Plugin Planet



Products by Plugin Planet, sorted by most security vulnerabilities since 2018

Prismatic: 2 vulnerabilities
Theme Switcha: 2 vulnerabilities

By the Year

In 2026 there have been 0 vulnerabilities in Plugin Planet. Last year, in 2025, Plugin Planet had 2 security vulnerabilities published. Right now, Plugin Planet is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year   Vulnerabilities   Average Score
2026   0                 0.00
2025   2                 5.40
2024   4                 5.75
2023   8                 6.35
2022   5                 6.62
2021   2                 5.75

It may take a day or so for new Plugin Planet vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Plugin Planet Security Vulnerabilities

Each entry gives the CVE, its publication date and the affected product, followed by the vulnerability summary.

CVE-2025-46239 (Apr 22, 2025) - Theme Switcha
Stored XSS in Theme Switcha <=3.4 (Jeff Starr). Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Theme Switcha allows Stored XSS. This issue affects Theme Switcha: from n/a through 3.4.

CVE-2025-46240 (Apr 22, 2025) - Simple Download Counter
Stored XSS in Jeff Starr Simple Download Counter <2.3. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Download Counter allows Stored XSS. This issue affects Simple Download Counter: from n/a through 2.2.

CVE-2024-5002 (Jul 13, 2024) - User Submitted Posts
User Submitted Posts WP Plugin: Stored XSS via unsanitised settings. The User Submitted Posts WordPress plugin before 20240516 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-0979 (Jun 13, 2024) - Dashboard Widgets Suite
Dashboard Widgets Suite WP XSS via 'tab' param, up to 3.4.3. The Dashboard Widgets Suite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 3.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-2470 (Jun 04, 2024) - Simple Ajax Chat
WordPress Simple Ajax Chat Plugin Stored XSS via Unsanitized Settings. The Simple Ajax Chat WordPress plugin before 20240412 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-1983 (Mar 20, 2024) - Simple Ajax Chat
WP Simple Ajax Chat Reflected XSS via Unsanitized Name Input. The Simple Ajax Chat WordPress plugin before 20240223 does not prevent visitors from using malicious Names when using the chat, which will be reflected unsanitized to other users.

CVE-2023-45603 (Dec 20, 2023) - User Submitted Posts
WordPress: Unrestricted Upload in UserSubmittedPosts plugin. Unrestricted Upload of File with Dangerous Type vulnerability in Jeff Starr User Submitted Posts (Enable Users to Submit Posts from the Front End). This issue affects User Submitted Posts: from n/a through 20230902.

CVE-2023-49743 (Dec 14, 2023) - Dashboard Widget Suite
Dashboard Widgets Suite Stored XSS, vulnerable before 3.4.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Dashboard Widgets Suite allows Stored XSS. This issue affects Dashboard Widgets Suite: from n/a through 3.4.1.

CVE-2023-5614 (Oct 20, 2023) - Theme Switcha
WP Theme Switcha 3.3 Stored XSS via theme_switcha_list Shortcode. The Theme Switcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'theme_switcha_list' shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4838 (Sep 09, 2023) - Simple Download Counter
WordPress Simple Download Counter 1.6 XSS via shortcode attrs. The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes like 'before' and 'after'. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4779 (Sep 06, 2023) - User Submitted Posts
WordPress UserSubmittedPosts XSS via usp_gallery (Authenticated Contributor). The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [usp_gallery] shortcode in versions up to, and including, 20230811 due to insufficient input sanitization and output escaping on user supplied attributes like 'before'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-4308 (Aug 15, 2023) - User Submitted Posts
WordPress User Submitted Posts Plugin Stored XSS via user-submitted-content. The User Submitted Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user-submitted-content parameter in versions up to, and including, 20230809 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2019-25138 (Jun 07, 2023) - User Submitted Posts
WordPress USP Plugin: Arbitrary File Upload via usp_check_images. The User Submitted Posts plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the usp_check_images function in versions up to, and including, 20190312. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

CVE-2023-26517 (May 06, 2023) - Dashboard Widget Suite
Jeff Starr Dashboard Widgets Suite <=3.2.1 Auth+ Stored XSS. Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Jeff Starr Dashboard Widgets Suite plugin <= 3.2.1 versions.

CVE-2022-27850 (Apr 15, 2022) - Simple Ajax Chat
Cross-Site Request Forgery (CSRF) in Simple Ajax Chat (WordPress plugin) <= 20220115 allows an attacker to clear the chat log or delete a chat message.

CVE-2022-27849 (Apr 15, 2022) - Simple Ajax Chat
Sensitive Information Disclosure (sac-export.csv) in Simple Ajax Chat (WordPress plugin) <= 20220115.

CVE-2022-1165 (Apr 04, 2022) - Blackhole For Bad Bots
The Blackhole for Bad Bots WordPress plugin before 3.3.2 uses headers such as CF-CONNECTING-IP, CLIENT-IP etc. to determine the IP address of requests hitting the blackhole URL, which allows them to be spoofed. This could result in blocking arbitrary IP addresses, such as legitimate/good search engine crawlers/bots. This could also be abused by competitors to cause damage related to visibility in search engines, can be used to bypass arbitrary blocks caused by this plugin, block any visitor or even the administrator, and even more.

CVE-2022-25610 (Mar 25, 2022) - Simple Ajax Chat
Unauthenticated Stored Cross-Site Scripting (XSS) in Simple Ajax Chat <= 20220115 allows an attacker to store the malicious code. However, the attack requires specific conditions, making it hard to exploit.

CVE-2022-25601 (Mar 11, 2022) - Contact Form X
Reflected Cross-Site Scripting (XSS) vulnerability affecting parameter &tab discovered in Contact Form X WordPress plugin (versions <= 2.4).

CVE-2021-24409 (Jul 12, 2021) - Prismatic
The Prismatic WordPress plugin before 2.8 does not escape the 'tab' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator.

CVE-2021-24408 (Jul 12, 2021) - Prismatic
The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site Scripting payloads in them. A post made by a contributor would still have to be approved by an admin for the XSS to be triggerable in the frontend; however, higher privilege users such as editors could exploit this without the need for approval, and even when the blog disallows the unfiltered_html capability.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).