💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program.

Through January 6th, 2025, our program has an expanded scope for all researchers with a new lower active install count threshold, automatic bonuses for in-scope submissions, an extra bonus for those focusing on high-risk vulnerabilities, a minimum bounty for all submissions, increased pending report limits, and our rewards remain as high as $31,200.

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our Directory Traversal firewall rule

1,775,202

Attacks Blocked in Past 24 Hours

Showing 61-80 of 315 Vulnerabilities

WP Hide & Security Enhancer <= 2.5.1 - Missing Authorization to Unauthenticated Arbitrary File Contents Deletion

7.5

CVE-2024-11585

Dec 5, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

PDF Generator Addon for Elementor Page Builder <= 2.0.0 - Unauthenticated Arbitrary File Download

7.5

CVE-2024-9935

Nov 15, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

LUNA RADIO PLAYER <= 6.24.01.24 - Unauthenticated Arbitrary File Read

7.5

CVE-2024-10816

Nov 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Social Web Suite – Social Media Auto Post, Social Media Auto Publish <= 4.1.11 - Directory Traversal to Arbitrary File Download

7.5

CVE-2024-8352

Oct 2, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Strategery Migrations <= 1.0 - Unauthenticated Arbitrary File Deletion

7.5

CVE-2024-35745

Jun 6, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Wholesale Market <= 2.2.0 - Information Disclosure via Unauthenticated Arbitrary File Download

7.5

CVE-2022-4298

Dec 12, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Welcart e-Commerce 2.6.10-2.8.4 - Information Disclosure via Arbitrary File Read

7.5

CVE-2022-4140

Nov 30, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Welcart e-Commerce 2.6.0-2.7.7 - Information Disclosure via Arbitrary File Read

7.5

CVE-2022-41840

Sep 2, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

All-in-One Video Gallery 2.5.8 - 2.6.0 - Arbitrary File Download & Server-Side Request Forgery

7.5

CVE-2022-2633

Aug 17, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Team - WordPress Team Member Showcase Plugin <= 4.1.1 - Directory Traversal to Arbitrary File Read/Deletion

7.5

CVE-2022-2557

Jul 29, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

MultiSafepay plugin for WooCommerce <= 4.15.0 - Arbitrary File Read

7.5

CVE-2022-33901

Jul 18, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

WSM Downloader <= 1.4.0 - Arbitrary File Download

7.5

CVE-2022-2357

Jul 12, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Moment.js <= 2.29.1 - Directory Traversal

7.5

CVE ID Unknown

Apr 5, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Narnoo Distributor <= 2.5.1 - Path Traversal

7.5

CVE-2022-0679

Mar 1, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

True Ranker <= 2.2.2 - Directory Traversal/Arbitrary File Read

7.5

CVE-2021-39312

Dec 13, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

ZoomSounds - WordPress Wave Audio Player with Playlist <= 6.45 - Directory Traversal

7.5

CVE-2021-39316

Aug 30, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Video Downloader for TikTok < 1.4 - Directory Traversal

7.5

CVE-2020-24143

Apr 13, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Product Input Fields for WooCommerce <= 1.2.6 - Missing Authorization

7.5

CVE-2020-36696

Aug 3, 2020

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Duplicator < 1.3.28 - Directory Traversal

7.5

CVE-2020-11738

Feb 28, 2020

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

ARforms <= 3.7.1 - Unauthenticated Arbitrary File Deletion

7.5

CVE-2019-16902

Oct 11, 2019

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Title	CVE ID	CVSS	Vector	Date
WP Hide & Security Enhancer <= 2.5.1 - Missing Authorization to Unauthenticated Arbitrary File Contents Deletion	CVE-2024-11585	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	December 5, 2024
PDF Generator Addon for Elementor Page Builder <= 2.0.0 - Unauthenticated Arbitrary File Download	CVE-2024-9935	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	November 15, 2024
LUNA RADIO PLAYER <= 6.24.01.24 - Unauthenticated Arbitrary File Read	CVE-2024-10816	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	November 12, 2024
Social Web Suite – Social Media Auto Post, Social Media Auto Publish <= 4.1.11 - Directory Traversal to Arbitrary File Download	CVE-2024-8352	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	October 2, 2024
Strategery Migrations <= 1.0 - Unauthenticated Arbitrary File Deletion	CVE-2024-35745	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	June 6, 2024
Wholesale Market <= 2.2.0 - Information Disclosure via Unauthenticated Arbitrary File Download	CVE-2022-4298	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	December 12, 2022
Welcart e-Commerce 2.6.10-2.8.4 - Information Disclosure via Arbitrary File Read	CVE-2022-4140	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	November 30, 2022
Welcart e-Commerce 2.6.0-2.7.7 - Information Disclosure via Arbitrary File Read	CVE-2022-41840	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	September 2, 2022
All-in-One Video Gallery 2.5.8 - 2.6.0 - Arbitrary File Download & Server-Side Request Forgery	CVE-2022-2633	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	August 17, 2022
Team - WordPress Team Member Showcase Plugin <= 4.1.1 - Directory Traversal to Arbitrary File Read/Deletion	CVE-2022-2557	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	July 29, 2022
MultiSafepay plugin for WooCommerce <= 4.15.0 - Arbitrary File Read	CVE-2022-33901	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	July 18, 2022
WSM Downloader <= 1.4.0 - Arbitrary File Download	CVE-2022-2357	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	July 12, 2022
Moment.js <= 2.29.1 - Directory Traversal		7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	April 5, 2022
Narnoo Distributor <= 2.5.1 - Path Traversal	CVE-2022-0679	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	March 1, 2022
True Ranker <= 2.2.2 - Directory Traversal/Arbitrary File Read	CVE-2021-39312	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	December 13, 2021
ZoomSounds - WordPress Wave Audio Player with Playlist <= 6.45 - Directory Traversal	CVE-2021-39316	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	August 30, 2021
Video Downloader for TikTok < 1.4 - Directory Traversal	CVE-2020-24143	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	April 13, 2021
Product Input Fields for WooCommerce <= 1.2.6 - Missing Authorization	CVE-2020-36696	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	August 3, 2020
Duplicator < 1.3.28 - Directory Traversal	CVE-2020-11738	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	February 28, 2020
ARforms <= 3.7.1 - Unauthenticated Arbitrary File Deletion	CVE-2019-16902	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	October 11, 2019

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation