🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our SQL Injection firewall rule

1,953,767

Attacks Blocked in Past 24 Hours

Showing 601-620 of 1,445 Vulnerabilities

AWP Classifieds <= 4.2.1 - Unauthenticated SQL Injection

9.8

CVE-2022-3254

Oct 10, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WooCommerce Products Vendor <= 2.1.65 - Unauthenticated SQL Injection

9.8

CVE ID Unknown

Oct 4, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WP ALL Export Pro <= 1.7.8 - Authenticated SQL Injection

8.8

CVE-2022-3395

Oct 3, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AntiSpam by CleanTalk <= 5.185 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-3302

Oct 3, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Blog2Social <= 6.9.9 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2022-3246

Oct 3, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Form Maker <= 1.15.5 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-3300

Sep 29, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

WP Custom Cursors <= 3.0.1 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-3150

Sep 21, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

WP Ultimate CSV Importer <= 6.5.7 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-3243

Sep 20, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Search Logger <= 0.9 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-3131

Sep 20, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

WP Statistics <= 13.2.5 - Authenticated (Subscriber+) SQL Injection

8.8

CVE ID Unknown

Sep 8, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated SQL Injection

9.8

CVE-2022-2754

Sep 6, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WordPress Core < 6.0.2 - Authenticated SQL Injection

8.0

CVE ID Unknown

Aug 30, 2022

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Zephyr Project Manager <= 3.2.42 - Unauthenticated SQL Injection

9.8

CVE-2022-2840

Aug 29, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

BadgeOS <= 3.7.1.2 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2022-2958

Aug 23, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) <= 3.12.4 - Authenticated (Admin+) SQL Injection

7.2

CVE-2022-1123

Aug 8, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

JoomSport – for Sports: Team & League, Football, Hockey & more <= 5.2.5 - Authentciated (Admin+) SQL Injection via orderby

7.2

CVE-2022-2717

Aug 8, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

JoomSport – for Sports: Team & League, Football, Hockey & more <= 5.2.5 - Authenticated (Admin+) SQL Injection via orderby

7.2

CVE-2022-2718

Aug 8, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Mobile Assistant Connector <= 2.2.2 - SQL Injection

9.8

CVE ID Unknown

Aug 7, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Fluent Support <= 1.5.7 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-2559

Aug 2, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Better Search Replace <= 1.4 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-2593

Aug 1, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
AWP Classifieds <= 4.2.1 - Unauthenticated SQL Injection	CVE-2022-3254	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 10, 2022
WooCommerce Products Vendor <= 2.1.65 - Unauthenticated SQL Injection		9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 4, 2022
WP ALL Export Pro <= 1.7.8 - Authenticated SQL Injection	CVE-2022-3395	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 3, 2022
AntiSpam by CleanTalk <= 5.185 - Authenticated (Administrator+) SQL Injection	CVE-2022-3302	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	October 3, 2022
Blog2Social <= 6.9.9 - Authenticated (Subscriber+) SQL Injection	CVE-2022-3246	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 3, 2022
Form Maker <= 1.15.5 - Authenticated (Administrator+) SQL Injection	CVE-2022-3300	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	September 29, 2022
WP Custom Cursors <= 3.0.1 - Authenticated (Administrator+) SQL Injection	CVE-2022-3150	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	September 21, 2022
WP Ultimate CSV Importer <= 6.5.7 - Authenticated (Administrator+) SQL Injection	CVE-2022-3243	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	September 20, 2022
Search Logger <= 0.9 - Authenticated (Administrator+) SQL Injection	CVE-2022-3131	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	September 20, 2022
WP Statistics <= 13.2.5 - Authenticated (Subscriber+) SQL Injection		8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	September 8, 2022
Ketchup Restaurant Reservations <= 1.0.0 - Unauthenticated SQL Injection	CVE-2022-2754	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	September 6, 2022
WordPress Core < 6.0.2 - Authenticated SQL Injection		8.0	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H	August 30, 2022
Zephyr Project Manager <= 3.2.42 - Unauthenticated SQL Injection	CVE-2022-2840	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	August 29, 2022
BadgeOS <= 3.7.1.2 - Authenticated (Subscriber+) SQL Injection	CVE-2022-2958	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	August 23, 2022
Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) <= 3.12.4 - Authenticated (Admin+) SQL Injection	CVE-2022-1123	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	August 8, 2022
JoomSport – for Sports: Team & League, Football, Hockey & more <= 5.2.5 - Authentciated (Admin+) SQL Injection via orderby	CVE-2022-2717	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	August 8, 2022
JoomSport – for Sports: Team & League, Football, Hockey & more <= 5.2.5 - Authenticated (Admin+) SQL Injection via orderby	CVE-2022-2718	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	August 8, 2022
Mobile Assistant Connector <= 2.2.2 - SQL Injection		9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	August 7, 2022
Fluent Support <= 1.5.7 - Authenticated (Administrator+) SQL Injection	CVE-2022-2559	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	August 2, 2022
Better Search Replace <= 1.4 - Authenticated (Administrator+) SQL Injection	CVE-2022-2593	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	August 1, 2022

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation