🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our Malicious File Upload firewall rule

465,276

Attacks Blocked in Past 24 Hours

Showing 261-280 of 568 Vulnerabilities

Workreap - Freelance Marketplace and Directory WordPress Theme < 2.2.2 - Arbitrary File Upload

9.8

CVE-2021-24499

Jul 2, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PWA for WP & AMP <= 1.7.32 - Arbitrary File Upload

8.8

CVE-2021-4354

Jul 1, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload

9.8

CVE-2021-34624

Jun 28, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) 3.0.0 - 3.1.3 - Unauthenticated Privilege Escalation

9.8

CVE-2021-34623

Jun 28, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

ZoomSounds <= 5.96 - Unauthenticated Arbitrary File Upload

9.8

CVE-2021-4449

Jun 24, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Recently <= 3.0.4 - Arbitrary File Upload to Remote Code Exectution

8.8

CVE-2021-4382

Jun 7, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Comments - wpDiscuz 7.0 - 7.0.4 - Unauthenticated Arbitrary File Upload leading to Remote Code Execution

9.8

CVE-2020-24186

Jun 6, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Fancy Product Designer <= 4.6.8 - Unauthenticated Arbitrary File Upload

9.8

CVE-2021-24370

Jun 1, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Gallery From Files <= 1.60 - Arbitrary File Upload

9.8

CVE ID Unknown

May 26, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

External Media <= 1.0.33 - Authenticated Arbitrary File Upload

8.8

CVE-2021-24311

May 13, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WordPress Download Manager < 3.1.19 - Arbitrary File Upload

8.8

CVE ID Unknown

Apr 30, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Kaswara Modern VC Addons <= 3.0.1 - Arbitrary File Upload

9.8

CVE-2021-24284

Apr 20, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

College publisher Import <= 0.1 - Arbitrary File Upload

7.2

CVE-2021-24254

Apr 11, 2021

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Business Directory Plugin <= 5.11 - Authenticated PHP4 Upload

7.2

CVE-2021-24248

Apr 11, 2021

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

classyfrieds <= 3.8 - Arbitrary File Upload

8.8

CVE-2021-24253

Apr 10, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Imagements <= 1.2.5 - Arbitrary File Upload

9.8

CVE-2021-24236

Apr 8, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Business Hours Pro <= 5.5.0 - Arbitrary File Upload

9.8

CVE-2021-24240

Apr 2, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WP-Curriculo Vitae Free <= 6.3 - Arbitrary File Upload

9.8

CVE-2021-24222

Mar 26, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

N5 Upload Form <= 1.0 - Arbitrary File Upload

9.8

CVE-2021-24223

Mar 26, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Easy Form Builder <= 1.0 - Arbitrary File Upload

8.8

CVE-2021-24224

Mar 26, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Workreap - Freelance Marketplace and Directory WordPress Theme < 2.2.2 - Arbitrary File Upload	CVE-2021-24499	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	July 2, 2021
PWA for WP & AMP <= 1.7.32 - Arbitrary File Upload	CVE-2021-4354	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	July 1, 2021
ProfilePress 3.0 - 3.1.3 - Arbitrary File Upload	CVE-2021-34624	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	June 28, 2021
User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar) 3.0.0 - 3.1.3 - Unauthenticated Privilege Escalation	CVE-2021-34623	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	June 28, 2021
ZoomSounds <= 5.96 - Unauthenticated Arbitrary File Upload	CVE-2021-4449	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	June 24, 2021
Recently <= 3.0.4 - Arbitrary File Upload to Remote Code Exectution	CVE-2021-4382	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	June 7, 2021
Comments - wpDiscuz 7.0 - 7.0.4 - Unauthenticated Arbitrary File Upload leading to Remote Code Execution	CVE-2020-24186	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	June 6, 2021
Fancy Product Designer <= 4.6.8 - Unauthenticated Arbitrary File Upload	CVE-2021-24370	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	June 1, 2021
Gallery From Files <= 1.60 - Arbitrary File Upload		9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	May 26, 2021
External Media <= 1.0.33 - Authenticated Arbitrary File Upload	CVE-2021-24311	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	May 13, 2021
WordPress Download Manager < 3.1.19 - Arbitrary File Upload		8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 30, 2021
Kaswara Modern VC Addons <= 3.0.1 - Arbitrary File Upload	CVE-2021-24284	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	April 20, 2021
College publisher Import <= 0.1 - Arbitrary File Upload	CVE-2021-24254	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	April 11, 2021
Business Directory Plugin <= 5.11 - Authenticated PHP4 Upload	CVE-2021-24248	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	April 11, 2021
classyfrieds <= 3.8 - Arbitrary File Upload	CVE-2021-24253	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 10, 2021
Imagements <= 1.2.5 - Arbitrary File Upload	CVE-2021-24236	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	April 8, 2021
Business Hours Pro <= 5.5.0 - Arbitrary File Upload	CVE-2021-24240	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	April 2, 2021
WP-Curriculo Vitae Free <= 6.3 - Arbitrary File Upload	CVE-2021-24222	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 26, 2021
N5 Upload Form <= 1.0 - Arbitrary File Upload	CVE-2021-24223	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 26, 2021
Easy Form Builder <= 1.0 - Arbitrary File Upload	CVE-2021-24224	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 26, 2021

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation