score: N/A ThemeREX Addons <= 2.35.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trx_addons_get_svg_from_file Function Affected: *-2.35.1.1 Patched: 2.35.2.2 Updated: June 30, 2026

LOW

mrkv-vchasno-kasa

Score: N/A Vchasno Kasa <= 1.0.3 - Unauthenticated Log File Clearing Affected: *-1.0.3 Patched: 1.0.4 Updated: June 30, 2026

LOW

integration-for-contact-form-7-and-google-sheets

Score: 93/100 Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function Affected: *-1.1.1 Patched: 1.1.2 Updated: June 30, 2026

LOW

integration-for-contact-form-7-and-pipedrive

Score: 93/100 Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function Affected: *-1.2.3 Patched: 1.2.4 Updated: June 30, 2026

LOW

live-stream-badger

Score: 91/100 Live Stream Badger <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.4.3 Patched: Updated: June 30, 2026

LOW

epaybg-payments

Score: 91/100 EPay.bg Payments <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.1 Patched: Updated: June 30, 2026

LOW

avishi-wp-paypal-payment-button

Score: 91/100 Avishi WP PayPal Payment Button <= 2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-2.0 Patched: Updated: June 30, 2026

LOW

martinus-partnersky-system

Score: 91/100 Partnerský systém Martinus <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.7.1 Patched: Updated: June 30, 2026

LOW

temporarily-hidden-content

Score: N/A Temporarily Hidden Content <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0.6 Patched: Updated: June 30, 2026

LOW

stepbyteservice-openstreetmap

Score: N/A OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2.0 Patched: Updated: June 30, 2026

LOW

mrkv-vchasno-kasa

Score: N/A Vchasno Kasa <= 1.0.3 - Missing Authorization to Unauthenticated Invoice Generation Affected: *-1.0.3 Patched: 1.0.4 Updated: June 30, 2026

LOW

leadbi

Score: 89/100 LeadBI Plugin for WordPress <= 1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting Affected: *-1.7 Patched: Updated: June 30, 2026

LOW

jet-search

Score: 93/100 JetSearch <= 3.5.10 - Reflected Cross-Site Scripting Affected: *-3.5.10 Patched: 3.5.10.1 Updated: June 30, 2026

LOW

attachment-manager

Score: 91/100 Attachment Manager <= 2.1.2 - Unauthenticated Arbitrary File Deletion Affected: *-2.1.2 Patched: Updated: June 30, 2026

LOW

b1-accounting

Score: 93/100 B1.lt for WooCommerce <= 2.2.56 - Authenticated (Subscriber+) SQL Injection Affected: *-2.2.56 Patched: 2.2.57 Updated: June 30, 2026

LOW

b1-accounting

Score: 93/100 B1.lt for WooCommerce <= 2.2.57 - Missing Authorization to Authenticated (Subscriber+) Arbitrary SQL Injection Affected: *-2.2.57 Patched: 2.2.58 Updated: June 30, 2026

LOW

useful-tab-block-responsive-amp-compatible

Score: N/A Useful Tab Block – Responsive & AMP-Compatible <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter Affected: *-1.3.2 Patched: Updated: June 30, 2026

LOW

testimonial-post-type

Score: N/A Testimonial Post type <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play Parameter Affected: *-1.2.1 Patched: Updated: June 30, 2026

LOW

vertical-scroll-image-slideshow-gallery

Score: N/A Vertical scroll image slideshow gallery <= 11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter Affected: *-11.1 Patched: Updated: June 30, 2026

LOW

crowdfunding-for-woocommerce

Score: 91/100 Crowdfunding for WooCommerce <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter Affected: *-3.1.14 Patched: Updated: June 30, 2026

LOW

block-editor-gallery-slider

Score: 93/100 Block Editor Gallery Slider <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Limited Post Meta Update Affected: *-1.1.1 Patched: 1.1.2 Updated: June 30, 2026

LOW

terms-descriptions

Score: N/A Terms descriptions <= 3.4.8 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-3.4.8 Patched: 3.4.9 Updated: June 30, 2026

LOW

zuppler-online-ordering

Score: N/A Zuppler Online Ordering <= 2.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-2.1.0 Patched: Updated: June 30, 2026

LOW

Forminator Forms – Contact Form, Payment Form & Custom Form Builder

forminator

Score: 92/100 Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter Affected: *-1.45.0 Patched: 1.45.1 Updated: June 30, 2026

LOW

biteship

Score: 91/100 Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo – Biteship <= 3.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) View Order Tracking Details Affected: *-3.2.0 Patched: Updated: June 30, 2026

LOW

aapanel-wp-toolkit

Score: 97/100 aapanel WP Toolkit 1.0 - 1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via auto_login() Function Affected: 1.0-1.1 Patched: 1.2 Updated: June 30, 2026

LOW

ruven-themes-shortcodes

Score: N/A Ruven Themes: Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

map-my-locations

Score: 91/100 Map My Locations <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

copymatic

Score: 91/100 Copymatic – AI Content Writer & Generator <= 2.1 - Cross-Site Request Forgery to Settings Update Affected: *-2.1 Patched: Updated: June 30, 2026

LOW

knowledgebase

Score: 93/100 Knowledge Base <= 2.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Slug Affected: *-2.3.1 Patched: 2.3.2 Updated: June 30, 2026

LOW

woocommerce-refund-and-exchange

Score: N/A WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet <= 3.2.6 - Unauthenticated Arbitrary File Upload Affected: *-3.2.6 Patched: 3.2.7 Updated: June 30, 2026

LOW

school-management

Score: N/A School Management System for Wordpress <= 93.1.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update Affected: *-93.1.0 Patched: 1.93.1 (02-07-2025) Updated: June 30, 2026

LOW

masterstudy-lms-learning-management-system-pro

Score: 93/100 MasterStudy LMS – Online Courses, eLearning PRO Plus <= 4.7.9 - Authenticated (Subscriber+) Arbitrary File Upload Affected: *-4.7.9 Patched: 4.7.10 Updated: June 30, 2026

LOW

loginpress-pro

Score: 93/100 LoginPress Pro <= 5.0.1 - Authentication Bypass via WordPress.com OAuth provider Affected: *-5.0.1 Patched: 5.0.2 Updated: June 30, 2026

LOW

listly

Score: 91/100 Listly: Listicles For WordPress <= 2.7 - Unauthenticated Arbitrary Transient Deletion Affected: *-2.7 Patched: Updated: June 30, 2026

LOW

lbg-universal-video-player-addon-visual-composer

Score: 93/100 Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Reflected Cross-Site Scripting Affected: *-3.2.1 Patched: 3.2.2.0 Updated: June 30, 2026

LOW

lbg-audio8-html5-radio-ads

Score: 93/100 SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support <= 3.5.4 - Reflected Cross-Site Scripting Affected: *-3.5.4 Patched: 3.5.5 Updated: June 30, 2026

LOW

lbg-audio5-html5-shoutcast-sticky

Score: 93/100 Apollo - Sticky Full Width HTML5 Audio Player <= 3.4 - Reflected Cross-Site Scripting Affected: *-3.4 Patched: 3.6.4 Updated: June 30, 2026

Showing 7501 to 7600 of 36282 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 03:59 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List