VulnTitan Plugin

Scan WordPress with VulnTitan.

Free plugin for live checks. Pro adds scheduled scans, malware detection, integrity monitoring, alerts and guided remediation.

Free visibility. Pro automation.
Live Database

Latest vulnerability records

Search by title, slug or version, then narrow the feed by asset type and severity.

35,988 results Updated continuously


  • Plugin · High · Patched: Yes · CVSS 8.8/10
    Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload via _get_media_url

    The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' functions. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload files that may be executable, which makes remote code execution possible. The vulnerability was partially patched in version 7.0.10 and fully patched in version 7.0.11.

    Published
    May 06, 2026
    Affected Product
    Slider Revolution
    Plugin · revslider
    Affected versions
    7.0.0 through 7.0.10
    Patch status
    Patched release available
    Fixed in
    7.0.11
    What to do
    Update to version 7.0.11, or a newer patched version
  • Plugin · High · Patched: Yes · CVSS 8.1/10
    WP-Optimize <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion via 'original-file' Post Meta

    The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unscheduled_original_file_deletion function in all versions up to, and including, 4.5.2. This makes it possible for authenticated attackers, with author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This is possible because 'original-file' is a public (non-protected) meta key — it does not begin with an underscore — allowing Authors to freely create or modify it on their own attachment posts via the standard Edit Media form or the REST API.

    Published
    May 06, 2026
    Affected Product
    WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance
    Plugin · wp-optimize
    Affected versions
    Versions up to 4.5.2
    Patch status
    Patched release available
    Fixed in
    4.5.3
    What to do
    Update to version 4.5.3, or a newer patched version
  • Plugin · High · Patched: Yes · CVSS 7.5/10
    BetterDocs Pro <= 3.7.0 - Unauthenticated SQL Injection via Encyclopedia 'limit' Parameter

    The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is due to the `limit` POST parameter being interpolated directly into a SQL query string before being passed to `$wpdb->prepare()`, which only parameterizes other variables. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Encyclopedia feature must be enabled in BetterDocs Pro settings for the vulnerability to be exploitable.

    Published
    May 06, 2026
    Affected Product
    BetterDocs Pro
    Plugin · betterdocs-pro
    Affected versions
    Versions up to 3.7.0
    Patch status
    Patched release available
    Fixed in
    3.7.1
    What to do
    Update to version 3.7.1, or a newer patched version
  • Plugin · Medium · Patched: Yes · CVSS 6.5/10
    Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook

    The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration.

    Published
    May 06, 2026
    Affected Product
    Forminator Forms – Contact Form, Payment Form & Custom Form Builder
    Plugin · forminator
    Affected versions
    Versions up to 1.53.0
    Patch status
    Patched release available
    Fixed in
    1.53.0.1
    What to do
    Update to version 1.53.0.1, or a newer patched version
  • Plugin · Medium · Patched: Yes · CVSS 6.5/10
    Appointment Booking Calendar <= 1.6.10.6 - Unauthenticated Arbitrary Appointment View, Modification and Deletion

    The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoints at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce). When the X-WP-Nonce validation fails, the function falls back to validating the X-PUBLIC-Nonce without properly rejecting the request. Since the public_nonce is exposed to all unauthenticated visitors and is site-wide (not user-specific or appointment-specific), attackers can obtain it and use it to view details of arbitrary appointments, including the public_edit_url, or delete arbitrary appointments by ID. This makes it possible for unauthenticated attackers to view, delete or modify any appointment in the system, disclosing sensitive appointment data, causing service disruption and loss of booking records.

    Published
    May 06, 2026
    Affected Product
    Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin
    Plugin · simply-schedule-appointments
    Affected versions
    Versions up to 1.6.10.6
    Patch status
    Patched release available
    Fixed in
    1.6.11
    What to do
    Update to version 1.6.11, or a newer patched version
  • Plugin · Medium · Patched: Yes · CVSS 5.3/10
    Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter

    The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack module-management permissions. Because `processRequest()` is invoked during the `admin_menu` action hook — which fires before WordPress enforces page-level capability checks — a user whose Forminator role is restricted to Templates or Reports can craft a valid POST request targeting any published module and successfully trigger the vulnerable actions. This makes it possible for authenticated attackers with subscriber-level access (or any custom low-privilege Forminator role) to export the complete internal configuration of arbitrary forms/polls/quizzes (including notification routing, integration credentials, and conditional logic), delete modules, delete all submissions/votes, clone modules, or bulk-change publish/draft status.

    Published
    May 06, 2026
    Affected Product
    Forminator Forms – Contact Form, Payment Form & Custom Form Builder
    Plugin · forminator
    Affected versions
    Versions up to 1.51.1
    Patch status
    Patched release available
    Fixed in
    1.52
    What to do
    Update to version 1.52, or a newer patched version
  • Plugin · High · Patched: Yes · CVSS 7.5/10
    Gravity Bookings <= 2.5.9 - Unauthenticated SQL Injection via 'category_id' Parameter

    The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user-supplied 'category_id' parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

    Published
    May 05, 2026
    Affected Product
    Gravity Bookings
    Plugin · gf-bookings-premium
    Affected versions
    Versions up to 2.5.9
    Patch status
    Patched release available
    Fixed in
    2.6
    What to do
    Update to version 2.6, or a newer patched version
  • Plugin · High · Patched: Yes · CVSS 7.2/10
    LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter

    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.

    Published
    May 05, 2026
    Affected Product
    LatePoint – Calendar Booking Plugin for Appointments and Events
    Plugin · latepoint
    Affected versions
    Versions up to 5.5.0
    Patch status
    Patched release available
    Fixed in
    5.5.1
    What to do
    Update to version 5.5.1, or a newer patched version
  • Plugin · Medium · Patched: Yes · CVSS 6.4/10
    LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update

    The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.

    Published
    May 05, 2026
    Affected Product
    LatePoint – Calendar Booking Plugin for Appointments and Events
    Plugin · latepoint
    Affected versions
    Versions up to 5.5.0
    Patch status
    Patched release available
    Fixed in
    5.5.1
    What to do
    Update to version 5.5.1, or a newer patched version
  • Plugin · High · Patched: Yes · CVSS 7.2/10
    LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'first_name' Parameter

    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'first_name' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Published
    May 05, 2026
    Affected Product
    LatePoint – Calendar Booking Plugin for Appointments and Events
    Plugin · latepoint
    Affected versions
    Versions up to 5.5.0
    Patch status
    Patched release available
    Fixed in
    5.5.1
    What to do
    Update to version 5.5.1, or a newer patched version
Coverage Hubs

Browse high-interest plugin and theme vulnerability hubs.

Use hub pages to review all indexed records for a single WordPress plugin or theme instead of scanning the global feed one advisory at a time.

35,988 indexed records 14,495 tracked plugins 1,629 tracked themes
Security Guides

Start with the WordPress security topics already showing search demand.

Browse practical guides for WordPress security audit, WooCommerce security, hardening, brute force protection, monitoring, and incident response.
