🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Schema & Structured Data for WP & AMP <= 1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-51677

Dec 27, 2023

Researcher: LVT-tholv2k

BookingPress <= 1.0.74 - Booking Price Manipulation via bookingpress_confirm_booking

7.5

CVE-2023-51405

Dec 27, 2023

Researcher: Abdi Pranata

Duplicator <= 1.5.7 - Cross-Site Request Forgery via views/tools/diagnostics/information.php

4.3

CVE-2023-51681

Dec 27, 2023

Researcher: Rafie Muhammad

Simple Staff List <= 2.2.4 - Missing Authorization via ajax_flush_rewrite_rules and staff_member_export

5.4

CVE-2023-51526

Dec 27, 2023

Researcher: Abdi Pranata

AI Power: Complete AI Pack – Powered by GPT-4 <= 1.8.1 - Missing Authorization to Sensitive Data Exposure

5.3

CVE-2023-51527

Dec 27, 2023

Researcher: Brandon James Roldan (tomorrowisnew)

Database Cleaner <= 0.9.8 - Sensitive Information Exposure via Log File

5.3

CVE-2023-51508

Dec 27, 2023

Researcher: Joshua Chan

Everest Forms <= 2.0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE-2023-51695

Dec 27, 2023

Researcher: Robert DeVore

ARI Stream Quiz <= 1.2.32 - Cross-Site Request Forgery

5.4

CVE-2023-51487

Dec 27, 2023

Researcher: Nguyen Xuan Chien

My Agile Privacy <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vis Shortcode

6.4

CVE-2023-51404

Dec 27, 2023

Researcher: resecured.io

TerraClassifieds <= 2.0.3 - Cross-Site Request Forgery

8.8

CVE-2023-51474

Dec 27, 2023

Researcher: Rafie Muhammad

RegistrationMagic <= 5.2.5.0 - IP Spoofing

5.3

CVE-2023-51543

Dec 27, 2023

Researcher: Brandon James Roldan (tomorrowisnew)

Frontend Admin by DynamiApps Plugin <= 3.18.3 - Unauthenticated Arbitrary File Upload

9.8

CVE-2023-51411

Dec 27, 2023

Researcher: Rafie Muhammad

WooCommerce PDF Invoices <= 4.2.1 - Authenticated(Shop Manager+) Arbitrary Options Update via JSON Import

7.2

CVE-2023-51546

Dec 27, 2023

Researcher: Rafie Muhammad

Checkout Mestres WP <= 7.1.9.6 - Authentication Bypass via Password Reset

9.8

CVE-2023-51472

Dec 27, 2023

Researcher: Rafie Muhammad

Export Media URLs <= 1.0 - Cross-Site Request Forgery

4.3

CVE-2023-51510

Dec 27, 2023

Researcher: Skalucy

Build App Online <= 1.0.21 - Authentication Bypass via Header

9.8

CVE-2023-51478

Dec 27, 2023

Researchers: Rafie Muhammad, István Márton

Awesome Support <= 6.1.5 - Missing Authorization via wpas_load_reply_history

5.3

CVE-2023-51537

Dec 27, 2023

Researcher: Brandon James Roldan (tomorrowisnew)

Paid Member Subscriptions <= 2.10.4 - Cross-Site Request Forgery via ajax_add_log_entry

4.3

CVE-2023-51522

Dec 27, 2023

Researcher: Brandon James Roldan (tomorrowisnew)

Verge3D <= 4.5.2 - Authenticated(Subscriber+) Arbitrary File Upload

8.8

CVE-2023-51421

Dec 27, 2023

Researcher: Rafie Muhammad

Rencontre – Dating Site <= 3.11.1 - Authenticated (Subscriber+) PHP Object Injection

8.8

CVE-2023-51470

Dec 27, 2023

Researcher: Rafie Muhammad

Title	CVE ID	CVSS	Researchers	Date
Schema & Structured Data for WP & AMP <= 1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-51677	6.4	LVT-tholv2k	December 27, 2023
BookingPress <= 1.0.74 - Booking Price Manipulation via bookingpress_confirm_booking	CVE-2023-51405	7.5	Abdi Pranata	December 27, 2023
Duplicator <= 1.5.7 - Cross-Site Request Forgery via views/tools/diagnostics/information.php	CVE-2023-51681	4.3	Rafie Muhammad	December 27, 2023
Simple Staff List <= 2.2.4 - Missing Authorization via ajax_flush_rewrite_rules and staff_member_export	CVE-2023-51526	5.4	Abdi Pranata	December 27, 2023
AI Power: Complete AI Pack – Powered by GPT-4 <= 1.8.1 - Missing Authorization to Sensitive Data Exposure	CVE-2023-51527	5.3	Brandon James Roldan (tomorrowisnew)	December 27, 2023
Database Cleaner <= 0.9.8 - Sensitive Information Exposure via Log File	CVE-2023-51508	5.3	Joshua Chan	December 27, 2023
Everest Forms <= 2.0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2023-51695	4.4	Robert DeVore	December 27, 2023
ARI Stream Quiz <= 1.2.32 - Cross-Site Request Forgery	CVE-2023-51487	5.4	Nguyen Xuan Chien	December 27, 2023
My Agile Privacy <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vis Shortcode	CVE-2023-51404	6.4	resecured.io	December 27, 2023
TerraClassifieds <= 2.0.3 - Cross-Site Request Forgery	CVE-2023-51474	8.8	Rafie Muhammad	December 27, 2023
RegistrationMagic <= 5.2.5.0 - IP Spoofing	CVE-2023-51543	5.3	Brandon James Roldan (tomorrowisnew)	December 27, 2023
Frontend Admin by DynamiApps Plugin <= 3.18.3 - Unauthenticated Arbitrary File Upload	CVE-2023-51411	9.8	Rafie Muhammad	December 27, 2023
WooCommerce PDF Invoices <= 4.2.1 - Authenticated(Shop Manager+) Arbitrary Options Update via JSON Import	CVE-2023-51546	7.2	Rafie Muhammad	December 27, 2023
Checkout Mestres WP <= 7.1.9.6 - Authentication Bypass via Password Reset	CVE-2023-51472	9.8	Rafie Muhammad	December 27, 2023
Export Media URLs <= 1.0 - Cross-Site Request Forgery	CVE-2023-51510	4.3	Skalucy	December 27, 2023
Build App Online <= 1.0.21 - Authentication Bypass via Header	CVE-2023-51478	9.8	Rafie Muhammad, István Márton	December 27, 2023
Awesome Support <= 6.1.5 - Missing Authorization via wpas_load_reply_history	CVE-2023-51537	5.3	Brandon James Roldan (tomorrowisnew)	December 27, 2023
Paid Member Subscriptions <= 2.10.4 - Cross-Site Request Forgery via ajax_add_log_entry	CVE-2023-51522	4.3	Brandon James Roldan (tomorrowisnew)	December 27, 2023
Verge3D <= 4.5.2 - Authenticated(Subscriber+) Arbitrary File Upload	CVE-2023-51421	8.8	Rafie Muhammad	December 27, 2023
Rencontre – Dating Site <= 3.11.1 - Authenticated (Subscriber+) PHP Object Injection	CVE-2023-51470	8.8	Rafie Muhammad	December 27, 2023

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 30, 2024 Vulns
1	Francesco Carlucci	30
2	vgo0	27
3	wesley (wcraft)	21
4	Lucio Sá	13
5	stealthcopter	10
6	Krzysztof Zając	10
7	Peter Thaleikis	7
8	Marco Wotschka	7
9	Webbernaut	6
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	zer0gh0st	4
13	LVT-tholv2k	3
14	Robert DeVore	3
15	Le Ngoc Anh	3
16	rezaduty	3
17	Tonn	2
18	Tieu Pham Trong Nhan	2
19	Michelle Porter	2
20	Connor Billings	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation