🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Vulnerabilities protected by our SQL Injection firewall rule

1,482,313

Attacks Blocked in Past 24 Hours

Showing 961-980 of 1,444 Vulnerabilities

Email Verification for WooCommerce <= 2.8.10 - Unauthenticated SQL Injection

7.5

CVE-2024-49305

Oct 15, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Ajax Rating with Custom Login <= 1.1 - Unauthenticated SQL Injection

7.5

CVE-2024-49246

Oct 14, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SEUR Oficial <= 2.2.10.2 - Unauthenticated SQL Injection

7.5

CVE-2024-9201

Oct 10, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

YITH WooCommerce Ajax Search <= 2.8.0 - Unauthenticated SQL Injection

7.5

CVE-2024-47350

Sep 30, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Multi Step for Contact Form <= 2.7.7 - Unauthenticated SQL Injection

7.5

CVE-2024-47331

Sep 26, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

TI WooCommerce Wishlist <= 2.9.0 - Unauthenticated SQL Injection via 'lang'

7.5

CVE-2024-9156

Sep 19, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection

7.5

CVE-2024-9796

Sep 17, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

WPCargo Track & Trace <= 7.0.6 - Unauthenticated SQL Injection

7.5

CVE-2024-44004

Sep 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

User Activity Log <= 1.6.4 - Unauthenticated SQL Injection

7.5

CVE-2023-3435

Jul 24, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Contest Gallery <= 19.1.5 - Authenticated (Author+) SQL Injection via cg_id

7.5

CVE-2022-4159

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_option_id

7.5

CVE-2022-4157

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via wp_user_id

7.5

CVE-2022-4155

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via addCountS

7.5

CVE-2022-4166

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via option_id GET

7.5

CVE-2022-4152

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_order

7.5

CVE-2022-4165

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_row

7.5

CVE-2022-4162

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.5 - Authenticated (Author+) SQL Injection via upload[]

7.5

CVE-2022-4153

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_multiple_files_for_post

7.5

CVE-2022-4164

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_copy_id

7.5

CVE-2022-4160

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_copy_start

7.5

CVE-2022-4161

Dec 5, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Email Verification for WooCommerce <= 2.8.10 - Unauthenticated SQL Injection	CVE-2024-49305	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	October 15, 2024
Ajax Rating with Custom Login <= 1.1 - Unauthenticated SQL Injection	CVE-2024-49246	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	October 14, 2024
SEUR Oficial <= 2.2.10.2 - Unauthenticated SQL Injection	CVE-2024-9201	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	October 10, 2024
YITH WooCommerce Ajax Search <= 2.8.0 - Unauthenticated SQL Injection	CVE-2024-47350	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	September 30, 2024
Multi Step for Contact Form <= 2.7.7 - Unauthenticated SQL Injection	CVE-2024-47331	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	September 26, 2024
TI WooCommerce Wishlist <= 2.9.0 - Unauthenticated SQL Injection via 'lang'	CVE-2024-9156	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	September 19, 2024
WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection	CVE-2024-9796	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	September 17, 2024
WPCargo Track & Trace <= 7.0.6 - Unauthenticated SQL Injection	CVE-2024-44004	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	September 16, 2024
User Activity Log <= 1.6.4 - Unauthenticated SQL Injection	CVE-2023-3435	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	July 24, 2023
Contest Gallery <= 19.1.5 - Authenticated (Author+) SQL Injection via cg_id	CVE-2022-4159	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_option_id	CVE-2022-4157	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via wp_user_id	CVE-2022-4155	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via addCountS	CVE-2022-4166	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via option_id GET	CVE-2022-4152	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_order	CVE-2022-4165	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_row	CVE-2022-4162	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.5 - Authenticated (Author+) SQL Injection via upload[]	CVE-2022-4153	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_multiple_files_for_post	CVE-2022-4164	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_copy_id	CVE-2022-4160	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022
Contest Gallery <= 19.1.4.1 - Authenticated (Author+) SQL Injection via cg_copy_start	CVE-2022-4161	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	December 5, 2022

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation