Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36307

Across tracked plugins

Affected Plugins

With open vulnerabilities

Critical / High

Require immediate attention

Vulnerability List

Export CSV

Vulnerability list with plugin score and patch status
Plugin	Slug	Score	Vulnerability	Severity	Affected Versions	Patched	Updated
lastudio-element-kit	lastudio-element-kit	93	LA-Studio Element Kit for Elementor <= 1.5.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-lakit-element-link Parameter	LOW	*-1.5.2	1.5.3	June 30, 2026
minimal-share-buttons	minimal-share-buttons	93	Minimal Share Buttons <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter	LOW	*-1.7.3	1.7.4	June 30, 2026
wpematico	wpematico	N/A	WPeMatico RSS Feed Fetcher <= 2.8.3 - Missing Authorization	LOW	*-2.8.3	2.8.4	June 30, 2026
wp-posts-carousel	wp-posts-carousel	N/A	WP Posts Carousel <= 1.3.12 - Authenticated (Contributor+) PHP Object Injection	LOW	*-1.3.12	1.3.13	June 30, 2026
verge3d	verge3d	N/A	Verge3D <= 4.9.3 - Reflected Cross-Site Scripting	LOW	*-4.9.3	4.9.4	June 30, 2026
responsive-add-ons	responsive-add-ons	N/A	Responsive Plus <= 3.2.0 - Missing Authorization	LOW	*-3.2.0	3.2.1	June 30, 2026
quickcab	quickcab	N/A	QuickCab <= 1.3.3 - Missing Authorization	LOW	*-1.3.3		June 30, 2026
quick-contact-form	quick-contact-form	N/A	Quick Contact Form <= 8.2.1 - Reflected Cross-Site Scripting	LOW	*-8.2.1	8.2.2	June 30, 2026
infility-global	infility-global	81	Infility Global <= 2.12.7 - Authenticated (Subscriber+) SQL Injection	LOW	*-2.12.7		June 30, 2026
cf7-salesforce	cf7-salesforce	93	Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.4 - Unauthenticated Full Path Disclosure	LOW	*-1.4.4	1.4.5	June 30, 2026
browse-as	browse-as	91	Browse As <= 0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie	LOW	*-0.2		June 30, 2026
broadstreet	broadstreet	93	Broadstreet Ads <= 1.51.7 - Reflected Cross-Site Scripting	LOW	*-1.51.7	1.51.8	June 30, 2026
apptha-slider-gallery	apptha-slider-gallery	95	Apptha Slider Gallery <= 2.5 - Unauthenticated Arbitrary File Read	LOW	*-2.5		June 30, 2026
bold-page-builder	bold-page-builder	86	Bold Builder <= 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via additional_settings Parameter	LOW	*-5.3.6	5.3.7	June 30, 2026
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy	easy-digital-downloads	78	Easy Digital Downloads <= 3.3.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via edd_receipt Shortcode	LOW	*-3.3.8.1	3.3.9	June 30, 2026
map-block-leaflet	map-block-leaflet	93	Map Block Leaflet <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter	LOW	*-3.2.1	3.2.2	June 30, 2026
instagram-feed-pro	instagram-feed-pro	93	Smash Balloon Instagram Feed <= 6.9.0 (Free) & <= 6.8.0 (Pro) - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-plugin` Attribute	LOW	*-6.8.0	6.8.1	June 30, 2026
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin	instagram-feed	65	Smash Balloon Instagram Feed <= 6.9.0 (Free) & <= 6.8.0 (Pro) - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-plugin` Attribute	LOW	*-6.9.0	6.9.1	June 30, 2026
tarteaucitronjs	tarteaucitronjs	N/A	tarteaucitron.io <= 1.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.9.4	1.9.5	June 30, 2026
skt-builder	skt-builder	N/A	SKT Page Builder <= 4.9 - Missing Authorization	LOW	*-4.9	5.0	June 30, 2026
WP Extended – The Ultimate WordPress Toolkit	wpextended	N/A	WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload	LOW	*-3.0.15	3.0.16	June 30, 2026
wp-attachments	wp-attachments	N/A	WP Attachments <= 5.0.12 - Reflected Cross-Site Scripting via attachment_id Parameter	LOW	*-5.0.12	5.1	June 30, 2026
masterstudy-lms-learning-management-system-pro	masterstudy-lms-learning-management-system-pro	93	MasterStudy LMS Pro <= 4.7.0 - Authenticated (Subscriber+) Arbitrary File Upload	LOW	*-4.7.0	4.7.1	June 30, 2026
wp-lister-for-ebay	wp-lister-for-ebay	N/A	WP-Lister Lite for eBay <= 3.8.3 - Missing Authorization	LOW	*-3.8.3	3.8.5	June 30, 2026
pta-volunteer-sign-up-sheets	pta-volunteer-sign-up-sheets	N/A	Volunteer Sign Up Sheets <= 5.5.4 - Authenticated (Admin+) Stored Cross-site Scripting	LOW	*-5.5.4	5.5.5	June 30, 2026
inprosysmedia-likes-dislikes-post	inprosysmedia-likes-dislikes-post	89	Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection	LOW	*-1.0.0		June 30, 2026
add-search-to-menu	add-search-to-menu	97	Ivory Search – WordPress Search Plugin <= 5.5.9 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-5.5.9	5.5.10	June 30, 2026
property	property	N/A	Property 1.0.5 - 1.0.6 - Missing Authorization to Authenticated (Author+) Privilege Escalation via property_package_user_role Metadata in PayPal Registration	LOW	1.0.5-1.0.6	1.0.7	June 30, 2026
essential-blocks	essential-blocks	93	Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Slider and Post Carousel Widgets	LOW	*-5.4.0	5.4.1	June 30, 2026
mstore-api	mstore-api	N/A	MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.5 - Missing Authorization to Authenticated (Subscriber+) Posts Creation	LOW	*-4.17.5	4.17.6	June 30, 2026
exclusive-addons-for-elementor	exclusive-addons-for-elementor	93	Exclusive Addons for Elementor <= 2.7.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget	LOW	*-2.7.9.1	2.7.9.2	June 30, 2026
leadinfo	leadinfo	93	Leadinfo <= 1.1 - Missing Authorization to Unauthenticated Settings Change	LOW	*-1.1	2.1	June 30, 2026
wp-job-portal	wp-job-portal	N/A	WP Job Portal <= 2.3.2 - Unauthenticated Arbitrary File Download	LOW	*-2.3.2	2.3.3	June 30, 2026
visual-header	visual-header	N/A	Visual Header <= 1.3 - Missing Authorization	LOW	*-1.3	1.5	June 30, 2026
pagelayer	pagelayer	N/A	Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Reflected Cross-Site Scripting via login_url Parameter	LOW	*-2.0.0	2.0.1	June 30, 2026
store-manager-connector	store-manager-connector	N/A	eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_image()	LOW	*-1.2.5	1.3.0	June 30, 2026
store-manager-connector	store-manager-connector	N/A	eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Read	LOW	*-1.2.5	1.3.0	June 30, 2026
store-manager-connector	store-manager-connector	N/A	eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Deletion	LOW	*-1.2.5	1.3.0	June 30, 2026
store-manager-connector	store-manager-connector	N/A	eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_file()	LOW	*-1.2.5	1.3.0	June 30, 2026
4stats	4stats	95	4stats <= 2.0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting	LOW	*-2.0.9		June 30, 2026
smart-forms	smart-forms	N/A	Smart Forms <= 2.6.98 - Authenticated (Admin+) Stored Cross-Site Scripting	LOW	*-2.6.98	2.6.99	June 30, 2026
pagelayer	pagelayer	N/A	Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Link	LOW	*-2.0.0	2.0.1	June 30, 2026
jobhunt-notifications	jobhunt-notifications	91	JobHunt Job Alerts <= 3.6 - Missing Authorization to Unauthenticated Arbitrary Content Deletion	LOW	*-3.6		June 30, 2026
wp-smtp	wp-smtp	N/A	Solid Mail – SMTP email and logging made by SolidWP <= 2.1.5 - Unauthenticated Stored Cross-Site Scripting via Email	LOW	*-2.1.5	2.1.6	June 30, 2026
TablePress – Tables in WordPress made easy	tablepress	86	TablePress <= 3.1.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters	LOW	*-3.1.2	3.1.3	June 30, 2026
whatscart-for-woocommerce	whatscart-for-woocommerce	N/A	WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce <= 1.1.0 - Unauthenticated SQL Injection	LOW	*-1.1.0		June 30, 2026
user-meta	user-meta	N/A	User Meta <= 3.1.2 - Reflected Cross-Site Scripting	LOW	*-3.1.2		June 30, 2026
tournamatch	tournamatch	N/A	Tournamatch <= 4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-4.6.1	4.6.2	June 30, 2026
simple-business-directory-pro	simple-business-directory-pro	N/A	Simple Business Directory Pro < 15.6.9 - Unauthenticated Privilege Escalation	LOW	[*, 15.6.9)	15.6.9	June 30, 2026
scw-bus-seat-reservation	scw-bus-seat-reservation	N/A	Bus Ticket Booking with Seat Reservation for WooCommerce <= 1.7 - Unauthenticated SQL Injection	LOW	*-1.7		June 30, 2026
relentlosoftware	relentlosoftware	N/A	StyleAI <= 1.0.4 - Missing Authorization	LOW	*-1.0.4		June 30, 2026
redi-restaurant-reservation	redi-restaurant-reservation	N/A	ReDi Restaurant Reservation <= 24.1209 - Reflected Cross-Site Scripting	LOW	*-24.1209	25.0513	June 30, 2026
posts-table-filterable	posts-table-filterable	N/A	TableOn <= 1.0.5.1 - Unauthenticated Arbitrary Shortcode Execution	LOW	*-1.0.5.1	1.0.6	June 30, 2026
pixel-formbuilder	pixel-formbuilder	N/A	Pixel WordPress Form BuilderPlugin & Autoresponder <= 1.0.2 - Unauthenticated SQL Injection	LOW	*-1.0.2	1.0.3	June 30, 2026
miniorange-discord-integration	miniorange-discord-integration	91	miniOrange Discord Integration <= 2.2.2 - Unauthenticated Local File Inclusion	LOW	*-2.2.2		June 30, 2026
metalpriceapi	metalpriceapi	93	MetalpriceAPI <= 1.1.4 - Authenticated (Contributor+) Remote Code Execution	LOW	*-1.1.4	1.1.5	June 30, 2026
mapsvg	mapsvg	91	MapSVG <= 8.6.13 - Missing Authorization	LOW	[*, 8.6.13)	8.6.13	June 30, 2026
majestic-support	majestic-support	93	Majestic Support <= 1.1.0 - Unauthenticated SQL Injection	LOW	*-1.1.0	1.1.1	June 30, 2026
infocob-crm-forms	infocob-crm-forms	93	Infocob CRM Forms <= 2.4.0 - Authenticated (Editor+) Arbitrary File Download	LOW	*-2.4.0	2.4.1	June 30, 2026
hospital-management	hospital-management	83	Hospital Management System <= 47.0(20-11-2023) - Authenticated (Subscriber+) Privilege Escalation	LOW	* - 47.0(20-11-2023)		June 30, 2026
gdlr-hotel	gdlr-hotel	87	Goodlayers Hotel <= 3.1.4 - Unauthenticated SQL Injection	LOW	*-3.1.4		June 30, 2026
gdlr-hostel	gdlr-hostel	87	Goodlayers Hostel <= 3.1.2 - Unauthenticated SQL Injection	LOW	*-3.1.2		June 30, 2026
dzs-videogallery	dzs-videogallery	91	DZS Video Gallery <= 12.39 - Reflected Cross-Site Scripting	LOW	*-12.39	12.40	June 30, 2026
cryptocloud-crypto-payment-gateway	cryptocloud-crypto-payment-gateway	93	CryptoCloud - Crypto Payment Gateway <= 2.1.2 - Missing Authorization	LOW	*-2.1.2	2.3.2	June 30, 2026
booking-and-rental-manager-for-woocommerce	booking-and-rental-manager-for-woocommerce	93	Booking and Rental Manager <= 2.3.8 - Missing Authorization	LOW	*-2.3.8	2.3.9	June 30, 2026
advanced-database-cleaner-pro	advanced-database-cleaner-pro	97	Advanced Database Cleaner PRO <= 3.2.10 - Authenticated (Subscriber+) Limited Path Traversal	LOW	*-3.2.10	3.2.11	June 30, 2026
mapsvg	mapsvg	91	MapSVG - All Kinds of Maps and Store Locator for WordPress <= 8.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-8.6.4		June 30, 2026
hot-random-image	hot-random-image	93	Hot Random Image <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via link Parameter	LOW	*-1.9.2	1.9.3	June 30, 2026
hot-random-image	hot-random-image	93	Hot Random Image <= 1.9.2 - Path Traversal to Authenticated (Contributor+) Limited Arbitrary Image Access via path Parameter	LOW	*-1.9.2	1.9.3	June 30, 2026
wp-smart-import	wp-smart-import	N/A	WP Smart Import <= 1.1.3 - Unauthenticated Local File Inclusion	LOW	*-1.1.3	1.1.4	June 30, 2026
wp-event-manager	wp-event-manager	N/A	WP Event Manager <= 3.1.51 - Unauthenticated Local File Inclusion	LOW	*-3.1.51	3.2.0	June 30, 2026
WooCommerce	woocommerce	80	WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting	LOW	*-9.3.2, 9.4-9.4.2	9.3.4	June 30, 2026
wc-pagaleve	wc-pagaleve	N/A	Pix 4x sem juros - Pagaleve <= 1.6.9 - Unauthenticated PHP Object Injection	LOW	*-1.6.9	1.6.10	June 30, 2026
tourmaster	tourmaster	N/A	Tourmaster <= 5.3.8 - Unauthenticated Local File Inclusion	LOW	*-5.3.8	5.3.9	June 30, 2026
nasa-core	nasa-core	N/A	Nasa Core <= 6.3.2 - Unauthenticated Local File Inclusion	LOW	*-6.3.2		June 30, 2026
miniorange-login-openid	miniorange-login-openid	91	WordPress Social Login and Register <= 7.6.10 - Unauthenticated Local File Inclusion	LOW	*-7.6.10	7.7.0	June 30, 2026
knowledgebase-helpdesk-pro	knowledgebase-helpdesk-pro	91	KBx Pro Ultimate < 8.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion	LOW	[*, 8.0.5)	8.0.5	June 30, 2026
jp-students-result-system-premium	jp-students-result-system-premium	91	JP Students Result Management System Premium 1.1.7 - Unauthenticated Arbitrary File Upload	LOW	1.1.7		June 30, 2026
excel-like-price-change-for-woocommerce-and-wp-e-commerce-light	excel-like-price-change-for-woocommerce-and-wp-e-commerce-light	85	Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated Remote Code Execution	LOW	*-2.4.37		June 30, 2026
essential-real-estate	essential-real-estate	87	Essential Real Estate <= 5.2.1 - Unauthenticated Local File Inclusion	LOW	*-5.2.1		June 30, 2026
dzs-videogallery	dzs-videogallery	91	DZS Video Gallery <= 12.39 - Authenticated (Subscriber+) PHP Object Injection	LOW	*-12.39	12.40	June 30, 2026
blog-designer-pro	blog-designer-pro	86	Blog Designer PRO for WordPress <= 3.4.7 - Unauthenticated Local File Inclusion	LOW	*-3.4.7		June 30, 2026
binary-mlm-plan	binary-mlm-plan	91	Binary MLM Plan <= 3.0 - Unauthenticated SQL Injection	LOW	*-3.0	5.0	June 30, 2026
ap-plugin-scripteo	ap-plugin-scripteo	85	Ads Pro Plugin <= 4.89 - Unauthenticated Local File Inclusion	LOW	*-4.89		June 30, 2026
Slim SEO – A Fast & Automated SEO Plugin For WordPress	slim-seo	91	Slim SEO <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via slim_seo_breadcrumbs Shortcode	LOW	*-4.5.3	4.5.4	June 30, 2026
dpepress	dpepress	91	DPEPress <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-0.3		June 30, 2026
raisely-donation-form	raisely-donation-form	N/A	Raisely Donation Form <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via raisely_donation_form Shortcode	LOW	*-1.1	1.2	June 30, 2026
wp-youtube-video-optimizer	wp-youtube-video-optimizer	N/A	WP YouTube Video Optimizer <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.2		June 30, 2026
splitit-installment-payments	splitit-installment-payments	N/A	Splitit <= 4.2.8 - Missing Authorization to Multiple Administrative Actions	LOW	*-4.2.8	4.2.9	June 30, 2026
animated-buttons	animated-buttons	95	Animated Buttons <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	LOW	*-1.0.0		June 30, 2026
wecantrack	wecantrack	N/A	Affiliate Sales in Google Analytics and other tools <= 2.0.0 - Open Redirect	LOW	*-2.0.0	2.0.1	June 30, 2026
network-posts-extended	network-posts-extended	N/A	Network Posts Extended <= 7.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via post_height Parameter	LOW	*-7.7.1		June 30, 2026
wppedia	wppedia	N/A	Glossary by WPPedia <= 1.3.0 - Authenticated (Administrator+) PHP Object Injection	LOW	*-1.3.0		June 30, 2026
wp-post-modules-el	wp-post-modules-el	N/A	WP Post Modules for Elementor <= 2.5.0 - Reflected Cross-Site Scripting	LOW	*-2.5.0		June 30, 2026
theplus_elementor_addon	theplus_elementor_addon	N/A	The Plus Addons for Elementor Pro <= 6.3.6 - Missing Authorization	LOW	*-6.3.6	6.3.7	June 30, 2026
school-management	school-management	N/A	School Management <= 92.0.0 - Reflected Cross-Site Scripting	LOW	*-92.0.0		June 30, 2026
school-management	school-management	N/A	School Management <= 92.0.0 - Authenticated (Subscriber+) SQL Injection	LOW	*-92.0.0		June 30, 2026
inprosysmedia-likes-dislikes-post	inprosysmedia-likes-dislikes-post	89	Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection	LOW	*-1.0.0		June 30, 2026
hospital-management	hospital-management	83	Hospital Management System <= 47.0(20-11-2023) - Authenticated (Subscriber+) Arbitrary File Upload	LOW	* - 47.0(20-11-2023)		June 30, 2026
gdlr-hotel	gdlr-hotel	87	Goodlayers Hotel <= 3.1.4 - Unauthenticated PHP Object Injection	LOW	*-3.1.4		June 30, 2026

LOW

lastudio-element-kit

Score: 93/100 LA-Studio Element Kit for Elementor <= 1.5.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-lakit-element-link Parameter Affected: *-1.5.2 Patched: 1.5.3 Updated: June 30, 2026

LOW

minimal-share-buttons

Score: 93/100 Minimal Share Buttons <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter Affected: *-1.7.3 Patched: 1.7.4 Updated: June 30, 2026

LOW

wpematico

Score: N/A WPeMatico RSS Feed Fetcher <= 2.8.3 - Missing Authorization Affected: *-2.8.3 Patched: 2.8.4 Updated: June 30, 2026

LOW

wp-posts-carousel

Score: N/A WP Posts Carousel <= 1.3.12 - Authenticated (Contributor+) PHP Object Injection Affected: *-1.3.12 Patched: 1.3.13 Updated: June 30, 2026

LOW

verge3d

Score: N/A Verge3D <= 4.9.3 - Reflected Cross-Site Scripting Affected: *-4.9.3 Patched: 4.9.4 Updated: June 30, 2026

LOW

responsive-add-ons

Score: N/A Responsive Plus <= 3.2.0 - Missing Authorization Affected: *-3.2.0 Patched: 3.2.1 Updated: June 30, 2026

LOW

quickcab

Score: N/A QuickCab <= 1.3.3 - Missing Authorization Affected: *-1.3.3 Patched: Updated: June 30, 2026

LOW

quick-contact-form

Score: N/A Quick Contact Form <= 8.2.1 - Reflected Cross-Site Scripting Affected: *-8.2.1 Patched: 8.2.2 Updated: June 30, 2026

LOW

infility-global

Score: 81/100 Infility Global <= 2.12.7 - Authenticated (Subscriber+) SQL Injection Affected: *-2.12.7 Patched: Updated: June 30, 2026

LOW

cf7-salesforce

Score: 93/100 Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.4 - Unauthenticated Full Path Disclosure Affected: *-1.4.4 Patched: 1.4.5 Updated: June 30, 2026

LOW

browse-as

Score: 91/100 Browse As <= 0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie Affected: *-0.2 Patched: Updated: June 30, 2026

LOW

broadstreet

Score: 93/100 Broadstreet Ads <= 1.51.7 - Reflected Cross-Site Scripting Affected: *-1.51.7 Patched: 1.51.8 Updated: June 30, 2026

LOW

apptha-slider-gallery

Score: 95/100 Apptha Slider Gallery <= 2.5 - Unauthenticated Arbitrary File Read Affected: *-2.5 Patched: Updated: June 30, 2026

LOW

bold-page-builder

Score: 86/100 Bold Builder <= 5.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via additional_settings Parameter Affected: *-5.3.6 Patched: 5.3.7 Updated: June 30, 2026

LOW

Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

easy-digital-downloads

Score: 78/100 Easy Digital Downloads <= 3.3.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via edd_receipt Shortcode Affected: *-3.3.8.1 Patched: 3.3.9 Updated: June 30, 2026

LOW

map-block-leaflet

Score: 93/100 Map Block Leaflet <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter Affected: *-3.2.1 Patched: 3.2.2 Updated: June 30, 2026

LOW

instagram-feed-pro

Score: 93/100 Smash Balloon Instagram Feed <= 6.9.0 (Free) & <= 6.8.0 (Pro) - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-plugin` Attribute Affected: *-6.8.0 Patched: 6.8.1 Updated: June 30, 2026

LOW

Smash Balloon Social Photo Feed – Easy Social Feeds Plugin

instagram-feed

Score: 65/100 Smash Balloon Instagram Feed <= 6.9.0 (Free) & <= 6.8.0 (Pro) - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-plugin` Attribute Affected: *-6.9.0 Patched: 6.9.1 Updated: June 30, 2026

LOW

tarteaucitronjs

Score: N/A tarteaucitron.io <= 1.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.9.4 Patched: 1.9.5 Updated: June 30, 2026

LOW

skt-builder

Score: N/A SKT Page Builder <= 4.9 - Missing Authorization Affected: *-4.9 Patched: 5.0 Updated: June 30, 2026

LOW

WP Extended – The Ultimate WordPress Toolkit

wpextended

Score: N/A WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload Affected: *-3.0.15 Patched: 3.0.16 Updated: June 30, 2026

LOW

wp-attachments

Score: N/A WP Attachments <= 5.0.12 - Reflected Cross-Site Scripting via attachment_id Parameter Affected: *-5.0.12 Patched: 5.1 Updated: June 30, 2026

LOW

masterstudy-lms-learning-management-system-pro

Score: 93/100 MasterStudy LMS Pro <= 4.7.0 - Authenticated (Subscriber+) Arbitrary File Upload Affected: *-4.7.0 Patched: 4.7.1 Updated: June 30, 2026

LOW

wp-lister-for-ebay

Score: N/A WP-Lister Lite for eBay <= 3.8.3 - Missing Authorization Affected: *-3.8.3 Patched: 3.8.5 Updated: June 30, 2026

LOW

pta-volunteer-sign-up-sheets

Score: N/A Volunteer Sign Up Sheets <= 5.5.4 - Authenticated (Admin+) Stored Cross-site Scripting Affected: *-5.5.4 Patched: 5.5.5 Updated: June 30, 2026

LOW

inprosysmedia-likes-dislikes-post

Score: 89/100 Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

add-search-to-menu

Score: 97/100 Ivory Search – WordPress Search Plugin <= 5.5.9 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-5.5.9 Patched: 5.5.10 Updated: June 30, 2026

LOW

property

Score: N/A Property 1.0.5 - 1.0.6 - Missing Authorization to Authenticated (Author+) Privilege Escalation via property_package_user_role Metadata in PayPal Registration Affected: 1.0.5-1.0.6 Patched: 1.0.7 Updated: June 30, 2026

LOW

essential-blocks

Score: 93/100 Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Slider and Post Carousel Widgets Affected: *-5.4.0 Patched: 5.4.1 Updated: June 30, 2026

LOW

mstore-api

Score: N/A MStore API – Create Native Android & iOS Apps On The Cloud <= 4.17.5 - Missing Authorization to Authenticated (Subscriber+) Posts Creation Affected: *-4.17.5 Patched: 4.17.6 Updated: June 30, 2026

LOW

exclusive-addons-for-elementor

Score: 93/100 Exclusive Addons for Elementor <= 2.7.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget Affected: *-2.7.9.1 Patched: 2.7.9.2 Updated: June 30, 2026

LOW

leadinfo

Score: 93/100 Leadinfo <= 1.1 - Missing Authorization to Unauthenticated Settings Change Affected: *-1.1 Patched: 2.1 Updated: June 30, 2026

LOW

wp-job-portal

Score: N/A WP Job Portal <= 2.3.2 - Unauthenticated Arbitrary File Download Affected: *-2.3.2 Patched: 2.3.3 Updated: June 30, 2026

LOW

visual-header

Score: N/A Visual Header <= 1.3 - Missing Authorization Affected: *-1.3 Patched: 1.5 Updated: June 30, 2026

LOW

pagelayer

Score: N/A Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Reflected Cross-Site Scripting via login_url Parameter Affected: *-2.0.0 Patched: 2.0.1 Updated: June 30, 2026

LOW

store-manager-connector

Score: N/A eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_image() Affected: *-1.2.5 Patched: 1.3.0 Updated: June 30, 2026

LOW

store-manager-connector

Score: N/A eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Read Affected: *-1.2.5 Patched: 1.3.0 Updated: June 30, 2026

LOW

store-manager-connector

Score: N/A eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Deletion Affected: *-1.2.5 Patched: 1.3.0 Updated: June 30, 2026

LOW

store-manager-connector

Score: N/A eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_file() Affected: *-1.2.5 Patched: 1.3.0 Updated: June 30, 2026

LOW

4stats

Score: 95/100 4stats <= 2.0.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-2.0.9 Patched: Updated: June 30, 2026

LOW

smart-forms

Score: N/A Smart Forms <= 2.6.98 - Authenticated (Admin+) Stored Cross-Site Scripting Affected: *-2.6.98 Patched: 2.6.99 Updated: June 30, 2026

LOW

pagelayer

Score: N/A Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Link Affected: *-2.0.0 Patched: 2.0.1 Updated: June 30, 2026

LOW

jobhunt-notifications

Score: 91/100 JobHunt Job Alerts <= 3.6 - Missing Authorization to Unauthenticated Arbitrary Content Deletion Affected: *-3.6 Patched: Updated: June 30, 2026

LOW

wp-smtp

Score: N/A Solid Mail – SMTP email and logging made by SolidWP <= 2.1.5 - Unauthenticated Stored Cross-Site Scripting via Email Affected: *-2.1.5 Patched: 2.1.6 Updated: June 30, 2026

LOW

TablePress – Tables in WordPress made easy

tablepress

Score: 86/100 TablePress <= 3.1.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters Affected: *-3.1.2 Patched: 3.1.3 Updated: June 30, 2026

LOW

whatscart-for-woocommerce

Score: N/A WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce <= 1.1.0 - Unauthenticated SQL Injection Affected: *-1.1.0 Patched: Updated: June 30, 2026

LOW

user-meta

Score: N/A User Meta <= 3.1.2 - Reflected Cross-Site Scripting Affected: *-3.1.2 Patched: Updated: June 30, 2026

LOW

tournamatch

Score: N/A Tournamatch <= 4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-4.6.1 Patched: 4.6.2 Updated: June 30, 2026

LOW

simple-business-directory-pro

Score: N/A Simple Business Directory Pro < 15.6.9 - Unauthenticated Privilege Escalation Affected: [*, 15.6.9) Patched: 15.6.9 Updated: June 30, 2026

LOW

scw-bus-seat-reservation

Score: N/A Bus Ticket Booking with Seat Reservation for WooCommerce <= 1.7 - Unauthenticated SQL Injection Affected: *-1.7 Patched: Updated: June 30, 2026

LOW

relentlosoftware

Score: N/A StyleAI <= 1.0.4 - Missing Authorization Affected: *-1.0.4 Patched: Updated: June 30, 2026

LOW

redi-restaurant-reservation

Score: N/A ReDi Restaurant Reservation <= 24.1209 - Reflected Cross-Site Scripting Affected: *-24.1209 Patched: 25.0513 Updated: June 30, 2026

LOW

posts-table-filterable

Score: N/A TableOn <= 1.0.5.1 - Unauthenticated Arbitrary Shortcode Execution Affected: *-1.0.5.1 Patched: 1.0.6 Updated: June 30, 2026

LOW

pixel-formbuilder

Score: N/A Pixel WordPress Form BuilderPlugin & Autoresponder <= 1.0.2 - Unauthenticated SQL Injection Affected: *-1.0.2 Patched: 1.0.3 Updated: June 30, 2026

LOW

miniorange-discord-integration

Score: 91/100 miniOrange Discord Integration <= 2.2.2 - Unauthenticated Local File Inclusion Affected: *-2.2.2 Patched: Updated: June 30, 2026

LOW

metalpriceapi

Score: 93/100 MetalpriceAPI <= 1.1.4 - Authenticated (Contributor+) Remote Code Execution Affected: *-1.1.4 Patched: 1.1.5 Updated: June 30, 2026

LOW

mapsvg

Score: 91/100 MapSVG <= 8.6.13 - Missing Authorization Affected: [*, 8.6.13) Patched: 8.6.13 Updated: June 30, 2026

LOW

majestic-support

Score: 93/100 Majestic Support <= 1.1.0 - Unauthenticated SQL Injection Affected: *-1.1.0 Patched: 1.1.1 Updated: June 30, 2026

LOW

infocob-crm-forms

Score: 93/100 Infocob CRM Forms <= 2.4.0 - Authenticated (Editor+) Arbitrary File Download Affected: *-2.4.0 Patched: 2.4.1 Updated: June 30, 2026

LOW

hospital-management

Score: 83/100 Hospital Management System <= 47.0(20-11-2023) - Authenticated (Subscriber+) Privilege Escalation Affected: * - 47.0(20-11-2023) Patched: Updated: June 30, 2026

LOW

gdlr-hotel

Score: 87/100 Goodlayers Hotel <= 3.1.4 - Unauthenticated SQL Injection Affected: *-3.1.4 Patched: Updated: June 30, 2026

LOW

gdlr-hostel

Score: 87/100 Goodlayers Hostel <= 3.1.2 - Unauthenticated SQL Injection Affected: *-3.1.2 Patched: Updated: June 30, 2026

LOW

dzs-videogallery

Score: 91/100 DZS Video Gallery <= 12.39 - Reflected Cross-Site Scripting Affected: *-12.39 Patched: 12.40 Updated: June 30, 2026

LOW

cryptocloud-crypto-payment-gateway

Score: 93/100 CryptoCloud - Crypto Payment Gateway <= 2.1.2 - Missing Authorization Affected: *-2.1.2 Patched: 2.3.2 Updated: June 30, 2026

LOW

booking-and-rental-manager-for-woocommerce

Score: 93/100 Booking and Rental Manager <= 2.3.8 - Missing Authorization Affected: *-2.3.8 Patched: 2.3.9 Updated: June 30, 2026

LOW

advanced-database-cleaner-pro

Score: 97/100 Advanced Database Cleaner PRO <= 3.2.10 - Authenticated (Subscriber+) Limited Path Traversal Affected: *-3.2.10 Patched: 3.2.11 Updated: June 30, 2026

LOW

mapsvg

Score: 91/100 MapSVG - All Kinds of Maps and Store Locator for WordPress <= 8.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-8.6.4 Patched: Updated: June 30, 2026

LOW

hot-random-image

Score: 93/100 Hot Random Image <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via link Parameter Affected: *-1.9.2 Patched: 1.9.3 Updated: June 30, 2026

LOW

hot-random-image

Score: 93/100 Hot Random Image <= 1.9.2 - Path Traversal to Authenticated (Contributor+) Limited Arbitrary Image Access via path Parameter Affected: *-1.9.2 Patched: 1.9.3 Updated: June 30, 2026

LOW

wp-smart-import

Score: N/A WP Smart Import <= 1.1.3 - Unauthenticated Local File Inclusion Affected: *-1.1.3 Patched: 1.1.4 Updated: June 30, 2026

LOW

wp-event-manager

Score: N/A WP Event Manager <= 3.1.51 - Unauthenticated Local File Inclusion Affected: *-3.1.51 Patched: 3.2.0 Updated: June 30, 2026

LOW

WooCommerce

woocommerce

Score: 80/100 WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting Affected: *-9.3.2, 9.4-9.4.2 Patched: 9.3.4 Updated: June 30, 2026

LOW

wc-pagaleve

Score: N/A Pix 4x sem juros - Pagaleve <= 1.6.9 - Unauthenticated PHP Object Injection Affected: *-1.6.9 Patched: 1.6.10 Updated: June 30, 2026

LOW

tourmaster

Score: N/A Tourmaster <= 5.3.8 - Unauthenticated Local File Inclusion Affected: *-5.3.8 Patched: 5.3.9 Updated: June 30, 2026

LOW

nasa-core

Score: N/A Nasa Core <= 6.3.2 - Unauthenticated Local File Inclusion Affected: *-6.3.2 Patched: Updated: June 30, 2026

LOW

miniorange-login-openid

Score: 91/100 WordPress Social Login and Register <= 7.6.10 - Unauthenticated Local File Inclusion Affected: *-7.6.10 Patched: 7.7.0 Updated: June 30, 2026

LOW

knowledgebase-helpdesk-pro

Score: 91/100 KBx Pro Ultimate < 8.0.5 - Authenticated (Subscriber+) Arbitrary File Deletion Affected: [*, 8.0.5) Patched: 8.0.5 Updated: June 30, 2026

LOW

jp-students-result-system-premium

Score: 91/100 JP Students Result Management System Premium 1.1.7 - Unauthenticated Arbitrary File Upload Affected: 1.1.7 Patched: Updated: June 30, 2026

LOW

excel-like-price-change-for-woocommerce-and-wp-e-commerce-light

Score: 85/100 Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated Remote Code Execution Affected: *-2.4.37 Patched: Updated: June 30, 2026

LOW

essential-real-estate

Score: 87/100 Essential Real Estate <= 5.2.1 - Unauthenticated Local File Inclusion Affected: *-5.2.1 Patched: Updated: June 30, 2026

LOW

dzs-videogallery

Score: 91/100 DZS Video Gallery <= 12.39 - Authenticated (Subscriber+) PHP Object Injection Affected: *-12.39 Patched: 12.40 Updated: June 30, 2026

LOW

blog-designer-pro

Score: 86/100 Blog Designer PRO for WordPress <= 3.4.7 - Unauthenticated Local File Inclusion Affected: *-3.4.7 Patched: Updated: June 30, 2026

LOW

binary-mlm-plan

Score: 91/100 Binary MLM Plan <= 3.0 - Unauthenticated SQL Injection Affected: *-3.0 Patched: 5.0 Updated: June 30, 2026

LOW

ap-plugin-scripteo

Score: 85/100 Ads Pro Plugin <= 4.89 - Unauthenticated Local File Inclusion Affected: *-4.89 Patched: Updated: June 30, 2026

LOW

Slim SEO – A Fast & Automated SEO Plugin For WordPress

slim-seo

Score: 91/100 Slim SEO <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via slim_seo_breadcrumbs Shortcode Affected: *-4.5.3 Patched: 4.5.4 Updated: June 30, 2026

LOW

dpepress

Score: 91/100 DPEPress <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-0.3 Patched: Updated: June 30, 2026

LOW

raisely-donation-form

Score: N/A Raisely Donation Form <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via raisely_donation_form Shortcode Affected: *-1.1 Patched: 1.2 Updated: June 30, 2026

LOW

wp-youtube-video-optimizer

Score: N/A WP YouTube Video Optimizer <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.2 Patched: Updated: June 30, 2026

LOW

splitit-installment-payments

Score: N/A Splitit <= 4.2.8 - Missing Authorization to Multiple Administrative Actions Affected: *-4.2.8 Patched: 4.2.9 Updated: June 30, 2026

LOW

animated-buttons

Score: 95/100 Animated Buttons <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

wecantrack

Score: N/A Affiliate Sales in Google Analytics and other tools <= 2.0.0 - Open Redirect Affected: *-2.0.0 Patched: 2.0.1 Updated: June 30, 2026

LOW

network-posts-extended

Score: N/A Network Posts Extended <= 7.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via post_height Parameter Affected: *-7.7.1 Patched: Updated: June 30, 2026

LOW

wppedia

Score: N/A Glossary by WPPedia <= 1.3.0 - Authenticated (Administrator+) PHP Object Injection Affected: *-1.3.0 Patched: Updated: June 30, 2026

LOW

wp-post-modules-el

Score: N/A WP Post Modules for Elementor <= 2.5.0 - Reflected Cross-Site Scripting Affected: *-2.5.0 Patched: Updated: June 30, 2026

LOW

theplus_elementor_addon

Score: N/A The Plus Addons for Elementor Pro <= 6.3.6 - Missing Authorization Affected: *-6.3.6 Patched: 6.3.7 Updated: June 30, 2026

LOW

school-management

Score: N/A School Management <= 92.0.0 - Reflected Cross-Site Scripting Affected: *-92.0.0 Patched: Updated: June 30, 2026

LOW

school-management

Score: N/A School Management <= 92.0.0 - Authenticated (Subscriber+) SQL Injection Affected: *-92.0.0 Patched: Updated: June 30, 2026

LOW

inprosysmedia-likes-dislikes-post

Score: 89/100 Likes and Dislikes Plugin <= 1.0.0 - Unauthenticated SQL Injection Affected: *-1.0.0 Patched: Updated: June 30, 2026

LOW

hospital-management

Score: 83/100 Hospital Management System <= 47.0(20-11-2023) - Authenticated (Subscriber+) Arbitrary File Upload Affected: * - 47.0(20-11-2023) Patched: Updated: June 30, 2026

LOW

gdlr-hotel

Score: 87/100 Goodlayers Hotel <= 3.1.4 - Unauthenticated PHP Object Injection Affected: *-3.1.4 Patched: Updated: June 30, 2026

Showing 8701 to 8800 of 36307 results

Download: CSV JSON

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 30, 2026 at 19:38 UTC.

Known Plugin Vulnerabilities

Open Vulnerabilities

Affected Plugins

Critical / High

Recently Updated

Vulnerability List