Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36283

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
cookie-script-com	cookie-script-com	93	Cookie-Script.com <= 1.2.1 - Missing Authorization	LOW	*-1.2.1	1.2.2	June 30, 2026
contentstudio	contentstudio	93	ContentStudio <= 1.3.7 - Missing Authorization	LOW	*-1.3.7	1.4.0	June 30, 2026
codepen-embed-block	codepen-embed-block	91	CodePen Embed Block <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.1.1		June 30, 2026
code-engine	code-engine	93	Code Engine <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-0.3.2	0.3.3	June 30, 2026
cliplink	cliplink	91	ClipLink <= 1.1 - Cross-Site Request Forgery	LOW	*-1.1		June 30, 2026
classified-listing	classified-listing	93	Classified Listing <= 4.2.0 - Authenticated (Contributor+) Local File Inclusion	LOW	*-4.2.0	4.2.1	June 30, 2026
chordpress	chordpress	91	Lewe ChordPress <= 3.9.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-3.9.7		June 30, 2026
buying-buddy-idx-crm	buying-buddy-idx-crm	93	Buying Buddy IDX CRM <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.3.0	2.3.1	June 30, 2026
bluff-post	bluff-post	91	Bluff Post <= 1.1.1 - Cross-Site Request Forgery	LOW	*-1.1.1		June 30, 2026
better-random-redirect	better-random-redirect	91	Better Random Redirect <= 1.3.20 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.3.20		June 30, 2026
bb-plugin	bb-plugin	93	Beaver Builder Plugin (Starter Version) <= 2.9.1 - Authenticated (Administrator+) Arbitrary File Upload	LOW	*-2.9.1	2.9.1.1	June 30, 2026
automatorwp	automatorwp	93	AutomatorWP <= 5.2.4 - Authenticated (Administrator+) SQL Injection	LOW	*-5.2.4	5.2.5	June 30, 2026
automatically-hierarchic-categories-in-menu	automatically-hierarchic-categories-in-menu	93	Automatically Hierarchic Categories in Menu <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.0.9	2.0.10	June 30, 2026
atp-call-now	atp-call-now	91	ATP Call Now <= 1.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.0.3		June 30, 2026
app-builder	app-builder	95	App Builder <= 5.5.7 - Missing Authorization	LOW	*-5.5.7	5.5.8	June 30, 2026
anonform-embedded-secure-form	anonform-embedded-secure-form	97	ANON::form embedded secure form <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.7	1.8	June 30, 2026
anant-addons-for-elementor	anant-addons-for-elementor	95	Anant Addons for Elementor <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.2.0		June 30, 2026
acf-blocks	acf-blocks	95	Gutenberg Blocks – ACF Blocks Suite <= 2.6.11 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.6.11		June 30, 2026
gutenverse-news	gutenverse-news	93	Gutenverse News <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via elementId Parameter	LOW	*-1.0.4	2.0.0	June 30, 2026
give	give	93	GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification	LOW	*-4.3.0	4.3.1	June 30, 2026
football-pool	football-pool	93	Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-2.12.4	2.12.5	June 30, 2026
Download Manager	download-manager	63	Download Manager <= 3.3.18 - Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode	LOW	*-3.3.18	3.3.19	June 30, 2026
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor	elementskit-lite	95	ElementsKit Lite <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget	LOW	*-3.5.2	3.5.3	June 30, 2026
Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing	woocommerce-google-adwords-conversion-tracking-tag	93	Pixel Manager for WooCommerce (PRO) <= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode	LOW	*-1.49.0	1.49.1	June 30, 2026
woo-line-notify	woo-line-notify	N/A	Woocommerce Line Notify <= 1.1.7 - Reflected Cross-Site Scripting	LOW	*-1.1.7		June 30, 2026
try-on-for-woocommerce	try-on-for-woocommerce	N/A	SpecFit-Virtual Try On Woocommerce <= 10.0.21 - Reflected Cross-Site Scripting	LOW	*-10.0.21	10.0.22	June 30, 2026
storyform	storyform	N/A	Storyform <= 0.6.14 - Reflected Cross-Site Scripting	LOW	*-0.6.14		June 30, 2026
smio-push-notification	smio-push-notification	N/A	Smart Notification <= 10.3 - Reflected Cross-Site Scripting	LOW	*-10.3		June 30, 2026
school-management	school-management	N/A	School Management <= 92.0.0 - Reflected Cross-Site Scripting	LOW	*-92.0.0		June 30, 2026
rss-feed-post-generator-echo	rss-feed-post-generator-echo	N/A	Echo RSS Feed Post Generator <= 5.4.8.1 - Reflected Cross-Site Scripting	LOW	*-5.4.8.1	5.4.9	June 30, 2026
js_composer	js_composer	93	WPBakery Page Builder <= 8.4.1 - Authenticated (Author+) Stored Cross-Site Scripting via Grid Builder	LOW	*-8.4.1	8.5	June 30, 2026
formlift	formlift	93	FormLift for Infusionsoft Web Forms <= 7.5.20 - Reflected Cross-Site Scripting	LOW	*-7.5.20	7.5.21	June 30, 2026
fastbook-responsive-appointment-booking-and-scheduling-system	fastbook-responsive-appointment-booking-and-scheduling-system	87	FastBook <= 1.1 - Reflected Cross-Site Scripting	LOW	*-1.1		June 30, 2026
easy-taxonomy-images	easy-taxonomy-images	91	Easy Taxonomy Images <= 1.0.1 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.0.1		June 30, 2026
easy-social-media	easy-social-media	91	Easy Social <= 1.3 - Reflected Cross-Site Scripting	LOW	*-1.3		June 30, 2026
bulk-youtube-post-creator	bulk-youtube-post-creator	91	Bulk YouTube Post Creator <= 1.0 - Reflected Cross-Site Scripting	LOW	*-1.0		June 30, 2026
Breeze Cache	breeze	79	Breeze <= 2.2.13 - Missing Authorization	LOW	*-2.2.13	2.2.14	June 30, 2026
all-in-one-wp-builder	all-in-one-wp-builder	95	AIO WP Builder <= 2.0.2 - Missing Authorization	LOW	*-2.0.2		June 30, 2026
AI Engine – The Chatbot, AI Framework & MCP for WordPress	ai-engine	82	AI Engine 2.8.0 - 2.8.3 - Authenticated (Subscriber+) Insufficient Authorization to Privilege Escalation via MCP	LOW	2.8.0-2.8.3	2.8.4	June 30, 2026
Ultra Addons for Contact Form 7	ultimate-addons-for-contact-form-7	70	Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options'	LOW	*-3.5.12	3.5.13	June 30, 2026
csv-me	csv-me	91	CSV Me <= 2.0 - Authenticated (Administrator+) Arbitrary File Upload	LOW	*-2.0		June 30, 2026
brid-video-easy-publish	brid-video-easy-publish	91	Target Video Easy Publish <= 3.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter	LOW	*-3.8.5	3.8.6	June 30, 2026
wp-marketing-automations	wp-marketing-automations	N/A	Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit <= 3.5.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation	LOW	*-3.5.3	3.6.0	June 30, 2026
pixabay-images	pixabay-images	N/A	Pixabay Images <= 3.4 - Authenticated (Author+) Arbitrary File Upload	LOW	*-3.4		June 30, 2026
valvepress-rankie	valvepress-rankie	N/A	Rankie - Wordpress Rank Tracker Plugin < 1.8.2 - Authenticated (Subscriber+) SQL Injection	LOW	[*, 1.8.2)	1.8.2	June 30, 2026
Master Slider – Responsive Touch Slider	master-slider	86	Master Slider <= 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via masterslider_pb and ms_slide Shortcodes	LOW	*-3.10.8	3.10.9	June 30, 2026
simple-logo-carousel	simple-logo-carousel	N/A	Simple Logo Carousel <= 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter	LOW	*-1.9.3	1.9.4	June 30, 2026
Drag and Drop Multiple File Upload for Contact Form 7	drag-and-drop-multiple-file-upload-contact-form-7	93	Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks	LOW	*-1.3.8.9	1.3.9.0	June 30, 2026
blog2social	blog2social	93	Blog2Social <= 8.4.4 - Authenticated (Subscriber+) SQL Injection via `prgSortPostType` Parameter	LOW	*-8.4.4	8.4.5	June 30, 2026
wise-chat	wise-chat	N/A	Wise Chat <= 3.3.4 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header	LOW	*-3.3.4	3.3.5	June 30, 2026
ajax-load-more	ajax-load-more	97	WordPress Infinite Scroll – Ajax Load More <= 7.4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting	LOW	*-7.4.0.1	7.4.1	June 30, 2026
yith-paypal-express-checkout-for-woocommerce	yith-paypal-express-checkout-for-woocommerce	N/A	YITH PayPal Express Checkout for WooCommerce <= 1.49.0 - Cross-Site Request Forgery	LOW	*-1.49.0	1.49.1	June 30, 2026
wp-dummy-content-generator	wp-dummy-content-generator	N/A	WP Dummy Content Generator <= 3.4.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion	LOW	*-3.4.6	4.0.0	June 30, 2026
ultimate-blocks	ultimate-blocks	N/A	Ultimate Blocks <= 3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.3.6	3.3.7	June 30, 2026
social-polls-by-opinionstage	social-polls-by-opinionstage	N/A	Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.9.0 - Incorrect Authorization to Authenticated (Contributor+) Plugin Settings Update	LOW	*-19.9.0	19.10.0	June 30, 2026
cf7-zoho	cf7-zoho	93	Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.3.0 - Unauthenticated PHP Object Injection	LOW	*-1.3.0	1.3.1	June 30, 2026
wp2leads	wp2leads	N/A	WP2LEADS <= 3.5.0 - Reflected Cross-Site Scripting	LOW	*-3.5.0	3.5.1	June 30, 2026
flexo-posts-manager	flexo-posts-manager	91	flexo-posts-manager <= 1.0001 - Reflected Cross-Site Scripting	LOW	*-1.0001		June 30, 2026
wp-sms	wp-sms	N/A	SMS <= 6.9.12 - Authenticated (Administrator+) SQL Injection	LOW	*-6.9.12	7.0	June 30, 2026
flexoslider	flexoslider	91	flexoslider <= 1.0004 - Reflected Cross-Site Scripting	LOW	*-1.0004		June 30, 2026
Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider	ml-slider	88	Slider, Gallery, and Carousel by MetaSlider <= 3.98.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via aria-label Parameter	LOW	*-3.98.0	3.99.0	June 30, 2026
yith-woocommerce-wishlist	yith-woocommerce-wishlist	N/A	YITH WooCommerce Wishlist <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter	LOW	*-4.5.0	4.6.0	June 30, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin	simply-schedule-appointments	N/A	Simply Schedule Appointments <= 1.6.8.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes	LOW	*-1.6.8.30	1.6.8.32	June 30, 2026
streamweasels-kick-integration	streamweasels-kick-integration	N/A	StreamWeasels Kick Integration <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via status-classic-offline-text Parameter	LOW	*-1.1.3	1.1.4	June 30, 2026
Click to Chat – HoliThemes	click-to-chat-for-whatsapp	90	Click to Chat <= 4.22 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via data-no_number Parameter	LOW	*-4.22	4.23	June 30, 2026
userpro	userpro	N/A	UserPro - Community and User Profile WordPress Plugin <= 5.1.10 - Unauthenticated Arbitrary File Read	LOW	*-5.1.10		June 30, 2026
yougler-blogger-profile-page	yougler-blogger-profile-page	N/A	Yougler Blogger Profile Page <= v1.01 - Cross-Site Request Forgery to Settings Update	LOW	* - v1.01		June 30, 2026
xisearch-bar	xisearch-bar	N/A	XiSearch bar <= 2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-2.6		June 30, 2026
wp-url-shortener	wp-url-shortener	N/A	WP URL Shortener <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-1.2		June 30, 2026
zen-social-sticky	zen-social-sticky	N/A	Zen Sticky Social <= 0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-0.3		June 30, 2026
easy-flashcards	easy-flashcards	91	Easy Flashcards <= 0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-0.1		June 30, 2026
ecava-diot-scada	ecava-diot-scada	91	DIOT SCADA with MQTT <= 1.0.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.0.5.1		June 30, 2026
ai-image-generator-lab	ai-image-generator-lab	95	AI Image Lab – Free AI Image Generator <= 1.0.6 - Cross-Site Request Forgery to API Key Update	LOW	*-1.0.6		June 30, 2026
kk-youtube-video	kk-youtube-video	91	kk Youtube Video <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-0.2		June 30, 2026
image-resizer-on-the-fly	image-resizer-on-the-fly	91	Image Resizer On The Fly <= 1.1 - Unauthenticated Arbitrary File Deletion	LOW	*-1.1		June 30, 2026
restrict-file-access	restrict-file-access	N/A	Restrict File Access <= 1.1.2 - Authenticated (Subscriber+) Arbitrary File Read	LOW	*-1.1.2		June 30, 2026
automatorwp	automatorwp	93	AutomatorWP <= 5.2.5 - Authenticated (Administrator+) SQL Injection via field_conditions	LOW	*-5.2.5	5.2.6	June 30, 2026
File Manager Pro – Filester	filester	78	File Manager Pro – Filester <= 1.8.8 - Authenticated (Administrator+) Arbitrary File Upload	LOW	*-1.8.8	1.8.9	June 30, 2026
wp-wizard-cloak	wp-wizard-cloak	N/A	Wizard Cloak <= 1.0.1 - Reflected Cross-Site Scripting	LOW	*-1.0.1		June 30, 2026
sharable-password-protected-posts	sharable-password-protected-posts	N/A	Sharable Password Protected Posts <= 1.1.0 - Unauthenticated Password protected Post Exposure	LOW	*-1.1.0	1.1.1	June 30, 2026
premmerce-user-roles	premmerce-user-roles	N/A	Premmerce User Roles <= 1.0.13 - Missing Authorization	LOW	*-1.0.13	1.0.14	June 30, 2026
auto-attachments	auto-attachments	91	Auto Attachments <= 1.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-1.8.5		June 30, 2026
traffic-monitor	traffic-monitor	N/A	Traffic Monitor <= 3.2.2 - Missing Authorization to Unauthenticated Settings Update	LOW	*-3.2.2	3.2.3	June 30, 2026
irm-newsroom	irm-newsroom	93	IRM Newsroom <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmcalendarview' Shortcode	LOW	*-1.2.19	1.2.20	June 30, 2026
irm-newsroom	irm-newsroom	93	IRM Newsroom <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmeventlist' Shortcode	LOW	*-1.2.19	1.2.20	June 30, 2026
irm-newsroom	irm-newsroom	93	IRM Newsroom <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmflat' Shortcode	LOW	*-1.2.19	1.2.20	June 30, 2026
color-palette	color-palette	91	Color Palette <= 4.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via hex Parameter	LOW	*-4.3.2		June 30, 2026
import-export-with-custom-rest-api	import-export-with-custom-rest-api	91	REST API \| Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function	LOW	1.0.0-2.0.3		June 30, 2026
indieblocks	indieblocks	93	IndieBlocks <= 0.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via kind Parameter	LOW	*-0.13.2	0.13.3	June 30, 2026
telegram-for-wp	telegram-for-wp	N/A	Telegram for WP <= 1.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-1.6.1		June 30, 2026
wp2html	wp2html	N/A	WP2HTML <= 1.0.2 - Cross-Site Request Forgery to Settings Update	LOW	*-1.0.2	1.0.3	June 30, 2026
link-shield	link-shield	89	Link Shield <= 0.5.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-0.5.4		June 30, 2026
digital-marketing-agency-templates-for-elementor	digital-marketing-agency-templates-for-elementor	91	Digital Marketing and Agency Templates Addons for Elementor <= 1.1.1 - Cross-Site Request Forgery to Import	LOW	*-1.1.1		June 30, 2026
wp-sliding-logindashboard-panel	wp-sliding-logindashboard-panel	N/A	WP Sliding Login/Dashboard Panel <= 2.1.1 - Cross-Site Request Forgery to Settings Update	LOW	*-2.1.1		June 30, 2026
contact-us-page-contact-people	contact-us-page-contact-people	89	Contact Us Page – Contact People <= 3.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via style Parameter	LOW	*-3.7.4		June 30, 2026
acf-onyx-poll	acf-onyx-poll	97	ACF Onyx Poll <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter	LOW	*-1.1.9	1.2.0	June 30, 2026
wpvr	wpvr	N/A	WP VR <= 8.5.26 - Authenticated (Contributor+) Arbitrary File Upload	LOW	*-8.5.26	8.5.27	June 30, 2026
wpecounter	wpecounter	N/A	WP Views Counter <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.0.3	2.0.4	June 30, 2026
wpcrm	wpcrm	N/A	WPCRM - CRM for Contact form CF7 & WooCommerce <= 3.2.0 - Unauthenticated SQL Injection	LOW	*-3.2.0		June 30, 2026
wpadverts	wpadverts	N/A	WPAdverts <= 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.2.4	2.2.5	June 30, 2026

