🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

LWS Affiliation <= 2.3.3 - Missing Authorization

4.3

CVE-2024-43962

Sep 26, 2024

Researcher: Fariq Fadillah Gusti Insani (fariqfgi)

Droip <= 1.1.1 - Unauthenticated Arbitrary File Deletion

9.1

CVE-2024-43955

Sep 26, 2024

Researcher: Dave Jong

Responsive Lightbox <= 2.4.7 - Missing Authorization

5.3

CVE-2024-43924

Sep 26, 2024

Researcher: Rafie Muhammad

Cost Calculator Builder PRO <= 3.1.96 - Unauthenticated Price Manipulation

5.3

CVE-2024-6010

Sep 6, 2024

Researcher: andrea bocchetti

Pinpoint Booking System <= 2.9.9.5.0- Authenticated (Subscriber+) SQL Injection

8.8

CVE-2024-7112

Sep 6, 2024

Researcher: Piotr Kuśpit

Preloader Plus – WordPress Loading Screen Plugin <= 2.2.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVE-2024-6849

Sep 6, 2024

Researcher: wesley (wcraft)

Revision Manager TMC <= 2.8.19 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending

4.3

CVE-2024-7622

Sep 6, 2024

Researcher: Lucio Sá

ForumWP – Forum & Discussion Board Plugin <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover

8.8

CVE-2024-8428

Sep 6, 2024

Researcher: wesley (wcraft)

Enter Addons – Ultimate Template Builder for Elementor <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Events Card Widget

6.4

CVE-2024-7611

Sep 6, 2024

Researcher: lowol

WPCOM Member <= 1.5.2.1 - Unauthenticated Privilege Escalation via User Meta

9.8

CVE-2024-7493

Sep 6, 2024

Researcher: wesley (wcraft)

Customizer Export/Import <= 0.9.7 - Authenticated (Admin+) Arbitrary File Upload via Customization Settings Import

6.6

CVE-2024-7620

Sep 6, 2024

Researcher: Luk6785

Big File Uploads <= 2.1.2 - Authenticated (Author+) Full Path Disclosure

4.3

CVE-2024-8538

Sep 6, 2024

Researcher: netc4t

Ninja Forms File Uploads <= 3.3.16 - Unauthenticated Stored Cross-Site Scripting via File Upload

7.2

CVE-2024-1596

Sep 6, 2024

Researcher: wesley (wcraft)

Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVE-2024-8427

Sep 5, 2024

Researcher: Lucio Sá

WP AdCenter – Ad Manager & Adsense Ads <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via ad_alignment Attribute

6.4

CVE-2024-8317

Sep 5, 2024

Researcher: Francesco Carlucci

LifterLMS <= 7.7.5 - Authenticated (Admin+) SQL Injection

7.2

CVE-2024-7349

Sep 5, 2024

Researcher: FKSEC

Advanced Sermons <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-7599

Sep 5, 2024

Researcher: vgo0

Remember Me Controls <= 2.0.1 - Unauthenticated Full Path Disclosure

5.3

CVE-2024-7415

Sep 5, 2024

Researcher: stealthcopter

WP-Recall – Registration, Profile, Commerce & More <= 16.26.8 - Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update

9.8

CVE-2024-8292

Sep 5, 2024

Researcher: wesley (wcraft)

Newsletters <= 4.9.9.2 - Authenticated Privilege Escalation

8.8

CVE-2024-8247

Sep 5, 2024

Researcher: rajesh patil

Title	CVE ID	CVSS	Researchers	Date
LWS Affiliation <= 2.3.3 - Missing Authorization	CVE-2024-43962	4.3	Fariq Fadillah Gusti Insani (fariqfgi)	September 26, 2024
Droip <= 1.1.1 - Unauthenticated Arbitrary File Deletion	CVE-2024-43955	9.1	Dave Jong	September 26, 2024
Responsive Lightbox <= 2.4.7 - Missing Authorization	CVE-2024-43924	5.3	Rafie Muhammad	September 26, 2024
Cost Calculator Builder PRO <= 3.1.96 - Unauthenticated Price Manipulation	CVE-2024-6010	5.3	andrea bocchetti	September 6, 2024
Pinpoint Booking System <= 2.9.9.5.0- Authenticated (Subscriber+) SQL Injection	CVE-2024-7112	8.8	Piotr Kuśpit	September 6, 2024
Preloader Plus – WordPress Loading Screen Plugin <= 2.2.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload	CVE-2024-6849	6.4	wesley (wcraft)	September 6, 2024
Revision Manager TMC <= 2.8.19 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending	CVE-2024-7622	4.3	Lucio Sá	September 6, 2024
ForumWP – Forum & Discussion Board Plugin <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover	CVE-2024-8428	8.8	wesley (wcraft)	September 6, 2024
Enter Addons – Ultimate Template Builder for Elementor <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Events Card Widget	CVE-2024-7611	6.4	lowol	September 6, 2024
WPCOM Member <= 1.5.2.1 - Unauthenticated Privilege Escalation via User Meta	CVE-2024-7493	9.8	wesley (wcraft)	September 6, 2024
Customizer Export/Import <= 0.9.7 - Authenticated (Admin+) Arbitrary File Upload via Customization Settings Import	CVE-2024-7620	6.6	Luk6785	September 6, 2024
Big File Uploads <= 2.1.2 - Authenticated (Author+) Full Path Disclosure	CVE-2024-8538	4.3	netc4t	September 6, 2024
Ninja Forms File Uploads <= 3.3.16 - Unauthenticated Stored Cross-Site Scripting via File Upload	CVE-2024-1596	7.2	wesley (wcraft)	September 6, 2024
Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update	CVE-2024-8427	4.3	Lucio Sá	September 5, 2024
WP AdCenter – Ad Manager & Adsense Ads <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via ad_alignment Attribute	CVE-2024-8317	6.4	Francesco Carlucci	September 5, 2024
LifterLMS <= 7.7.5 - Authenticated (Admin+) SQL Injection	CVE-2024-7349	7.2	FKSEC	September 5, 2024
Advanced Sermons <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-7599	6.4	vgo0	September 5, 2024
Remember Me Controls <= 2.0.1 - Unauthenticated Full Path Disclosure	CVE-2024-7415	5.3	stealthcopter	September 5, 2024
WP-Recall – Registration, Profile, Commerce & More <= 16.26.8 - Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update	CVE-2024-8292	9.8	wesley (wcraft)	September 5, 2024
Newsletters <= 4.9.9.2 - Authenticated Privilege Escalation	CVE-2024-8247	8.8	rajesh patil	September 5, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 9, 2024 Vulns
1	stealthcopter	38
2	Ananda Dhakal	25
3	Rafie Muhammad	24
4	Dave Jong	20
5	wesley (wcraft)	19
6	Lucio Sá	19
7	Bob Matyas	19
8	Daniel Ruf	16
9	Francesco Carlucci	14
10	LVT-tholv2k	13
11	João Pedro Soares de Alcântara	11
12	Trương Hữu Phúc (truonghuuphuc)	11
13	Marco Wotschka	9
14	Webbernaut	8
15	Muhammad Daffa	8
16	TANG Cheuk Hei (siunam)	7
17	Peter Thaleikis	7
18	Le Ngoc Anh	7
19	Ngô Thiên An (ancorn_)	7
20	vgo0	6

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation