Wpdevart
Products by Wpdevart Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there has been 1 vulnerability in Wpdevart, with an average score of 6.4 out of ten. Last year, in 2025, Wpdevart had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Wpdevart in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.08.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 1 | 6.40 |
| 2025 | 4 | 6.48 |
| 2024 | 9 | 7.14 |
| 2023 | 17 | 6.08 |
| 2022 | 8 | 5.46 |
| 2021 | 4 | 7.35 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 1 | 0.00 |
It may take a day or so for new Wpdevart vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Wpdevart Security Vulnerabilities
| CVE | Date | Vulnerability |
|---|---|---|
| CVE-2025-14555 | Jan 10, 2026 | Countdown widget XSS via wpdevart_countdown shortcode up to v2.7.7: The Countdown Timer Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-67574 | Dec 09, 2025 | wpdevart Booking Calendar Missing Auth (3.2.30): Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30. |
| CVE-2025-62886 | Oct 27, 2025 | wpdevart Pricing Table Builder <=1.5.1 CSRF + Stored XSS: Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Pricing Table builder wpdevart-pricing-table allows Stored XSS. This issue affects Pricing Table builder: from n/a through <= 1.5.1. |
| CVE-2025-2537 | Jul 03, 2025 | WordPress XSS via ThickBox JavaScript v3.1 in various plugins: Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library (version 3.1) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2023-45631 | Jan 02, 2025 | wpdevart Responsive Image Gallery plugin 2.0.3: Missing Authorization (ACL): Missing Authorization vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. |
| CVE-2024-10856 | Dec 24, 2024 | SQL Injection Vulnerability in Booking Calendar WpDevArt Plugin: The Booking Calendar WpDevArt plugin is vulnerable to time-based, blind SQL injection via the `id` parameter in the wpdevart_booking_calendar shortcode in versions up to, and including, 3.2.19 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. The vulnerability requires the delete_prev_date theme option being enabled. This makes it possible for authenticated attackers, with contributor-level access or above, to append additional SQL queries into already existing query that can be used to extract sensitive information such as passwords from the database. |
| CVE-2023-24407 | Dec 09, 2024 | Missing Auth in WpDevArt Booking Cal v3.2.3: Missing Authorization vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3. |
| CVE-2024-7355 | Aug 07, 2024 | WP Org Chart Plugin <=1.5.0 Stored XSS via title_input & node_description: The Organization chart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the title_input and 'node_description' parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure charts can be extended to subscribers. |
| CVE-2024-37542 | Jul 06, 2024 | Missing Auth in WpDevArt Responsive Img Gallery 2.0.3: Missing Authorization vulnerability in WpDevArt Responsive Image Gallery, Gallery Album. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. |
| CVE-2024-35750 | Jun 08, 2024 | SQLi in wpdevart Responsive Image Gallery 2.0.3: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevart Responsive Image Gallery, Gallery Album. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. |
| CVE-2023-49741 | Jun 04, 2024 | Authentication Bypass via ACL Spoofing in wpdevart CS&M 3.7.3: Authentication Bypass by Spoofing vulnerability in wpdevart Coming soon and Maintenance mode allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Coming soon and Maintenance mode: from n/a through 3.7.3. |
| CVE-2023-24373 | Jun 03, 2024 | External Control of Immutable Web Params in WpDevArt Booking Calendar 3.2.3: External Control of Assumed-Immutable Web Parameter vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Manipulating Hidden Fields. This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3. |
| CVE-2024-30550 | Mar 31, 2024 | Responsive Img Gallery <=2.0.3 Reflected XSS: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Reflected XSS. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. |
| CVE-2024-31120 | Mar 31, 2024 | wpdevart Responsive Image Gallery XSS (Stored) <=2.0.3: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Stored XSS. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. |
| CVE-2023-47533 | Nov 14, 2023 | wpdevart Countdown/Countup XSS (auth admin+) <=1.8.2 insecure: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in wpdevart Countdown and CountUp, WooCommerce Sales Timer plugin <= 1.8.2 versions. |
| CVE-2022-47428 | Nov 06, 2023 | SQL Injection in WpDevArt Booking Calendar <3.2.7: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpDevArt Booking calendar, Appointment Booking System allows SQL Injection. This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.7. |
| CVE-2023-46075 | Oct 26, 2023 | Unauth. XSS in wpdevart Contact Form Builder <= 2.1.6: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wpdevart Contact Form Builder, Contact Widget plugin <= 2.1.6 versions. |
| CVE-2023-45630 | Oct 18, 2023 | wpdevart Gallery Unauth Stored XSS <=2.0.3: Unauth. Stored Cross-Site Scripting (XSS) vulnerability in wpdevart Gallery Image and Video Gallery with Thumbnails plugin <= 2.0.3 versions. |
| CVE-2023-45629 | Oct 16, 2023 | CSRF in wpdevart Gallery Img & Video Gallery <=2.0.3: Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Gallery Image and Video Gallery with Thumbnails plugin <= 2.0.3 versions. |
| CVE-2023-0900 | Jun 05, 2023 | Pricing Table Builder WP Plugin <=1.1.6 SQLi via unsanitized param: The Pricing Table Builder WordPress plugin through 1.1.6 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high-privilege users such as admins. |
| CVE-2023-24387 | Apr 06, 2023 | WPdevart Org Chart Plugin <=1.4.4 XSS for Auth Admin+: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPdevart Organization chart plugin <= 1.4.4 versions. |
| CVE-2023-24004 | Apr 06, 2023 | WPdevart Image & Video Lightbox <=2.1.5 Stored XSS (Auth admin+): Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPdevart Image and Video Lightbox, Image PopUp plugin <= 2.1.5 versions. |
| CVE-2023-24002 | Apr 06, 2023 | WPdevart YouTube Embed <=2.6.3 Stored XSS (Admin+ Auth): Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPdevart YouTube Embed, Playlist and Popup by WpDevArt plugin <= 2.6.3 versions. |
| CVE-2023-23972 | Apr 06, 2023 | Admin+ XSS in Smplug-in <=0.8.39: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Smplug-in Social Like Box and Page by WpDevArt plugin <= 0.8.39 versions. |
| CVE-2023-23870 | Apr 04, 2023 | Stored XSS in wpdevart Responsive Vertical Icon Menu <= 1.5.8: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in wpdevart Responsive Vertical Icon Menu plugin <= 1.5.8 versions. |
| CVE-2022-47603 | Mar 29, 2023 | Unauth Reflected XSS in wpdevart Gallery <=2.0.1: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wpdevart Gallery Image and Video Gallery with Thumbnails plugin <= 2.0.1 versions. |
| CVE-2022-47438 | Mar 29, 2023 | WpDevArt Booking Calendar <=3.2.3 XSS via editor+ in WordPress plugin: Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions. |
| CVE-2023-23983 | Feb 28, 2023 | CSRF in wpdevart Icon Menu <=1.5.8 Enables Theme Deletion: Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Responsive Vertical Icon Menu plugin <= 1.5.8 can lead to theme deletion. |
| CVE-2023-24384 | Feb 23, 2023 | WordPress WpDevArt Org Chart <=1.4.4 CSRF Vulnerability: Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Organization chart <= 1.4.4 versions. |
| CVE-2023-24388 | Feb 17, 2023 | CSRF in WpDevArt Booking Calendar Plugin <=3.2.3: Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin <= 3.2.3 versions affects plugin forms actions (create, duplicate, edit, delete). |
| CVE-2023-0177 | Feb 13, 2023 | Stored XSS in WpDevArt Social Like Box <0.8.41: The Social Like Box and Page by WpDevArt WordPress plugin before 0.8.41 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. |
| CVE-2022-3982 | Dec 12, 2022 | Booking Calendar <=3.2.2 Unauthenticated File Upload RCE: The Booking calendar, Appointment Booking System WordPress plugin before 3.2.2 does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP, and achieve RCE. |
| CVE-2022-34656 | Sep 06, 2022 | Auth(+) XSS in wpdevart Poll plugin <=1.7.4 (WordPress): Authenticated (admin+) Cross-Site Scripting (XSS) vulnerability in wpdevart Poll, Survey, Questionnaire and Voting system plugin <= 1.7.4 at WordPress. |
| CVE-2022-1946 | Jul 04, 2022 | The Gallery WordPress plugin before 2.0.0 does not sanitise and escape a parameter before outputting it back in the response of an AJAX action (available to both unauthenticated and authenticated users), leading to a Reflected Cross-Site Scripting issue. |
| CVE-2022-0876 | Apr 25, 2022 | The Social comments by WpDevArt WordPress plugin before 2.5.0 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2022-0640 | Mar 21, 2022 | The Pricing Table Builder WordPress plugin before 1.1.5 does not sanitize and escape the postid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting. |
| CVE-2021-25075 | Feb 21, 2022 | The Duplicate Page or Post WordPress plugin before 1.5.1 does not have any authorisation and has a flawed CSRF check in the wpdevart_duplicate_post_parametrs_save_in_db AJAX action, allowing any authenticated users, such as subscriber, to call it and change the plugin's settings, or perform such attack via CSRF. Furthermore, due to the lack of escaping, this could lead to Stored Cross-Site Scripting issues. |
| CVE-2022-0164 | Feb 21, 2022 | The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber, to send arbitrary emails to all subscribed users. |
| CVE-2022-0199 | Feb 21, 2022 | The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have a CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make a logged in admin send arbitrary emails to all subscribed users via a CSRF attack. |
| CVE-2021-24577 | Oct 11, 2021 | The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not properly sanitize inputs submitted by authenticated users when setting, adding or modifying coming soon or maintenance mode pages, leading to stored XSS. |
| CVE-2021-34636 | Sep 28, 2021 | The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7. |
| CVE-2021-24464 | Aug 02, 2021 | The YouTube Embed, Playlist and Popup by WpDevArt WordPress plugin before 2.3.9 did not escape, validate or sanitise some of its shortcode options, available to users with a role as low as Contributor, leading to an authenticated Stored Cross-Site Scripting issue. |
| CVE-2021-24442 | Jul 12, 2021 | The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the date_answers[] POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks. |
| CVE-2018-10363 | Jun 13, 2018 | An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Multiple parameters allow remote attackers to manipulate the values to change data such as prices. |