VulnTitan Plugin

Scan WordPress with VulnTitan.

Free plugin for live checks. Pro adds scheduled scans, malware detection, integrity monitoring, alerts and guided remediation.

Live Database

Latest vulnerability records

Search by title, slug or version, then narrow the feed by asset type and severity.

35,982 results Updated continuously


  • Plugin High Patched: Yes CVSS 7.5/10
    Gravity Bookings <= 2.5.9 - Unauthenticated SQL Injection via 'category_id' Parameter

    The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

    Published: May 05, 2026
    Affected product: Gravity Bookings (Plugin · gf-bookings-premium)
    Affected versions: up to 2.5.9
    Patch available: Yes
    Safe / patched versions: 2.6
    What to do: Update to version 2.6, or a newer patched version; validate the site after the update.
  • Plugin High Patched: Yes CVSS 7.2/10
    LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter

    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.

    Published: May 05, 2026
    Affected product: LatePoint – Calendar Booking Plugin for Appointments and Events (Plugin · latepoint)
    Affected versions: up to 5.5.0
    Patch available: Yes
    Safe / patched versions: 5.5.1
    What to do: Update to version 5.5.1, or a newer patched version; validate the site after the update.
  • Plugin Medium Patched: Yes CVSS 6.4/10
    LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update

    The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.

    Published: May 05, 2026
    Affected product: LatePoint – Calendar Booking Plugin for Appointments and Events (Plugin · latepoint)
    Affected versions: up to 5.5.0
    Patch available: Yes
    Safe / patched versions: 5.5.1
    What to do: Update to version 5.5.1, or a newer patched version; validate the site after the update.
  • Plugin High Patched: Yes CVSS 7.2/10
    LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'first_name' Parameter

    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'first_name' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Published: May 05, 2026
    Affected product: LatePoint – Calendar Booking Plugin for Appointments and Events (Plugin · latepoint)
    Affected versions: up to 5.5.0
    Patch available: Yes
    Safe / patched versions: 5.5.1
    What to do: Update to version 5.5.1, or a newer patched version; validate the site after the update.
  • Plugin Medium Patched: Yes CVSS 4.9/10
    Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment

    The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user — including wp-config.php with its database credentials and authentication salts — by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape /../../ as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled.

    Published: May 05, 2026
    Affected product: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder (Plugin · fluentform)
    Affected versions: up to 6.2.1
    Patch available: Yes
    Safe / patched versions: 6.2.2
    What to do: Update to version 6.2.2, or a newer patched version; validate the site after the update.
  • Plugin Medium Patched: Yes CVSS 6.4/10
    Affiliate Program Suite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode

    The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'slicewp_affiliate_url' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Published: May 05, 2026
    Affected product: Affiliate Program Suite — SliceWP Affiliates (Plugin · slicewp)
    Affected versions: up to 1.2.7
    Patch available: Yes
    Safe / patched versions: 1.2.8
    What to do: Update to version 1.2.8, or a newer patched version; validate the site after the update.
  • Plugin Medium Patched: Yes CVSS 4.3/10
    Ninja Tables <= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation

    The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion.

    Published: May 05, 2026
    Affected product: Ninja Tables – Easy Data Table Builder (Plugin · ninja-tables)
    Affected versions: up to 5.2.6
    Patch available: Yes
    Safe / patched versions: 5.2.7
    What to do: Update to version 5.2.7, or a newer patched version; validate the site after the update.
  • Plugin Medium Patched: Yes CVSS 5.3/10
    Mercado Pago payments for WooCommerce <= 8.7.11 - Missing Authorization to Unauthenticated PIX Payment QR Code Image Disclosure

    The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.

    Published: May 05, 2026
    Affected product: Mercado Pago payments for WooCommerce (Plugin · woocommerce-mercadopago)
    Affected versions: up to 8.7.11
    Patch available: Yes
    Safe / patched versions: 8.7.12
    What to do: Update to version 8.7.12, or a newer patched version; validate the site after the update.
  • Plugin Medium Patched: Yes CVSS 6.5/10
    All-in-One WP Migration Unlimited Extension <= 2.83 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Backup Schedule Creation and Backup File Download

    The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabilities before saving schedule data. This makes it possible for authenticated attackers, with subscriber-level access and above, to create scheduled export jobs and send backup notifications to attacker-controlled email addresses. Because such notifications include the random backup filename, full site backups can subsequently be downloaded from the target site, resulting in sensitive information exposure.

    Published: May 05, 2026
    Affected product: All-in-One WP Migration Unlimited Extension (Plugin · all-in-one-wp-migration-unlimited-extension)
    Affected versions: up to 2.83
    Patch available: Yes
    Safe / patched versions: 2.84
    What to do: Update to version 2.84, or a newer patched version; validate the site after the update.
  • Theme High Patched: Yes CVSS 8.8/10
    Betheme <= 28.4 - Authenticated (Author+) Arbitrary File Upload to Remote Code Execution via Icon Pack Upload

    The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files (including PHP) and achieve remote code execution via the Icons icon-pack upload flow.

    Published: May 04, 2026
    Affected product: Betheme (Theme · betheme)
    Affected versions: up to 28.4
    Patch available: Yes
    Safe / patched versions: 28.4.1
    What to do: Update to version 28.4.1, or a newer patched version; validate the site after the update.
Coverage Hubs

Browse high-interest plugin and theme vulnerability hubs.

Use hub pages to review all indexed records for a single WordPress plugin or theme instead of scanning the global feed one advisory at a time.

35,982 indexed records · 14,494 tracked plugins · 1,629 tracked themes
Security Guides

Start with the WordPress security topics already showing search demand.

Browse practical guides for WordPress security audit, WooCommerce security, hardening, brute force protection, monitoring, and incident response.
