🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our Stored Cross-Site Scripting via Shortcode firewall rule

1,499

Attacks Blocked in Past 24 Hours

Showing 261-280 of 493 Vulnerabilities

Simple Posts Ticker <= 1.1.5 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode

6.4

CVE-2023-4646

Sep 25, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Mailto Links – Protect Email Addresses <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-5109

Sep 22, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Simple Cloudflare Turnstile <= 1.23.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-5135

Sep 22, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Copy Anything to Clipboard <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-5086

Sep 22, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Memberlite Shortcodes <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-5237

Sep 21, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Media Library Assistant <= 3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4716

Sep 21, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Magee Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-4783

Sep 21, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP-Matomo Integration (WP-Piwik) <= 1.0.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4774

Sep 21, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Leaflet Map <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-5050

Sep 20, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Anchor Episodes Index (Spotify for Podcasters) <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-44145

Sep 20, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Charts <= 0.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-5062

Sep 19, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Widget Responsive for Youtube <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-5063

Sep 19, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Poptin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4961

Sep 18, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WS Facebook Like Box Widget <= 5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4963

Sep 14, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Booster for WooCommerce <= 7.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4945

Sep 13, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Feeds for YouTube <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4841

Sep 13, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Awesome Weather Widget <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4944

Sep 13, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

JQuery Accordion Menu Widget <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4890

Sep 11, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

MapPress Maps for WordPress <= 2.88.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4840

Sep 11, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Google Maps Plugin by Intergeo <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-4887

Sep 11, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
Simple Posts Ticker <= 1.1.5 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode	CVE-2023-4646	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 25, 2023
WP Mailto Links – Protect Email Addresses <= 3.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-5109	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 22, 2023
Simple Cloudflare Turnstile <= 1.23.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-5135	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 22, 2023
Copy Anything to Clipboard <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-5086	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 22, 2023
Memberlite Shortcodes <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-5237	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 21, 2023
Media Library Assistant <= 3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4716	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 21, 2023
Magee Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-4783	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 21, 2023
WP-Matomo Integration (WP-Piwik) <= 1.0.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4774	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 21, 2023
Leaflet Map <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-5050	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 20, 2023
Anchor Episodes Index (Spotify for Podcasters) <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-44145	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 20, 2023
WordPress Charts <= 0.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-5062	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 19, 2023
Widget Responsive for Youtube <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-5063	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 19, 2023
Poptin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4961	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 18, 2023
WS Facebook Like Box Widget <= 5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4963	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 14, 2023
Booster for WooCommerce <= 7.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4945	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 13, 2023
Feeds for YouTube <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4841	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 13, 2023
Awesome Weather Widget <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4944	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 13, 2023
JQuery Accordion Menu Widget <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4890	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 11, 2023
MapPress Maps for WordPress <= 2.88.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4840	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 11, 2023
Google Maps Plugin by Intergeo <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4887	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 11, 2023

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation