🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

HT Mega – Absolute Addons For Elementor <= 2.4.6 - Sensitive Information Exposure via purchased_products

7.5

CVE-2023-6214

Apr 16, 2024

Researcher: Francesco Carlucci

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.0.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

5.3

CVE-2024-3599

Apr 16, 2024

Researcher: Krzysztof Zając

Cornerstone <= 0.8.0 - Reflected Cross-Site Scripting via PHP_SELF

6.1

CVE-2024-32570

Apr 16, 2024

Researcher: Rafie Muhammad

SP Project & Document Manager <= 4.71 - Authenticated (Author+) SQL Injeciton

9.9

CVE-2024-32551

Apr 16, 2024

Researcher: CatFather

Void Elementor WHMCS Elements For Elementor Page Builder <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-32592

Apr 16, 2024

Researcher: Khalid

RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.4.7 - Authenticated(Contributor+) Blind Server-Side Request Forgery (SSRF)

6.4

CVE-2023-6805

Apr 16, 2024

Researcher: Colin Xu

HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-32556

Apr 16, 2024

Researcher: Joshua Chan

Shortcodes and extra features for Phlox theme <= 2.15.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag'

6.4

CVE-2024-1396

Apr 15, 2024

Researchers: István Márton, Alex Thomas

WP Cost Estimation & Payment Forms Builder <= 10.1.76 - Missing Authorization

5.3

CVE-2024-32509

Apr 15, 2024

Researcher: Rafie Muhammad

Zero Spam <= 5.5.6 - Spam Protection Bypass

5.3

CVE-2024-32521

Apr 15, 2024

Researcher: Brandon James Roldan (tomorrowisnew)

DethemeKit For Elementor <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-32508

Apr 15, 2024

Researcher: Khalid

Exclusive Addons for Elementor <= 2.6.9.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Post Grid

6.4

CVE-2024-2503

Apr 15, 2024

Researcher: wesley (wcraft)

LiveJournal Shortcode <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-3773

Apr 15, 2024

Researcher: Bob Matyas

BMI Adult & Kid Calculator <= 1.2.1 - Cross-Site Request Forgery to Cross-Site Scripting

4.3

CVE-2024-32550

Apr 15, 2024

Researcher: Faizal Abroni

Fancy Product Designer < 6.1.81 - Authenticated (Admin+) Stored Cross-Site Scripting via License Field

4.4

CVE-2024-0904

Apr 15, 2024

Researcher: Bob Matyas

Shortcodes and extra features for Phlox theme <= 2.16.2 - Authenticated (Subscriber+) PHP Object Injection via auxin_template_control_importer

7.5

CVE-2023-7064

Apr 15, 2024

Researchers: Rhynorater, Michael Brackett

Shortcodes and extra features for Phlox theme <= 2.15.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aux_timeline' Shortcode

6.4

CVE-2024-1357

Apr 15, 2024

Researcher: Ngô Thiên An (ancorn_)

GuCherry Blog <= 1.1.8 - Reflected Cross-Site Scripting

6.1

CVE-2024-32531

Apr 15, 2024

Researcher: stealthcopter

Shortcodes and extra features for Phlox theme <= 2.15.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-1533

Apr 15, 2024

Researcher: Ngô Thiên An (ancorn_)

Poll Maker <= 3.4 - Authenticated (Subscriber+) Arbitrary File Upload

9.9

CVE-2024-32514

Apr 15, 2024

Researcher: beluga

Title	CVE ID	CVSS	Researchers	Date
HT Mega – Absolute Addons For Elementor <= 2.4.6 - Sensitive Information Exposure via purchased_products	CVE-2023-6214	7.5	Francesco Carlucci	April 16, 2024
WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.0.2 - Missing Authorization to Unauthenticated Arbitrary Post Deletion	CVE-2024-3599	5.3	Krzysztof Zając	April 16, 2024
Cornerstone <= 0.8.0 - Reflected Cross-Site Scripting via PHP_SELF	CVE-2024-32570	6.1	Rafie Muhammad	April 16, 2024
SP Project & Document Manager <= 4.71 - Authenticated (Author+) SQL Injeciton	CVE-2024-32551	9.9	CatFather	April 16, 2024
Void Elementor WHMCS Elements For Elementor Page Builder <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-32592	6.4	Khalid	April 16, 2024
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 4.4.7 - Authenticated(Contributor+) Blind Server-Side Request Forgery (SSRF)	CVE-2023-6805	6.4	Colin Xu	April 16, 2024
HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-32556	6.4	Joshua Chan	April 16, 2024
Shortcodes and extra features for Phlox theme <= 2.15.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag'	CVE-2024-1396	6.4	István Márton, Alex Thomas	April 15, 2024
WP Cost Estimation & Payment Forms Builder <= 10.1.76 - Missing Authorization	CVE-2024-32509	5.3	Rafie Muhammad	April 15, 2024
Zero Spam <= 5.5.6 - Spam Protection Bypass	CVE-2024-32521	5.3	Brandon James Roldan (tomorrowisnew)	April 15, 2024
DethemeKit For Elementor <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-32508	6.4	Khalid	April 15, 2024
Exclusive Addons for Elementor <= 2.6.9.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Post Grid	CVE-2024-2503	6.4	wesley (wcraft)	April 15, 2024
LiveJournal Shortcode <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-3773	6.4	Bob Matyas	April 15, 2024
BMI Adult & Kid Calculator <= 1.2.1 - Cross-Site Request Forgery to Cross-Site Scripting	CVE-2024-32550	4.3	Faizal Abroni	April 15, 2024
Fancy Product Designer < 6.1.81 - Authenticated (Admin+) Stored Cross-Site Scripting via License Field	CVE-2024-0904	4.4	Bob Matyas	April 15, 2024
Shortcodes and extra features for Phlox theme <= 2.16.2 - Authenticated (Subscriber+) PHP Object Injection via auxin_template_control_importer	CVE-2023-7064	7.5	Rhynorater, Michael Brackett	April 15, 2024
Shortcodes and extra features for Phlox theme <= 2.15.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aux_timeline' Shortcode	CVE-2024-1357	6.4	Ngô Thiên An (ancorn_)	April 15, 2024
GuCherry Blog <= 1.1.8 - Reflected Cross-Site Scripting	CVE-2024-32531	6.1	stealthcopter	April 15, 2024
Shortcodes and extra features for Phlox theme <= 2.15.7 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-1533	6.4	Ngô Thiên An (ancorn_)	April 15, 2024
Poll Maker <= 3.4 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2024-32514	9.9	beluga	April 15, 2024

Submit Vulnerability

«
‹
1
2
...
237
238
239
...
1016
1017
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 21, 2024 Vulns
1	SOPROBRO	208
2	Francesco Carlucci	55
3	João Pedro Soares de Alcântara	51
4	Gab	42
5	Peter Thaleikis	39
6	stealthcopter	33
7	István Márton	28
8	vgo0	27
9	LVT-tholv2k	23
10	wesley (wcraft)	15
11	Trương Hữu Phúc (truonghuuphuc)	13
12	zer0gh0st	13
13	theviper17y	12
14	Tonn	12
15	Arkadiusz Hydzik	12
16	Mika	11
17	Tieu Pham Trong Nhan	9
18	Webbernaut	9
19	Ankit Patel	8
20	incognito	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation