🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Categorify <= 1.0.7.4 - Missing Authorization in categorifyAjaxRenameCategory

4.3

CVE-2024-1650

Feb 26, 2024

Researcher: Francesco Carlucci

Duitku Payment Gateway <= 2.11.6 - Missing Authorization via check_duitku_response

5.3

CVE-2024-0631

Feb 26, 2024

Researcher: Francesco Carlucci

SoundCloud Shortcode <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

6.4

CVE-2024-25936

Feb 26, 2024

Researcher: LVT-tholv2k

Rolo Slider <= 1.0.9 - Missing Authorization to Authenticated(Subscriber+) Settings Change

6.5

CVE-2024-1438

Feb 26, 2024

Researcher: Emili Castells

Comments Extra Fields For Post,Pages and CPT <= 5.0 - Cross-Site Request Forgery

4.3

CVE-2024-0830

Feb 26, 2024

Researcher: Francesco Carlucci

Download Media <= 1.4.2 - Missing Authorization via generate_link_for_media

4.3

CVE-2024-27190

Feb 26, 2024

Researcher: Steven Julian

Categorify <= 1.0.7.4 - Missing Authorization in categorifyAjaxUpdateFolderPosition

4.3

CVE-2024-1653

Feb 26, 2024

Researcher: Francesco Carlucci

WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit <= 1.0.9 - Unauthenticated Sensitive Information Exposure

5.3

CVE-2024-1436

Feb 26, 2024

Researcher: Emili Castells

BeePress <= 6.9.8 - Cross-Site Request Forgery via beepress-pro.php

6.5

CVE-2024-27197

Feb 26, 2024

Researcher: Majed Refaea

Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Data Export

4.3

CVE-2024-1686

Feb 26, 2024

Researcher: Lucio Sá

Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution

5.4

CVE-2024-1687

Feb 26, 2024

Researcher: Lucio Sá

Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-1499

Feb 26, 2024

Researcher: RandomRoot

NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor <= 2.8.2 - Unauthenticated SQL Injection

9.8

CVE-2024-1698

Feb 26, 2024

Researcher: Krzysztof Zając

PayU India <= 3.8.3 - Reflected Cross-Site Scripting via type

6.1

CVE-2024-27193

Feb 26, 2024

Researcher: Dimas Maulana

Tainacan <= 0.20.6 - Unauthenticated Sensitive Information Exposure

5.3

CVE-2024-1435

Feb 26, 2024

Researcher: Peng Zhou

SMS Alert Order Notifications – WooCommerce <= 3.6.9 - Cross-Site Request Forgery

4.3

CVE-2024-1489

Feb 26, 2024

Researcher: Krzysztof Zając

Responsive Pricing Table <= 5.1.10 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVE-2024-1333

Feb 26, 2024

Researcher: Dmitrii Ignatyev

User Shortcodes Plus <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode

4.3

CVE-2023-6969

Feb 26, 2024

Researcher: Francesco Carlucci

Media Alt Renamer 0.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via _wp_attachment_image_alt postmeta

6.4

CVE-2024-1434

Feb 26, 2024

Researcher: Joshua Chan

Categorify <= 1.0.7.4 - Cross-Site Request Forgery via categorifyAjaxAddCategory

4.3

CVE-2024-1906

Feb 26, 2024

Researcher: Francesco Carlucci

Title	CVE ID	CVSS	Researchers	Date
Categorify <= 1.0.7.4 - Missing Authorization in categorifyAjaxRenameCategory	CVE-2024-1650	4.3	Francesco Carlucci	February 26, 2024
Duitku Payment Gateway <= 2.11.6 - Missing Authorization via check_duitku_response	CVE-2024-0631	5.3	Francesco Carlucci	February 26, 2024
SoundCloud Shortcode <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode	CVE-2024-25936	6.4	LVT-tholv2k	February 26, 2024
Rolo Slider <= 1.0.9 - Missing Authorization to Authenticated(Subscriber+) Settings Change	CVE-2024-1438	6.5	Emili Castells	February 26, 2024
Comments Extra Fields For Post,Pages and CPT <= 5.0 - Cross-Site Request Forgery	CVE-2024-0830	4.3	Francesco Carlucci	February 26, 2024
Download Media <= 1.4.2 - Missing Authorization via generate_link_for_media	CVE-2024-27190	4.3	Steven Julian	February 26, 2024
Categorify <= 1.0.7.4 - Missing Authorization in categorifyAjaxUpdateFolderPosition	CVE-2024-1653	4.3	Francesco Carlucci	February 26, 2024
WooCommerce Coupon Popup, SmartBar, Slide In \| MyShopKit <= 1.0.9 - Unauthenticated Sensitive Information Exposure	CVE-2024-1436	5.3	Emili Castells	February 26, 2024
BeePress <= 6.9.8 - Cross-Site Request Forgery via beepress-pro.php	CVE-2024-27197	6.5	Majed Refaea	February 26, 2024
Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Data Export	CVE-2024-1686	4.3	Lucio Sá	February 26, 2024
Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution	CVE-2024-1687	5.4	Lucio Sá	February 26, 2024
Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-1499	6.4	RandomRoot	February 26, 2024
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor <= 2.8.2 - Unauthenticated SQL Injection	CVE-2024-1698	9.8	Krzysztof Zając	February 26, 2024
PayU India <= 3.8.3 - Reflected Cross-Site Scripting via type	CVE-2024-27193	6.1	Dimas Maulana	February 26, 2024
Tainacan <= 0.20.6 - Unauthenticated Sensitive Information Exposure	CVE-2024-1435	5.3	Peng Zhou	February 26, 2024
SMS Alert Order Notifications – WooCommerce <= 3.6.9 - Cross-Site Request Forgery	CVE-2024-1489	4.3	Krzysztof Zając	February 26, 2024
Responsive Pricing Table <= 5.1.10 - Authenticated (Author+) Stored Cross-Site Scripting	CVE-2024-1333	6.4	Dmitrii Ignatyev	February 26, 2024
User Shortcodes Plus <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via user_meta Shortcode	CVE-2023-6969	4.3	Francesco Carlucci	February 26, 2024
Media Alt Renamer 0.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via _wp_attachment_image_alt postmeta	CVE-2024-1434	6.4	Joshua Chan	February 26, 2024
Categorify <= 1.0.7.4 - Cross-Site Request Forgery via categorifyAjaxAddCategory	CVE-2024-1906	4.3	Francesco Carlucci	February 26, 2024

Submit Vulnerability

«
‹
1
2
...
307
308
309
...
1018
1019
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 21, 2024 Vulns
1	SOPROBRO	214
2	Francesco Carlucci	64
3	João Pedro Soares de Alcântara	51
4	Peter Thaleikis	45
5	Gab	42
6	stealthcopter	33
7	vgo0	33
8	István Márton	28
9	LVT-tholv2k	23
10	wesley (wcraft)	15
11	zer0gh0st	14
12	Trương Hữu Phúc (truonghuuphuc)	13
13	Arkadiusz Hydzik	12
14	theviper17y	12
15	Tonn	12
16	Mika	12
17	Tieu Pham Trong Nhan	9
18	Webbernaut	9
19	Ankit Patel	8
20	incognito	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation