💥 Time to wrap up this year and kick-off the new year with a bang! We’re wrapping up the year with our End of Year Holiday Extravaganza, High-Risk Bonus Blitz Challenge, and Superhero Challenge for the Wordfence Bug Bounty Program.

Through January 6th, 2025, our program has an expanded scope for all researchers with a new lower active install count threshold, automatic bonuses for in-scope submissions, an extra bonus for those focusing on high-risk vulnerabilities, a minimum bounty for all submissions, increased pending report limits, and our rewards remain as high as $31,200.

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our LFI: Local File Inclusion firewall rule

566,387

Attacks Blocked in Past 24 Hours

Showing 161-180 of 254 Vulnerabilities

Sina Extension for Elementor <= 3.5.1 - Authenticated (Contributor+) Local File Inclusion

8.8

CVE-2024-34384

May 3, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Better Elementor Addons <= 1.4.1 - Authenticated(Contributor+) Local File Inclusion

8.8

CVE-2024-33541

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

XforWooCommerce <= 2.0.2 - Authenticated (Subscriber+) Local File Inclusion

8.8

CVE-2024-33628

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets

8.8

CVE-2024-3500

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ElementsKit Elementor addons <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Onepage Scroll Module

8.8

CVE-2024-3499

Apr 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Elementor <= 3.19.0 - Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization

8.8

CVE-2024-24934

Feb 7, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Qi Addons For Elementor <= 1.6.3 - Authenticated (Contributor+) Local File Inclusion

8.8

CVE-2023-47679

Nov 9, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

HTML filter and csv-file search <= 2.7 - Authenticated (Contributor+) Local File Inclusion via Shortcode

8.8

CVE-2023-5099

Oct 30, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Grid Plus <= 1.3.3 - Authenticated (Subscriber+) Local File Inclusion via Shortcode

8.8

CVE-2023-5250

Oct 29, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WooCommerce One Page Checkout <= 2.3.0 - Authenticated (Contributor+) Local File Inclusion via `woocommerce_one_page_checkout`

8.8

CVE-2023-35881

Aug 10, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

wpForo Forum <= 2.1.7 - Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents

8.8

CVE-2023-2249

Jun 1, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

YARPP <= 5.30.4 - Authenticated (Subscriber+) Local File Inclusion

8.8

CVE-2022-45374

Apr 18, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WP Dark Mode <= 4.0.7 - Authenticated (Subscriber+) Local File Inclusion via 'style'

8.8

CVE-2023-0467

Mar 6, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

OceanWP <= 3.4.1 - Authenticated (Subscriber+) Local File Inclusion

8.8

CVE-2023-23700

Feb 27, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Custom Content Shortcode <= 4.0.2 - Authenticated (Contributor+) Local File Inclusion via Shortcode

8.8

CVE-2023-0340

Feb 22, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Popup Builder <= 4.0.6 - Local File Inclusion and PHAR Deserialization

8.8

CVE-2021-25082

Jan 24, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WP-Appbox <= 4.3.17 - Local File Inclusion

8.8

CVE ID Unknown

Jan 17, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Include Me <= 1.2.1 - Local File Inclusion leading to Authenticated Remote Code Execution

8.8

CVE-2021-24453

Jan 2, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WOOCS – Currency Switcher for WooCommerce Professional Free <= 1.3.7 - Authenticated Local File Inclusion

8.8

CVE-2021-24566

Jul 22, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SAM Pro (Free Edition) < 1.9.7.69 & Simple Ads Manager <= 2.10.0.130 & SAM Pro Lite < 1.9.0.53 - Local/Remote File Inclusion

8.8

CVE ID Unknown

Oct 10, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Sina Extension for Elementor <= 3.5.1 - Authenticated (Contributor+) Local File Inclusion	CVE-2024-34384	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	May 3, 2024
Better Elementor Addons <= 1.4.1 - Authenticated(Contributor+) Local File Inclusion	CVE-2024-33541	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 25, 2024
XforWooCommerce <= 2.0.2 - Authenticated (Subscriber+) Local File Inclusion	CVE-2024-33628	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 25, 2024
ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets	CVE-2024-3500	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 25, 2024
ElementsKit Elementor addons <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Onepage Scroll Module	CVE-2024-3499	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 22, 2024
Elementor <= 3.19.0 - Authenticated(Contributor+) Arbitrary File Deletion and PHAR Deserialization	CVE-2024-24934	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 7, 2024
Qi Addons For Elementor <= 1.6.3 - Authenticated (Contributor+) Local File Inclusion	CVE-2023-47679	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 9, 2023
HTML filter and csv-file search <= 2.7 - Authenticated (Contributor+) Local File Inclusion via Shortcode	CVE-2023-5099	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 30, 2023
Grid Plus <= 1.3.3 - Authenticated (Subscriber+) Local File Inclusion via Shortcode	CVE-2023-5250	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 29, 2023
WooCommerce One Page Checkout <= 2.3.0 - Authenticated (Contributor+) Local File Inclusion via `woocommerce_one_page_checkout`	CVE-2023-35881	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	August 10, 2023
wpForo Forum <= 2.1.7 - Authenticated (Subscriber+) Local File Include, Server-Side Request Forgery, and PHAR Deserialization via file_get_contents	CVE-2023-2249	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	June 1, 2023
YARPP <= 5.30.4 - Authenticated (Subscriber+) Local File Inclusion	CVE-2022-45374	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 18, 2023
WP Dark Mode <= 4.0.7 - Authenticated (Subscriber+) Local File Inclusion via 'style'	CVE-2023-0467	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 6, 2023
OceanWP <= 3.4.1 - Authenticated (Subscriber+) Local File Inclusion	CVE-2023-23700	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 27, 2023
Custom Content Shortcode <= 4.0.2 - Authenticated (Contributor+) Local File Inclusion via Shortcode	CVE-2023-0340	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 22, 2023
Popup Builder <= 4.0.6 - Local File Inclusion and PHAR Deserialization	CVE-2021-25082	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	January 24, 2022
WP-Appbox <= 4.3.17 - Local File Inclusion		8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	January 17, 2022
Include Me <= 1.2.1 - Local File Inclusion leading to Authenticated Remote Code Execution	CVE-2021-24453	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	January 2, 2022
WOOCS – Currency Switcher for WooCommerce Professional Free <= 1.3.7 - Authenticated Local File Inclusion	CVE-2021-24566	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	July 22, 2021
SAM Pro (Free Edition) < 1.9.7.69 & Simple Ads Manager <= 2.10.0.130 & SAM Pro Lite < 1.9.0.53 - Local/Remote File Inclusion		8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 10, 2016

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation