VulnTitan VulnTitan Security command center
VulnTitan Plugin

Scan WordPress with VulnTitan.

Free plugin for live checks. Pro adds scheduled scans, malware detection, integrity monitoring, alerts and guided remediation.

Free visibility. Pro automation. Download Free Upgrade to Pro
Live Database

Latest vulnerability records

Search by title, slug or version, then narrow the feed by asset type and severity.

34,892 results Updated continuously

Records stay compact by default so the feed is easier to scan. Expand any advisory when you need remediation and full version coverage.

  • Plugin Medium Patched: Yes CVSS 4.3/10
    Database for Contact Form 7, WPforms, Elementor forms <= 1.4.9 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode

    The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions - including names, emails, phone numbers.

    Published
    Mar 31, 2026
    Affected Product
    Database for Contact Form 7, WPforms, Elementor forms
    Plugin · contact-form-entries
    Affected window
    Versions up to 1.4.9
    Expand for exact coverage and remediation detail.
    Patch status
    Patched release available
    Fixed in 1.5.0
    Recommended next step
    Update to 1.5.0
    Move to a safe release and validate after update.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 1.4.9
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    Yes
    A fixed release is listed for this issue.
    Fixed in
    1.5.0
    Update to this version or a newer safe release.
    What to do

    Update to version 1.5.0, or a newer patched version

    Affected versions
    Versions up to 1.4.9
    Safe / patched versions
    1.5.0
    CVE-2026-3831 1 source
    Open Full Report
  • Plugin Medium Patched: Yes CVSS 6.5/10
    Amelia <= 2.1.2 - Authenticated (Manager+) SQL Injection via 'sort' Parameter

    The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the `sort` parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied `sort` parameter and lack of sufficient preparation on the existing SQL query in `PaymentRepository.php`, where the sort field is interpolated directly into an ORDER BY clause without sanitization or whitelist validation. PDO prepared statements do not protect ORDER BY column names. GET requests also skip Amelia's nonce validation entirely. This makes it possible for authenticated attackers, with Manager-level (`wpamelia-manager`) access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection.

    Published
    Mar 31, 2026
    Affected Product
    Booking for Appointments and Events Calendar – Amelia
    Plugin · ameliabooking
    Affected window
    Versions up to 2.1.2
    Expand for exact coverage and remediation detail.
    Patch status
    Patched release available
    Fixed in 2.1.3
    Recommended next step
    Update to 2.1.3
    Move to a safe release and validate after update.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 2.1.2
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    Yes
    A fixed release is listed for this issue.
    Fixed in
    2.1.3
    Update to this version or a newer safe release.
    What to do

    Update to version 2.1.3, or a newer patched version

    Affected versions
    Versions up to 2.1.2
    Safe / patched versions
    2.1.3
    CVE-2026-4668 1 source
    Open Full Report
  • Plugin Medium Patched: Yes CVSS 6.4/10
    WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'max_width' Shortcode Attribute

    The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'max_width' attribute of the `su_box` shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Published
    Mar 31, 2026
    Affected Product
    WP Shortcodes Plugin — Shortcodes Ultimate
    Plugin · shortcodes-ultimate
    Affected window
    Versions up to 7.4.10
    Expand for exact coverage and remediation detail.
    Patch status
    Patched release available
    Fixed in 7.5.0
    Recommended next step
    Update to 7.5.0
    Move to a safe release and validate after update.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 7.4.10
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    Yes
    A fixed release is listed for this issue.
    Fixed in
    7.5.0
    Update to this version or a newer safe release.
    What to do

    Update to version 7.5.0, or a newer patched version

    Affected versions
    Versions up to 7.4.10
    Safe / patched versions
    7.5.0
    CVE-2026-2480 1 source
    Open Full Report
  • Plugin High Patched: Yes CVSS 7.2/10
    Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI

    The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

    Published
    Mar 30, 2026
    Affected Product
    Query Monitor – The developer tools panel for WordPress
    Plugin · query-monitor
    Affected window
    Versions up to 3.20.3
    Expand for exact coverage and remediation detail.
    Patch status
    Patched release available
    Fixed in 3.20.4
    Recommended next step
    Update to 3.20.4
    Move to a safe release and validate after update.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 3.20.3
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    Yes
    A fixed release is listed for this issue.
    Fixed in
    3.20.4
    Update to this version or a newer safe release.
    What to do

    Update to version 3.20.4, or a newer patched version

    Affected versions
    Versions up to 3.20.3
    Safe / patched versions
    3.20.4
    CVE-2026-4267 1 source
    Open Full Report
  • Plugin Medium Patched: Yes CVSS 5.4/10
    Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update

    The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

    Published
    Mar 30, 2026
    Affected Product
    Minify HTML
    Plugin · minify-html-markup
    Affected window
    Versions up to 2.1.12
    Expand for exact coverage and remediation detail.
    Patch status
    Patched release available
    Fixed in 2.1.13
    Recommended next step
    Update to 2.1.13
    Move to a safe release and validate after update.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 2.1.12
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    Yes
    A fixed release is listed for this issue.
    Fixed in
    2.1.13
    Update to this version or a newer safe release.
    What to do

    Update to version 2.1.13, or a newer patched version

    Affected versions
    Versions up to 2.1.12
    Safe / patched versions
    2.1.13
    CVE-2026-3191 1 source
    Open Full Report
  • Plugin Medium Patched: Yes CVSS 4.3/10
    User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field

    The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.15.5 via the wppb_save_avatar_value() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to reassign ownership of arbitrary posts and attachments by changing 'post_author'.

    Published
    Mar 30, 2026
    Affected Product
    User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
    Plugin · profile-builder
    Affected window
    Versions up to 3.15.5
    Expand for exact coverage and remediation detail.
    Patch status
    Patched release available
    Fixed in 3.15.6
    Recommended next step
    Update to 3.15.6
    Move to a safe release and validate after update.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 3.15.5
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    Yes
    A fixed release is listed for this issue.
    Fixed in
    3.15.6
    Update to this version or a newer safe release.
    What to do

    Update to version 3.15.6, or a newer patched version

    Affected versions
    Versions up to 3.15.5
    Safe / patched versions
    3.15.6
    CVE-2026-3139 1 source
    Open Full Report
  • Plugin Medium Patched: No CVSS 6.1/10
    Auto Post Scheduler <= 1.84 - Cross-Site Request Forgery to Stored Cross-Site Scripting via aps_options_page

    The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'aps_options_page' function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

    Published
    Mar 30, 2026
    Affected Product
    Auto Post Scheduler
    Plugin · auto-post-scheduler
    Affected window
    Versions up to 1.84
    Expand for exact coverage and remediation detail.
    Patch status
    No safe release listed
    Vendor patch has not been published in the feed yet.
    Recommended next step
    Monitor vendor release
    Reduce exposure until the vendor ships a safe release.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 1.84
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    No
    No fixed release is listed in the feed yet.
    Fixed in
    Not published
    Watch for a vendor release before treating the issue as fixed.
    What to do

    No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

    Affected versions
    Versions up to 1.84
    Safe / patched versions
    No safe version is published yet.
    CVE-2026-1877 1 source
    Open Full Report
  • Plugin Medium Patched: Yes CVSS 6.4/10
    Ibtana - WordPress Website Builder <= 1.2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

    The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ive' shortcode in all versions up to, and including, 1.2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Published
    Mar 30, 2026
    Affected Product
    Ibtana – WordPress Website Builder
    Plugin · ibtana-visual-editor
    Affected window
    Versions up to 1.2.5.7
    Expand for exact coverage and remediation detail.
    Patch status
    Patched release available
    Fixed in 1.2.5.8
    Recommended next step
    Update to 1.2.5.8
    Move to a safe release and validate after update.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 1.2.5.7
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    Yes
    A fixed release is listed for this issue.
    Fixed in
    1.2.5.8
    Update to this version or a newer safe release.
    What to do

    Update to version 1.2.5.8, or a newer patched version

    Affected versions
    Versions up to 1.2.5.7
    Safe / patched versions
    1.2.5.8
    CVE-2026-1834 1 source
    Open Full Report
  • Plugin Medium Patched: Yes CVSS 5.3/10
    Truebooker - Appointment Booking and Scheduler Plugin <= 1.1.4 - Sensitive Information Exposure via Views Files

    The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed views php files via direct access.

    Published
    Mar 30, 2026
    Affected Product
    Truebooker – Appointment Booking and Scheduler System
    Plugin · truebooker-appointment-booking
    Affected window
    Versions up to 1.1.4
    Expand for exact coverage and remediation detail.
    Patch status
    Patched release available
    Fixed in 1.1.5
    Recommended next step
    Update to 1.1.5
    Move to a safe release and validate after update.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 1.1.4
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    Yes
    A fixed release is listed for this issue.
    Fixed in
    1.1.5
    Update to this version or a newer safe release.
    What to do

    Update to version 1.1.5, or a newer patched version

    Affected versions
    Versions up to 1.1.4
    Safe / patched versions
    1.1.5
    CVE-2026-1797 1 source
    Open Full Report
  • Plugin Medium Patched: Yes CVSS 6.5/10
    WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax

    The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.

    Published
    Mar 30, 2026
    Affected Product
    WooPayments: Integrated WooCommerce Payments
    Plugin · woocommerce-payments
    Affected window
    Versions up to 10.5.1
    Expand for exact coverage and remediation detail.
    Patch status
    Patched release available
    Fixed in 10.6.0
    Recommended next step
    Update to 10.6.0
    Move to a safe release and validate after update.
    Detailed remediation and version lists stay hidden until expanded.
    Affected if you're using
    Versions up to 10.5.1
    Check the full report if you need exact branch-by-branch coverage.
    Patch available
    Yes
    A fixed release is listed for this issue.
    Fixed in
    10.6.0
    Update to this version or a newer safe release.
    What to do

    Update to version 10.6.0, or a newer patched version

    Affected versions
    Versions up to 10.5.1
    Safe / patched versions
    10.6.0
    CVE-2026-1710 1 source
    Open Full Report
Coverage Hubs

Browse high-interest plugin and theme vulnerability hubs.

Use hub pages to review all indexed records for a single WordPress plugin or theme instead of scanning the global feed one advisory at a time.

34,892 indexed records 14,308 tracked plugins 1,501 tracked themes
Ninja Forms – The Contact Form Builder That Grows With You · plugin Download Manager Pro · plugin Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin · plugin GiveWP – Donation Plugin and Fundraising Platform · plugin Royal Addons for Elementor – Addons and Templates Kit for Elementor · plugin LearnPress – WordPress LMS Plugin for Create and Sell Online Courses · plugin Photo Gallery by 10Web – Mobile-Friendly Image Gallery · plugin Tutor LMS – eLearning and online course solution · plugin Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker · plugin Essential Addons for Elementor – Popular Elementor Templates & Widgets · plugin
Security Guides

Start with the WordPress security topics already showing search demand.

Browse practical guides for WordPress security audit, WooCommerce security, hardening, brute force protection, monitoring, and incident response.

Browse Blog