WP Extended – The Ultimate WordPress Toolkit WordPress Plugin Security Vulnerabilities | WPScan

17

April 24, 2026

600

Published

2026-03-21

Title

The Ultimate WordPress Toolkit – WP Extended < 3.2.5 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module

Fixed in

Fixed in 3.2.5

CVSS

8.8 (high)

Published

2025-05-27

Title

WP Extended < 3.0.16 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Fixed in

Fixed in 3.0.16

CVSS

6.4 (medium)

Published

2025-03-27

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.15 - Reflected Cross-Site Scripting

Fixed in

Fixed in 3.0.15

CVSS

6.1 (medium)

Published

2025-02-11

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.14 - Missing Authorization to Unauthenticated Post Order Manipulation

Fixed in

Fixed in 3.0.14

CVSS

5.3 (medium)

Published

2025-01-17

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.13 - Unauthenticated SQL Injection via Login Attempts Module

Fixed in

Fixed in 3.0.13

CVSS

7.5 (high)

Published

2025-01-07

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.12 - Missing Authorization to Authenticated (Subscriber+) Remote Code Execution

Fixed in

Fixed in 3.0.12

CVSS

8.8 (high)

Published

2025-01-07

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.12 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

Fixed in

Fixed in 3.0.12

CVSS

7.4 (high)

Published

2024-10-16

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.10 - Reflected Cross-Site Scripting

Fixed in

Fixed in 3.0.10

CVSS

6.1 (medium)

Published

2024-09-30

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Reflected Cross-Site Scripting

Fixed in

Fixed in 3.0.9

CVSS

6.1 (medium)

Published

2024-09-03

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Authenticated (Subscriber+) Sensitive Information Exposure

Fixed in

Fixed in 3.0.9

CVSS

6.5 (medium)

Published

2024-09-03

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Insecure Direct Object Reference

Fixed in

Fixed in 3.0.9

CVSS

5.4 (medium)

Published

2024-09-03

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Reflected Cross-Site Scripting via selected_option

Fixed in

Fixed in 3.0.9

CVSS

6.1 (medium)

Published

2024-09-03

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Reflected Cross-Site Scripting via page

Fixed in

Fixed in 3.0.9

CVSS

6.1 (medium)

Published

2024-09-03

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Authenticated (Subscriber+) Arbitrary Options Update

Fixed in

Fixed in 3.0.9

CVSS

8.8 (high)

Published

2024-09-03

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Missing Authorization to Admin Username Change

Fixed in

Fixed in 3.0.9

CVSS

5.4 (medium)

Published

2024-09-03

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.9 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Download

Fixed in

Fixed in 3.0.9

CVSS

8.8 (high)

Published

2024-06-27

Title

The Ultimate WordPress Toolkit – WP Extended < 3.0.0 - Unauthenticated Stored Cross-Site Scripting

Fixed in

Fixed in 3.0.0

CVSS

6.1 (medium)