VulnTitan Plugin

Scan WordPress with VulnTitan.

Free plugin for live checks. Pro adds scheduled scans, malware detection, integrity monitoring, alerts and guided remediation.

Free visibility. Pro automation.
Live Database

Latest vulnerability records

Search by title, slug or version, then narrow the feed by asset type and severity.

35,586 results (updated continuously)

Records stay compact by default so the feed is easier to scan. Expand any advisory when you need remediation and full version coverage.

  • Plugin | Severity: High | Patched: Yes | CVSS 7.2/10
    ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process

    The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.

    Published: Apr 22, 2026
    Affected product: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) (Plugin · google-analytics-dashboard-for-wp)
    Affected versions: up to 9.1.2
    Patch available: Yes, fixed in 9.1.3
    What to do: Update to version 9.1.3, or a newer patched version, and validate the site after the update.
  • Plugin | Severity: Medium | Patched: Yes | CVSS 6.4/10
    WP Store Locator <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta

    The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.

    Published: Apr 22, 2026
    Affected product: WP Store Locator (Plugin · wp-store-locator)
    Affected versions: up to 2.2.261
    Patch available: Yes, fixed in 2.3.0
    What to do: Update to version 2.3.0, or a newer patched version, and validate the site after the update.
  • Plugin | Severity: Critical | Patched: Yes | CVSS 9.8/10
    Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote

    The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

    Published: Apr 22, 2026
    Affected product: Breeze Cache (Plugin · breeze)
    Affected versions: up to 2.4.4
    Patch available: Yes, fixed in 2.4.5
    What to do: Update to version 2.4.5, or a newer patched version, and validate the site after the update.
  • Plugin | Severity: Medium | Patched: Yes | CVSS 5.4/10
    Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML

    The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Published: Apr 22, 2026
    Affected product: Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor (Plugin · gutentor)
    Affected versions: up to 3.5.5
    Patch available: Yes, fixed in 3.5.6
    What to do: Update to version 3.5.6, or a newer patched version, and validate the site after the update.
  • Plugin | Severity: Medium | Patched: Yes | CVSS 6.4/10
    Social Rocket – Social Sharing Plugin <= 1.3.4.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via id

    The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Published: Apr 22, 2026
    Affected product: Social Rocket – Social Sharing Plugin (Plugin · social-rocket)
    Affected versions: up to 1.3.4.2
    Patch available: Yes, fixed in 1.3.5
    What to do: Update to version 1.3.5, or a newer patched version, and validate the site after the update.
  • Plugin | Severity: Medium | Patched: Yes | CVSS 6.4/10
    Gutentools <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Slider Block Attributes

    The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduces dangerous characters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Published: Apr 21, 2026
    Affected product: Gutentools (Plugin · gutentools)
    Affected versions: up to 1.1.3
    Patch available: Yes, fixed in 1.1.4
    What to do: Update to version 1.1.4, or a newer patched version, and validate the site after the update.
  • Plugin | Severity: Medium | Patched: Yes | CVSS 6.4/10
    Gallagher Website Design <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'prefix' Shortcode Attribute

    The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    Published: Apr 21, 2026
    Affected product: Gallagher Website Design (Plugin · gallagher-website-design)
    Affected versions: up to 2.6.4
    Patch available: Yes, fixed in 2.6.5
    What to do: Update to version 2.6.5, or a newer patched version, and validate the site after the update.
  • Plugin | Severity: Medium | Patched: Yes | CVSS 4.3/10
    Emailchef <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion

    The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action.

    Published: Apr 21, 2026
    Affected product: Emailchef (Plugin · emailchef)
    Affected versions: up to 3.5.1
    Patch available: Yes, fixed in 3.5.2
    What to do: Update to version 3.5.2, or a newer patched version, and validate the site after the update.
  • Plugin | Severity: Medium | Patched: No | CVSS 4.4/10
    Short Comment Filter <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Minimum Count' Setting

    The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.

    Published: Apr 21, 2026
    Affected product: Short Comment Filter (Plugin · short-comment-filter)
    Affected versions: up to 2.2
    Patch available: No. No fixed release is listed in the feed yet; watch for a vendor release before treating the issue as fixed, and reduce exposure until the vendor ships a safe release.
    What to do: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
  • Plugin | Severity: Medium | Patched: No | CVSS 4.4/10
    Private WP suite <= 0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Exceptions' Setting

    The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

    Published: Apr 21, 2026
    Affected product: Private WP suite (Plugin · private-wp-suite)
    Affected versions: up to 0.4.1
    Patch available: No. No fixed release is listed in the feed yet; watch for a vendor release before treating the issue as fixed, and reduce exposure until the vendor ships a safe release.
    What to do: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Coverage Hubs

Browse high-interest plugin and theme vulnerability hubs.

Use hub pages to review all indexed records for a single WordPress plugin or theme instead of scanning the global feed one advisory at a time.

35,586 indexed records · 14,448 tracked plugins · 1,572 tracked themes
Security Guides

Start with the WordPress security topics already showing search demand.

Browse practical guides for WordPress security audit, WooCommerce security, hardening, brute force protection, monitoring, and incident response.
