💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program.

Through January 6th, 2025, our program has an expanded scope for all researchers with a new lower active install count threshold, automatic bonuses for in-scope submissions, an extra bonus for those focusing on high-risk vulnerabilities, a minimum bounty for all submissions, increased pending report limits, and our rewards remain as high as $31,200.

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our Directory Traversal firewall rule

2,055,017

Attacks Blocked in Past 24 Hours

Showing 1-20 of 315 Vulnerabilities

BuddyPress 2.0 - 2.7.3 - Unauthenticated Arbitrary File Deletion

10.0

CVE ID Unknown

Dec 23, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H

File Manager And File Manager Pro (Multiple Versions) - Directory Traversal

9.9

CVE-2023-6825

Mar 4, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Chartify – WordPress Chart Plugin <= 2.9.5 - Unauthenticated Local File Inclusion via source

9.8

CVE-2024-10571

Nov 13, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress User Extra Fields <= 16.6 - Unauthenticated Arbitrary File Deletion

9.8

CVE-2024-11150

Nov 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WooCommerce Support Ticket System <= 17.7 - Unauthenticated Arbitrary File Deletion

9.8

CVE-2024-10625

Nov 8, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Contact Form 7 Campaign Monitor Extension <= 0.4.67 - Missing Authorization to Unauthenticated Arbitrary File Deletion

9.8

CVE-2024-44019

Sep 24, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Checkout Field Editor for WooCommerce (Pro) <= 3.6.2 - Unauthenticated Arbitrary File Deletion

9.8

CVE-2024-35658

Jun 3, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

MoveTo <= 6.2 - Unauthenticated Directory Traversal to Arbitrary File Deletion

9.8

CVE-2024-25911

Feb 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 - Unauthenticated Local File Inclusion

9.8

CVE-2023-6989

Feb 5, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Dynamic Font Replacement DFR4WP EN <= 1.3 EN - Arbitrary File Deletion

9.8

CVE ID Unknown

Jul 12, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Admin Word Count Column <= 2.2 - Arbitrary File Read

9.8

CVE ID Unknown

Mar 27, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress File Upload <= 4.12.2 - Directory Traversal to Remote Code Execution

9.8

CVE-2020-10564

Mar 13, 2020

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Advanced Access Manager <= 5.9.8.1 - Unauthenticated Arbitrary File Read

9.8

CVE-2019-25213

Sep 9, 2019

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WPS Child Theme Generator < 1.2 - Directory Traversal

9.8

CVE-2019-15822

Jul 23, 2019

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

微信群发助手-Wechat Broadcast <= 1.2.0 - Directory Traversal

9.8

CVE-2018-16283

Sep 19, 2018

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Media File Manager <= 1.4.2 - Directory Traversal to Arbitrary File Relocation

9.8

CVE-2018-19042

May 11, 2018

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Membership Simplified <= 1.58 - Arbitrary File Download

9.8

CVE-2017-1002008

Mar 13, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SE HTML5 Album Audio Player <= 1.1.0 - Directory Traversal

9.8

CVE-2015-4414

Jun 6, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

My Calendar <= 2.3.29 - Path Traversal to Remote Code Execution

9.8

CVE ID Unknown

May 15, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP < 4.29.5 - Arbitrary File Read/Deletion

9.8

CVE-2014-1907

Feb 27, 2014

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
BuddyPress 2.0 - 2.7.3 - Unauthenticated Arbitrary File Deletion		10.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H	December 23, 2016
File Manager And File Manager Pro (Multiple Versions) - Directory Traversal	CVE-2023-6825	9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	March 4, 2024
Chartify – WordPress Chart Plugin <= 2.9.5 - Unauthenticated Local File Inclusion via source	CVE-2024-10571	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	November 13, 2024
WordPress User Extra Fields <= 16.6 - Unauthenticated Arbitrary File Deletion	CVE-2024-11150	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	November 12, 2024
WooCommerce Support Ticket System <= 17.7 - Unauthenticated Arbitrary File Deletion	CVE-2024-10625	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	November 8, 2024
Contact Form 7 Campaign Monitor Extension <= 0.4.67 - Missing Authorization to Unauthenticated Arbitrary File Deletion	CVE-2024-44019	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	September 24, 2024
Checkout Field Editor for WooCommerce (Pro) <= 3.6.2 - Unauthenticated Arbitrary File Deletion	CVE-2024-35658	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	June 3, 2024
MoveTo <= 6.2 - Unauthenticated Directory Traversal to Arbitrary File Deletion	CVE-2024-25911	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 12, 2024
Shield Security – Smart Bot Blocking & Intrusion Prevention Security <= 18.5.9 - Unauthenticated Local File Inclusion	CVE-2023-6989	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 5, 2024
Dynamic Font Replacement DFR4WP EN <= 1.3 EN - Arbitrary File Deletion		9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	July 12, 2022
Admin Word Count Column <= 2.2 - Arbitrary File Read		9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 27, 2022
WordPress File Upload <= 4.12.2 - Directory Traversal to Remote Code Execution	CVE-2020-10564	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 13, 2020
Advanced Access Manager <= 5.9.8.1 - Unauthenticated Arbitrary File Read	CVE-2019-25213	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	September 9, 2019
WPS Child Theme Generator < 1.2 - Directory Traversal	CVE-2019-15822	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	July 23, 2019
微信群发助手-Wechat Broadcast <= 1.2.0 - Directory Traversal	CVE-2018-16283	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	September 19, 2018
Media File Manager <= 1.4.2 - Directory Traversal to Arbitrary File Relocation	CVE-2018-19042	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	May 11, 2018
Membership Simplified <= 1.58 - Arbitrary File Download	CVE-2017-1002008	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 13, 2017
SE HTML5 Album Audio Player <= 1.1.0 - Directory Traversal	CVE-2015-4414	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	June 6, 2015
My Calendar <= 2.3.29 - Path Traversal to Remote Code Execution		9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	May 15, 2015
Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP < 4.29.5 - Arbitrary File Read/Deletion	CVE-2014-1907	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 27, 2014

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation