💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program.

Through January 6th, 2025, our program has an expanded scope for all researchers with a new lower active install count threshold, automatic bonuses for in-scope submissions, an extra bonus for those focusing on high-risk vulnerabilities, a minimum bounty for all submissions, increased pending report limits, and our rewards remain as high as $31,200.

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our Directory Traversal firewall rule

1,797,650

Attacks Blocked in Past 24 Hours

Showing 41-60 of 315 Vulnerabilities

Responsive Owl Carousel for Elementor <= 1.2.0 - Local File Inclusion

8.8

CVE-2024-5345

May 30, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Elementor Addon Elements <= 1.12.12 - Directory Traversal to Local File Inclusion

8.8

CVE-2024-1358

Feb 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Elementor <= 3.19.0 - Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization

8.8

CVE-2024-24934

Feb 7, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

JVM rich text icons <= 1.2.6 - Directory Traversal to Authenticated(Subscriber+) Arbitrary File Deletion

8.8

CVE-2023-51418

Dec 27, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Mmm Simple File List <= 2.3 - Authenticated (Subscriber+) Directory Traversal

8.8

CVE-2023-4297

Nov 6, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Download Manager <= 3.2.50 - Authenticated (Contributor+) Arbitrary File Deletion

8.8

CVE-2022-2431

Jul 27, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Newsletters <= 4.6.18 - Directory Traversal

8.8

CVE-2019-14788

Jul 1, 2019

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal

8.7

CVE-2023-5504

Nov 22, 2023

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Migration, Backup, Staging – WPvivid <= 0.9.89 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal

8.7

CVE-2023-4274

Sep 22, 2023

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

WP-DBManager <= 2.79.1 - Directory Traversal Allowing Arbitrary File Deletion

8.7

CVE ID Unknown

Oct 22, 2018

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

Media File Organizer <= 1.0.1 - Directory Traversal

8.6

CVE-2020-24144

Apr 13, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Simple File List <= 3.2.4 - Arbitrary File Deletion

8.6

CVE ID Unknown

May 23, 2019

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Zip Attachments <= 1.5 - Directory Traversal

8.6

CVE-2015-4694

Jun 12, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

BuddyPress <= 14.1.0 - Authenticated (Subscriber+) Directory Traversal

8.1

CVE-2024-10011

Oct 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.7.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion

8.1

CVE-2024-7856

Aug 28, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

JupiterX Theme <= 3.0.0 - Authenticated Local File Inclusion via print_pane

8.1

CVE-2023-32110

May 3, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Simple:Press <= 6.8 - Authenticated (Subscriber+) Path Traversal to Arbitrary File Deletion

8.1

CVE-2022-4030

Nov 29, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CM Download Manager < 2.8.0 - Directory Traversal to Arbitrary File Deletion and Denial of Service

8.1

CVE-2020-24146

Apr 13, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Best WordPress Gallery Plugin – FooGallery <= 2.4.16 - Authenticated (Contributor+) Directory Traversal

7.7

CVE-2023-6947

Dec 9, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

ARForms <= 6.4.1 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read

7.7

CVE-2024-54216

Dec 2, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Title	CVE ID	CVSS	Vector	Date
Responsive Owl Carousel for Elementor <= 1.2.0 - Local File Inclusion	CVE-2024-5345	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	May 30, 2024
Elementor Addon Elements <= 1.12.12 - Directory Traversal to Local File Inclusion	CVE-2024-1358	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 21, 2024
Elementor <= 3.19.0 - Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization	CVE-2024-24934	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 7, 2024
JVM rich text icons <= 1.2.6 - Directory Traversal to Authenticated(Subscriber+) Arbitrary File Deletion	CVE-2023-51418	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	December 27, 2023
Mmm Simple File List <= 2.3 - Authenticated (Subscriber+) Directory Traversal	CVE-2023-4297	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 6, 2023
Download Manager <= 3.2.50 - Authenticated (Contributor+) Arbitrary File Deletion	CVE-2022-2431	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	July 27, 2022
Newsletters <= 4.6.18 - Directory Traversal	CVE-2019-14788	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	July 1, 2019
BackWPup <= 4.0.1 - Authenticated (Administrator+) Directory Traversal	CVE-2023-5504	8.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H	November 22, 2023
Migration, Backup, Staging – WPvivid <= 0.9.89 - Authenticated (Administrator+) Arbitrary Directory Deletion via Path Traversal	CVE-2023-4274	8.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H	September 22, 2023
WP-DBManager <= 2.79.1 - Directory Traversal Allowing Arbitrary File Deletion		8.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H	October 22, 2018
Media File Organizer <= 1.0.1 - Directory Traversal	CVE-2020-24144	8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N	April 13, 2021
Simple File List <= 3.2.4 - Arbitrary File Deletion		8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N	May 23, 2019
Zip Attachments <= 1.5 - Directory Traversal	CVE-2015-4694	8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N	June 12, 2015
BuddyPress <= 14.1.0 - Authenticated (Subscriber+) Directory Traversal	CVE-2024-10011	8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	October 24, 2024
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar <= 5.7.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Deletion	CVE-2024-7856	8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H	August 28, 2024
JupiterX Theme <= 3.0.0 - Authenticated Local File Inclusion via print_pane	CVE-2023-32110	8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N	May 3, 2023
Simple:Press <= 6.8 - Authenticated (Subscriber+) Path Traversal to Arbitrary File Deletion	CVE-2022-4030	8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H	November 29, 2022
CM Download Manager < 2.8.0 - Directory Traversal to Arbitrary File Deletion and Denial of Service	CVE-2020-24146	8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H	April 13, 2021
Best WordPress Gallery Plugin – FooGallery <= 2.4.16 - Authenticated (Contributor+) Directory Traversal	CVE-2023-6947	7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	December 9, 2024
ARForms <= 6.4.1 - Directory Traversal to Authenticated (Subscriber+) Arbitrary File Read	CVE-2024-54216	7.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	December 2, 2024

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation