Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36283

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
WP Travel Engine – Tour Booking Plugin – Tour Operator Software	wp-travel-engine	N/A	WP Travel Engine <= 6.5.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion	LOW	*-6.5.1	6.5.2	June 30, 2026
wp-marketing-automations	wp-marketing-automations	N/A	Automation By Autonami <= 3.6.0 - Open Redirect	LOW	*-3.6.0	3.6.1	June 30, 2026
wp-malware-removal	wp-malware-removal	N/A	Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal <= 16.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read	LOW	*-16.8	16.9	June 30, 2026
wp-employee-attendance-system	wp-employee-attendance-system	N/A	WP Employee Attendance System <= 3.5 - Authenticated (Administrator+) SQL Injection	LOW	*-3.5		June 30, 2026
widgetkit-pro	widgetkit-pro	N/A	WidgetKit Pro <= 1.13.1 - Reflected Cross-Site Scripting	LOW	*-1.13.1		June 30, 2026
Slim SEO – A Fast & Automated SEO Plugin For WordPress	slim-seo	91	Slim SEO <= 4.5.4 - Authenticated (Administrator+) SQL Injection	LOW	*-4.5.4	4.5.5	June 30, 2026
seriously-simple-podcasting	seriously-simple-podcasting	N/A	Seriously Simple Podcasting <= 3.13.0 - Missing Authorization	LOW	*-3.13.0	3.14.0	June 30, 2026
school-management	school-management	N/A	School Management <= 93.0.0 - Authenticated (Student+) Local File Inclusion	LOW	*-93.0.0		June 30, 2026
responsive-block-editor-addons	responsive-block-editor-addons	N/A	Responsive Blocks <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.0.5	2.0.6	June 30, 2026
responsive-add-ons	responsive-add-ons	N/A	Responsive Plus <= 3.2.2 - Cross-Site Request Forgery to Settings Update	LOW	*-3.2.2	3.2.3	June 30, 2026
profilegrid-user-profiles-groups-and-communities	profilegrid-user-profiles-groups-and-communities	N/A	ProfileGrid <= 5.9.5.2 - Authenticated (Subscriber+) Server-Side Request Forgery	LOW	*-5.9.5.2	5.9.5.3	June 30, 2026
postapanduri	postapanduri	N/A	PostaPanduri <= 2.1.3 - Unauthenticated SQL Injection	LOW	*-2.1.3	2.1.4	June 30, 2026
newsletter-optin-box	newsletter-optin-box	N/A	Noptin <= 3.8.7 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-3.8.7	4.0.0	June 30, 2026
nasa-core	nasa-core	N/A	Nasa Core < 6.4.4. - Reflected Cross-Site Scripting	LOW	[*, 6.4.4)	6.4.4	June 30, 2026
mycred	mycred	N/A	myCred <= 2.9.4.2 - Missing Authorization	LOW	*-2.9.4.2	2.9.4.3	June 30, 2026
mycred	mycred	N/A	myCred <= 2.9.4.2 - Missing Authorization	LOW	*-2.9.4.2	2.9.4.3	June 30, 2026
meks-flexible-shortcodes	meks-flexible-shortcodes	93	Meks Flexible Shortcodes <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.3.7	1.3.8	June 30, 2026
mapsvg	mapsvg	91	MapSVG < 8.7.4 - Authenticated (Contributor+) Arbitrary File Upload	LOW	[*, 8.7.4)	8.7.4	June 30, 2026
majestic-support	majestic-support	93	Majestic Support <= 1.1.0 - Missing Authorization	LOW	*-1.1.0	1.1.1	June 30, 2026
kama-clic-counter	kama-clic-counter	93	Kama Click Counter <= 4.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-4.0.3	4.0.4	June 30, 2026
if-so	if-so	93	If-So Dynamic Content Personalization <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.9.3.1	1.9.3.2	June 30, 2026
hydra-booking	hydra-booking	93	Hydra Booking <= 1.1.10 - Authenticated (Subscriber+) SQL Injection	LOW	*-1.1.10	1.1.11	June 30, 2026
hydra-booking	hydra-booking	93	Hydra Booking <= 1.1.9 - Missing Authorization	LOW	*-1.1.9	1.1.10	June 30, 2026
gym-management	gym-management	83	WPGYM <= 65.0 - Authenticated (Subscriber+) Local File Inclusion	LOW	*-65.0		June 30, 2026
game-review-block	game-review-block	93	Game Review Block <= 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter	LOW	*-4.8.1	4.8.2	June 30, 2026
fw-food-menu	fw-food-menu	89	FW Food Menu <= 6.0.0 - Unauthenticated Arbitrary File Upload	LOW	*-6.0.0		June 30, 2026
ebook-store	ebook-store	93	Ebook Store <= 5.8008 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-5.8008	5.8009	June 30, 2026
dc-woocommerce-multi-vendor	dc-woocommerce-multi-vendor	93	MultiVendorX <= 4.2.23 - Missing Authorization	LOW	*-4.2.23	4.2.24	June 30, 2026
CubeWP Framework	cubewp-framework	74	CubeWP Framework <= 1.1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.1.23	1.1.24	June 30, 2026
cubewp-forms	cubewp-forms	91	CubeWP Forms <= 1.1.5 - Missing Authorization	LOW	*-1.1.5	1.1.6	June 30, 2026
arconix-shortcodes	arconix-shortcodes	95	Arconix Shortcodes <= 2.1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.1.17	2.1.18	June 30, 2026
arconix-faq	arconix-faq	97	Arconix FAQ <= 1.9.6 - Missing Authorization	LOW	*-1.9.6	1.9.7	June 30, 2026
advanced-settings	advanced-settings	97	Advanced Settings <= 3.0.1 - Cross-Site Request Forgery	LOW	*-3.0.1	3.0.2	June 30, 2026
advanced-sermons	advanced-sermons	97	Advanced Sermons <= 3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.6	3.7	June 30, 2026
addfreestats	addfreestats	97	AFS Analytics <= 4.21 - Missing Authorization	LOW	*-4.21	4.22	June 30, 2026
miniorange-oauth-oidc-single-sign-on	miniorange-oauth-oidc-single-sign-on	93	WordPress Single Sign-On (SSO) - Multiple Versions - Incorrect Authorization to Sensitive Information Exposure	LOW	-18.5.3, -40.5.3, -28.5.3, -48.5.3, -30.5.3, -38.5.3, *-50.5.3	18.5.4	June 30, 2026
workreap	workreap	N/A	Workreap <= 3.3.2 - Authenticated (Subscriber+) Arbitrary File Upload via 'workreap_temp_upload_to_media'	LOW	*-3.3.2	3.3.3	June 30, 2026
workreap	workreap	N/A	Workreap <= 3.3.1 - Authentication Bypass via 'workreap_verify_user_account'	LOW	*-3.3.1	3.3.2	June 30, 2026
wp-tao	wp-tao	N/A	Track, Analyze & Optimize by WP Tao <= 1.3 - Reflected Cross-Site Scripting	LOW	*-1.3	1.3.1	June 30, 2026
wp-job-portal	wp-job-portal	N/A	WP Job Portal <= 2.3.2 - Unauthenticated SQL Injection	LOW	*-2.3.2	2.3.3	June 30, 2026
wp-fsqm-pro	wp-fsqm-pro	N/A	eForm - WordPress Form Builder < 4.19.1 - Reflected Cross-Site Scripting	LOW	[*, 4.19.1)	4.19.1	June 30, 2026
wc-partial-shipment	wc-partial-shipment	N/A	Woocommerce Partial Shipment <= 3.2 - Authenticated (Subscriber+) SQL Injection	LOW	*-3.2	3.3	June 30, 2026
ultimate-reviews	ultimate-reviews	N/A	Ultimate Reviews <= 3.2.14 - Reflected Cross-Site Scripting	LOW	*-3.2.14	3.2.15	June 30, 2026
smio-push-notification	smio-push-notification	N/A	Smart Notification <= 10.3 - Unauthenticated SQL Injection	LOW	*-10.3		June 30, 2026
school-management	school-management	N/A	School Management <= 92.0.0 - Unauthenticated SQL Injection	LOW	*-92.0.0		June 30, 2026
reformer-elementor	reformer-elementor	N/A	Reformer for Elementor <= 1.0.5 - Unauthenticated Arbitrary File Upload	LOW	*-1.0.5		June 30, 2026
ova-events-manager	ova-events-manager	N/A	Ovatheme Events Manager <= 1.8.4 - Unauthenticated Arbitrary File Upload	LOW	*-1.8.4	1.8.5	June 30, 2026
elite-video-player	elite-video-player	89	Elite Video Player <= 10.0.5 - Reflected Cross-Site Scripting	LOW	*-10.0.5		June 30, 2026
axle-demo-importer	axle-demo-importer	91	Axle Demo Importer <= 1.0.3 - Authenticated (Author+) Arbitrary File Upload	LOW	*-1.0.3		June 30, 2026
wp-downloadmanager	wp-downloadmanager	N/A	WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Read	LOW	*-1.68.10	1.68.11	June 30, 2026
zotpress	zotpress	N/A	ZotPress <= 7.3.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'nickname'	LOW	*-7.3.15	7.4	June 30, 2026
Xagio SEO – AI Powered SEO	xagio-seo	64	Xagio SEO <= 7.1.0.16 - Unauthenticated Stored Cross-Site Scripting via 'HTTP_REFERER'	LOW	*-7.1.0.16	7.1.0.17	June 30, 2026
wp-event-manager	wp-event-manager	N/A	WP Event Manager <= 3.1.49 - Authenticated (Administrator+) Stored Cross-Site Scripting	LOW	*-3.1.49	3.1.50	June 30, 2026
wp-downloadmanager	wp-downloadmanager	N/A	WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion	LOW	*-1.68.10	1.68.11	June 30, 2026
wp-automatic	wp-automatic	N/A	WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload	LOW	*-3.115.0	3.116.0	June 30, 2026
wc-designer-pro	wc-designer-pro	N/A	WooCommerce Designer Pro <= 1.9.24 - Unauthenticated Arbitrary File Upload	LOW	*-1.9.24		June 30, 2026
The Events Calendar	the-events-calendar	N/A	The Events Calendar <= 6.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting	LOW	*-6.13.2	6.13.2.1	June 30, 2026
pt-luxa-addons	pt-luxa-addons	N/A	PT Luxa Addons <= 1.2.2 - Authenticated (Subscriber+) Arbitrary File Deletion	LOW	*-1.2.2		June 30, 2026
fw-gallery	fw-gallery	87	FW Gallery <= 8.0.0 - Unauthenticated Arbitrary File Deletion	LOW	*-8.0.0		June 30, 2026
CubeWP Framework	cubewp-framework	74	CubeWP – All-in-One Dynamic Content Framework <= 1.1.23 - Authenticated (Subscriber+) Privilege Escalation	LOW	*-1.1.23	1.1.24	June 30, 2026
ultimate-blocks	ultimate-blocks	N/A	Ultimate Blocks – WordPress Blocks Plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets	LOW	*-3.3.3	3.3.4	June 30, 2026
premium-addons-for-elementor	premium-addons-for-elementor	N/A	Premium Addons for Elementor <= 4.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget	LOW	*-4.11.8	4.11.9	June 30, 2026
Smash Balloon Social Post Feed – Simple Social Feeds for WordPress	custom-facebook-feed	66	Smash Balloon Custom Facebook Feed <= 4.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-color` Attribute	LOW	*-4.3.1	4.3.2	June 30, 2026
elementor-pro	elementor-pro	93	Elementor Pro <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-3.29.0	3.29.1	June 30, 2026
woocommerce-abandon-cart-pro	woocommerce-abandon-cart-pro	N/A	Abandoned Cart Pro for WooCommerce <= 9.16.0 - Authenticated (Subscriber+) Arbitrary File Upload	LOW	*-9.16.0	9.17.0	June 30, 2026
bunnys-print-css	bunnys-print-css	91	Bunny’s Print CSS <= 0.95 - Cross-Site Request Forgery to Settings Update	LOW	*-0.95		June 30, 2026
wp-ticketbai	wp-ticketbai	N/A	TicketBAI Facturas para WooCommerce <= 3.19 - Unauthenticated SQL Injection	LOW	*-3.19	3.21	June 30, 2026
wp-lightbox-2	wp-lightbox-2	N/A	WP Lightbox 2 <= 3.0.6.7 - Unauthenticated Stored Cross-Site Scripting	LOW	*-3.0.6.7	3.0.6.8	June 30, 2026
widget-logic	widget-logic	N/A	Widget Logic <= 6.0.5 - Authenticated (Contributor+) Remote Code Execution	LOW	*-6.0.5	6.0.6	June 30, 2026
one-login	one-login	N/A	One-Login <= 1.4 - Unauthenticated Privilege Esclation	LOW	*-1.4		June 30, 2026
membership-for-woocommerce	membership-for-woocommerce	93	Membership For WooCommerce <= 2.8.1 - Missing Authorization	LOW	*-2.8.1	2.8.2	June 30, 2026
mapsvg	mapsvg	91	MapSVG < 8.6.13 - Authenticated (Contributor+) Privilege Esclation	LOW	[*, 8.6.13)	8.6.13	June 30, 2026
lbg-audio11-html5-shoutcast_history	lbg-audio11-html5-shoutcast_history	91	CLEVER <= 2.6 - Unauthenticated Arbitrary File Download	LOW	*-2.6		June 30, 2026
contact-form-lite	contact-form-lite	93	Easy Contact Form Lite <= 1.1.28 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.1.28	1.1.29	June 30, 2026
aeroscroll-gallery	aeroscroll-gallery	95	Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery <= 1.0.12 - Unauthenticated Directory Traversal	LOW	*-1.0.12		June 30, 2026
photo-gallery-portfolio	photo-gallery-portfolio	N/A	WordPress Photo Gallery <= 1.1.0 - Reflected Cross-Site Scripting	LOW	*-1.1.0		June 30, 2026
user-registration-aide	user-registration-aide	N/A	User Registration Aide <= 1.5.3.8 - Reflected Cross-Site Scripting	LOW	*-1.5.3.8		June 30, 2026
stock-locations-for-woocommerce	stock-locations-for-woocommerce	N/A	Stock Locations for WooCommerce <= 2.8.6 - Missing Authorization	LOW	*-2.8.6	2.8.7	June 30, 2026
backup-and-move	backup-and-move	91	Backup and Move <= 0.1 - Missing Authorization	LOW	*-0.1		June 30, 2026
am-login-logo	am-login-logo	95	Logo Changer <= 1.2 - Unauthenticated Stored Cross-Site Scripting	LOW	*-1.2		June 30, 2026
sassy-social-share	sassy-social-share	N/A	Social Sharing Plugin – Sassy Social Share <= 3.3.75 - Reflected Cross-Site Scripting via 'heateor_mastodon_share' Parameter	LOW	*-3.3.75	3.3.76	June 30, 2026
Event Booking Manager for WooCommerce	mage-eventpress	82	WpEvently <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-4.4.2	4.4.3	June 30, 2026
Essential Addons for Elementor – Popular Elementor Templates & Widgets	essential-addons-for-elementor-lite	85	Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.1.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Event Calendar Widget	LOW	*-6.1.12	6.1.13	June 30, 2026
Essential Addons for Elementor – Popular Elementor Templates & Widgets	essential-addons-for-elementor-lite	85	Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.1.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Pricing Table Widget	LOW	*-6.1.12	6.1.13	June 30, 2026
ltl-freight-quotes-freightview-edition	ltl-freight-quotes-freightview-edition	93	LTL Freight Quotes – Freightview Edition <= 1.0.11, LTL Freight Quotes – Daylight Edition <=2.2.6 and LTL Freight Quotes – Day & Ross Edition <= 2.1.10 - Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter	LOW	*-1.0.11	1.0.12	June 30, 2026
ltl-freight-quotes-daylight-edition	ltl-freight-quotes-daylight-edition	93	LTL Freight Quotes – Freightview Edition <= 1.0.11, LTL Freight Quotes – Daylight Edition <=2.2.6 and LTL Freight Quotes – Day & Ross Edition <= 2.1.10 - Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter	LOW	*-2.2.6	2.2.7	June 30, 2026
ltl-freight-quotes-day-ross-edition	ltl-freight-quotes-day-ross-edition	93	LTL Freight Quotes – Freightview Edition <= 1.0.11, LTL Freight Quotes – Daylight Edition <=2.2.6 and LTL Freight Quotes – Day & Ross Edition <= 2.1.10 - Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter	LOW	*-2.1.10	2.1.11	June 30, 2026
profiler-what-slowing-down	profiler-what-slowing-down	N/A	Profiler – What Slowing Down Your WP <= 1.0.0 - Missing Authentication to Unauthenticated Arbitrary Plugin Reactivation via State Restoration	LOW	*-1.0.0		June 30, 2026
wp-map-block	wp-map-block	N/A	WP Map Block <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.0.2	2.0.3	June 30, 2026
responsive-lightbox	responsive-lightbox	N/A	Responsive Lightbox & Gallery <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.5.1	2.5.2	June 30, 2026
product-quantity-for-woocommerce	product-quantity-for-woocommerce	N/A	Min Max Step Quantity Limits Manager for WooCommerce <= 5.1.0 - Cross-Site Request Forgery	LOW	*-5.1.0	5.1.1	June 30, 2026
easy-fancybox	easy-fancybox	93	Firelight Lightbox <= 2.3.15 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-2.3.15	2.3.16	June 30, 2026
civi-framework	civi-framework	93	Civi Framework <= 2.1.6.3 - Cross-Site Request Forgery	LOW	*-2.1.6.3	2.1.6.4	June 30, 2026
buddypress-docs	buddypress-docs	93	BuddyPress Docs <= 2.2.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Document Read/Update	LOW	*-2.2.4	2.2.5	June 30, 2026
audio-editor-recorder	audio-editor-recorder	93	Audio Editor & Recorder <= 2.2.1 - Missing Authorization	LOW	*-2.2.1	2.2.2	June 30, 2026
domain-for-sale	domain-for-sale	93	Domain For Sale <= 3.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter	LOW	*-3.0.10	3.0.11	June 30, 2026
Simple History – Track, Log, and Audit WordPress Changes	simple-history	77	Simple History <= 5.8.1 - Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode	LOW	*-5.8.1	5.8.2	June 30, 2026
stageshow	stageshow	N/A	StageShow <= 10.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via anchor Parameter	LOW	*-10.0.3		June 30, 2026
devformatter	devformatter	91	Developer Formatter <= 2015.0.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Custom CSS	LOW	*-2015.0.2.1		June 30, 2026
paged-gallery	paged-gallery	N/A	Paged Gallery <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-0.7		June 30, 2026

LOW

WP Travel Engine – Tour Booking Plugin – Tour Operator Software

wp-travel-engine

Score: N/A WP Travel Engine <= 6.5.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion Affected: *-6.5.1 Patched: 6.5.2 Updated: June 30, 2026

LOW

wp-marketing-automations

Score: N/A Automation By Autonami <= 3.6.0 - Open Redirect Affected: *-3.6.0 Patched: 3.6.1 Updated: June 30, 2026

LOW

Score: N/A Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal <= 16.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read Affected: *-16.8 Patched: 16.9 Updated: June 30, 2026

LOW

wp-employee-attendance-system

Score: N/A WP Employee Attendance System <= 3.5 - Authenticated (Administrator+) SQL Injection Affected: *-3.5 Patched: Updated: June 30, 2026

LOW

widgetkit-pro

Score: N/A WidgetKit Pro <= 1.13.1 - Reflected Cross-Site Scripting Affected: *-1.13.1 Patched: Updated: June 30, 2026

LOW

Slim SEO – A Fast & Automated SEO Plugin For WordPress

slim-seo

Score: 91/100 Slim SEO <= 4.5.4 - Authenticated (Administrator+) SQL Injection Affected: *-4.5.4 Patched: 4.5.5 Updated: June 30, 2026

LOW

seriously-simple-podcasting

Score: N/A Seriously Simple Podcasting <= 3.13.0 - Missing Authorization Affected: *-3.13.0 Patched: 3.14.0 Updated: June 30, 2026

LOW

school-management

Score: N/A School Management <= 93.0.0 - Authenticated (Student+) Local File Inclusion Affected: *-93.0.0 Patched: Updated: June 30, 2026

LOW

responsive-block-editor-addons

Score: N/A Responsive Blocks <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.0.5 Patched: 2.0.6 Updated: June 30, 2026

LOW

responsive-add-ons

Score: N/A Responsive Plus <= 3.2.2 - Cross-Site Request Forgery to Settings Update Affected: *-3.2.2 Patched: 3.2.3 Updated: June 30, 2026

LOW

profilegrid-user-profiles-groups-and-communities

Score: N/A ProfileGrid <= 5.9.5.2 - Authenticated (Subscriber+) Server-Side Request Forgery Affected: *-5.9.5.2 Patched: 5.9.5.3 Updated: June 30, 2026

LOW

postapanduri

Score: N/A PostaPanduri <= 2.1.3 - Unauthenticated SQL Injection Affected: *-2.1.3 Patched: 2.1.4 Updated: June 30, 2026

LOW

newsletter-optin-box

Score: N/A Noptin <= 3.8.7 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-3.8.7 Patched: 4.0.0 Updated: June 30, 2026

LOW

nasa-core

Score: N/A Nasa Core < 6.4.4. - Reflected Cross-Site Scripting Affected: [*, 6.4.4) Patched: 6.4.4 Updated: June 30, 2026

LOW

mycred

Score: N/A myCred <= 2.9.4.2 - Missing Authorization Affected: *-2.9.4.2 Patched: 2.9.4.3 Updated: June 30, 2026

LOW

mycred

Score: N/A myCred <= 2.9.4.2 - Missing Authorization Affected: *-2.9.4.2 Patched: 2.9.4.3 Updated: June 30, 2026

LOW

meks-flexible-shortcodes

Score: 93/100 Meks Flexible Shortcodes <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.3.7 Patched: 1.3.8 Updated: June 30, 2026

LOW

mapsvg

Score: 91/100 MapSVG < 8.7.4 - Authenticated (Contributor+) Arbitrary File Upload Affected: [*, 8.7.4) Patched: 8.7.4 Updated: June 30, 2026

LOW

majestic-support

Score: 93/100 Majestic Support <= 1.1.0 - Missing Authorization Affected: *-1.1.0 Patched: 1.1.1 Updated: June 30, 2026

LOW

kama-clic-counter

Score: 93/100 Kama Click Counter <= 4.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-4.0.3 Patched: 4.0.4 Updated: June 30, 2026

LOW

if-so

Score: 93/100 If-So Dynamic Content Personalization <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.9.3.1 Patched: 1.9.3.2 Updated: June 30, 2026

LOW

hydra-booking

Score: 93/100 Hydra Booking <= 1.1.10 - Authenticated (Subscriber+) SQL Injection Affected: *-1.1.10 Patched: 1.1.11 Updated: June 30, 2026

LOW

hydra-booking

Score: 93/100 Hydra Booking <= 1.1.9 - Missing Authorization Affected: *-1.1.9 Patched: 1.1.10 Updated: June 30, 2026

LOW

gym-management

Score: 83/100 WPGYM <= 65.0 - Authenticated (Subscriber+) Local File Inclusion Affected: *-65.0 Patched: Updated: June 30, 2026

LOW

game-review-block

Score: 93/100 Game Review Block <= 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter Affected: *-4.8.1 Patched: 4.8.2 Updated: June 30, 2026

LOW

fw-food-menu

Score: 89/100 FW Food Menu <= 6.0.0 - Unauthenticated Arbitrary File Upload Affected: *-6.0.0 Patched: Updated: June 30, 2026

LOW

ebook-store

Score: 93/100 Ebook Store <= 5.8008 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-5.8008 Patched: 5.8009 Updated: June 30, 2026

LOW

dc-woocommerce-multi-vendor

Score: 93/100 MultiVendorX <= 4.2.23 - Missing Authorization Affected: *-4.2.23 Patched: 4.2.24 Updated: June 30, 2026

LOW

CubeWP Framework

cubewp-framework

Score: 74/100 CubeWP Framework <= 1.1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.1.23 Patched: 1.1.24 Updated: June 30, 2026

LOW

cubewp-forms

Score: 91/100 CubeWP Forms <= 1.1.5 - Missing Authorization Affected: *-1.1.5 Patched: 1.1.6 Updated: June 30, 2026

LOW

arconix-shortcodes

Score: 95/100 Arconix Shortcodes <= 2.1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.1.17 Patched: 2.1.18 Updated: June 30, 2026

LOW

arconix-faq

Score: 97/100 Arconix FAQ <= 1.9.6 - Missing Authorization Affected: *-1.9.6 Patched: 1.9.7 Updated: June 30, 2026

LOW

advanced-settings

Score: 97/100 Advanced Settings <= 3.0.1 - Cross-Site Request Forgery Affected: *-3.0.1 Patched: 3.0.2 Updated: June 30, 2026

LOW

advanced-sermons

Score: 97/100 Advanced Sermons <= 3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.6 Patched: 3.7 Updated: June 30, 2026

LOW

addfreestats

Score: 97/100 AFS Analytics <= 4.21 - Missing Authorization Affected: *-4.21 Patched: 4.22 Updated: June 30, 2026

LOW

miniorange-oauth-oidc-single-sign-on

Score: 93/100 WordPress Single Sign-On (SSO) - Multiple Versions - Incorrect Authorization to Sensitive Information Exposure Affected: *-18.5.3, *-40.5.3, *-28.5.3, *-48.5.3, *-30.5.3, *-38.5.3, *-50.5.3 Patched: 18.5.4 Updated: June 30, 2026

LOW

workreap

Score: N/A Workreap <= 3.3.2 - Authenticated (Subscriber+) Arbitrary File Upload via 'workreap_temp_upload_to_media' Affected: *-3.3.2 Patched: 3.3.3 Updated: June 30, 2026

LOW

workreap

Score: N/A Workreap <= 3.3.1 - Authentication Bypass via 'workreap_verify_user_account' Affected: *-3.3.1 Patched: 3.3.2 Updated: June 30, 2026

LOW

wp-tao

Score: N/A Track, Analyze & Optimize by WP Tao <= 1.3 - Reflected Cross-Site Scripting Affected: *-1.3 Patched: 1.3.1 Updated: June 30, 2026

LOW

wp-job-portal

Score: N/A WP Job Portal <= 2.3.2 - Unauthenticated SQL Injection Affected: *-2.3.2 Patched: 2.3.3 Updated: June 30, 2026

LOW

wp-fsqm-pro

Score: N/A eForm - WordPress Form Builder < 4.19.1 - Reflected Cross-Site Scripting Affected: [*, 4.19.1) Patched: 4.19.1 Updated: June 30, 2026

LOW

wc-partial-shipment

Score: N/A Woocommerce Partial Shipment <= 3.2 - Authenticated (Subscriber+) SQL Injection Affected: *-3.2 Patched: 3.3 Updated: June 30, 2026

LOW

ultimate-reviews

Score: N/A Ultimate Reviews <= 3.2.14 - Reflected Cross-Site Scripting Affected: *-3.2.14 Patched: 3.2.15 Updated: June 30, 2026

LOW

smio-push-notification

Score: N/A Smart Notification <= 10.3 - Unauthenticated SQL Injection Affected: *-10.3 Patched: Updated: June 30, 2026

LOW

school-management

Score: N/A School Management <= 92.0.0 - Unauthenticated SQL Injection Affected: *-92.0.0 Patched: Updated: June 30, 2026

LOW

reformer-elementor

Score: N/A Reformer for Elementor <= 1.0.5 - Unauthenticated Arbitrary File Upload Affected: *-1.0.5 Patched: Updated: June 30, 2026

LOW

ova-events-manager

Score: N/A Ovatheme Events Manager <= 1.8.4 - Unauthenticated Arbitrary File Upload Affected: *-1.8.4 Patched: 1.8.5 Updated: June 30, 2026

LOW

elite-video-player

Score: 89/100 Elite Video Player <= 10.0.5 - Reflected Cross-Site Scripting Affected: *-10.0.5 Patched: Updated: June 30, 2026

LOW

axle-demo-importer

Score: 91/100 Axle Demo Importer <= 1.0.3 - Authenticated (Author+) Arbitrary File Upload Affected: *-1.0.3 Patched: Updated: June 30, 2026

LOW

wp-downloadmanager

Score: N/A WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Read Affected: *-1.68.10 Patched: 1.68.11 Updated: June 30, 2026

LOW

zotpress

Score: N/A ZotPress <= 7.3.15 - Authenticated (Author+) Stored Cross-Site Scripting via 'nickname' Affected: *-7.3.15 Patched: 7.4 Updated: June 30, 2026

LOW

Xagio SEO – AI Powered SEO

xagio-seo

Score: 64/100 Xagio SEO <= 7.1.0.16 - Unauthenticated Stored Cross-Site Scripting via 'HTTP_REFERER' Affected: *-7.1.0.16 Patched: 7.1.0.17 Updated: June 30, 2026

LOW

wp-event-manager

Score: N/A WP Event Manager <= 3.1.49 - Authenticated (Administrator+) Stored Cross-Site Scripting Affected: *-3.1.49 Patched: 3.1.50 Updated: June 30, 2026

LOW

wp-downloadmanager

Score: N/A WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion Affected: *-1.68.10 Patched: 1.68.11 Updated: June 30, 2026

LOW

wp-automatic

Score: N/A WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload Affected: *-3.115.0 Patched: 3.116.0 Updated: June 30, 2026

LOW

wc-designer-pro

Score: N/A WooCommerce Designer Pro <= 1.9.24 - Unauthenticated Arbitrary File Upload Affected: *-1.9.24 Patched: Updated: June 30, 2026

LOW

The Events Calendar

the-events-calendar

Score: N/A The Events Calendar <= 6.13.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting Affected: *-6.13.2 Patched: 6.13.2.1 Updated: June 30, 2026

LOW

pt-luxa-addons

Score: N/A PT Luxa Addons <= 1.2.2 - Authenticated (Subscriber+) Arbitrary File Deletion Affected: *-1.2.2 Patched: Updated: June 30, 2026

LOW

fw-gallery

Score: 87/100 FW Gallery <= 8.0.0 - Unauthenticated Arbitrary File Deletion Affected: *-8.0.0 Patched: Updated: June 30, 2026

LOW

CubeWP Framework

cubewp-framework

Score: 74/100 CubeWP – All-in-One Dynamic Content Framework <= 1.1.23 - Authenticated (Subscriber+) Privilege Escalation Affected: *-1.1.23 Patched: 1.1.24 Updated: June 30, 2026

LOW

ultimate-blocks

Score: N/A Ultimate Blocks – WordPress Blocks Plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets Affected: *-3.3.3 Patched: 3.3.4 Updated: June 30, 2026

LOW

premium-addons-for-elementor

Score: N/A Premium Addons for Elementor <= 4.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget Affected: *-4.11.8 Patched: 4.11.9 Updated: June 30, 2026

LOW

Smash Balloon Social Post Feed – Simple Social Feeds for WordPress

custom-facebook-feed

Score: 66/100 Smash Balloon Custom Facebook Feed <= 4.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-color` Attribute Affected: *-4.3.1 Patched: 4.3.2 Updated: June 30, 2026

LOW

elementor-pro

Score: 93/100 Elementor Pro <= 3.29.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-3.29.0 Patched: 3.29.1 Updated: June 30, 2026

LOW

woocommerce-abandon-cart-pro

Score: N/A Abandoned Cart Pro for WooCommerce <= 9.16.0 - Authenticated (Subscriber+) Arbitrary File Upload Affected: *-9.16.0 Patched: 9.17.0 Updated: June 30, 2026

LOW

bunnys-print-css

Score: 91/100 Bunny’s Print CSS <= 0.95 - Cross-Site Request Forgery to Settings Update Affected: *-0.95 Patched: Updated: June 30, 2026

LOW

wp-ticketbai

Score: N/A TicketBAI Facturas para WooCommerce <= 3.19 - Unauthenticated SQL Injection Affected: *-3.19 Patched: 3.21 Updated: June 30, 2026

LOW

wp-lightbox-2

Score: N/A WP Lightbox 2 <= 3.0.6.7 - Unauthenticated Stored Cross-Site Scripting Affected: *-3.0.6.7 Patched: 3.0.6.8 Updated: June 30, 2026

LOW

widget-logic

Score: N/A Widget Logic <= 6.0.5 - Authenticated (Contributor+) Remote Code Execution Affected: *-6.0.5 Patched: 6.0.6 Updated: June 30, 2026

LOW

one-login

Score: N/A One-Login <= 1.4 - Unauthenticated Privilege Esclation Affected: *-1.4 Patched: Updated: June 30, 2026

LOW

membership-for-woocommerce

Score: 93/100 Membership For WooCommerce <= 2.8.1 - Missing Authorization Affected: *-2.8.1 Patched: 2.8.2 Updated: June 30, 2026

LOW

mapsvg

Score: 91/100 MapSVG < 8.6.13 - Authenticated (Contributor+) Privilege Esclation Affected: [*, 8.6.13) Patched: 8.6.13 Updated: June 30, 2026

LOW

lbg-audio11-html5-shoutcast_history

Score: 91/100 CLEVER <= 2.6 - Unauthenticated Arbitrary File Download Affected: *-2.6 Patched: Updated: June 30, 2026

LOW

contact-form-lite

Score: 93/100 Easy Contact Form Lite <= 1.1.28 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.1.28 Patched: 1.1.29 Updated: June 30, 2026

LOW

aeroscroll-gallery

Score: 95/100 Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery <= 1.0.12 - Unauthenticated Directory Traversal Affected: *-1.0.12 Patched: Updated: June 30, 2026

LOW

photo-gallery-portfolio

Score: N/A WordPress Photo Gallery <= 1.1.0 - Reflected Cross-Site Scripting Affected: *-1.1.0 Patched: Updated: June 30, 2026

LOW

user-registration-aide

Score: N/A User Registration Aide <= 1.5.3.8 - Reflected Cross-Site Scripting Affected: *-1.5.3.8 Patched: Updated: June 30, 2026

LOW

stock-locations-for-woocommerce

Score: N/A Stock Locations for WooCommerce <= 2.8.6 - Missing Authorization Affected: *-2.8.6 Patched: 2.8.7 Updated: June 30, 2026

LOW

backup-and-move

Score: 91/100 Backup and Move <= 0.1 - Missing Authorization Affected: *-0.1 Patched: Updated: June 30, 2026

LOW

am-login-logo

Score: 95/100 Logo Changer <= 1.2 - Unauthenticated Stored Cross-Site Scripting Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

sassy-social-share

Score: N/A Social Sharing Plugin – Sassy Social Share <= 3.3.75 - Reflected Cross-Site Scripting via 'heateor_mastodon_share' Parameter Affected: *-3.3.75 Patched: 3.3.76 Updated: June 30, 2026

LOW

Event Booking Manager for WooCommerce

mage-eventpress

Score: 82/100 WpEvently <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-4.4.2 Patched: 4.4.3 Updated: June 30, 2026

LOW

Essential Addons for Elementor – Popular Elementor Templates & Widgets

essential-addons-for-elementor-lite

Score: 85/100 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.1.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Event Calendar Widget Affected: *-6.1.12 Patched: 6.1.13 Updated: June 30, 2026

LOW

Essential Addons for Elementor – Popular Elementor Templates & Widgets

essential-addons-for-elementor-lite

Score: 85/100 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.1.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Pricing Table Widget Affected: *-6.1.12 Patched: 6.1.13 Updated: June 30, 2026

LOW

ltl-freight-quotes-freightview-edition

Score: 93/100 LTL Freight Quotes – Freightview Edition <= 1.0.11, LTL Freight Quotes – Daylight Edition <=2.2.6 and LTL Freight Quotes – Day & Ross Edition <= 2.1.10 - Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter Affected: *-1.0.11 Patched: 1.0.12 Updated: June 30, 2026

LOW

ltl-freight-quotes-daylight-edition

LOW

ltl-freight-quotes-day-ross-edition

LOW

profiler-what-slowing-down

Score: N/A Profiler – What Slowing Down Your WP <= 1.0.0 - Missing Authentication to Unauthenticated Arbitrary Plugin Reactivation via State Restoration Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

wp-map-block

Score: N/A WP Map Block <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.0.2 Patched: 2.0.3 Updated: June 30, 2026

LOW

responsive-lightbox

Score: N/A Responsive Lightbox & Gallery <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.5.1 Patched: 2.5.2 Updated: June 30, 2026

LOW

product-quantity-for-woocommerce

Score: N/A Min Max Step Quantity Limits Manager for WooCommerce <= 5.1.0 - Cross-Site Request Forgery Affected: *-5.1.0 Patched: 5.1.1 Updated: June 30, 2026

LOW

easy-fancybox

Score: 93/100 Firelight Lightbox <= 2.3.15 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-2.3.15 Patched: 2.3.16 Updated: June 30, 2026

LOW

civi-framework

Score: 93/100 Civi Framework <= 2.1.6.3 - Cross-Site Request Forgery Affected: *-2.1.6.3 Patched: 2.1.6.4 Updated: June 30, 2026

LOW

buddypress-docs

Score: 93/100 BuddyPress Docs <= 2.2.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Document Read/Update Affected: *-2.2.4 Patched: 2.2.5 Updated: June 30, 2026

LOW

audio-editor-recorder

Score: 93/100 Audio Editor & Recorder <= 2.2.1 - Missing Authorization Affected: *-2.2.1 Patched: 2.2.2 Updated: June 30, 2026

LOW

domain-for-sale

Score: 93/100 Domain For Sale <= 3.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter Affected: *-3.0.10 Patched: 3.0.11 Updated: June 30, 2026

LOW

Simple History – Track, Log, and Audit WordPress Changes

simple-history

Score: 77/100 Simple History <= 5.8.1 - Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode Affected: *-5.8.1 Patched: 5.8.2 Updated: June 30, 2026

LOW

stageshow

Score: N/A StageShow <= 10.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via anchor Parameter Affected: *-10.0.3 Patched: Updated: June 30, 2026

LOW

devformatter

Score: 91/100 Developer Formatter <= 2015.0.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Custom CSS Affected: *-2015.0.2.1 Patched: Updated: June 30, 2026

LOW

paged-gallery

Score: N/A Paged Gallery <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.7 Patched: Updated: June 30, 2026

Showing 8301 to 8400 of 36283 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 14:48 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List