LOW

cookie-script-com

Score: 93/100 Cookie-Script.com <= 1.2.1 - Missing Authorization Affected: *-1.2.1 Patched: 1.2.2 Updated: June 30, 2026

LOW

contentstudio

Score: 93/100 ContentStudio <= 1.3.7 - Missing Authorization Affected: *-1.3.7 Patched: 1.4.0 Updated: June 30, 2026

LOW

codepen-embed-block

Score: 91/100 CodePen Embed Block <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.1.1 Patched: Updated: June 30, 2026

LOW

code-engine

Score: 93/100 Code Engine <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.3.2 Patched: 0.3.3 Updated: June 30, 2026

LOW

cliplink

Score: 91/100 ClipLink <= 1.1 - Cross-Site Request Forgery Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

classified-listing

Score: 93/100 Classified Listing <= 4.2.0 - Authenticated (Contributor+) Local File Inclusion Affected: *-4.2.0 Patched: 4.2.1 Updated: June 30, 2026

LOW

chordpress

Score: 91/100 Lewe ChordPress <= 3.9.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-3.9.7 Patched: Updated: June 30, 2026

LOW

buying-buddy-idx-crm

Score: 93/100 Buying Buddy IDX CRM <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.3.0 Patched: 2.3.1 Updated: June 30, 2026

LOW

bluff-post

Score: 91/100 Bluff Post <= 1.1.1 - Cross-Site Request Forgery Affected: *-1.1.1 Patched: Updated: June 30, 2026

LOW

better-random-redirect

Score: 91/100 Better Random Redirect <= 1.3.20 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.3.20 Patched: Updated: June 30, 2026

LOW

bb-plugin

Score: 93/100 Beaver Builder Plugin (Starter Version) <= 2.9.1 - Authenticated (Administrator+) Arbitrary File Upload Affected: *-2.9.1 Patched: 2.9.1.1 Updated: June 30, 2026

LOW

automatorwp

Score: 93/100 AutomatorWP <= 5.2.4 - Authenticated (Administrator+) SQL Injection Affected: *-5.2.4 Patched: 5.2.5 Updated: June 30, 2026

LOW

automatically-hierarchic-categories-in-menu

Score: 93/100 Automatically Hierarchic Categories in Menu <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.0.9 Patched: 2.0.10 Updated: June 30, 2026

LOW

atp-call-now

Score: 91/100 ATP Call Now <= 1.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.0.3 Patched: Updated: June 30, 2026

LOW

app-builder

Score: 95/100 App Builder <= 5.5.7 - Missing Authorization Affected: *-5.5.7 Patched: 5.5.8 Updated: June 30, 2026

LOW

anonform-embedded-secure-form

Score: 97/100 ANON::form embedded secure form <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.7 Patched: 1.8 Updated: June 30, 2026

LOW

anant-addons-for-elementor

Score: 95/100 Anant Addons for Elementor <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2.0 Patched: Updated: June 30, 2026

LOW

acf-blocks

Score: 95/100 Gutenberg Blocks – ACF Blocks Suite <= 2.6.11 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.6.11 Patched: Updated: June 30, 2026

LOW

gutenverse-news

Score: 93/100 Gutenverse News <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via elementId Parameter Affected: *-1.0.4 Patched: 2.0.0 Updated: June 30, 2026

LOW

Score: 93/100 GiveWP – Donation Plugin and Fundraising Platform <= 4.3.0 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification Affected: *-4.3.0 Patched: 4.3.1 Updated: June 30, 2026

LOW

football-pool

Score: 93/100 Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-2.12.4 Patched: 2.12.5 Updated: June 30, 2026

LOW

Download Manager

download-manager

Score: 63/100 Download Manager <= 3.3.18 - Authenticated (Author+) Stored Cross-site Scripting via wpdm_user_dashboard Shortcode Affected: *-3.3.18 Patched: 3.3.19 Updated: June 30, 2026

LOW

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor

elementskit-lite

Score: 95/100 ElementsKit Lite <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison Widget Affected: *-3.5.2 Patched: 3.5.3 Updated: June 30, 2026

LOW

Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing

woocommerce-google-adwords-conversion-tracking-tag

Score: 93/100 Pixel Manager for WooCommerce (PRO) <= 1.49.0 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode Affected: *-1.49.0 Patched: 1.49.1 Updated: June 30, 2026

LOW

woo-line-notify

Score: N/A Woocommerce Line Notify <= 1.1.7 - Reflected Cross-Site Scripting Affected: *-1.1.7 Patched: Updated: June 30, 2026

LOW

try-on-for-woocommerce

Score: N/A SpecFit-Virtual Try On Woocommerce <= 10.0.21 - Reflected Cross-Site Scripting Affected: *-10.0.21 Patched: 10.0.22 Updated: June 30, 2026

LOW

storyform

Score: N/A Storyform <= 0.6.14 - Reflected Cross-Site Scripting Affected: *-0.6.14 Patched: Updated: June 30, 2026

LOW

smio-push-notification

Score: N/A Smart Notification <= 10.3 - Reflected Cross-Site Scripting Affected: *-10.3 Patched: Updated: June 30, 2026

LOW

school-management

Score: N/A School Management <= 92.0.0 - Reflected Cross-Site Scripting Affected: *-92.0.0 Patched: Updated: June 30, 2026

LOW

rss-feed-post-generator-echo

Score: N/A Echo RSS Feed Post Generator <= 5.4.8.1 - Reflected Cross-Site Scripting Affected: *-5.4.8.1 Patched: 5.4.9 Updated: June 30, 2026

LOW

js_composer

Score: 93/100 WPBakery Page Builder <= 8.4.1 - Authenticated (Author+) Stored Cross-Site Scripting via Grid Builder Affected: *-8.4.1 Patched: 8.5 Updated: June 30, 2026

LOW

formlift

Score: 93/100 FormLift for Infusionsoft Web Forms <= 7.5.20 - Reflected Cross-Site Scripting Affected: *-7.5.20 Patched: 7.5.21 Updated: June 30, 2026

LOW

fastbook-responsive-appointment-booking-and-scheduling-system

Score: 87/100 FastBook <= 1.1 - Reflected Cross-Site Scripting Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

easy-taxonomy-images

Score: 91/100 Easy Taxonomy Images <= 1.0.1 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.0.1 Patched: Updated: June 30, 2026

LOW

easy-social-media

Score: 91/100 Easy Social <= 1.3 - Reflected Cross-Site Scripting Affected: *-1.3 Patched: Updated: June 30, 2026

LOW

bulk-youtube-post-creator

Score: 91/100 Bulk YouTube Post Creator <= 1.0 - Reflected Cross-Site Scripting Affected: *-1.0 Patched: Updated: June 30, 2026

LOW

Breeze Cache

breeze

Score: 79/100 Breeze <= 2.2.13 - Missing Authorization Affected: *-2.2.13 Patched: 2.2.14 Updated: June 30, 2026

LOW

all-in-one-wp-builder

Score: 95/100 AIO WP Builder <= 2.0.2 - Missing Authorization Affected: *-2.0.2 Patched: Updated: June 30, 2026

LOW

AI Engine – The Chatbot, AI Framework & MCP for WordPress

ai-engine

Score: 82/100 AI Engine 2.8.0 - 2.8.3 - Authenticated (Subscriber+) Insufficient Authorization to Privilege Escalation via MCP Affected: 2.8.0-2.8.3 Patched: 2.8.4 Updated: June 30, 2026

LOW

Ultra Addons for Contact Form 7

ultimate-addons-for-contact-form-7

Score: 70/100 Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options' Affected: *-3.5.12 Patched: 3.5.13 Updated: June 30, 2026

LOW

csv-me

Score: 91/100 CSV Me <= 2.0 - Authenticated (Administrator+) Arbitrary File Upload Affected: *-2.0 Patched: Updated: June 30, 2026

LOW

brid-video-easy-publish

Score: 91/100 Target Video Easy Publish <= 3.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter Affected: *-3.8.5 Patched: 3.8.6 Updated: June 30, 2026

LOW

wp-marketing-automations

Score: N/A Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit <= 3.5.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation Affected: *-3.5.3 Patched: 3.6.0 Updated: June 30, 2026

LOW

pixabay-images

Score: N/A Pixabay Images <= 3.4 - Authenticated (Author+) Arbitrary File Upload Affected: *-3.4 Patched: Updated: June 30, 2026

LOW

valvepress-rankie

Score: N/A Rankie - Wordpress Rank Tracker Plugin < 1.8.2 - Authenticated (Subscriber+) SQL Injection Affected: [*, 1.8.2) Patched: 1.8.2 Updated: June 30, 2026

LOW

Master Slider – Responsive Touch Slider

master-slider

Score: 86/100 Master Slider <= 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via masterslider_pb and ms_slide Shortcodes Affected: *-3.10.8 Patched: 3.10.9 Updated: June 30, 2026

LOW

simple-logo-carousel

Score: N/A Simple Logo Carousel <= 1.9.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter Affected: *-1.9.3 Patched: 1.9.4 Updated: June 30, 2026

LOW

Drag and Drop Multiple File Upload for Contact Form 7

drag-and-drop-multiple-file-upload-contact-form-7

Score: 93/100 Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.9 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks Affected: *-1.3.8.9 Patched: 1.3.9.0 Updated: June 30, 2026

LOW

blog2social

Score: 93/100 Blog2Social <= 8.4.4 - Authenticated (Subscriber+) SQL Injection via `prgSortPostType` Parameter Affected: *-8.4.4 Patched: 8.4.5 Updated: June 30, 2026

LOW

wise-chat

Score: N/A Wise Chat <= 3.3.4 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header Affected: *-3.3.4 Patched: 3.3.5 Updated: June 30, 2026

LOW

ajax-load-more

Score: 97/100 WordPress Infinite Scroll – Ajax Load More <= 7.4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting Affected: *-7.4.0.1 Patched: 7.4.1 Updated: June 30, 2026

LOW

yith-paypal-express-checkout-for-woocommerce

Score: N/A YITH PayPal Express Checkout for WooCommerce <= 1.49.0 - Cross-Site Request Forgery Affected: *-1.49.0 Patched: 1.49.1 Updated: June 30, 2026

LOW

wp-dummy-content-generator

Score: N/A WP Dummy Content Generator <= 3.4.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Deletion Affected: *-3.4.6 Patched: 4.0.0 Updated: June 30, 2026

LOW

ultimate-blocks

Score: N/A Ultimate Blocks <= 3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.3.6 Patched: 3.3.7 Updated: June 30, 2026

LOW

social-polls-by-opinionstage

Score: N/A Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.9.0 - Incorrect Authorization to Authenticated (Contributor+) Plugin Settings Update Affected: *-19.9.0 Patched: 19.10.0 Updated: June 30, 2026

LOW

cf7-zoho

Score: 93/100 Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.3.0 - Unauthenticated PHP Object Injection Affected: *-1.3.0 Patched: 1.3.1 Updated: June 30, 2026

LOW

wp2leads

Score: N/A WP2LEADS <= 3.5.0 - Reflected Cross-Site Scripting Affected: *-3.5.0 Patched: 3.5.1 Updated: June 30, 2026

LOW

flexo-posts-manager

Score: 91/100 flexo-posts-manager <= 1.0001 - Reflected Cross-Site Scripting Affected: *-1.0001 Patched: Updated: June 30, 2026

LOW

wp-sms

Score: N/A SMS <= 6.9.12 - Authenticated (Administrator+) SQL Injection Affected: *-6.9.12 Patched: 7.0 Updated: June 30, 2026

LOW

flexoslider

Score: 91/100 flexoslider <= 1.0004 - Reflected Cross-Site Scripting Affected: *-1.0004 Patched: Updated: June 30, 2026

LOW

Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider

ml-slider

Score: 88/100 Slider, Gallery, and Carousel by MetaSlider <= 3.98.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via aria-label Parameter Affected: *-3.98.0 Patched: 3.99.0 Updated: June 30, 2026

LOW

yith-woocommerce-wishlist

Score: N/A YITH WooCommerce Wishlist <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter Affected: *-4.5.0 Patched: 4.6.0 Updated: June 30, 2026

LOW

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

simply-schedule-appointments

Score: N/A Simply Schedule Appointments <= 1.6.8.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes Affected: *-1.6.8.30 Patched: 1.6.8.32 Updated: June 30, 2026

LOW

streamweasels-kick-integration

Score: N/A StreamWeasels Kick Integration <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via status-classic-offline-text Parameter Affected: *-1.1.3 Patched: 1.1.4 Updated: June 30, 2026

LOW

Click to Chat – HoliThemes

click-to-chat-for-whatsapp

Score: 90/100 Click to Chat <= 4.22 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via data-no_number Parameter Affected: *-4.22 Patched: 4.23 Updated: June 30, 2026

LOW

userpro

Score: N/A UserPro - Community and User Profile WordPress Plugin <= 5.1.10 - Unauthenticated Arbitrary File Read Affected: *-5.1.10 Patched: Updated: June 30, 2026

LOW

yougler-blogger-profile-page

Score: N/A Yougler Blogger Profile Page <= v1.01 - Cross-Site Request Forgery to Settings Update Affected: * - v1.01 Patched: Updated: June 30, 2026

LOW

xisearch-bar

Score: N/A XiSearch bar <= 2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-2.6 Patched: Updated: June 30, 2026

LOW

wp-url-shortener

Score: N/A WP URL Shortener <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

zen-social-sticky

Score: N/A Zen Sticky Social <= 0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-0.3 Patched: Updated: June 30, 2026

LOW

easy-flashcards

Score: 91/100 Easy Flashcards <= 0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-0.1 Patched: Updated: June 30, 2026

LOW

ecava-diot-scada

Score: 91/100 DIOT SCADA with MQTT <= 1.0.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0.5.1 Patched: Updated: June 30, 2026

LOW

ai-image-generator-lab

Score: 95/100 AI Image Lab – Free AI Image Generator <= 1.0.6 - Cross-Site Request Forgery to API Key Update Affected: *-1.0.6 Patched: Updated: June 30, 2026

LOW

kk-youtube-video

Score: 91/100 kk Youtube Video <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.2 Patched: Updated: June 30, 2026

LOW

image-resizer-on-the-fly

Score: 91/100 Image Resizer On The Fly <= 1.1 - Unauthenticated Arbitrary File Deletion Affected: *-1.1 Patched: Updated: June 30, 2026

LOW

restrict-file-access

Score: N/A Restrict File Access <= 1.1.2 - Authenticated (Subscriber+) Arbitrary File Read Affected: *-1.1.2 Patched: Updated: June 30, 2026

LOW

automatorwp

Score: 93/100 AutomatorWP <= 5.2.5 - Authenticated (Administrator+) SQL Injection via field_conditions Affected: *-5.2.5 Patched: 5.2.6 Updated: June 30, 2026

LOW

File Manager Pro – Filester

filester

Score: 78/100 File Manager Pro – Filester <= 1.8.8 - Authenticated (Administrator+) Arbitrary File Upload Affected: *-1.8.8 Patched: 1.8.9 Updated: June 30, 2026

LOW

wp-wizard-cloak

Score: N/A Wizard Cloak <= 1.0.1 - Reflected Cross-Site Scripting Affected: *-1.0.1 Patched: Updated: June 30, 2026

LOW

sharable-password-protected-posts

Score: N/A Sharable Password Protected Posts <= 1.1.0 - Unauthenticated Password protected Post Exposure Affected: *-1.1.0 Patched: 1.1.1 Updated: June 30, 2026

LOW

premmerce-user-roles

Score: N/A Premmerce User Roles <= 1.0.13 - Missing Authorization Affected: *-1.0.13 Patched: 1.0.14 Updated: June 30, 2026

LOW

auto-attachments

Score: 91/100 Auto Attachments <= 1.8.5 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-1.8.5 Patched: Updated: June 30, 2026

LOW

traffic-monitor

Score: N/A Traffic Monitor <= 3.2.2 - Missing Authorization to Unauthenticated Settings Update Affected: *-3.2.2 Patched: 3.2.3 Updated: June 30, 2026

LOW

irm-newsroom

Score: 93/100 IRM Newsroom <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmcalendarview' Shortcode Affected: *-1.2.19 Patched: 1.2.20 Updated: June 30, 2026

LOW

irm-newsroom

Score: 93/100 IRM Newsroom <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmeventlist' Shortcode Affected: *-1.2.19 Patched: 1.2.20 Updated: June 30, 2026

LOW

irm-newsroom

Score: 93/100 IRM Newsroom <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmflat' Shortcode Affected: *-1.2.19 Patched: 1.2.20 Updated: June 30, 2026

LOW

color-palette

Score: 91/100 Color Palette <= 4.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via hex Parameter Affected: *-4.3.2 Patched: Updated: June 30, 2026

LOW

import-export-with-custom-rest-api

Score: 91/100 REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function Affected: 1.0.0-2.0.3 Patched: Updated: June 30, 2026

LOW

indieblocks

Score: 93/100 IndieBlocks <= 0.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via kind Parameter Affected: *-0.13.2 Patched: 0.13.3 Updated: June 30, 2026

LOW

telegram-for-wp

Score: N/A Telegram for WP <= 1.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-1.6.1 Patched: Updated: June 30, 2026

LOW

wp2html

Score: N/A WP2HTML <= 1.0.2 - Cross-Site Request Forgery to Settings Update Affected: *-1.0.2 Patched: 1.0.3 Updated: June 30, 2026

LOW

link-shield

Score: 89/100 Link Shield <= 0.5.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-0.5.4 Patched: Updated: June 30, 2026

LOW

digital-marketing-agency-templates-for-elementor

Score: 91/100 Digital Marketing and Agency Templates Addons for Elementor <= 1.1.1 - Cross-Site Request Forgery to Import Affected: *-1.1.1 Patched: Updated: June 30, 2026

LOW

wp-sliding-logindashboard-panel

Score: N/A WP Sliding Login/Dashboard Panel <= 2.1.1 - Cross-Site Request Forgery to Settings Update Affected: *-2.1.1 Patched: Updated: June 30, 2026

LOW

contact-us-page-contact-people

Score: 89/100 Contact Us Page – Contact People <= 3.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via style Parameter Affected: *-3.7.4 Patched: Updated: June 30, 2026

LOW

acf-onyx-poll

Score: 97/100 ACF Onyx Poll <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter Affected: *-1.1.9 Patched: 1.2.0 Updated: June 30, 2026

LOW

wpvr

Score: N/A WP VR <= 8.5.26 - Authenticated (Contributor+) Arbitrary File Upload Affected: *-8.5.26 Patched: 8.5.27 Updated: June 30, 2026

LOW

wpecounter

Score: N/A WP Views Counter <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.0.3 Patched: 2.0.4 Updated: June 30, 2026

LOW

wpcrm

Score: N/A WPCRM - CRM for Contact form CF7 & WooCommerce <= 3.2.0 - Unauthenticated SQL Injection Affected: *-3.2.0 Patched: Updated: June 30, 2026

LOW

wpadverts

Score: N/A WPAdverts <= 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.2.4 Patched: 2.2.5 Updated: June 30, 2026

Showing 8201 to 8300 of 36283 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 13:30 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List