Wpexperts

Products by Wpexperts Sorted by Most Security Vulnerabilities since 2018

Wpexperts Post Smtp: 20 vulnerabilities

Wpexperts Post Smtp Mailer: 8 vulnerabilities

Wpexperts New User Approve: 2 vulnerabilities

Wpexperts Password Protected: 2 vulnerabilities

Wpexperts Wp Contact Slider: 2 vulnerabilities

Wpexperts Email Templates: 1 vulnerability

Wpexperts Wc Shop Sync: 1 vulnerability

Wpexperts Post Smpt: 1 vulnerability

Wpexperts Omgf: 1 vulnerability

Wpexperts Givewp Square: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Wpexperts. Last year, in 2025, Wpexperts had 7 security vulnerabilities published. Right now, Wpexperts is on track to have fewer security vulnerabilities in 2026 than it did last year.




Year | Vulnerabilities | Average Score
2026 | 0 | 0.00
2025 | 7 | 6.30
2024 | 17 | 6.32
2023 | 14 | 6.78
2022 | 5 | 5.18

It may take a day or so for new Wpexperts vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Wpexperts Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-24000 Aug 07, 2025
WPExperts Post SMTP Auth Bypass before v3.2.1
Authentication Bypass Using an Alternate Path or Channel vulnerability in WPExperts Post SMTP allows Authentication Bypass. This issue affects Post SMTP: from n/a through 3.2.0.
Post Smtp
CVE-2024-13844 Mar 08, 2025
WordPress Post SMTP <=3.1.2 SQLi via columns param (Admin)
The Post SMTP plugin for WordPress is vulnerable to generic SQL Injection via the columns parameter in all versions up to, and including, 3.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Post Smtp
CVE-2024-13713 Feb 21, 2025
SQL Injection in WPExperts Square For GiveWP (1.3.1) via 'post' param
The WPExperts Square For GiveWP plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Givewp Square
CVE-2025-0521 Feb 18, 2025
WP Post SMTP v3.0.2 XSS via from/subject param injection
The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Post Smtp
CVE-2025-24680 Jan 27, 2025
WP Multi Store Locator 2.4.7 Reflected XSS via Unescaped HTML
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in WpMultiStoreLocator WP Multi Store Locator allows Reflected XSS. This issue affects WP Multi Store Locator: from n/a through 2.4.7.
Wp Multi Store Locator
CVE-2025-22800 Jan 13, 2025
Post SMTP <=2.9.11 Missing Auth Exploit (MA)
Missing Authorization vulnerability in Post SMTP Post SMTP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post SMTP: from n/a through 2.9.11.
Post Smtp
CVE-2024-12475 Jan 04, 2025
WP Multi Store Locator <=2.4.1 Stored XSS via sanitization flaw
The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Wp Multi Store Locator
CVE-2024-52436 Nov 18, 2024
Post SMTP Blind SQL Injection Vulnerability before 3.0
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Post SMTP allows Blind SQL Injection. This issue affects Post SMTP: from n/a through 2.9.9.
Post Smtp
CVE-2024-4753 Jul 12, 2024
WP Secure Maintenance <1.7 XSS via unsanitised settings
The WP Secure Maintenance WordPress plugin before 1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Wp Secure Maintenance
CVE-2024-1639 Jun 21, 2024
Unauthorized Data Access in WooCommerce License Manager v3.0.7
The License Manager for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the showLicenseKey() and showAllLicenseKeys() functions in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, with admin dashboard access (contributors by default due to WooCommerce) to view arbitrary decrypted license keys. The functions contain a referrer nonce check. However, these can be retrieved via the dashboard through the "license" JS variable.
License Manager Woocommerce
CVE-2023-52233 Jun 11, 2024
Missing Auth Vulnerability in Post SMTP Mailer/Email Log 2.8.6
Missing Authorization vulnerability in Post SMTP Post SMTP Mailer/Email Log. This issue affects Post SMTP Mailer/Email Log: from n/a through 2.8.6.
Post Smtp Mailer
Post Smtp
CVE-2024-5207 May 30, 2024
WordPress POST SMTP <=2.9.3 Auth TimeBased SQLi
The POST SMTP The #1 WordPress SMTP Plugin with Advanced Email Logging and Delivery Failure Notifications plugin for WordPress is vulnerable to time-based SQL Injection via the selected parameter in all versions up to, and including, 2.9.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with administrator access or higher to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Post Smtp
CVE-2024-31297 Apr 10, 2024
Missing Auth in WPExperts Wholesale For WooCommerce <=2.3.0
Missing Authorization vulnerability in WPExperts Wholesale For WooCommerce. This issue affects Wholesale For WooCommerce: from n/a through 2.3.0.
Wholesale For Woocommerce
CVE-2024-30469 Mar 29, 2024
Missing Auth in WPExperts Wholesale WooCommerce v2.3.0 (CVE-2024-30469)
Missing Authorization vulnerability in WPExperts Wholesale For WooCommerce. This issue affects Wholesale For WooCommerce: from n/a through 2.3.0.
Wholesale For Woocommerce
CVE-2024-29128 Mar 19, 2024
POST SMTP XSS Vulnerability (2.8.6)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Post SMTP POST SMTP allows Reflected XSS. This issue affects POST SMTP: from n/a through 2.8.6.
Post Smtp
CVE-2024-27959 Mar 17, 2024
WC Shop Sync XSS Vulnerability in Square & WooCommerce Integration v<4.2.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wpexpertsio WC Shop Sync Integrate Square and WooCommerce for Seamless Shop Management allows Reflected XSS. This issue affects WC Shop Sync Integrate Square and WooCommerce for Seamless Shop Management: from n/a through 4.2.9.
Wc Shop Sync
CVE-2024-0656 Feb 29, 2024
WP Plugin: Password Protected Ultimate XSS via Captcha Key in v2.6.6
The Password Protected Ultimate Plugin to Password Protect Your WordPress Content with Ease plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Captcha Site Key in all versions up to, and including, 2.6.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Password Protected
CVE-2023-3178 Jan 16, 2024
CSRF in POST SMTP Mailer WP Plugin <2.5.7: Delete Logs
The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability delete arbitrary logs via a CSRF attack.
Post Smtp
CVE-2023-6620 Jan 15, 2024
SQL Injection in POST SMTP Mailer WP Plugin <2.8.7 (admin)
The POST SMTP Mailer WordPress plugin before 2.8.7 does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admin.
Post Smtp Mailer
Post Smtp
CVE-2023-6875 Jan 11, 2024
Best Mail SMTP WP Plugin Before 2.8.7 REST Endpoint Type Juggling Grants Unauthorized Access
The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.
Post Smtp Mailer
Post Smtp
CVE-2023-6621 Jan 03, 2024
Reflected XSS in POST SMTP WP < 2.8.7 via unsanitised msg param
The POST SMTP WordPress plugin before 2.8.7 does not sanitise and escape the msg parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Post Smtp
CVE-2023-6600 Jan 03, 2024
WordPress OMGF Plugin <5.7.10: Unauthorized Settings Modification & Stored XSS
The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9. This makes it possible for unauthenticated attackers to update the plugin's settings which can be used to inject Cross-Site Scripting payloads and delete entire directories. Please note there were several attempted patches, and we consider 5.7.10 to be the most sufficiently patched.
Omgf
CVE-2023-6629 Jan 03, 2024
WordPress Best Mail SMTP <=2.8.6 XSS via msg param
The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the msg parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Post Smtp
CVE-2023-7027 Jan 03, 2024
Stored XSS in Post SMTP Mailer <=2.8.7 via Device Header
The POST SMTP Mailer Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the device header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Post Smtp
CVE-2023-50902 Dec 29, 2023
WPExpertsio New User Approve CSRF vulnerability before 2.5.2
Cross-Site Request Forgery (CSRF) vulnerability in WPExpertsio New User Approve. This issue affects New User Approve: from n/a through 2.5.1.
New User Approve
CVE-2023-49842 Dec 14, 2023
XSS Stored in Rocket Maintenance Mode (<=4.3) WP Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpexpertsio Rocket Maintenance Mode & Coming Soon Page allows Stored XSS. This issue affects Rocket Maintenance Mode & Coming Soon Page: from n/a through 4.3.
Rocket Maintenance Mode Coming Soon Page
CVE-2023-48742 Nov 30, 2023
SQLi CVE-2023-48742 in License Manager for WooCommerce <=2.2.10
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LicenseManager License Manager for WooCommerce license-manager-for-woocommerce allows SQL Injection. This issue affects License Manager for WooCommerce: from n/a through 2.2.10.
License Manager Woocommerce
CVE-2023-5958 Nov 27, 2023
POST SMTP Mailer WP Plugin XSS before 2.7.1
The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape email message content before displaying it in the backend, allowing an unauthenticated attacker to perform XSS attacks against highly privileged users.
Post Smtp Mailer
Post Smtp
CVE-2022-47181 Nov 07, 2023
CSRF in WPEXP Email Templates Customizer <=1.4.2
Cross-Site Request Forgery (CSRF) vulnerability in wpexpertsio Email Templates Customizer and Designer for WordPress and WooCommerce email-templates allows Cross Site Request Forgery. This issue affects Email Templates Customizer and Designer for WordPress and WooCommerce: from n/a through 1.4.2.
Email Templates Customizer Designer
CVE-2023-4798 Oct 16, 2023
WordPress User Avatar Plugin <1.2.2 Vulnerable to Stored XSS via Shortcode Attributes
The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks.
User Avatar Reloaded
CVE-2023-35038 Jul 17, 2023
CSRF in wpexperts.Io WP PDF Generator 1.2.2
Cross-Site Request Forgery (CSRF) vulnerability in wpexperts.Io WP PDF Generator plugin <= 1.2.2 versions.
Wp Pdf Generator
CVE-2023-3179 Jul 17, 2023
WordPress POST SMTP Mailer 2.5.6 CSRF in AJAX Resend Email (CVE-2023-3179)
The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability resend an email to an arbitrary address (for example a password reset email could be resent to an attacker controlled email, and allow them to take over an account).
Post Smtp Mailer
Post Smtp
CVE-2021-4422 Jul 12, 2023
WordPress POST SMTP Mailer <=2.0.20 CSRF via handleCsvExport()
The POST SMTP Mailer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.20. This is due to missing or incorrect nonce validation on the handleCsvExport() function. This makes it possible for unauthenticated attackers to trigger a CSV export via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Post Smtp Mailer
Post Smtp
CVE-2023-3082 Jul 12, 2023
Post SMTP <=2.5.7 Stored XSS via Email Content
The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email contents in versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Post Smtp Mailer
Post Smtp
CVE-2023-32580 Jun 23, 2023
Stored XSS Vulnerability in WPExperts Password Protected plugin 2.6.2 (Auth+)
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPExperts Password Protected plugin <= 2.6.2 versions.
Password Protected
CVE-2021-4342 Jun 07, 2023
Common Vulnerability in unspecified software (CVE-2021-4342)
** REJECT ** CVE split into individual CVE IDs for each software record.
Post Smtp Mailer
CVE-2019-25150 Jun 07, 2023
WordPress EmailTemplates 1.3 - HTML Injection Vulnerability
The Email Templates plugin for WordPress is vulnerable to HTML Injection in versions up to, and including, 1.3. This makes it possible for attackers to present phishing forms or conduct cross-site request forgery attacks against site administrators.
Email Templates
CVE-2023-0152 Jun 05, 2023
WP Multi Store Locator 2.4 Stored XSS via Shortcode Attributes
The WP Multi Store Locator WordPress plugin through 2.4 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Wp Multi Store Locator
CVE-2022-3237 Oct 31, 2022
WP Contact Slider <2.4.8 XSS via unsanitized settings for privileged users
The WP Contact Slider WordPress plugin before 2.4.8 does not sanitize and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Wp Contact Slider
CVE-2022-2352 Sep 26, 2022
Post SMTP WP Plugin <=2.1.6 Blind SSRF via unauthorized AJAX
The Post SMTP Mailer/Email Log WordPress plugin before 2.1.7 does not have proper authorisation in some AJAX actions, which could allow high privilege users such as admin to perform blind SSRF on multisite installations for example.
Post Smtp
CVE-2022-2351 Sep 16, 2022
High-priv XSS in Post SMTP Mailer WP Plugin < 2.1.4
The Post SMTP Mailer/Email Log WordPress plugin before 2.1.4 does not escape some of its settings before outputting them in the admins dashboard, allowing high privilege users to perform Cross-Site Scripting attacks against other users even when the unfiltered_html capability is disallowed.
Post Smpt
Post Smtp
CVE-2022-1301 Jul 04, 2022
The WP Contact Slider WordPress plugin before 2.4.7 does not sanitize and escape the Text to Display settings of sliders, which could allow high privileged users such as editor and above to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed.
Wp Contact Slider
CVE-2022-1625 Jun 27, 2022
The New User Approve WordPress plugin before 2.4 does not have CSRF check in place when updating its settings and adding invitation codes, which could allow attackers to add invitation codes (for bypassing the provided restrictions) and to change plugin settings by tricking admin users into visiting specially crafted websites.
New User Approve
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).