Known Plugin Vulnerabilities

Track known vulnerabilities from configured sources. Default view shows all open and closed vulnerabilities, ordered by most recently updated first.

Open Vulnerabilities

36189

Across tracked plugins

Affected Plugins

86

With open vulnerabilities

Critical / High

0

Require immediate attention

Recently Updated

0

In the last 30 days

Vulnerability List

Vulnerability list with plugin score and patch status
Plugin | Slug | Score | Vulnerability | CVE ID | Severity | Affected Versions | Patched | Updated
advanced-custom-fields-font-awesome advanced-custom-fields-font-awesome
97
Advanced Custom Fields: Font Awesome Field <= 5.0.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via JSON Field LOW *-5.0.2 6.0.0 June 29, 2026
advanced-access-manager advanced-access-manager
97
Advanced Access Manager – Access Governance for WordPress <= 7.1.0 - Missing Authorization LOW *-7.1.0 7.1.1 June 29, 2026
Royal Addons for Elementor – Addons and Templates Kit for Elementor royal-elementor-addons N/A Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter LOW *-1.7.1058 1.7.1059 June 29, 2026
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder user-registration N/A User Registration & Membership <= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter LOW *-5.1.5 5.1.6 June 29, 2026
infusedwoopro infusedwoopro
93
InfusedWoo Pro <= 5.1.2 - Unauthenticated Arbitrary File Read via 'url' Parameter LOW *-5.1.2 5.1.3 June 29, 2026
mw-wp-form mw-wp-form N/A MW WP Form <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'post_id' Query Parameter LOW *-5.1.2 5.1.3 June 29, 2026
cc-child-pages cc-child-pages
93
CC Child Pages <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'more' Parameter LOW *-2.1.1 2.1.2 June 29, 2026
infusedwoopro infusedwoopro
93
InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters LOW *-5.1.2 5.1.3 June 29, 2026
taskbuilder taskbuilder N/A Taskbuilder – Project Management & Task Management Tool With Kanban Board <= 5.0.6 - Authenticated (Subscriber+) Time-Based Blind SQL Injection via 'project_search' Parameter LOW *-5.0.6 5.0.7 June 29, 2026
bold-page-builder bold-page-builder
86
Bold Page Builder <= 5.6.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_button Shortcode LOW *-5.6.8 5.6.9 June 29, 2026
display-a-meta-field-as-block display-a-meta-field-as-block
93
Meta Field Block <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tagName' Block Attribute LOW *-1.5.2 1.5.3 June 29, 2026
media-sync media-sync
93
Media Sync <= 1.4.9 - Authenticated (Author+) Path Traversal via 'sub_dir' and 'media_items' Parameters LOW *-1.4.9 1.5.0 June 29, 2026
infusedwoopro infusedwoopro
93
InfusedWoo Pro <= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary User Meta Update LOW *-5.1.2 5.1.3 June 29, 2026
infusedwoopro infusedwoopro
93
InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe' LOW *-5.1.2 5.1.3 June 29, 2026
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder fluentform
78
Fluent Forms <= 6.2.0 - Authenticated (Subscriber+) Authorization Bypass via 'table' Parameter LOW *-6.2.0 6.2.1 June 29, 2026
Essential Addons for Elementor – Popular Elementor Templates & Widgets essential-addons-for-elementor-lite
85
Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.13 - Authenticated (Author+) Limited Privilege Escalation via register_user LOW *-6.5.13 6.6.0 June 29, 2026
worker worker N/A ManageWP Worker <= 4.9.31 - Unauthenticated Stored Cross-Site Scripting via 'MWP-Key-Name' Header LOW *-4.9.31 4.9.32 June 29, 2026
career-section career-section
93
Career Section <= 1.7 - Unauthenticated Arbitrary File Upload LOW *-1.7 1.8 June 29, 2026
motors-car-dealership-classified-listings motors-car-dealership-classified-listings N/A Motors – Car Dealer, Classifieds & Listing <= 1.4.107 - Authenticated (Subscriber+) Arbitrary File Deletion via 'stm_dealer_logo_path' Parameter LOW *-1.4.107 1.4.108 June 29, 2026
LatePoint – Calendar Booking Plugin for Appointments and Events latepoint
83
LatePoint <= 5.3.2 - Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route LOW *-5.3.2 5.4.0 June 29, 2026
gls-shipping-for-woocommerce gls-shipping-for-woocommerce
93
GLS Shipping for WooCommerce <= 1.4.0 - Reflected Cross-Site Scripting via 'failed_orders' LOW *-1.4.0 1.4.1 June 29, 2026
interactive-geo-maps interactive-geo-maps
93
MapGeo - Interactive Geo Maps <= 1.6.27 - Reflected Cross-Site Scripting via 'map' Parameter LOW *-1.6.27 1.6.28 June 29, 2026
wp-letsencrypt-ssl wp-letsencrypt-ssl N/A WP Encryption - One Click SSL & Force HTTPS <= 7.8.5.10 - Missing Authorization to Authenticated (Subscriber+) SSL Setup Tampering LOW *-7.8.5.10 7.8.5.11 June 29, 2026
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder fluentform
78
Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter LOW *-6.1.21 6.2.0 June 29, 2026
Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) burst-statistics
74
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover LOW 3.4.0-3.4.1.1 3.4.2 June 29, 2026
learnpress learnpress
93
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses <= 4.3.5 - Authenticated (Subscriber+) Payment Bypass to Free Course Enrollment via 'quantity' Parameter LOW *-4.3.5 4.3.6 June 29, 2026
Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More envira-gallery-lite
94
Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter LOW *-1.12.4 1.12.5 June 29, 2026
unlimited-elements-for-elementor unlimited-elements-for-elementor N/A Unlimited Elements For Elementor <= 2.0.7 - Authenticated (Contributor+) SQL Injection via 'filter_search' Parameter LOW *-2.0.7 2.0.8 June 29, 2026
Redirection for Contact Form 7 wpcf7-redirect N/A Redirection for Contact Form 7 <= 3.2.8 - Unauthenticated Stored Cross-Site Scripting LOW *-3.2.8 3.2.9 June 29, 2026
wp-db-backup wp-db-backup N/A Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database Backup Interception LOW *-2.5.2 2.5.3 June 29, 2026
wp-db-backup wp-db-backup N/A Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Arbitrary File Read and Deletion LOW *-2.5.2 2.5.3 June 29, 2026
wp-db-backup wp-db-backup N/A Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database Export LOW *-2.5.2 2.5.3 June 29, 2026
the-plus-addons-for-elementor-page-builder the-plus-addons-for-elementor-page-builder N/A The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Navigation Menu Lite Widget LOW *-6.4.11 6.4.12 June 29, 2026
omnisend-connect omnisend-connect N/A Omnisend for WooCommerce <= 1.18.0 - Unauthenticated Omnisend Account Takeover via Predictable Connect Token LOW *-1.18.0 1.18.1 June 29, 2026
my-calendar my-calendar N/A My Calendar <= 3.7.9 - Authenticated (Custom+) Missing Authorization to Unauthorized Event Publication via 'event_approved' Parameter LOW *-3.7.9 3.7.10 June 29, 2026
js_composer js_composer
93
WPBakery Page Builder <= 8.7.2 - Missing Authorization LOW *-8.7.2 8.7.3 June 29, 2026
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory geodirectory
66
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory <= 2.8.157 - Missing Authorization LOW *-2.8.157 2.8.158 June 29, 2026
fusion-builder fusion-builder
93
Avada Builder <= 3.15.1 - Unauthenticated SQL Injection via 'product_order' Parameter LOW *-3.15.1 3.15.2 June 29, 2026
fusion-builder fusion-builder
93
Avada Builder <= 3.15.2 - Authenticated (Subscriber+) Arbitrary File Read via 'custom_svg' Shortcode Parameter LOW *-3.15.2 3.15.3 June 29, 2026
tutor tutor N/A Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter LOW *-3.9.9 3.9.10 June 29, 2026
joomsport-sports-league-results-management joomsport-sports-league-results-management
93
JoomSport <= 5.7.7 - Unauthenticated SQL Injection via 'sortf' Parameter LOW *-5.7.7 5.7.8 June 29, 2026
wc-support-system wc-support-system N/A ilGhera Support System for WooCommerce <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure LOW *-1.3.0 1.3.1 June 29, 2026
cost-of-goods-for-woocommerce cost-of-goods-for-woocommerce
93
Cost of Goods: Product Cost & Profit Calculator for WooCommerce <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting LOW *-4.1.0 4.1.1 June 29, 2026
charitable charitable
93
Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter LOW *-1.8.10.4 1.8.10.5 June 29, 2026
broadstreet broadstreet
93
Broadstreet <= 1.53.1 - Missing Authorization to Authenticated (Subscriber+) Advertiser Creation LOW *-1.53.1 1.53.2 June 29, 2026
broadstreet broadstreet
93
Broadstreet <= 1.53.1 - Authenticated (Subscriber+) Information Disclosure LOW *-1.53.1 1.53.2 June 29, 2026
broadstreet broadstreet
93
Broadstreet <= 1.53.1 - Authenticated (Admin+) Stored Cross-Site Scripting LOW *-1.53.1 1.53.2 June 29, 2026
blog2social blog2social
93
Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter LOW *-8.9.0 8.9.1 June 29, 2026
cost-calculator-builder cost-calculator-builder
93
Cost Calculator Builder <= 4.0.1 - Unauthenticated Price Manipulation and Insecure Direct Object Reference LOW *-4.0.1 4.0.2 June 29, 2026
court-reservation court-reservation
89
Court Reservation – Manage Your Court Bookings Online <= 1.10.11 - Unauthenticated SQL Injection LOW *-1.10.11 1.10.12 June 29, 2026
acf-extended acf-extended
97
Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution LOW *-0.9.2.3 0.9.2.4 June 29, 2026
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) google-analytics-for-wordpress
72
MonsterInsights <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset LOW *-10.1.2 10.1.3 June 29, 2026
wpc-badge-management wpc-badge-management N/A WPC Badge Management for WooCommerce <= 3.1.6 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'text' Attribute LOW *-3.1.6 3.1.7 June 29, 2026
Hustle – Email Marketing, Lead Generation, Optins, Popups wordpress-popup
91
Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.1 - Missing Authorization LOW *-7.8.10.1 7.8.10.2 June 29, 2026
smart-manager-for-wp-e-commerce smart-manager-for-wp-e-commerce N/A Smart Manager – Advanced WooCommerce Bulk Edit & Inventory Management <= 8.85.0 - Authenticated (Contributor+) Privilege Escalation LOW *-8.85.0 8.86.0 June 29, 2026
rometheme-for-elementor rometheme-for-elementor N/A RTMKit Addons for Elementor <= 2.0.2 - Authenticated (Author+) Local File Inclusion via 'path' LOW *-2.0.2 2.0.3 June 29, 2026
rometheme-for-elementor rometheme-for-elementor N/A RTMKit Addons for Elementor <= 2.0.2 - Authenticated (Author+) Missing Authorization to Widget Configuration Modification LOW *-2.0.2 2.0.3 June 29, 2026
Five Star Restaurant Reservations – WordPress Booking Plugin restaurant-reservations N/A Five Star Restaurant Reservations – WordPress Booking Plugin <= 2.7.14 - Missing Authorization LOW *-2.7.14 2.7.15 June 29, 2026
profilegrid-user-profiles-groups-and-communities profilegrid-user-profiles-groups-and-communities N/A ProfileGrid <= 5.9.8.4 - Authenticated (Subscriber+) SQL Injection via 'rid' Parameter LOW *-5.9.8.4 5.9.8.5 June 29, 2026
profilegrid-user-profiles-groups-and-communities profilegrid-user-profiles-groups-and-communities N/A ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Group Settings Modification LOW *-5.9.8.4 5.9.8.5 June 29, 2026
profilegrid-user-profiles-groups-and-communities profilegrid-user-profiles-groups-and-communities N/A ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Group Joining LOW *-5.9.8.4 5.9.8.5 June 29, 2026
payment-gateway-stripe-and-woocommerce-integration payment-gateway-stripe-and-woocommerce-integration N/A Payment Gateway of Stripe for WooCommerce <= 5.0.7 - Missing Authorization LOW *-5.0.7 5.0.8 June 29, 2026
mycryptocheckout mycryptocheckout N/A MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce <= 2.161 - Missing Authorization LOW *-2.161 2.162 June 29, 2026
hostinger-reach hostinger-reach
93
Hostinger Reach <= 1.3.8 - Missing Authorization to Authenticated (Subscriber+) Integration API Key Update LOW *-1.3.8 1.3.9 June 29, 2026
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder fluentform
78
Fluent Forms <= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'permission_message' Shortcode Attribute LOW *-6.2.1 6.2.2 June 29, 2026
EventPrime – Events Calendar, Bookings and Tickets eventprime-event-calendar-management
74
EventPrime – Events Calendar, Bookings and Tickets <= 4.3.2.0 - Missing Authorization LOW *-4.3.2.0 4.3.2.1 June 29, 2026
Custom Twitter Feeds – A Tweets Widget or X Feed Widget custom-twitter-feeds
75
Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text LOW *-2.5.4 2.5.5 June 29, 2026
custom-css-js-php custom-css-js-php
89
Custom css-js-php <= 2.0.7 - Unauthenticated Remote Code Execution LOW *-2.0.7 June 29, 2026
coreactivity coreactivity
93
coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field LOW *-3.0 3.1 June 29, 2026
Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce
98
Checkout Files Upload for WooCommerce <= 2.2.5 - Unauthenticated Insecure Direct Object Reference LOW *-2.2.5 2.2.6 June 29, 2026
another-wordpress-classifieds-plugin another-wordpress-classifieds-plugin
97
AWP Classifieds <= 4.4.5 - Missing Authorization LOW *-4.4.5 4.4.6 June 29, 2026
continually continually
91
Continually <= 4.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'continually_embed_code' Parameter LOW *-4.3.1 June 29, 2026
fastbots-ai-chatbots fastbots-ai-chatbots
91
FastBots <= 1.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings LOW *-1.0.12 June 29, 2026
motors-car-dealership-classified-listings motors-car-dealership-classified-listings N/A Motors – Car Dealership & Classified Listings Plugin <= 1.4.103 - Missing Authorization to Authenticated (Subscriber+) Payment Bypass via 'stm_payment_status' Parameter LOW *-1.4.103 1.4.104 June 29, 2026
wp-seo-structured-data-schema wp-seo-structured-data-schema N/A WP SEO Structured Data Schema <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_kcseo_ative_tab' Parameter LOW *-2.8.1 June 29, 2026
bj-lazy-load bj-lazy-load
91
BJ Lazy Load <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom HTML Block LOW *-1.0.9 June 29, 2026
rate-star-review rate-star-review N/A Rate Star Review Vote <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification via 'rating_id' Parameter LOW *-1.6.4 1.6.5 June 29, 2026
ai-copilot-content-generator ai-copilot-content-generator
95
AI Chatbot & Workflow Automation by AIWU <= 1.4.17 - Unauthenticated SQL Injection in getListForTbl() LOW *-1.4.17 June 29, 2026
nextdate nextdate N/A Next Date <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute LOW *-1.0 June 29, 2026
sp-blog-designer sp-blog-designer N/A SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute LOW *-1.0.0 June 29, 2026
woo-commerce-min-weight woo-commerce-min-weight N/A Woo Commerce Minimum Weight <= 3.0.1 - Cross-Site Request Forgery via Settings Update Form LOW *-3.0.1 June 29, 2026
graphic-web-design-inc graphic-web-design-inc
91
GWD Connect <= 2.9 - Unauthenticated Limited Code Execution via update_agent LOW *-2.9 June 29, 2026
wp-google-maps-integration wp-google-maps-integration N/A WP Google Maps Integration <= 1.2 - Reflected Cross-Site Scripting via 'page' Parameter LOW *-1.2 June 29, 2026
azonpost azonpost
91
AzonPost <= 1.3 - Reflected Cross-Site Scripting LOW *-1.3 June 29, 2026
slek-gateway-for-woocommerce slek-gateway-for-woocommerce N/A Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields LOW *-1.0 June 29, 2026
zawgyi-embed zawgyi-embed N/A Zawgyi Embed <= 2.1.1 - Cross-Site Request Forgery via 'zawgyi_forceCSS' Parameter LOW *-2.1.1 June 29, 2026
awesome-pricing-tables-lite-by-optimalplugins awesome-pricing-tables-lite-by-optimalplugins
91
Pricing Tables for WP <= 1.1.0 - Reflected Cross-Site Scripting via 'page' Parameter LOW *-1.1.0 June 29, 2026
wp-redirection wp-redirection N/A WP-Redirection <= 1.0.3 - Cross-Site Request Forgery to Settings Update LOW *-1.0.3 June 29, 2026
tm-wordpress-redirection tm-wordpress-redirection N/A Tm – WordPress Redirection <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting LOW *-1.2 June 29, 2026
forms-rb forms-rb
91
Forms Rb <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter LOW *-1.1.9 June 29, 2026
shortcodely shortcodely N/A Shortcodely <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'widget_area' Shortcode Attribute LOW *-1.0.1 June 29, 2026
skysa-text-ticker-app skysa-text-ticker-app N/A Skysa Text Ticker App <= 1.4 - Cross-Site Request Forgery to Settings Modification via 'Save Settings' Form LOW *-1.4 June 29, 2026
voyage-plus voyage-plus N/A Voyage Plus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post-content' Shortcode LOW *-1.0.6 June 29, 2026
hel-online-classroom hel-online-classroom
91
HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 - Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter LOW *-1.0.3 June 29, 2026
coinbase-commerce-for-contact-form-7 coinbase-commerce-for-contact-form-7
91
Coinbase Commerce for Contact Form 7 <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) API Key Modification via 'cccf7_api_key' Parameter LOW *-1.1.2 June 29, 2026
fancy-image-show fancy-image-show
91
Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes LOW *-9.1 June 29, 2026
smart-appointment-booking smart-appointment-booking N/A Smart Appointment & Booking <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation LOW *-1.0.8 2.0.0 June 29, 2026
bootstrap-shortcode bootstrap-shortcode
91
Bootstrap Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'box' Shortcode LOW *-1.0 June 29, 2026
advanced-social-media-icons advanced-social-media-icons
95
Advanced Social Media Icons <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'social' Shortcode LOW *-1.2 June 29, 2026
lifepress lifepress
91
LifePress <= 2.2.2 - Unauthenticated Stored Cross-Site Scripting via 'n' Parameter via lp_update_mds AJAX Action LOW *-2.2.2 June 29, 2026
LOW

nextdate

nextdate

Score: N/A Next Date <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute Affected: *-1.0 Patched: Updated: June 29, 2026
LOW

sp-blog-designer

sp-blog-designer

Score: N/A SP Blog Designer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'design' Attribute Affected: *-1.0.0 Patched: Updated: June 29, 2026
LOW

woo-commerce-min-weight

woo-commerce-min-weight

Score: N/A Woo Commerce Minimum Weight <= 3.0.1 - Cross-Site Request Forgery via Settings Update Form Affected: *-3.0.1 Patched: Updated: June 29, 2026
LOW

graphic-web-design-inc

graphic-web-design-inc

Score: 91/100 GWD Connect <= 2.9 - Unauthenticated Limited Code Execution via update_agent Affected: *-2.9 Patched: Updated: June 29, 2026
LOW

wp-google-maps-integration

wp-google-maps-integration

Score: N/A WP Google Maps Integration <= 1.2 - Reflected Cross-Site Scripting via 'page' Parameter Affected: *-1.2 Patched: Updated: June 29, 2026
LOW

azonpost

azonpost

Score: 91/100 AzonPost <= 1.3 - Reflected Cross-Site Scripting Affected: *-1.3 Patched: Updated: June 29, 2026
LOW

slek-gateway-for-woocommerce

slek-gateway-for-woocommerce

Score: N/A Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields Affected: *-1.0 Patched: Updated: June 29, 2026
LOW

zawgyi-embed

zawgyi-embed

Score: N/A Zawgyi Embed <= 2.1.1 - Cross-Site Request Forgery via 'zawgyi_forceCSS' Parameter Affected: *-2.1.1 Patched: Updated: June 29, 2026
LOW

awesome-pricing-tables-lite-by-optimalplugins

awesome-pricing-tables-lite-by-optimalplugins

Score: 91/100 Pricing Tables for WP <= 1.1.0 - Reflected Cross-Site Scripting via 'page' Parameter Affected: *-1.1.0 Patched: Updated: June 29, 2026
LOW

wp-redirection

wp-redirection

Score: N/A WP-Redirection <= 1.0.3 - Cross-Site Request Forgery to Settings Update Affected: *-1.0.3 Patched: Updated: June 29, 2026
LOW

tm-wordpress-redirection

tm-wordpress-redirection

Score: N/A Tm – WordPress Redirection <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting Affected: *-1.2 Patched: Updated: June 29, 2026
LOW

forms-rb

forms-rb

Score: 91/100 Forms Rb <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via 'form_id' Parameter Affected: *-1.1.9 Patched: Updated: June 29, 2026
LOW

shortcodely

shortcodely

Score: N/A Shortcodely <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'widget_area' Shortcode Attribute Affected: *-1.0.1 Patched: Updated: June 29, 2026
LOW

skysa-text-ticker-app

skysa-text-ticker-app

Score: N/A Skysa Text Ticker App <= 1.4 - Cross-Site Request Forgery to Settings Modification via 'Save Settings' Form Affected: *-1.4 Patched: Updated: June 29, 2026
LOW

voyage-plus

voyage-plus

Score: N/A Voyage Plus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post-content' Shortcode Affected: *-1.0.6 Patched: Updated: June 29, 2026
LOW

hel-online-classroom

hel-online-classroom

Score: 91/100 HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 - Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter Affected: *-1.0.3 Patched: Updated: June 29, 2026
LOW

coinbase-commerce-for-contact-form-7

coinbase-commerce-for-contact-form-7

Score: 91/100 Coinbase Commerce for Contact Form 7 <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) API Key Modification via 'cccf7_api_key' Parameter Affected: *-1.1.2 Patched: Updated: June 29, 2026
LOW

fancy-image-show

fancy-image-show

Score: 91/100 Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Affected: *-9.1 Patched: Updated: June 29, 2026
LOW

smart-appointment-booking

smart-appointment-booking

Score: N/A Smart Appointment & Booking <= 1.0.8 - Missing Authorization to Unauthenticated Arbitrary Booking Cancellation Affected: *-1.0.8 Patched: 2.0.0 Updated: June 29, 2026
LOW

bootstrap-shortcode

bootstrap-shortcode

Score: 91/100 Bootstrap Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'box' Shortcode Affected: *-1.0 Patched: Updated: June 29, 2026
LOW

advanced-social-media-icons

advanced-social-media-icons

Score: 95/100 Advanced Social Media Icons <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'social' Shortcode Affected: *-1.2 Patched: Updated: June 29, 2026
LOW

lifepress

lifepress

Score: 91/100 LifePress <= 2.2.2 - Unauthenticated Stored Cross-Site Scripting via 'n' Parameter via lp_update_mds AJAX Action Affected: *-2.2.2 Patched: Updated: June 29, 2026

Showing 801 to 900 of 36189 results

Important: Review Required

Vulnerability data is aggregated from automated feeds and public sources. Results may include false positives or outdated information. Always verify details and apply updates in a staging environment before deploying to production.

Data updated daily from trusted sources. Last updated: June 29, 2026 at 02:57 UTC.