| CVE-2026-3090 | Post SMTP <= 3.8.0 - Unauthenticated Stored Cross-Site Scripting via 'event_type' — Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppCWE-79 | 7.2 | High | 2026-03-18 |
| CVE-2026-2559 | Post SMTP <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite — Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppCWE-862 | 5.3 | Medium | 2026-03-18 |
| CVE-2026-1674 | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder <= 1.6.0 - Authenticated (Contributor+) Limited Options Update in save_gutena_forms_schema() — Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form BuilderCWE-862 | 6.5 | Medium | 2026-03-04 |
| CVE-2026-0550 | myCred <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode — Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCredCWE-79 | 6.4 | Medium | 2026-02-14 |
| CVE-2026-0832 | New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure — New User ApproveCWE-862 | 7.3 | High | 2026-01-28 |
| CVE-2025-12718 | Quick Contact Form <= 8.2.6 - Unauthenticated Open Mail Relay — Quick Contact FormCWE-20 | 5.8 | Medium | 2026-01-17 |
| CVE-2025-12361 | myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7.1 - Missing Authorization to Sensitive Information Exposure — Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCredCWE-862 | 4.3 | Medium | 2025-12-19 |
| CVE-2025-12362 | myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7 - Missing Authorization to Unauthenticated Withdrawal Request Approval — Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCredCWE-862 | 5.3 | Medium | 2025-12-13 |
| CVE-2025-12887 | Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.1 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update — Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppCWE-862 | 5.4 | Medium | 2025-12-03 |
| CVE-2025-12770 | New User Approve <= 3.0.9 - Unauthenticated Sensitive Information Disclosure via Type Juggling — New User ApproveCWE-200 | 5.3 | Medium | 2025-11-19 |
| CVE-2025-11833 | Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.0 - Missing Authorization to Account Takeover via Unauthenticated Email Log Disclosure — Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppCWE-862 | 9.8 | Critical | 2025-11-01 |
| CVE-2025-11244 | Password Protected <= 2.7.11 - Unauthenticated Authorization Bypass via IP Address Spoofing — Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial ContentCWE-285 | 3.7 | Low | 2025-10-25 |
| CVE-2025-9219 | Post SMTP <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Option Update — Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppCWE-862 | 4.3 | Medium | 2025-09-03 |
| CVE-2025-3453 | Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products <= 2.7.7 - Unauthenticated Sensitive Information Exposure — Password Protected — Lock Entire Site, Pages, Posts, Categories, and Partial ContentCWE-863 | 5.3 | Medium | 2025-04-17 |
| CVE-2024-13844 | Post SMTP <= 3.1.2 - Authenticated (Administrator+) SQL Injection via columns Parameter — Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppCWE-89 | 4.9 | Medium | 2025-03-08 |
| CVE-2024-13805 | Advanced File Manager <= 5.2.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload — Advanced File Manager – Ultimate File Manager for WordPress And Document Library SolutionCWE-79 | 6.4 | Medium | 2025-03-07 |
| CVE-2024-13713 | WPExperts Square For GiveWP <= 1.3.1 - Authenticated (Subscriber+) SQL Injection — WPExperts Square For GiveWPCWE-89 | 6.5 | Medium | 2025-02-21 |
| CVE-2025-0521 | Post SMTP <= 3.0.2 - Unauthenticated Stored Cross-Site Scripting — Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppCWE-79 | 7.2 | High | 2025-02-18 |
| CVE-2024-13333 | Advanced File Manager 5.2.12 - 5.2.13 - Authenticated (Subscriber+) Arbitrary File Upload — Advanced File Manager — Ultimate WordPress File Manager and Document Library PluginCWE-434 | 7.5 | High | 2025-01-17 |
| CVE-2024-11201 | myCred – Loyalty Points and Rewards plugin <= 2.7.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_send Shortcode — Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCredCWE-79 | 6.4 | Medium | 2024-12-06 |
| CVE-2024-11391 | Advanced File Manager <= 5.2.10 - Authenticated (Subscriber+) Arbitrary File Upload — Advanced File Manager – Ultimate File Manager for WordPress And Document Library SolutionCWE-434 | 7.5 | High | 2024-12-03 |
| CVE-2024-10187 | myCred <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_link Shortcode — Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCredCWE-79 | 6.4 | Medium | 2024-11-08 |
| CVE-2024-8126 | Advanced File Manager <= 5.2.8 - Authenticated (Subscriber+) Arbitrary File Upload — Advanced File Manager – Ultimate File Manager for WordPress And Document Library SolutionCWE-434 | 7.5 | High | 2024-09-26 |
| CVE-2024-8725 | Advanced File Manager <= 5.2.8 - Authenticated (Subscriber+) Limited File Upload — Advanced File Manager – Ultimate File Manager for WordPress And Document Library SolutionCWE-434 | 6.8 | Medium | 2024-09-26 |
| CVE-2024-8704 | Advanced File Manager <= 5.2.8 - Authenticated (Administrator+) Local JavaScript File Inclusion via fma_locale — Advanced File Manager – Ultimate File Manager for WordPress And Document Library SolutionCWE-22 | 7.2 | High | 2024-09-26 |
| CVE-2024-8658 | myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification <= 2.7.3 - Missing Authorization to Unauthenticated Database Upgrade — Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCredCWE-862 | 5.3 | Medium | 2024-09-25 |
| CVE-2024-5861 | WP Easy Pay (Free) <= 4.2.3 - Missing Authorization to Unauthenticated Service Disconnection — WP Easy Pay – Payment and Donation form Builder for SquareCWE-862 | 5.3 | Medium | 2024-07-24 |
| CVE-2024-5598 | Advanced File Manager <= 5.2.4 - Sensitive Information Exposure via Directory Listing — Advanced File Manager – Ultimate File Manager for WordPress And Document Library SolutionCWE-922 | 7.5 | High | 2024-06-29 |
| CVE-2024-1639 | License Manager for WooCommerce <= 3.0.6 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure — License Manager for WooCommerceCWE-862 | 6.5 | Medium | 2024-06-21 |
| CVE-2024-5207 | POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.9.3 - Authenticated (Administrator+) SQL Injection — Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile AppCWE-89 | 7.2 | High | 2024-05-30 |