WordPress Vulnerability Database

The most comprehensive open vulnerability database for WordPress plugins, themes, and server infrastructure.

16,259

plugins with known vulnerabilities

2,267

themes with known vulnerabilities

13,530

vulnerabilities without a fix

2,002

critical severity (score ≥ 9.0)

Official WordPress Plugin

WPVulnerability

Real-time vulnerability scanner for your WordPress dashboard. Monitors your core, plugins, themes, PHP, Apache, nginx, MariaDB, MySQL, ImageMagick, curl and more — all in one place.

10,000+Active installs

★★★★★20 reviews

5.0.1Latest version

7.1Tested with WP

Install free on WordPress.org →

Notable vulnerabilities — last 90 days

File Manager

KEV

2020-09-09All versions

CVE-2020-25213

CVE Patchstack Wordfence WPScan

Video Gallery – YouTube Gallery, Vimeo, Video Portfolio, Image Portfolio and Image Gallery

KEV

2017-05-24All versions

WordPress Huge-IT Video Gallery plugin <=2.0.4 - SQL Injection vulnerability

Patchstack CVE

Static Site Exporter

KEV

2017-06-27All versions

CVE-2017-9841

CVE WPScan

Cloudflare

KEV

2017-06-27All versions

CVE-2017-9841

CVE WPScan

Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More

KEV

2020-04-13All versions

CVE-2020-11738

CVE Wordfence WPScan

Social Sharing Plugin – Social Warfare

KEV

2019-03-24All versions

CVE-2019-9978

CVE Wordfence WPScan

jQuery Manager for WordPress

KEV

2020-07-20All versions

jQuery Manager for WordPress <= 1.10.4 & jQuery Migrate Helper <= 1.4.1- Running Vulnerable Dependency

Wordfence CVE

JS Help Desk – AI-Powered Support & Ticketing System

Critical 10.0

2024-01-05All versions

CVE-2022-46839

CVE Patchstack Wordfence

JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin

Critical 10.0

2023-12-20All versions

CVE-2023-29384

CVE Patchstack Wordfence

WappPress – Convert Site to App Fast – WordPress to Mobile App Builder

Critical 10.0

2024-03-27All versions

CVE-2023-49815

CVE Patchstack Wordfence WPScan

Rencontre – Dating Site

Critical 10.0

2024-12-27All versions

WordPress Rencontre – Dating Site Plugin <= 3.10.1 is vulnerable to Arbitrary File Upload

Patchstack CVE Wordfence WPScan

Coupon Referral Program

Critical 10.0

2024-02-12All versions

CVE-2024-25100

CVE Wordfence Patchstack WPScan

Latest Plugin Vulnerabilities

View all →

CoDesigner – All in One Elementor WooCommerce Builder

Medium 5.9 Unfixed

2025-01-15≤ 4.31

WordPress CoDesigner plugin <= 4.29 - Cross Site Scripting (XSS) vulnerability

CVE EUVD Patchstack Wordfence

WPFunnels Pro

N/A

2026-06-04< 2.9.5

WPFunnels Pro <= 2.9.4 - Unauthenticated Stored Cross-Site Scripting

Wordfence CVE

Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution

N/A

2026-06-01< 2.1.8

Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Solution <= 2.1.7 - Missing Authorization

Wordfence CVE

Visual Link Preview

N/A

2026-06-02< 2.4.2

Visual Link Preview <= 2.4.1 - Authenticated (Subscriber+) Information Exposure

Wordfence CVE

EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more

N/A

2026-06-01< 4.5.3

EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more <= 4.5.2 - Unauthenticated Information Exposure

Wordfence CVE

WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes & Shipping Labels

N/A

2026-06-03< 4.9.5

WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes & Shipping Labels <= 4.9.4 - Unauthenticated Information Exposure

Wordfence CVE

Booking for Appointments and Events Calendar – Amelia

N/A

2026-06-02< 2.4

Booking for Appointments and Events Calendar – Amelia <= 2.3 - Authenticated (Subscriber+) Privilege Escalation

Wordfence CVE

Simple Shopping Cart

N/A

2026-06-02< 5.3.0

Simple Shopping Cart <= 5.2.9 - Unauthenticated Insecure Direct Object Reference

Wordfence CVE

Booknetic

N/A Unfixed

2026-06-01≤ 4.8.5

Booknetic <= 4.8.5 - Missing Authorization

Wordfence CVE

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)

N/A

2026-06-03< 9.5.10.1

Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) <= 9.5.10 - Missing Authorization

Wordfence CVE

Easy Invoice – Invoice Generator, PDF Quotes & Payments

N/A

2026-06-01< 2.1.20

Easy Invoice – Invoice Generator, PDF Quotes & Payments <= 2.1.19 - Unauthenticated Remote Code Execution

Wordfence CVE

Presto Player

Medium 6.4

2026-06-12< 4.2.1

CVE-2026-9125

CVE Wordfence

Backup and Staging by WP Time Capsule

High 7.5

2026-05-30< 1.22.26

Backup and Staging by WP Time Capsule <= 1.22.25 - Missing Authorization

Wordfence CVE

SlimStat Analytics

N/A

2026-06-01< 5.4.0

SlimStat Analytics < 5.4.0 - Unauthenticated PHP Object Injection

Wordfence CVE

Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions

N/A

2026-06-01< 8.4.2

Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions <= 8.4.1 - Missing Authorization

Wordfence CVE

Support Board for WordPress

N/A

2026-06-01< 3.8.9

Support Board < 3.8.9 - Unauthenticated Privilege Escalation

Wordfence CVE

Speed Optimizer – The All-In-One Performance-Boosting Plugin

N/A

2026-06-11< 7.7.9

WordPress Speed Optimizer Plugin < 7.7.9 is vulnerable to Cross Site Scripting (XSS)

Patchstack CVE

Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

N/A

2026-05-18< 2.4.2

CVE-2026-3220

CVE

Hippoo Mobile App for WooCommerce

Critical 9.8

2026-06-11< 1.9.5

CVE-2026-49060

CVE EUVD

Fediverse Embeds

Medium 5.3 Unfixed

2026-06-11≤ 1.5.9

CVE-2026-46698

CVE

Latest Theme Vulnerabilities

View all →

XStore

N/A

2026-06-10< 9.7.3

CVE-2026-3326

CVE

Blocksy

High 8.8

2026-06-09< 2.1.42

CVE-2026-8365

CVE Wordfence Wordfence

Enfold - Responsive Multi-Purpose Theme

N/A

2026-06-01< 7.1.5

Enfold - Responsive Multi-Purpose Theme <= 7.1.4 - Reflected Cross-Site Scripting

Wordfence CVE Wordfence

Seotheme

Critical 9.8 Unfixed

2026-06-08< 100

CVE-2023-54352

CVE

Travelscape

Critical 9.8 Unfixed

2026-06-08≤ 1.0.3

CVE-2024-58349

CVE

Moderno

N/A

2026-06-04< 1.43

WordPress Moderno Theme < 1.43 is vulnerable to a high priority PHP Object Injection

Patchstack Wordfence CVE

Zoner - Real Estate

Medium 5.4 Unfixed

2026-06-04≤ 4.1.1

CVE-2019-25742

CVE

Nexio

N/A Unfixed

2026-05-26≤ 1.10.0

Nexio <= 1.10.0 - Unauthenticated Local File Inclusion

Wordfence CVE

CopyPress

N/A Unfixed

2026-05-26≤ 1.4.5

CopyPress <= 1.4.5 - Unauthenticated Local File Inclusion

Wordfence CVE

Kelly Young

N/A Unfixed

2026-05-26≤ 1.1.0

Kelly Young <= 1.1.0 - Unauthenticated Local File Inclusion

Wordfence CVE

Ingenioso

N/A Unfixed

2026-05-26≤ 1.14.0

Ingenioso <= 1.14.0 - Unauthenticated Local File Inclusion

Wordfence CVE

Rosaleen

N/A Unfixed

2026-05-26≤ 2.8

Rosaleen <= 2.8 - Unauthenticated Local File Inclusion

Wordfence CVE

Abelle

N/A Unfixed

2026-05-26≤ 1.22

Abelle <= 1.22 - Unauthenticated Local File Inclusion

Wordfence CVE

Plumbing

N/A Unfixed

2026-05-26≤ 1.6

Plumbing <= 1.6 - Unauthenticated PHP Object Injection

Wordfence CVE

Snow Club

N/A Unfixed

2026-05-26≤ 1.1

Snow Club <= 1.1 - Unauthenticated Local File Inclusion

Wordfence CVE

SeaFood Company

N/A Unfixed

2026-05-26≤ 1.4

SeaFood Company <= 1.4 - Unauthenticated PHP Object Injection

Wordfence CVE

Printo

N/A Unfixed

2026-05-27≤ 1.11

Printo <= 1.11 - Unauthenticated Local File Inclusion

Wordfence CVE

Granola

N/A Unfixed

2026-05-27≤ 1.13

Granola <= 1.13 - Unauthenticated Local File Inclusion

Wordfence CVE

JobCareer

N/A Unfixed

2026-05-26≤ 7.3

JobCareer <= 7.3 - Authenticated (Subscriber+) Arbitrary File Deletion

Wordfence CVE

Spike

N/A Unfixed

2026-05-27≤ 1.2

Spike <= 1.2 - Unauthenticated Local File Inclusion

Wordfence CVE

Latest WordPress Core Vulnerabilities

View all →

WordPress 3.1-RC4

Medium 6.1

2026-03-10All versions