🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our SQL Injection firewall rule

1,566,195

Attacks Blocked in Past 24 Hours

Showing 41-60 of 1,441 Vulnerabilities

SW Contact Form <= 1.0 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2024-49612

Oct 18, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Photo Gallery Slideshow & Masonry Tiled Gallery <= 1.0.3 - Authenticated (Admin+) SQL Injection

4.9

CVE-2019-25218

Oct 18, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Duplicate Title Validate <= 1.0 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2024-49623

Oct 18, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Apa Banner Slider <= 1.0.0 - Cross-Site Request Forgery to SLQ Injection

8.8

CVE-2024-49622

Oct 17, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Email Verification for WooCommerce <= 2.8.10 - Unauthenticated SQL Injection

7.5

CVE-2024-49305

Oct 15, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Surfer <= 1.5.0.502 - Authenticated (Administrator+) SQL Injection

4.9

CVE-2024-49299

Oct 15, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Zoho CRM Lead Magnet <= 1.7.9.7 - Authenticated (Contributor+) SQL Injection

6.5

CVE-2024-49297

Oct 15, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Ajax Rating with Custom Login <= 1.1 - Unauthenticated SQL Injection

7.5

CVE-2024-49246

Oct 14, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CSV Product Import Export for WooCommerce <= 1.0.0 - Authenticated (Subscriber+) SQL Injection

6.5

CVE-2024-49244

Oct 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

ShortPixel Image Optimizer <= 5.6.3 - Authenticated (Editor+) SQL Injection

4.9

CVE-2024-48043

Oct 13, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Boost Your Blog's Engagement with WP Post Author <= 3.8.1 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2024-8757

Oct 11, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SEUR Oficial <= 2.2.10.2 - Unauthenticated SQL Injection

7.5

CVE-2024-9201

Oct 10, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tainacan <= 0.21.8 - Authenticated (Subscriber+) SQL Injection

6.5

CVE-2024-48040

Oct 9, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Backup and Staging by WP Time Capsule <= 1.22.21 - Authenticated (Contributor+) SQL Injection

6.5

CVE-2024-48020

Oct 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

YITH WooCommerce Ajax Search <= 2.8.0 - Unauthenticated SQL Injection

7.5

CVE-2024-47350

Sep 30, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Zoho Flow for WordPress <= 2.8.0 - Authenticated (Administrator+) SQL Injection

4.9

CVE-2024-47334

Sep 26, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Bit Form – Contact Form Plugin <= 2.13.11 - Authenticated (Administrator+) SQL Injection

4.9

CVE-2024-47335

Sep 26, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

WPExperts Square For GiveWP <= 1.3 - Authenticated (Administrator+) SQL Injection

4.9

CVE-2024-47338

Sep 26, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Multi Step for Contact Form <= 2.7.7 - Unauthenticated SQL Injection

7.5

CVE-2024-47331

Sep 26, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Fluent Support <= 1.8.0 - Authenticated (Subscriber+) SQL Injection

6.5

CVE-2024-47304

Sep 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Title	CVE ID	CVSS	Vector	Date
SW Contact Form <= 1.0 - Authenticated (Subscriber+) SQL Injection	CVE-2024-49612	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 18, 2024
Photo Gallery Slideshow & Masonry Tiled Gallery <= 1.0.3 - Authenticated (Admin+) SQL Injection	CVE-2019-25218	4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N	October 18, 2024
Duplicate Title Validate <= 1.0 - Authenticated (Subscriber+) SQL Injection	CVE-2024-49623	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 18, 2024
Apa Banner Slider <= 1.0.0 - Cross-Site Request Forgery to SLQ Injection	CVE-2024-49622	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	October 17, 2024
Email Verification for WooCommerce <= 2.8.10 - Unauthenticated SQL Injection	CVE-2024-49305	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	October 15, 2024
Surfer <= 1.5.0.502 - Authenticated (Administrator+) SQL Injection	CVE-2024-49299	4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N	October 15, 2024
Zoho CRM Lead Magnet <= 1.7.9.7 - Authenticated (Contributor+) SQL Injection	CVE-2024-49297	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	October 15, 2024
Ajax Rating with Custom Login <= 1.1 - Unauthenticated SQL Injection	CVE-2024-49246	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	October 14, 2024
CSV Product Import Export for WooCommerce <= 1.0.0 - Authenticated (Subscriber+) SQL Injection	CVE-2024-49244	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	October 14, 2024
ShortPixel Image Optimizer <= 5.6.3 - Authenticated (Editor+) SQL Injection	CVE-2024-48043	4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N	October 13, 2024
Boost Your Blog's Engagement with WP Post Author <= 3.8.1 - Authenticated (Administrator+) SQL Injection	CVE-2024-8757	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	October 11, 2024
SEUR Oficial <= 2.2.10.2 - Unauthenticated SQL Injection	CVE-2024-9201	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	October 10, 2024
Tainacan <= 0.21.8 - Authenticated (Subscriber+) SQL Injection	CVE-2024-48040	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	October 9, 2024
Backup and Staging by WP Time Capsule <= 1.22.21 - Authenticated (Contributor+) SQL Injection	CVE-2024-48020	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	October 8, 2024
YITH WooCommerce Ajax Search <= 2.8.0 - Unauthenticated SQL Injection	CVE-2024-47350	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	September 30, 2024
Zoho Flow for WordPress <= 2.8.0 - Authenticated (Administrator+) SQL Injection	CVE-2024-47334	4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N	September 26, 2024
Bit Form – Contact Form Plugin <= 2.13.11 - Authenticated (Administrator+) SQL Injection	CVE-2024-47335	4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N	September 26, 2024
WPExperts Square For GiveWP <= 1.3 - Authenticated (Administrator+) SQL Injection	CVE-2024-47338	4.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N	September 26, 2024
Multi Step for Contact Form <= 2.7.7 - Unauthenticated SQL Injection	CVE-2024-47331	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	September 26, 2024
Fluent Support <= 1.8.0 - Authenticated (Subscriber+) SQL Injection	CVE-2024-47304	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	September 25, 2024

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation