WordPress Security Audit Checklist for Production Sites
A WordPress security audit checklist should produce clear remediation actions, not a long report nobody executes. Use this guide to review core, plugins, themes, privileg...
Read guideVulnTitan Plugin
Scan WordPress with VulnTitan.
Free plugin for live checks. Pro adds scheduled scans, malware detection, integrity monitoring, alerts and guided remediation.
-
Tiled Gallery Carousel Without JetPack <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-image-title'
The Tiled Gallery Carousel Without JetPack plugin for WordPress is vulnerable to stored cross-site scripting via the 'data-image-title' parameter in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedJun 01, 2026Affected ProductTiled Gallery Carousel Without JetPackPlugin · tiled-gallery-carousel-without-jetpackAffected windowVersions up to 3.1Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 3.1Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 3.1Safe / patched versionsNo safe version is published yet. -
Easy Cart <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_to_cart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectp_add_to_cart() function uses sanitize_text_field() on shortcode attributes like 'itemid', 'product_name', 'product_desc', 'product_qty', and 'price' before inserting them into double-quoted HTML attributes. While sanitize_text_field() strips HTML tags, it does not escape double quote characters, allowing an attacker to break out of the HTML attribute context and inject arbitrary event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedJun 01, 2026Affected ProductEasy CartPlugin · easy-cartAffected windowVersions up to 1.8Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.8Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.8Safe / patched versionsNo safe version is published yet. -
FPW Category Thumbnails <= 1.9.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'id' Parameter
The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpw_fs_get_file' AJAX action in all versions up to, and including, 1.9.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the plugin's settings page.
PublishedJun 01, 2026Affected ProductFPW Category ThumbnailsPlugin · fpw-category-thumbnailsAffected windowVersions up to 1.9.5Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.9.5Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.9.5Safe / patched versionsNo safe version is published yet. -
ZeM STL <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The ZeM STL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [zemstl] shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'url', 'color', and 'bgcolor' parameters. These attribute values are directly interpolated into HTML attribute context without being passed through esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedJun 01, 2026Affected ProductZeM STLPlugin · zem-stl-viewerAffected windowVersions up to 1.0Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.0Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.0Safe / patched versionsNo safe version is published yet. -
BirdSeed <= 2.2.0 - Cross-Site Request Forgery via BirdSeed Token Change
The BirdSeed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing nonce validation in the birdseed_plugin_settings_page() function. The function processes the 'birdseed_token' GET parameter and saves it to the database via update_option() without verifying a nonce. This makes it possible for unauthenticated attackers to change the plugin's BirdSeed token setting via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
PublishedJun 01, 2026Affected ProductBirdSeedPlugin · birdseedAffected windowVersions up to 2.2.0Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 2.2.0Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 2.2.0Safe / patched versionsNo safe version is published yet. -
Word Replacer <= 0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Replacement' Parameter
The Word Replacer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'replacement' parameter in all versions up to, and including, 0.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PublishedJun 01, 2026Affected ProductWord ReplacerPlugin · word-replacerAffected windowVersions up to 0.4Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 0.4Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 0.4Safe / patched versionsNo safe version is published yet. -
hiWeb Migration Simple <= 2.0.0.1 - Reflected Cross-Site Scripting via 'new_domain' Parameter
The hiWeb Migration Simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'new_domain' parameter in all versions up to, and including, 2.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
PublishedJun 01, 2026Affected ProducthiWeb Migration SimplePlugin · hiweb-migration-simpleAffected windowVersions up to 2.0.0.1Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 2.0.0.1Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 2.0.0.1Safe / patched versionsNo safe version is published yet. -
rognone <= 0.6.2 - Reflected Cross-Site Scripting via 'a' Parameter
The rognone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'a' parameter in versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PublishedJun 01, 2026Affected ProductrognonePlugin · rognoneAffected windowVersions up to 0.6.2Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 0.6.2Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 0.6.2Safe / patched versionsNo safe version is published yet. -
rognone <= 0.6.2 - Reflected Cross-Site Scripting via 'mode' Parameter
The rognone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mode' parameter in versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PublishedJun 01, 2026Affected ProductrognonePlugin · rognoneAffected windowVersions up to 0.6.2Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 0.6.2Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 0.6.2Safe / patched versionsNo safe version is published yet. -
wp-nano-ad <= 1.31 - Authenticated (Administrator+) Stored Cross-Site Scripting via blogrole_link Parameter
The WP Nano AD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘blogrole_link’ parameter in all versions up to, and including, 1.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PublishedJun 01, 2026Affected ProductWP Nano ADPlugin · wp-nano-adAffected windowVersions up to 1.31Expand for exact coverage and remediation detail.Patch statusNo safe release listedVendor patch has not been published in the feed yet.Recommended next stepMonitor vendor releaseReduce exposure until the vendor ships a safe release.Affected if you're usingVersions up to 1.31Check the full report if you need exact branch-by-branch coverage.Patch availableNoNo fixed release is listed in the feed yet.Fixed inNot publishedWatch for a vendor release before treating the issue as fixed.What to doNo known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Affected versionsVersions up to 1.31Safe / patched versionsNo safe version is published yet.
Coverage Hubs
Browse high-interest plugin and theme vulnerability hubs.
Use hub pages to review all indexed records for a single WordPress plugin or theme instead of scanning the global feed one advisory at a time.
Download Manager Pro
· plugin
Royal Addons for Elementor – Addons and Templates Kit for Elementor
· plugin
Ninja Forms – The Contact Form Builder That Grows With You
· plugin
GiveWP – Donation Plugin and Fundraising Platform
· plugin
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
· plugin
Tutor LMS – eLearning and online course solution
· plugin
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
· plugin
Photo Gallery by 10Web – Mobile-Friendly Image Gallery
· plugin
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker
· plugin
Essential Addons for Elementor – Popular Elementor Templates & Widgets
· plugin
Security Guides
Start with the WordPress security topics already showing search demand.
Browse practical guides for WordPress security audit, WooCommerce security, hardening, brute force protection, monitoring, and incident response.
WooCommerce Security Checklist for WordPress Stores
Use this WooCommerce security checklist to review payment-related plugins, customer account exposure, checkout integrity, and patch response before a vulnerability impact...
Read guideWordPress Security Hardening Checklist for 2026
Use this WordPress security hardening checklist for 2026 to review patch cadence, privileged access, XML-RPC exposure, backup readiness, and daily vulnerability monitorin...
Read guidePrevent Brute Force Attacks in WordPress: Best Practices
If you need to prevent brute force attacks in WordPress, the goal is to make credential abuse expensive and noisy for attackers. Brute force attacks are still one of the...
Read guideWordPress Security Monitoring: Metrics That Matter
WordPress security monitoring should drive action, not dashboard vanity. Focus on metrics that influence patching speed, detection quality, and incident outcomes.
Read guideWordPress Incident Response Plan Template for Security Teams
This WordPress incident response plan template helps security teams move from detection to containment, patching, recovery, and post-incident review when a plugin or them...
Read guide