🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Elementor Addon Elements <= 1.12.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Modal Popup effet

6.4

CVE-2024-1422

Feb 21, 2024

Researcher: Webbernaut

Elementor Addon Elements <= 1.12.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Thumbnail Slider Widget

6.4

CVE-2024-1391

Feb 21, 2024

Researcher: wesley (wcraft)

Maintenance Page <= 1.0.8 - Security Mechanism Bypass via REST API

5.3

CVE-2024-1462

Feb 21, 2024

Researcher: Francesco Carlucci

Fancy Product Designer <= 6.1.4 - Authenticated (Admin+) SQL Injection

9.1

CVE-2024-0365

Feb 20, 2024

Researcher: Ivan Spiridonov (xbz0n)

Heureka <= 1.0.8 - Cross-Site Request Forgery

4.3

CVE-2024-25931

Feb 20, 2024

Researcher: Mika

Backup Bolt <= 1.3.0 - Sensitive Information Exposure

5.3

CVE-2023-7236

Feb 20, 2024

Researcher: Dmitrii Ignatyev

Tabs Shortcode and Widget <= 1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-0719

Feb 20, 2024

Researcher: Dmitrii Ignatyev

Custom Order Statuses for WooCommerce <= 1.5.2 - Cross-Site Request Forgery

5.4

CVE-2024-25930

Feb 20, 2024

Researcher: Skalucy

Cost of Goods Sold (COGS): Cost & Profit Calculator for WooCommerce <= 3.2.8 - Reflected Cross-Site Scripting

6.1

CVE-2024-0821

Feb 20, 2024

Researcher: Krzysztof Zając

Enjoy Social Feed <= 6.2.2 - Missing Authorization

5.3

CVE-2024-0779

Feb 20, 2024

Researcher: Krzysztof Zając

Scalable Vector Graphics (SVG) <= 3.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG

6.4

CVE-2023-7085

Feb 20, 2024

Researcher: Bob Matyas

4.4

CVE-2024-0602

Feb 20, 2024

Researcher: Akbar Kustirama

Error Log Viewer <= 1.1.2 - Sensitive Information Exposure

5.3

CVE-2023-6821

Feb 20, 2024

Researcher: Dmitrii Ignatyev

Simple Job Board <= 2.10.8 - Missing Authorization to Unauthenticated Information Disclosure

5.3

CVE-2024-0593

Feb 20, 2024

Researcher: Krzysztof Zając

Beaver Builder – WordPress Page Builder <= 2.7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-0897

Feb 20, 2024

Researcher: RandomRoot

Tutor LMS <= 2.6.0 - Authenticated(Student+) HTML Injection via Q&A

5.4

CVE-2024-1128

Feb 20, 2024

Researcher: drop

Sassy Social Share <= 3.3.56 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-1448

Feb 20, 2024

Researcher: Richard Telleng (stueotue)

Beaver Builder <= 2.7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Widget

5.4

CVE-2024-0871

Feb 20, 2024

Researchers: wesley (wcraft), Nikolas Santos (Mdr01 Salokin)

RegistrationMagic <= 5.2.5.9 - Cross-Site Request Forgery

4.3

CVE-2024-25935

Feb 20, 2024

Researcher: Majed Refaea

Beaver Builder – WordPress Page Builder <= 2.7.4.2 - Reflected (DOM-Based) Cross-Site Scripting

5.4

CVE-2024-1038

Feb 20, 2024

Researcher: wesley (wcraft)

Title	CVE ID	CVSS	Researchers	Date
Elementor Addon Elements <= 1.12.12 - Authenticated(Contributor+) Stored Cross-Site Scripting via Modal Popup effet	CVE-2024-1422	6.4	Webbernaut	February 21, 2024
Elementor Addon Elements <= 1.12.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Thumbnail Slider Widget	CVE-2024-1391	6.4	wesley (wcraft)	February 21, 2024
Maintenance Page <= 1.0.8 - Security Mechanism Bypass via REST API	CVE-2024-1462	5.3	Francesco Carlucci	February 21, 2024
Fancy Product Designer <= 6.1.4 - Authenticated (Admin+) SQL Injection	CVE-2024-0365	9.1	Ivan Spiridonov (xbz0n)	February 20, 2024
Heureka <= 1.0.8 - Cross-Site Request Forgery	CVE-2024-25931	4.3	Mika	February 20, 2024
Backup Bolt <= 1.3.0 - Sensitive Information Exposure	CVE-2023-7236	5.3	Dmitrii Ignatyev	February 20, 2024
Tabs Shortcode and Widget <= 1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-0719	6.4	Dmitrii Ignatyev	February 20, 2024
Custom Order Statuses for WooCommerce <= 1.5.2 - Cross-Site Request Forgery	CVE-2024-25930	5.4	Skalucy	February 20, 2024
Cost of Goods Sold (COGS): Cost & Profit Calculator for WooCommerce <= 3.2.8 - Reflected Cross-Site Scripting	CVE-2024-0821	6.1	Krzysztof Zając	February 20, 2024
Enjoy Social Feed <= 6.2.2 - Missing Authorization	CVE-2024-0779	5.3	Krzysztof Zając	February 20, 2024
Scalable Vector Graphics (SVG) <= 3.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG	CVE-2023-7085	6.4	Bob Matyas	February 20, 2024
Yet Another Related Posts Plugin (YARPP) <= 5.30.9 - Authenticated(Administrator+) Stored Cross-Site Scripting via settings	CVE-2024-0602	4.4	Akbar Kustirama	February 20, 2024
Error Log Viewer <= 1.1.2 - Sensitive Information Exposure	CVE-2023-6821	5.3	Dmitrii Ignatyev	February 20, 2024
Simple Job Board <= 2.10.8 - Missing Authorization to Unauthenticated Information Disclosure	CVE-2024-0593	5.3	Krzysztof Zając	February 20, 2024
Beaver Builder – WordPress Page Builder <= 2.7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-0897	6.4	RandomRoot	February 20, 2024
Tutor LMS <= 2.6.0 - Authenticated(Student+) HTML Injection via Q&A	CVE-2024-1128	5.4	drop	February 20, 2024
Sassy Social Share <= 3.3.56 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-1448	6.4	Richard Telleng (stueotue)	February 20, 2024
Beaver Builder <= 2.7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Widget	CVE-2024-0871	5.4	wesley (wcraft), Nikolas Santos (Mdr01 Salokin)	February 20, 2024
RegistrationMagic <= 5.2.5.9 - Cross-Site Request Forgery	CVE-2024-25935	4.3	Majed Refaea	February 20, 2024
Beaver Builder – WordPress Page Builder <= 2.7.4.2 - Reflected (DOM-Based) Cross-Site Scripting	CVE-2024-1038	5.4	wesley (wcraft)	February 20, 2024

Submit Vulnerability

«
‹
1
2
...
309
310
311
...
1017
1018
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 21, 2024 Vulns
1	SOPROBRO	211
2	Francesco Carlucci	59
3	João Pedro Soares de Alcântara	51
4	Gab	42
5	Peter Thaleikis	40
6	stealthcopter	33
7	István Márton	28
8	vgo0	28
9	LVT-tholv2k	23
10	wesley (wcraft)	15
11	zer0gh0st	13
12	Trương Hữu Phúc (truonghuuphuc)	13
13	Arkadiusz Hydzik	12
14	theviper17y	12
15	Tonn	12
16	Mika	11
17	Tieu Pham Trong Nhan	9
18	Webbernaut	9
19	Ankit Patel	8
20	incognito	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation