Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36283

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
elex-bulk-edit-products-prices-attributes-for-woocommerce-basic	elex-bulk-edit-products-prices-attributes-for-woocommerce-basic	93	ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes <= 1.4.9 - Authenticated (Subscriber+) SQL Injection	LOW	*-1.4.9	1.5.0	June 30, 2026
companion-auto-update	companion-auto-update	93	Companion Auto Update <= 3.9.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via update_delay_days parameter	LOW	*-3.9.2	3.9.3	June 30, 2026
strong-testimonials	strong-testimonials	N/A	Strong Testimonials <= 3.2.11 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Fields	LOW	*-3.2.11	3.2.12	June 30, 2026
ht-contactform	ht-contactform	93	HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Upload	LOW	*-2.2.1	2.2.2	June 30, 2026
ht-contactform	ht-contactform	93	HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Directory Traversal to Arbitrary File Move	LOW	*-2.2.1	2.2.2	June 30, 2026
ht-contactform	ht-contactform	93	HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Deletion	LOW	*-2.2.1	2.2.2	June 30, 2026
wp-smart-flexslider	wp-smart-flexslider	N/A	Smart Flexslider <= 2.5 - Reflected Cross-Site Scripting	LOW	*-2.5		June 30, 2026
wp-click-track	wp-click-track	N/A	WP-Click-Tracker <= 0.7.3 - Reflected Cross-Site Scripting	LOW	*-0.7.3		June 30, 2026
user-registration-plugin-for-woocommerce	user-registration-plugin-for-woocommerce	N/A	Custom User Registration Fields for WooCommerce <= 2.1.2 - Unauthenticated Arbitrary File Upload	LOW	*-2.1.2		June 30, 2026
restrict-file-access	restrict-file-access	N/A	Restrict File Access <= 1.1.2 - Cross-Site Request Forgery to Arbitrary File Deletion	LOW	*-1.1.2		June 30, 2026
fade-slider	fade-slider	93	Fade Slider <= 2.5 - Reflected Cross-Site Scripting	LOW	*-2.5	2.6	June 30, 2026
email-attachment-by-order-status-products	email-attachment-by-order-status-products	91	Email Attachment by Order Status & Products <= 1.0.1 - Reflected Cross-Site Scripting	LOW	*-1.0.1		June 30, 2026
coschool	coschool	87	CoSchool LMS <= 1.4.3 - Authenticated (Subscriber+) SQL Injection	LOW	*-1.4.3		June 30, 2026
jet-engine	jet-engine	93	JetEngine <= 3.7.1 - Authenticated (Contributor+) Server-Side Template Injection to Remote Code Execution	LOW	*-3.7.1	3.7.1.1	June 30, 2026
evergreen-content-poster	evergreen-content-poster	93	Evergreen Content Poster <= 1.4.5 - Cross-Site Request Forgery	LOW	*-1.4.5	1.4.6	June 30, 2026
anycomment	anycomment	93	AnyComment <= 0.3.6 - Unauthenticated Local File Inclusion	LOW	*-0.3.6		June 30, 2026
beeteam368-extensions	beeteam368-extensions	91	BeeTeam368 Extensions <= 2.3.5 - Authenticated (Subscriber+) Arbitrary File Upload	LOW	*-2.3.5	2.3.6	June 30, 2026
wpbookit	wpbookit	N/A	WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload	LOW	*-1.0.4	1.0.5	June 30, 2026
wpbookit	wpbookit	N/A	WPBookit <= 1.0.4 - Authenticated (Subscriber+) Arbitrary File Upload	LOW	*-1.0.4	1.0.5	June 30, 2026
wp-businessdirectory	wp-businessdirectory	N/A	WP-BusinessDirectory <= 3.1.4 - Unauthenticated SQL Injection	LOW	*-3.1.4	3.1.5	June 30, 2026
SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder	sureforms	N/A	SureForms <= 1.7.1 - Reflected Cross-Site Scripting	LOW	*-1.7.1	1.7.2	June 30, 2026
support-ticket-system-for-woocommerce	support-ticket-system-for-woocommerce	N/A	Helpdesk Support Ticket System for WooCommerce <= 2.1.0 - Unauthenticated Arbitrary File Upload	LOW	*-2.1.0		June 30, 2026
sharebang	sharebang	N/A	ShareBang, Ultimate Social Share Buttons for WordPress <= 1.4 - Reflected Cross-Site Scripting	LOW	*-1.4		June 30, 2026
rsfirewall	rsfirewall	N/A	RSFirewall! <= 1.1.42 - Authenticated (Admin+) Arbitrary File Read	LOW	*-1.1.42	1.1.43	June 30, 2026
qc-simple-link-directory	qc-simple-link-directory	N/A	Simple Link Directory < 14.8.1 - Authentication Bypass	LOW	[*, 14.8.1)	14.8.1	June 30, 2026
profitori	profitori	N/A	The E-Commerce ERP <= 2.1.1.3 - Unauthenticated Privilege Escalation	LOW	*-2.1.1.3		June 30, 2026
product-xml-feeds-for-woocommerce	product-xml-feeds-for-woocommerce	N/A	Product XML Feed Manager for WooCommerce <= 2.9.2 - Missing Authorization	LOW	*-2.9.2	2.9.3	June 30, 2026
modern-events-calendar-lite	modern-events-calendar-lite	93	Modern Events Calendar Lite <= 6.3.0 - Unauthenticated SQL Injection	LOW	*-6.3.0	6.4.0	June 30, 2026
medical-prescription-attachment-plugin-for-woocommerce	medical-prescription-attachment-plugin-for-woocommerce	91	Medical Prescription Attachment Plugin for WooCommerce <= 1.2.3 - Unauthenticated Arbitrary File Upload	LOW	*-1.2.3		June 30, 2026
lbg-cleverbakery	lbg-cleverbakery	93	HTML5 Radio Player - WPBakery Page Builder Addon <= 2.5 - Unauthenticated Arbitrary File Upload	LOW	*-2.5	2.5.3	June 30, 2026
gappointments	gappointments	89	gAppointments <= 1.14.1 - Reflected Cross-Site Scripting	LOW	*-1.14.1		June 30, 2026
friends	friends	93	Friends 3.5.1 - Authenticated (Subscriber+) PHP Object Injection	LOW	3.5.1	3.5.2	June 30, 2026
exact-links	exact-links	83	URL Shortener <= 3.0.7 - Unauthenticated SQL Injection	LOW	*-3.0.7		June 30, 2026
exact-links	exact-links	83	URL Shortener <= 3.0.7 - Unauthenticated PHP Object Injection	LOW	*-3.0.7		June 30, 2026
contest-gallery	contest-gallery	93	Contest Gallery <= 26.0.6 - Reflected Cross-Site Scripting	LOW	*-26.0.6	26.0.7	June 30, 2026
click-pledge-wpjobboard	click-pledge-wpjobboard	93	WordPress-WPJobBoard <= 25.07010000-WP6.8.1-JB5.11.5 - Unauthenticated SQL Injection	LOW	* - 25.07010000-WP6.8.1-JB5.11.5	25.09000000-WP6.8.2-JB5.12.0	June 30, 2026
broken-link-notifier	broken-link-notifier	93	Broken Link Notifier <= 1.3.0 - Unauthenticated Server-Side Request Forgery	LOW	*-1.3.0	1.3.1	June 30, 2026
broken-link-notifier	broken-link-notifier	93	Broken Link Notifier <= 1.3.0 - Authenticated (Contributor+) CSV Injection	LOW	*-1.3.0	1.3.1	June 30, 2026
gym-management	gym-management	83	WPGYM - Wordpress Gym Management System < 67.8.0 - Unauthenticated SQL Injection	LOW	[*, 67.8.0)	67.8.0	June 30, 2026
woo-smart-compare	woo-smart-compare	N/A	WPC Smart Compare for WooCommerce <= 6.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-6.4.6	6.4.7	June 30, 2026
contest-gallery	contest-gallery	93	Contest Gallery <= 26.0.8 - Authenticated (Author+) Stored Cross-Site Scripting	LOW	*-26.0.8	26.0.9	June 30, 2026
gb-forms-db	gb-forms-db	93	GB Forms DB <= 1.0.2 - Unauthenticated Remote Code Execution	LOW	*-1.0.2	1.0.3	June 30, 2026
wp-register-profile-with-shortcode	wp-register-profile-with-shortcode	N/A	WP Register Profile With Shortcode <= 3.6.2 - Authenticated (Contributor+) Sensitive Information Exposure	LOW	*-3.6.2	3.6.3	June 30, 2026
wish-list-for-woocommerce	wish-list-for-woocommerce	N/A	Wishlist for WooCommerce <= 3.2.3 - Missing Authorization	LOW	*-3.2.3	3.2.4	June 30, 2026
profilegrid-user-profiles-groups-and-communities	profilegrid-user-profiles-groups-and-communities	N/A	ProfileGrid <= 5.9.5.2 - Authenticated (Subscriber+) SQL Injection	LOW	*-5.9.5.2	5.9.5.3	June 30, 2026
pro-watermark	pro-watermark	N/A	Pro Bulk Watermark Plugin for WordPress <= 2.0 - Authenticated (Subscriber+) Path Traversal	LOW	*-2.0		June 30, 2026
fwduvp	fwduvp	89	Ultimate Video Player WordPress & WooCommerce Plugin <= 10.1 - Unauthenticated Server-Side Request Forgery	LOW	*-10.1		June 30, 2026
Gallery by FooGallery	foogallery	82	FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.31 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting	LOW	*-2.4.31	2.4.32	June 30, 2026
billingo	billingo	91	Official Integration for Billingo <= 4.2.5 - Authenticated (Shop Manager+) Privilege Escalation	LOW	*-4.2.5		June 30, 2026
age-restriction	age-restriction	93	Premium Age Verification / Restriction for WordPress <= 3.0.2 - Unauthenticated Arbitrary File Read and Write via remote_tunnel.php	LOW	*-3.0.2		June 30, 2026
gwolle-gb	gwolle-gb	93	Gwolle Guestbook <= 4.9.2 - Unauthenticated Stored Cross-Site Scripting via `gwolle_gb_content` Parameter	LOW	*-4.9.2	4.9.3	June 30, 2026
wpforo	wpforo	N/A	wpForo Forum <= 2.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar	LOW	*-2.4.5	2.4.6	June 30, 2026
Events Manager – Calendar, Bookings, Tickets, and more!	events-manager	78	Events Manager <= 7.0.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes	LOW	*-6.6.4.4, 7.0.1-7.0.3	6.6.5	June 30, 2026
Events Manager – Calendar, Bookings, Tickets, and more!	events-manager	78	Events Manager <= 7.0.3 - Unauthenticated SQL Injection via `orderby` Parameter	LOW	*-6.6.4.4, 7.0.1-7.0.3	6.6.5	June 30, 2026
Events Manager – Calendar, Bookings, Tickets, and more!	events-manager	78	Event Manager <= 7.0.3 - Reflected Cross-Site Scripting via `calendar_header` Parameter	LOW	*-6.6.4.4, 7.0.1-7.0.3	6.6.5	June 30, 2026
wp-super-edit	wp-super-edit	N/A	Super Edit <= 2.5.4 - Reflected Cross-Site Scripting	LOW	*-2.5.4		June 30, 2026
templazee	templazee	N/A	Templazee <= 1.0.2 - Missing Authorization	LOW	*-1.0.2		June 30, 2026
Lana Downloads Manager	lana-downloads-manager	91	Lana Downloads Manager <= 1.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.10.0	1.11.0	June 30, 2026
SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder	sureforms	N/A	SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Submission Deletion	LOW	0.0-0.0.13, 1.0-1.0.6, 1.1-1.1.1, 1.2-1.2.4, 1.3-1.3.1, 1.4-1.4.4	0.0.14	June 30, 2026
SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder	sureforms	N/A	SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion	LOW	0.0-0.0.13, 1.0-1.0.6, 1.1-1.1.1, 1.2-1.2.4, 1.3-1.3.1, 1.4-1.4.4	0.0.14	June 30, 2026
simple-featured-image	simple-featured-image	N/A	Simple Featured Image <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via slideshow Parameter	LOW	*-1.3.1		June 30, 2026
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor	kadence-blocks	91	Kadence Blocks – Gutenberg Blocks for Page Builder Features <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via `redirectURL` Parameter	LOW	*-3.5.10	3.5.11	June 30, 2026
wc-frontend-manager	wc-frontend-manager	N/A	WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification	LOW	*-6.7.16	6.7.17	June 30, 2026
supportboard	supportboard	N/A	Support Board <= 3.8.0 - Unauthenticated Arbitrary File Deletion	LOW	*-3.8.0	3.8.1	June 30, 2026
supportboard	supportboard	N/A	Support Board <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key	LOW	*-3.8.0	3.8.1	June 30, 2026
wp-pipes	wp-pipes	N/A	WP Pipes <= 1.4.3 - Unauthenticated SQL Injection	LOW	*-1.4.3		June 30, 2026
wordpress-flat-countdown	wordpress-flat-countdown	N/A	Responsive Coming Soon Landing Page / Holding Page for WordPress <= 3.0 - Authenticated (Susbcriber+) Privilege Escalation	LOW	*-3.0		June 30, 2026
shortcode-generator	shortcode-generator	N/A	Shortcode Generator <= 1.1 - Reflected Cross-Site Scripting	LOW	*-1.1		June 30, 2026
premium-seo-pack	premium-seo-pack	N/A	Premium SEO Pack <= 3.3.2 - Authenticated (Subscriber+) SQL Injection	LOW	*-3.3.2		June 30, 2026
pakke	pakke	N/A	Pakke Envíos <= 1.0.2 - Authenticated (Subscriber+) SQL Injection	LOW	*-1.0.2		June 30, 2026
learts-addons	learts-addons	93	Learts Addons < 1.7.5 - Unauthenticated SQL Injection	LOW	[*, 1.7.5)	1.7.5	June 30, 2026
internal-linking-of-related-contents	internal-linking-of-related-contents	93	Internal Linking of Related Contents <= 1.1.8 - Missing Authorization	LOW	*-1.1.8	1.1.9	June 30, 2026
gym-management	gym-management	83	WPGYM <= 65.0 - Authenticated (Subscriber+) SQL Injection	LOW	*-65.0		June 30, 2026
funnel-builder	funnel-builder	93	Funnel Builder by FunnelKit <= 3.10.2 - Authenticated (Administrator+) SQL Injection	LOW	*-3.10.2	3.11.0	June 30, 2026
extendons-registration-fields	extendons-registration-fields	89	WooCommerce Registration Fields Plugin - Custom Signup Fields <= 3.2.3 - Authenticated (Subscriber+) Privilege Escalation	LOW	*-3.2.3		June 30, 2026
extendons-registration-fields	extendons-registration-fields	89	WooCommerce Registration Fields Plugin - Custom Signup Fields <= 3.2.3 - Reflected Cross-Site Scripting	LOW	*-3.2.3		June 30, 2026
auto-login-after-registration	auto-login-after-registration	91	Auto Login After Registration <= 1.0.0 - Reflected Cross-Site Scripting	LOW	*-1.0.0		June 30, 2026
business-reviews-wp	business-reviews-wp	93	Widget for Google Reviews <= 1.0.15 - Authenticated (Subscriber+) Directory Traversal to Local File Inclusion	LOW	*-1.0.15	1.0.16	June 30, 2026
foobox-image-lightbox	foobox-image-lightbox	93	Lightbox & Modal Popup WordPress Plugin – FooBox <= 2.7.34 - Authenticated (Author+) Stored Cross-Site Scripting	LOW	*-2.7.34	2.7.35	June 30, 2026
Essential Addons for Elementor – Popular Elementor Templates & Widgets	essential-addons-for-elementor-lite	85	Essential Addons for Elementor – Popular Elementor Templates and Widgets <= 6.1.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Calendar` And `Business Reviews` Widgets	LOW	*-6.1.19	6.1.20	June 30, 2026
AI Engine – The Chatbot, AI Framework & MCP for WordPress	ai-engine	82	AI Engine <= 2.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via `mwai_chatbot` Shortcode `id` Parameter	LOW	*-2.8.4	2.8.5	June 30, 2026
wpcode-content-ratio	wpcode-content-ratio	N/A	WPCode Content Ratio <= 2.0 - Reflected Cross-Site Scripting	LOW	*-2.0		June 30, 2026
wp-auto-spinner	wp-auto-spinner	N/A	Wordpress Auto Spinner <= 3.25.0 - Reflected Cross-Site Scripting	LOW	*-3.25.0		June 30, 2026
ultimate-push-notifications	ultimate-push-notifications	N/A	Ultimate Push Notifications <= 1.1.9 - Missing Authorization	LOW	*-1.1.9		June 30, 2026
torod	torod	N/A	Torod <= 1.9 - Unauthenticated SQL Injection	LOW	*-1.9		June 30, 2026
tennis-court-bookings	tennis-court-bookings	N/A	Tennis Court Bookings <= 1.2.7 - Reflected Cross-Site Scripting	LOW	*-1.2.7		June 30, 2026
superstorefinder-wp	superstorefinder-wp	N/A	Super Store Finder < 6.8 - Unauthenticated Local File Inclusion	LOW	[*, 7.8)	7.8	June 30, 2026
site-chat-on-telegram	site-chat-on-telegram	N/A	Site Chat on Telegram <= 1.0.4 - Unauthenticated PHP Object Injection	LOW	*-1.0.4	1.0.6	June 30, 2026
responsive-contact-form	responsive-contact-form	N/A	Multi-language Responsive Contact Form <= 2.8 - Missing Authorization	LOW	*-2.8		June 30, 2026
pw-woocommerce-on-sale	pw-woocommerce-on-sale	N/A	PW WooCommerce On Sale! <= 1.39 - Missing Authorization	LOW	*-1.39	1.40	June 30, 2026
profiler-what-slowing-down	profiler-what-slowing-down	N/A	Profiler - What Slowing Down Your WP <= 1.0.0 - Missing Authorization	LOW	*-1.0.0		June 30, 2026
pay-with-contact-form-7	pay-with-contact-form-7	N/A	Pay with Contact Form 7 <= 1.0.4 - Reflected Cross-Site Scripting	LOW	*-1.0.4		June 30, 2026
media-folder	media-folder	91	Media Folder <= 1.0.0 - Reflected Cross-Site Scripting	LOW	*-1.0.0		June 30, 2026
manuall-dofollow	manuall-dofollow	91	SMu Manual DoFollow <= 1.8.1 - Reflected Cross-Site Scripting	LOW	*-1.8.1		June 30, 2026
loginwp-pro	loginwp-pro	93	LoginWP - Pro <= 4.0.8.5 - Missing Authorization	LOW	*-4.0.8.5	4.0.8.6	June 30, 2026
infility-global	infility-global	81	Infility Global <= 2.13.4 - Reflected Cross-Site Scripting	LOW	*-2.13.4	2.13.5	June 30, 2026
guest-support	guest-support	93	Guest Support – Complete customer support ticket system for WordPress <= 1.2.2 - Missing Authorization to Unauthenticated Ticket Deletion	LOW	*-1.2.2	1.2.3	June 30, 2026
dot-htmlphpxml-etc-pages	dot-htmlphpxml-etc-pages	89	Dot html,php,xml etc pages <= 1.0 - Reflected Cross-Site Scripting	LOW	*-1.0		June 30, 2026
css3_web_pricing_tables_grids	css3_web_pricing_tables_grids	93	CSS3 Compare Pricing Tables for WordPress <= 11.6 - Reflected Cross-Site Scripting	LOW	*-11.6	11.7	June 30, 2026
coschool	coschool	87	CoSchool LMS <= 1.4.3 - Unauthenticated PHP Object Injection	LOW	*-1.4.3		June 30, 2026

LOW

elex-bulk-edit-products-prices-attributes-for-woocommerce-basic

Score: 93/100 ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes <= 1.4.9 - Authenticated (Subscriber+) SQL Injection Affected: *-1.4.9 Patched: 1.5.0 Updated: June 30, 2026

LOW

companion-auto-update

Score: 93/100 Companion Auto Update <= 3.9.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via update_delay_days parameter Affected: *-3.9.2 Patched: 3.9.3 Updated: June 30, 2026

LOW

strong-testimonials

Score: N/A Strong Testimonials <= 3.2.11 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Fields Affected: *-3.2.11 Patched: 3.2.12 Updated: June 30, 2026

LOW

Score: 93/100 HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Upload Affected: *-2.2.1 Patched: 2.2.2 Updated: June 30, 2026

LOW

ht-contactform

Score: 93/100 HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Directory Traversal to Arbitrary File Move Affected: *-2.2.1 Patched: 2.2.2 Updated: June 30, 2026

LOW

ht-contactform

Score: 93/100 HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Deletion Affected: *-2.2.1 Patched: 2.2.2 Updated: June 30, 2026

LOW

wp-smart-flexslider

Score: N/A Smart Flexslider <= 2.5 - Reflected Cross-Site Scripting Affected: *-2.5 Patched: Updated: June 30, 2026

LOW

wp-click-track

Score: N/A WP-Click-Tracker <= 0.7.3 - Reflected Cross-Site Scripting Affected: *-0.7.3 Patched: Updated: June 30, 2026

LOW

user-registration-plugin-for-woocommerce

Score: N/A Custom User Registration Fields for WooCommerce <= 2.1.2 - Unauthenticated Arbitrary File Upload Affected: *-2.1.2 Patched: Updated: June 30, 2026

LOW

restrict-file-access

Score: N/A Restrict File Access <= 1.1.2 - Cross-Site Request Forgery to Arbitrary File Deletion Affected: *-1.1.2 Patched: Updated: June 30, 2026

LOW

fade-slider

Score: 93/100 Fade Slider <= 2.5 - Reflected Cross-Site Scripting Affected: *-2.5 Patched: 2.6 Updated: June 30, 2026

LOW

email-attachment-by-order-status-products

Score: 91/100 Email Attachment by Order Status & Products <= 1.0.1 - Reflected Cross-Site Scripting Affected: *-1.0.1 Patched: Updated: June 30, 2026

LOW

coschool

Score: 87/100 CoSchool LMS <= 1.4.3 - Authenticated (Subscriber+) SQL Injection Affected: *-1.4.3 Patched: Updated: June 30, 2026

LOW

jet-engine

Score: 93/100 JetEngine <= 3.7.1 - Authenticated (Contributor+) Server-Side Template Injection to Remote Code Execution Affected: *-3.7.1 Patched: 3.7.1.1 Updated: June 30, 2026

LOW

evergreen-content-poster

Score: 93/100 Evergreen Content Poster <= 1.4.5 - Cross-Site Request Forgery Affected: *-1.4.5 Patched: 1.4.6 Updated: June 30, 2026

LOW

anycomment

Score: 93/100 AnyComment <= 0.3.6 - Unauthenticated Local File Inclusion Affected: *-0.3.6 Patched: Updated: June 30, 2026

LOW

beeteam368-extensions

Score: 91/100 BeeTeam368 Extensions <= 2.3.5 - Authenticated (Subscriber+) Arbitrary File Upload Affected: *-2.3.5 Patched: 2.3.6 Updated: June 30, 2026

LOW

wpbookit

Score: N/A WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload Affected: *-1.0.4 Patched: 1.0.5 Updated: June 30, 2026

LOW

wpbookit

Score: N/A WPBookit <= 1.0.4 - Authenticated (Subscriber+) Arbitrary File Upload Affected: *-1.0.4 Patched: 1.0.5 Updated: June 30, 2026

LOW

wp-businessdirectory

Score: N/A WP-BusinessDirectory <= 3.1.4 - Unauthenticated SQL Injection Affected: *-3.1.4 Patched: 3.1.5 Updated: June 30, 2026

LOW

SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder

sureforms

Score: N/A SureForms <= 1.7.1 - Reflected Cross-Site Scripting Affected: *-1.7.1 Patched: 1.7.2 Updated: June 30, 2026

LOW

support-ticket-system-for-woocommerce

Score: N/A Helpdesk Support Ticket System for WooCommerce <= 2.1.0 - Unauthenticated Arbitrary File Upload Affected: *-2.1.0 Patched: Updated: June 30, 2026

LOW

sharebang

Score: N/A ShareBang, Ultimate Social Share Buttons for WordPress <= 1.4 - Reflected Cross-Site Scripting Affected: *-1.4 Patched: Updated: June 30, 2026

LOW

rsfirewall

Score: N/A RSFirewall! <= 1.1.42 - Authenticated (Admin+) Arbitrary File Read Affected: *-1.1.42 Patched: 1.1.43 Updated: June 30, 2026

LOW

qc-simple-link-directory

Score: N/A Simple Link Directory < 14.8.1 - Authentication Bypass Affected: [*, 14.8.1) Patched: 14.8.1 Updated: June 30, 2026

LOW

profitori

Score: N/A The E-Commerce ERP <= 2.1.1.3 - Unauthenticated Privilege Escalation Affected: *-2.1.1.3 Patched: Updated: June 30, 2026

LOW

product-xml-feeds-for-woocommerce

Score: N/A Product XML Feed Manager for WooCommerce <= 2.9.2 - Missing Authorization Affected: *-2.9.2 Patched: 2.9.3 Updated: June 30, 2026

LOW

modern-events-calendar-lite

Score: 93/100 Modern Events Calendar Lite <= 6.3.0 - Unauthenticated SQL Injection Affected: *-6.3.0 Patched: 6.4.0 Updated: June 30, 2026

LOW

medical-prescription-attachment-plugin-for-woocommerce

Score: 91/100 Medical Prescription Attachment Plugin for WooCommerce <= 1.2.3 - Unauthenticated Arbitrary File Upload Affected: *-1.2.3 Patched: Updated: June 30, 2026

LOW

lbg-cleverbakery

Score: 93/100 HTML5 Radio Player - WPBakery Page Builder Addon <= 2.5 - Unauthenticated Arbitrary File Upload Affected: *-2.5 Patched: 2.5.3 Updated: June 30, 2026

LOW

gappointments

Score: 89/100 gAppointments <= 1.14.1 - Reflected Cross-Site Scripting Affected: *-1.14.1 Patched: Updated: June 30, 2026

LOW

friends

Score: 93/100 Friends 3.5.1 - Authenticated (Subscriber+) PHP Object Injection Affected: 3.5.1 Patched: 3.5.2 Updated: June 30, 2026

LOW

exact-links

Score: 83/100 URL Shortener <= 3.0.7 - Unauthenticated SQL Injection Affected: *-3.0.7 Patched: Updated: June 30, 2026

LOW

exact-links

Score: 83/100 URL Shortener <= 3.0.7 - Unauthenticated PHP Object Injection Affected: *-3.0.7 Patched: Updated: June 30, 2026

LOW

contest-gallery

Score: 93/100 Contest Gallery <= 26.0.6 - Reflected Cross-Site Scripting Affected: *-26.0.6 Patched: 26.0.7 Updated: June 30, 2026

LOW

click-pledge-wpjobboard

Score: 93/100 WordPress-WPJobBoard <= 25.07010000-WP6.8.1-JB5.11.5 - Unauthenticated SQL Injection Affected: * - 25.07010000-WP6.8.1-JB5.11.5 Patched: 25.09000000-WP6.8.2-JB5.12.0 Updated: June 30, 2026

LOW

broken-link-notifier

Score: 93/100 Broken Link Notifier <= 1.3.0 - Unauthenticated Server-Side Request Forgery Affected: *-1.3.0 Patched: 1.3.1 Updated: June 30, 2026

LOW

broken-link-notifier

Score: 93/100 Broken Link Notifier <= 1.3.0 - Authenticated (Contributor+) CSV Injection Affected: *-1.3.0 Patched: 1.3.1 Updated: June 30, 2026

LOW

gym-management

Score: 83/100 WPGYM - Wordpress Gym Management System < 67.8.0 - Unauthenticated SQL Injection Affected: [*, 67.8.0) Patched: 67.8.0 Updated: June 30, 2026

LOW

woo-smart-compare

Score: N/A WPC Smart Compare for WooCommerce <= 6.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-6.4.6 Patched: 6.4.7 Updated: June 30, 2026

LOW

contest-gallery

Score: 93/100 Contest Gallery <= 26.0.8 - Authenticated (Author+) Stored Cross-Site Scripting Affected: *-26.0.8 Patched: 26.0.9 Updated: June 30, 2026

LOW

gb-forms-db

Score: 93/100 GB Forms DB <= 1.0.2 - Unauthenticated Remote Code Execution Affected: *-1.0.2 Patched: 1.0.3 Updated: June 30, 2026

LOW

wp-register-profile-with-shortcode

Score: N/A WP Register Profile With Shortcode <= 3.6.2 - Authenticated (Contributor+) Sensitive Information Exposure Affected: *-3.6.2 Patched: 3.6.3 Updated: June 30, 2026

LOW

wish-list-for-woocommerce

Score: N/A Wishlist for WooCommerce <= 3.2.3 - Missing Authorization Affected: *-3.2.3 Patched: 3.2.4 Updated: June 30, 2026

LOW

profilegrid-user-profiles-groups-and-communities

Score: N/A ProfileGrid <= 5.9.5.2 - Authenticated (Subscriber+) SQL Injection Affected: *-5.9.5.2 Patched: 5.9.5.3 Updated: June 30, 2026

LOW

pro-watermark

Score: N/A Pro Bulk Watermark Plugin for WordPress <= 2.0 - Authenticated (Subscriber+) Path Traversal Affected: *-2.0 Patched: Updated: June 30, 2026

LOW

fwduvp

Score: 89/100 Ultimate Video Player WordPress & WooCommerce Plugin <= 10.1 - Unauthenticated Server-Side Request Forgery Affected: *-10.1 Patched: Updated: June 30, 2026

LOW

Gallery by FooGallery

foogallery

Score: 82/100 FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.31 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting Affected: *-2.4.31 Patched: 2.4.32 Updated: June 30, 2026

LOW

billingo

Score: 91/100 Official Integration for Billingo <= 4.2.5 - Authenticated (Shop Manager+) Privilege Escalation Affected: *-4.2.5 Patched: Updated: June 30, 2026

LOW

age-restriction

Score: 93/100 Premium Age Verification / Restriction for WordPress <= 3.0.2 - Unauthenticated Arbitrary File Read and Write via remote_tunnel.php Affected: *-3.0.2 Patched: Updated: June 30, 2026

LOW

gwolle-gb

Score: 93/100 Gwolle Guestbook <= 4.9.2 - Unauthenticated Stored Cross-Site Scripting via `gwolle_gb_content` Parameter Affected: *-4.9.2 Patched: 4.9.3 Updated: June 30, 2026

LOW

wpforo

Score: N/A wpForo Forum <= 2.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar Affected: *-2.4.5 Patched: 2.4.6 Updated: June 30, 2026

LOW

Events Manager – Calendar, Bookings, Tickets, and more!

events-manager

Score: 78/100 Events Manager <= 7.0.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes Affected: *-6.6.4.4, 7.0.1-7.0.3 Patched: 6.6.5 Updated: June 30, 2026

LOW

Events Manager – Calendar, Bookings, Tickets, and more!

events-manager

Score: 78/100 Events Manager <= 7.0.3 - Unauthenticated SQL Injection via `orderby` Parameter Affected: *-6.6.4.4, 7.0.1-7.0.3 Patched: 6.6.5 Updated: June 30, 2026

LOW

Events Manager – Calendar, Bookings, Tickets, and more!

events-manager

Score: 78/100 Event Manager <= 7.0.3 - Reflected Cross-Site Scripting via `calendar_header` Parameter Affected: *-6.6.4.4, 7.0.1-7.0.3 Patched: 6.6.5 Updated: June 30, 2026

LOW

wp-super-edit

Score: N/A Super Edit <= 2.5.4 - Reflected Cross-Site Scripting Affected: *-2.5.4 Patched: Updated: June 30, 2026

LOW

templazee

Score: N/A Templazee <= 1.0.2 - Missing Authorization Affected: *-1.0.2 Patched: Updated: June 30, 2026

LOW

Lana Downloads Manager

lana-downloads-manager

Score: 91/100 Lana Downloads Manager <= 1.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.10.0 Patched: 1.11.0 Updated: June 30, 2026

LOW

SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder

sureforms

Score: N/A SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Submission Deletion Affected: 0.0-0.0.13, 1.0-1.0.6, 1.1-1.1.1, 1.2-1.2.4, 1.3-1.3.1, 1.4-1.4.4 Patched: 0.0.14 Updated: June 30, 2026

LOW

SureForms – Contact Form, Payment Form, Survey & Other Custom Form Builder

sureforms

Score: N/A SureForms – Drag and Drop Form Builder for WordPress <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) Triggered via Admin Submission Deletion Affected: 0.0-0.0.13, 1.0-1.0.6, 1.1-1.1.1, 1.2-1.2.4, 1.3-1.3.1, 1.4-1.4.4 Patched: 0.0.14 Updated: June 30, 2026

LOW

simple-featured-image

Score: N/A Simple Featured Image <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via slideshow Parameter Affected: *-1.3.1 Patched: Updated: June 30, 2026

LOW

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor

kadence-blocks

Score: 91/100 Kadence Blocks – Gutenberg Blocks for Page Builder Features <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via `redirectURL` Parameter Affected: *-3.5.10 Patched: 3.5.11 Updated: June 30, 2026

LOW

wc-frontend-manager

Score: N/A WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.16 - Missing Authorization to Unauthenticated Plugin Settings Modification Affected: *-6.7.16 Patched: 6.7.17 Updated: June 30, 2026

LOW

supportboard

Score: N/A Support Board <= 3.8.0 - Unauthenticated Arbitrary File Deletion Affected: *-3.8.0 Patched: 3.8.1 Updated: June 30, 2026

LOW

supportboard

Score: N/A Support Board <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key Affected: *-3.8.0 Patched: 3.8.1 Updated: June 30, 2026

LOW

wp-pipes

Score: N/A WP Pipes <= 1.4.3 - Unauthenticated SQL Injection Affected: *-1.4.3 Patched: Updated: June 30, 2026

LOW

wordpress-flat-countdown

Score: N/A Responsive Coming Soon Landing Page / Holding Page for WordPress <= 3.0 - Authenticated (Susbcriber+) Privilege Escalation Affected: *-3.0 Patched: Updated: June 30, 2026

LOW

shortcode-generator

Score: N/A Shortcode Generator <= 1.1 - Reflected Cross-Site Scripting Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

premium-seo-pack

Score: N/A Premium SEO Pack <= 3.3.2 - Authenticated (Subscriber+) SQL Injection Affected: *-3.3.2 Patched: Updated: June 30, 2026

LOW

pakke

Score: N/A Pakke Envíos <= 1.0.2 - Authenticated (Subscriber+) SQL Injection Affected: *-1.0.2 Patched: Updated: June 30, 2026

LOW

learts-addons

Score: 93/100 Learts Addons < 1.7.5 - Unauthenticated SQL Injection Affected: [*, 1.7.5) Patched: 1.7.5 Updated: June 30, 2026

LOW

internal-linking-of-related-contents

Score: 93/100 Internal Linking of Related Contents <= 1.1.8 - Missing Authorization Affected: *-1.1.8 Patched: 1.1.9 Updated: June 30, 2026

LOW

gym-management

Score: 83/100 WPGYM <= 65.0 - Authenticated (Subscriber+) SQL Injection Affected: *-65.0 Patched: Updated: June 30, 2026

LOW

funnel-builder

Score: 93/100 Funnel Builder by FunnelKit <= 3.10.2 - Authenticated (Administrator+) SQL Injection Affected: *-3.10.2 Patched: 3.11.0 Updated: June 30, 2026

LOW

extendons-registration-fields

Score: 89/100 WooCommerce Registration Fields Plugin - Custom Signup Fields <= 3.2.3 - Authenticated (Subscriber+) Privilege Escalation Affected: *-3.2.3 Patched: Updated: June 30, 2026

LOW

extendons-registration-fields

Score: 89/100 WooCommerce Registration Fields Plugin - Custom Signup Fields <= 3.2.3 - Reflected Cross-Site Scripting Affected: *-3.2.3 Patched: Updated: June 30, 2026

LOW

auto-login-after-registration

Score: 91/100 Auto Login After Registration <= 1.0.0 - Reflected Cross-Site Scripting Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

business-reviews-wp

Score: 93/100 Widget for Google Reviews <= 1.0.15 - Authenticated (Subscriber+) Directory Traversal to Local File Inclusion Affected: *-1.0.15 Patched: 1.0.16 Updated: June 30, 2026

LOW

foobox-image-lightbox

Score: 93/100 Lightbox & Modal Popup WordPress Plugin – FooBox <= 2.7.34 - Authenticated (Author+) Stored Cross-Site Scripting Affected: *-2.7.34 Patched: 2.7.35 Updated: June 30, 2026

LOW

Essential Addons for Elementor – Popular Elementor Templates & Widgets

essential-addons-for-elementor-lite

Score: 85/100 Essential Addons for Elementor – Popular Elementor Templates and Widgets <= 6.1.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Calendar` And `Business Reviews` Widgets Affected: *-6.1.19 Patched: 6.1.20 Updated: June 30, 2026

LOW

AI Engine – The Chatbot, AI Framework & MCP for WordPress

ai-engine

Score: 82/100 AI Engine <= 2.8.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via `mwai_chatbot` Shortcode `id` Parameter Affected: *-2.8.4 Patched: 2.8.5 Updated: June 30, 2026

LOW

wpcode-content-ratio

Score: N/A WPCode Content Ratio <= 2.0 - Reflected Cross-Site Scripting Affected: *-2.0 Patched: Updated: June 30, 2026

LOW

wp-auto-spinner

Score: N/A Wordpress Auto Spinner <= 3.25.0 - Reflected Cross-Site Scripting Affected: *-3.25.0 Patched: Updated: June 30, 2026

LOW

ultimate-push-notifications

Score: N/A Ultimate Push Notifications <= 1.1.9 - Missing Authorization Affected: *-1.1.9 Patched: Updated: June 30, 2026

LOW

torod

Score: N/A Torod <= 1.9 - Unauthenticated SQL Injection Affected: *-1.9 Patched: Updated: June 30, 2026

LOW

tennis-court-bookings

Score: N/A Tennis Court Bookings <= 1.2.7 - Reflected Cross-Site Scripting Affected: *-1.2.7 Patched: Updated: June 30, 2026

LOW

superstorefinder-wp

Score: N/A Super Store Finder < 6.8 - Unauthenticated Local File Inclusion Affected: [*, 7.8) Patched: 7.8 Updated: June 30, 2026

LOW

site-chat-on-telegram

Score: N/A Site Chat on Telegram <= 1.0.4 - Unauthenticated PHP Object Injection Affected: *-1.0.4 Patched: 1.0.6 Updated: June 30, 2026

LOW

responsive-contact-form

Score: N/A Multi-language Responsive Contact Form <= 2.8 - Missing Authorization Affected: *-2.8 Patched: Updated: June 30, 2026

LOW

pw-woocommerce-on-sale

Score: N/A PW WooCommerce On Sale! <= 1.39 - Missing Authorization Affected: *-1.39 Patched: 1.40 Updated: June 30, 2026

LOW

profiler-what-slowing-down

Score: N/A Profiler - What Slowing Down Your WP <= 1.0.0 - Missing Authorization Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

pay-with-contact-form-7

Score: N/A Pay with Contact Form 7 <= 1.0.4 - Reflected Cross-Site Scripting Affected: *-1.0.4 Patched: Updated: June 30, 2026

LOW

media-folder

Score: 91/100 Media Folder <= 1.0.0 - Reflected Cross-Site Scripting Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

manuall-dofollow

Score: 91/100 SMu Manual DoFollow <= 1.8.1 - Reflected Cross-Site Scripting Affected: *-1.8.1 Patched: Updated: June 30, 2026

LOW

loginwp-pro

Score: 93/100 LoginWP - Pro <= 4.0.8.5 - Missing Authorization Affected: *-4.0.8.5 Patched: 4.0.8.6 Updated: June 30, 2026

LOW

infility-global

Score: 81/100 Infility Global <= 2.13.4 - Reflected Cross-Site Scripting Affected: *-2.13.4 Patched: 2.13.5 Updated: June 30, 2026

LOW

guest-support

Score: 93/100 Guest Support – Complete customer support ticket system for WordPress <= 1.2.2 - Missing Authorization to Unauthenticated Ticket Deletion Affected: *-1.2.2 Patched: 1.2.3 Updated: June 30, 2026

LOW

dot-htmlphpxml-etc-pages

Score: 89/100 Dot html,php,xml etc pages <= 1.0 - Reflected Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

css3_web_pricing_tables_grids

Score: 93/100 CSS3 Compare Pricing Tables for WordPress <= 11.6 - Reflected Cross-Site Scripting Affected: *-11.6 Patched: 11.7 Updated: June 30, 2026

LOW

coschool

Score: 87/100 CoSchool LMS <= 1.4.3 - Unauthenticated PHP Object Injection Affected: *-1.4.3 Patched: Updated: June 30, 2026

Showing 7701 to 7800 of 36283 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 06:49 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List