🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Custom Field For WP Job Manager <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode

4.3

CVE-2023-7049

Aug 15, 2024

Researcher: Francesco Carlucci

JetBlocks <= 1.3.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-7147

Aug 15, 2024

Researcher: stealthcopter

KBucket: Your Curated Content in WordPress <= 4.1.5 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-6665

Aug 15, 2024

Researcher: Vuln Seeker Cybersecurity Team

NinjaTeam Header Footer Custom Code < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-6493

Aug 15, 2024

Researcher: Takshal Patel

Newsletters <= 4.9.9 - Unauthenticated Full Path Disclosure

5.3

CVE-2024-7411

Aug 14, 2024

Researcher: stealthcopter

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.2 - Authentication Bypass to Account Takeover

8.1

CVE-2024-7628

Aug 14, 2024

Researcher: Truoc Phan

Insert PHP Code Snippet <= 1.3.6 - Cross-Site Request Forgery to Code Snippet Activate/Deactivate/Deletion

5.8

CVE-2024-7420

Aug 14, 2024

Researcher: vgo0

Sensei LMS – Online Courses, Quizzes, & Learning <= 4.24.1 - Unauthenticated Email Template Disclosure

5.3

CVE-2024-7786

Aug 14, 2024

Researcher: Sushmita Poudel

Zephyr Project Manager <= 3.3.101 - Authenticated (Subscriber+) Limited Privilege Escalation

8.1

CVE-2024-7624

Aug 14, 2024

Researcher: wesley (wcraft)

ElementsKit Pro <= 3.6.6 - Authenticated (Contributor+) Sensitive Information Exposure

4.3

CVE-2024-7063

Aug 14, 2024

Researcher: Webbernaut

Chatbot with ChatGPT <= 2.4.4 - Missing Authorization

5.3

CVE-2024-6846

Aug 14, 2024

Researcher: Bob Matyas

ElementsKit Pro <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-7064

Aug 14, 2024

Researcher: Webbernaut

Sheet to Table Live Sync for Google Sheet <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via STWT_Sheet_Table Shortcode

6.4

CVE-2024-6532

Aug 13, 2024

Researcher: Artem Polynko (Artem Polynko)

Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel <= 3.1.1 - Authenticated (Contributor+) Arbitrary File Upload

8.8

CVE-2024-4389

Aug 13, 2024

Researcher: Arkadiusz Hydzik

Gutenberg Blocks, Page Builder – ComboBlocks <= 2.2.87 - Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Block

6.4

CVE-2024-7588

Aug 13, 2024

Researcher: lowol

Secure Copy Content Protection and Content Locking <= 4.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-6889

Aug 13, 2024

Researcher: Dmitrii Ignatyev

Secure Copy Content Protection and Content Locking <= 4.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-6888

Aug 13, 2024

Researcher: Bob Matyas

Sign-up Sheets <= 2.2.12 - Reflected Cross-Site Scripting

6.1

CVE-2024-6020

Aug 13, 2024

Researcher: Bob Matyas

Event Tickets with Ticket Scanner <= 2.3.7 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-6711

Aug 13, 2024

Researchers: Satyam Singh, Anas Jamal

Media Library Assistant <= 3.18 - Authenticated (Author+) Arbitrary File Upload via mla-inline-edit-upload-scripts AJAX Action

8.8

CVE-2024-6823

Aug 12, 2024

Researcher: wesley (wcraft)

Title	CVE ID	CVSS	Researchers	Date
Custom Field For WP Job Manager <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode	CVE-2023-7049	4.3	Francesco Carlucci	August 15, 2024
JetBlocks <= 1.3.12 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-7147	6.4	stealthcopter	August 15, 2024
KBucket: Your Curated Content in WordPress <= 4.1.5 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-6665	4.4	Vuln Seeker Cybersecurity Team	August 15, 2024
NinjaTeam Header Footer Custom Code < 1.2 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-6493	4.4	Takshal Patel	August 15, 2024
Newsletters <= 4.9.9 - Unauthenticated Full Path Disclosure	CVE-2024-7411	5.3	stealthcopter	August 14, 2024
MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.2 - Authentication Bypass to Account Takeover	CVE-2024-7628	8.1	Truoc Phan	August 14, 2024
Insert PHP Code Snippet <= 1.3.6 - Cross-Site Request Forgery to Code Snippet Activate/Deactivate/Deletion	CVE-2024-7420	5.8	vgo0	August 14, 2024
Sensei LMS – Online Courses, Quizzes, & Learning <= 4.24.1 - Unauthenticated Email Template Disclosure	CVE-2024-7786	5.3	Sushmita Poudel	August 14, 2024
Zephyr Project Manager <= 3.3.101 - Authenticated (Subscriber+) Limited Privilege Escalation	CVE-2024-7624	8.1	wesley (wcraft)	August 14, 2024
ElementsKit Pro <= 3.6.6 - Authenticated (Contributor+) Sensitive Information Exposure	CVE-2024-7063	4.3	Webbernaut	August 14, 2024
Chatbot with ChatGPT <= 2.4.4 - Missing Authorization	CVE-2024-6846	5.3	Bob Matyas	August 14, 2024
ElementsKit Pro <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-7064	6.4	Webbernaut	August 14, 2024
Sheet to Table Live Sync for Google Sheet <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via STWT_Sheet_Table Shortcode	CVE-2024-6532	6.4	Artem Polynko (Artem Polynko)	August 13, 2024
Slider & Popup Builder by Depicter – Add Image Slider, Carousel Slider, Exit Intent Popup, Popup Modal, Coupon Popup, Post Slider Carousel <= 3.1.1 - Authenticated (Contributor+) Arbitrary File Upload	CVE-2024-4389	8.8	Arkadiusz Hydzik	August 13, 2024
Gutenberg Blocks, Page Builder – ComboBlocks <= 2.2.87 - Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Block	CVE-2024-7588	6.4	lowol	August 13, 2024
Secure Copy Content Protection and Content Locking <= 4.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-6889	4.4	Dmitrii Ignatyev	August 13, 2024
Secure Copy Content Protection and Content Locking <= 4.1.6 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-6888	4.4	Bob Matyas	August 13, 2024
Sign-up Sheets <= 2.2.12 - Reflected Cross-Site Scripting	CVE-2024-6020	6.1	Bob Matyas	August 13, 2024
Event Tickets with Ticket Scanner <= 2.3.7 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-6711	4.4	Satyam Singh, Anas Jamal	August 13, 2024
Media Library Assistant <= 3.18 - Authenticated (Author+) Arbitrary File Upload via mla-inline-edit-upload-scripts AJAX Action	CVE-2024-6823	8.8	wesley (wcraft)	August 12, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 22, 2024 Vulns
1	stealthcopter	24
2	Francesco Carlucci	20
3	wesley (wcraft)	19
4	Lucio Sá	17
5	vgo0	15
6	Rafie Muhammad	11
7	Dave Jong	10
8	Ananda Dhakal	9
9	Marco Wotschka	8
10	Daniel Ruf	7
11	Muhammad Daffa	6
12	Krzysztof Zając	6
13	João Pedro Soares de Alcântara	5
14	Fariq Fadillah Gusti Insani (fariqfgi)	5
15	Le Ngoc Anh	5
16	Peter Thaleikis	4
17	LVT-tholv2k	4
18	Webbernaut	4
19	István Márton	4
20	rezaduty	4

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation