🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

Vulnerabilities protected by our SQL Injection firewall rule

1,396,790

Attacks Blocked in Past 24 Hours

Showing 1301-1320 of 1,361 Vulnerabilities

GeoDirectory <= 2.3.28 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-50845

Dec 21, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Funnel Builder for WordPress by FunnelKit <= 2.14.3 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-50856

Dec 21, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Advanced Form Integration <= 1.75.0 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-50853

Dec 21, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

BookIt <= 2.4.3 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-50852

Dec 21, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Clockwork SMS Notfications <= 3.0.4 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-50843

Dec 21, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

WordPress Brute Force Protection – Stop Brute Force Attacks <= 2.2.5 - Authenticated (Administrator+) SQL Injection via orderby

6.6

CVE-2023-48764

Nov 28, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Bravo Translate <= 1.2 - Authenticated (Administrator+) SQL Injection

6.6

CVE-2023-49161

Nov 28, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

History Log by click5 <= 1.0.12 - Authenticated(Administrator+) Time-Based Blind SQL Injection

6.6

CVE-2023-5082

Oct 15, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Bookly <= 22.3.1 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-4691

Sep 25, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

WooCommerce Payments <= 5.9.0 - Authenticated (Shop manager+) SQL Injection via currency parameters

6.6

CVE-2023-35915

Jun 20, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

WooCommerce Product Vendors <= 2.1.78 - Authenticated (Shop manager+) SQL Injection

6.6

CVE-2023-35879

Jun 19, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Contact Form Maker <= 1.13.23 - Authenticated (Administrator+) SQL Injection

6.6

CVE-2023-2655

Jun 15, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

FormCraft Premium <= 3.9.6 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-2592

Jun 5, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Responsive CSS EDITOR <= 1.0 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-2482

Jun 5, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

User Activity Log <= 1.6.2 - Authenticated(Administrator+) SQL Injection via txtsearch

6.6

CVE-2023-2761

May 25, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

HollerBox <= 2.1.3 - Authenticated (edit_popups+) SQL Injection

6.6

CVE-2023-2111

May 2, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

HTTP Headers <= 1.18.8 - Authenticated(Administrator+) SQL Injection

6.6

CVE-2023-1207

Apr 24, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Elementor <= 3.12.1 - Authenticated(Administrator+) SQL Injection via 'replace_urls'

6.6

CVE-2023-0329

Apr 24, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Intuitive Custom Post Order <= 3.1.4.1 - Authenticated (Admin+) SQL Injection

6.6

CVE-2023-1016

Jan 25, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Booking Calendar <= 9.4.2 - Authenticated (Admin+) SQL Injection

6.6

CVE-2023-23991

Jan 20, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
GeoDirectory <= 2.3.28 - Authenticated(Administrator+) SQL Injection	CVE-2023-50845	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	December 21, 2023
Funnel Builder for WordPress by FunnelKit <= 2.14.3 - Authenticated(Administrator+) SQL Injection	CVE-2023-50856	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	December 21, 2023
Advanced Form Integration <= 1.75.0 - Authenticated(Administrator+) SQL Injection	CVE-2023-50853	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	December 21, 2023
BookIt <= 2.4.3 - Authenticated(Administrator+) SQL Injection	CVE-2023-50852	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	December 21, 2023
Clockwork SMS Notfications <= 3.0.4 - Authenticated(Administrator+) SQL Injection	CVE-2023-50843	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	December 21, 2023
WordPress Brute Force Protection – Stop Brute Force Attacks <= 2.2.5 - Authenticated (Administrator+) SQL Injection via orderby	CVE-2023-48764	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	November 28, 2023
Bravo Translate <= 1.2 - Authenticated (Administrator+) SQL Injection	CVE-2023-49161	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	November 28, 2023
History Log by click5 <= 1.0.12 - Authenticated(Administrator+) Time-Based Blind SQL Injection	CVE-2023-5082	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	October 15, 2023
Bookly <= 22.3.1 - Authenticated(Administrator+) SQL Injection	CVE-2023-4691	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	September 25, 2023
WooCommerce Payments <= 5.9.0 - Authenticated (Shop manager+) SQL Injection via currency parameters	CVE-2023-35915	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	June 20, 2023
WooCommerce Product Vendors <= 2.1.78 - Authenticated (Shop manager+) SQL Injection	CVE-2023-35879	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	June 19, 2023
Contact Form Maker <= 1.13.23 - Authenticated (Administrator+) SQL Injection	CVE-2023-2655	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	June 15, 2023
FormCraft Premium <= 3.9.6 - Authenticated(Administrator+) SQL Injection	CVE-2023-2592	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	June 5, 2023
Responsive CSS EDITOR <= 1.0 - Authenticated(Administrator+) SQL Injection	CVE-2023-2482	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	June 5, 2023
User Activity Log <= 1.6.2 - Authenticated(Administrator+) SQL Injection via txtsearch	CVE-2023-2761	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	May 25, 2023
HollerBox <= 2.1.3 - Authenticated (edit_popups+) SQL Injection	CVE-2023-2111	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	May 2, 2023
HTTP Headers <= 1.18.8 - Authenticated(Administrator+) SQL Injection	CVE-2023-1207	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	April 24, 2023
Elementor <= 3.12.1 - Authenticated(Administrator+) SQL Injection via 'replace_urls'	CVE-2023-0329	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	April 24, 2023
Intuitive Custom Post Order <= 3.1.4.1 - Authenticated (Admin+) SQL Injection	CVE-2023-1016	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	January 25, 2023
Booking Calendar <= 9.4.2 - Authenticated (Admin+) SQL Injection	CVE-2023-23991	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	January 20, 2023

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation