🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our SQL Injection firewall rule

1,421,202

Attacks Blocked in Past 24 Hours

Showing 581-600 of 1,444 Vulnerabilities

Icegram Express <= 5.4.19 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2022-3981

Nov 21, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Jetpack CRM <= 5.4.2 - Authenticated (Administrator+) Cross-Site Scripting

5.5

CVE-2022-3919

Nov 21, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Buddybadges <= 1.0.0 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-3925

Nov 17, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Comic Book Management System < 2.2.0 - Authenticated (Administrator+) SQL Injection

9.1

CVE-2022-3856

Nov 14, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Floating Chat Widget - Chaty <= 3.0.2 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-3858

Nov 14, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

WP CSV Exporter <= 1.3.6 - Authenticated (Admin+) SQL Injection

7.2

CVE-2022-3249

Nov 9, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Form Vibes <= 1.4.5 - Authenticated (Admininstrator+) SQL Injection

7.2

CVE-2022-3764

Nov 8, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

WPSmartContracts <= 1.3.11 - Authenticated (Author+) SQL Injection

8.8

CVE-2022-3768

Nov 7, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WP User Merger <= 1.5.2 - Authenticated (Admin+) SQL Injection

7.2

CVE-2022-3848

Nov 7, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

HTML Forms <= 1.3.24 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-3689

Nov 7, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

WP User Merger <= 1.5.2 - Authenticated (Admin+) SQL Injection

7.2

CVE-2022-3849

Nov 7, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

WP User Merger <= 1.5.2 - Authenticated (Admin+) SQL Injection

7.2

CVE-2022-3865

Nov 7, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

OWM Weather <= 5.6.8 - Authenticated (Contributor+) SQL Injection

8.8

CVE-2022-3769

Nov 2, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Event Monster <= 1.2.0 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-3720

Oct 31, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

IP Blacklist Cloud <= 5.00 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-43462

Oct 24, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Quiz And Survey Master <= 7.3.4 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2021-36898

Oct 21, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 6.0.3 - SQL Injection via WP_Date_Query

9.8

CVE ID Unknown

Oct 18, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Complianz Free <= 6.3.3 & Premium <= 6.3.5 - SQL Injection via Translations

8.8

CVE-2022-3494

Oct 17, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WooCommerce Dropshipping Premium <= 4.3 - Unauthenticated SQL Injection

9.8

CVE-2022-3481

Oct 17, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AWP Classifieds <= 4.2.1 - Unauthenticated SQL Injection

9.8

CVE-2022-3254

Oct 10, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Icegram Express <= 5.4.19 - Authenticated (Subscriber+) SQL Injection	CVE-2022-3981	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 21, 2022
Jetpack CRM <= 5.4.2 - Authenticated (Administrator+) Cross-Site Scripting	CVE-2022-3919	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	November 21, 2022
Buddybadges <= 1.0.0 - Authenticated (Administrator+) SQL Injection	CVE-2022-3925	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	November 17, 2022
Comic Book Management System < 2.2.0 - Authenticated (Administrator+) SQL Injection	CVE-2022-3856	9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	November 14, 2022
Floating Chat Widget - Chaty <= 3.0.2 - Authenticated (Administrator+) SQL Injection	CVE-2022-3858	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	November 14, 2022
WP CSV Exporter <= 1.3.6 - Authenticated (Admin+) SQL Injection	CVE-2022-3249	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	November 9, 2022
Form Vibes <= 1.4.5 - Authenticated (Admininstrator+) SQL Injection	CVE-2022-3764	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	November 8, 2022
WPSmartContracts <= 1.3.11 - Authenticated (Author+) SQL Injection	CVE-2022-3768	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 7, 2022
WP User Merger <= 1.5.2 - Authenticated (Admin+) SQL Injection	CVE-2022-3848	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	November 7, 2022
HTML Forms <= 1.3.24 - Authenticated (Administrator+) SQL Injection	CVE-2022-3689	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	November 7, 2022
WP User Merger <= 1.5.2 - Authenticated (Admin+) SQL Injection	CVE-2022-3849	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	November 7, 2022
WP User Merger <= 1.5.2 - Authenticated (Admin+) SQL Injection	CVE-2022-3865	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	November 7, 2022
OWM Weather <= 5.6.8 - Authenticated (Contributor+) SQL Injection	CVE-2022-3769	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 2, 2022
Event Monster <= 1.2.0 - Authenticated (Administrator+) SQL Injection	CVE-2022-3720	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	October 31, 2022
IP Blacklist Cloud <= 5.00 - Authenticated (Administrator+) SQL Injection	CVE-2022-43462	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	October 24, 2022
Quiz And Survey Master <= 7.3.4 - Authenticated (Administrator+) SQL Injection	CVE-2021-36898	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	October 21, 2022
WordPress Core < 6.0.3 - SQL Injection via WP_Date_Query		9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 18, 2022
Complianz Free <= 6.3.3 & Premium <= 6.3.5 - SQL Injection via Translations	CVE-2022-3494	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 17, 2022
WooCommerce Dropshipping Premium <= 4.3 - Unauthenticated SQL Injection	CVE-2022-3481	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 17, 2022
AWP Classifieds <= 4.2.1 - Unauthenticated SQL Injection	CVE-2022-3254	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 10, 2022

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation