🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Spam protection, AntiSpam, FireWall by CleanTalk <= 6.10 - Missing Authorization

6.3

CVE-2023-33996

Jun 22, 2023

Researcher: Rafshanzani Suhada

Gallery Metabox <= 1.5 - Missing Authorization via refresh_metabox

4.3

CVE-2023-2562

Jun 22, 2023

Researcher: Marco Wotschka

WP-Members Membership <= 3.4.7.3 - Cross-Site Request Forgery to Settings Update

4.3

CVE-2023-2869

Jun 22, 2023

Researcher: Marco Wotschka

Mail Queue <= 1.1 - Unauthenticated Stored Cross-Site Scripting via Email Subject

7.2

CVE-2023-3167

Jun 22, 2023

Researcher: Alex Thomas

ReDi Restaurant Reservation <= 23.0211 - Missing Authorization

5.3

CVE-2023-36510

Jun 22, 2023

Researcher: Abdi Pranata

Booking Calendar Contact Form <= 1.2.40 - Reflected Cross-Site Scripting

6.1

CVE-2023-36384

Jun 22, 2023

Researcher: BOT

Customer Service Software & Support Ticket System <= 5.12.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE ID Unknown

Jun 22, 2023

Researchers:

teachPress <= 9.0.2 - Reflected Cross-Site Scripting via meta_field_id and cite_id

6.1

CVE-2023-36501

Jun 22, 2023

Researcher: Le Ngoc Anh

About Me 3000 widget <= 2.2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE-2023-3369

Jun 22, 2023

Researcher: Marco Wotschka

Colibri Page Builder <= 1.0.227 - Authenticated (Administrator+) SQL Injection via post_id

7.2

CVE-2023-2188

Jun 22, 2023

Researcher: Marco Wotschka

Metform Elementor Contact Form Builder <= 3.3.2 - Cross-Site Request Forgery via permalink_setup

5.4

CVE-2023-2517

Jun 22, 2023

Researcher: Marco Wotschka

Quick Post Duplicator <= 2.0 - Authenticated (Contributor+) SQL Injection via post_id

8.8

CVE-2023-2229

Jun 22, 2023

Researcher: Marco Wotschka

Ninja Forms <= 3.6.24 - Authenticated (Admin+) Arbitrary File Deletion

6.5

CVE-2023-36505

Jun 22, 2023

Researcher: Theodoros Malachias

Gallery Metabox <= 1.5 - Missing Authorization via gallery_remove

4.3

CVE-2023-2561

Jun 22, 2023

Researcher: Marco Wotschka

Gravity Forms <= 2.7.4 - Reflected Cross-Site Scripting

6.1

CVE-2023-2701

Jun 21, 2023

Researcher: Fioravante Souza

Complianz <= 6.4.4 (Premium <= 6.4.6.1) - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVE-2023-33333

Jun 21, 2023

Researcher: Rafie Muhammad

OOPSpam Anti-Spam <= 1.1.44 - Cross-Site Request Forgery via empty_ham_entries and empty_spam_entries

5.4

CVE-2023-35913

Jun 21, 2023

Researcher: Skalucy

MonsterInsights Pro <= 8.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-32291

Jun 21, 2023

Researcher: Rafie Muhammad

WPBakery Page Builder for WordPress <= 6.12.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-31213

Jun 20, 2023

Researcher: Rafie Muhammad

Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.65 - Missing Authorization

6.3

CVE-2023-31080

Jun 20, 2023

Researcher: Rafie Muhammad

Title	CVE ID	CVSS	Researchers	Date
Spam protection, AntiSpam, FireWall by CleanTalk <= 6.10 - Missing Authorization	CVE-2023-33996	6.3	Rafshanzani Suhada	June 22, 2023
Gallery Metabox <= 1.5 - Missing Authorization via refresh_metabox	CVE-2023-2562	4.3	Marco Wotschka	June 22, 2023
WP-Members Membership <= 3.4.7.3 - Cross-Site Request Forgery to Settings Update	CVE-2023-2869	4.3	Marco Wotschka	June 22, 2023
Mail Queue <= 1.1 - Unauthenticated Stored Cross-Site Scripting via Email Subject	CVE-2023-3167	7.2	Alex Thomas	June 22, 2023
ReDi Restaurant Reservation <= 23.0211 - Missing Authorization	CVE-2023-36510	5.3	Abdi Pranata	June 22, 2023
Booking Calendar Contact Form <= 1.2.40 - Reflected Cross-Site Scripting	CVE-2023-36384	6.1	BOT	June 22, 2023
Customer Service Software & Support Ticket System <= 5.12.0 - Authenticated (Administrator+) Stored Cross-Site Scripting		4.4		June 22, 2023
teachPress <= 9.0.2 - Reflected Cross-Site Scripting via meta_field_id and cite_id	CVE-2023-36501	6.1	Le Ngoc Anh	June 22, 2023
About Me 3000 widget <= 2.2.6 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2023-3369	4.4	Marco Wotschka	June 22, 2023
Colibri Page Builder <= 1.0.227 - Authenticated (Administrator+) SQL Injection via post_id	CVE-2023-2188	7.2	Marco Wotschka	June 22, 2023
Metform Elementor Contact Form Builder <= 3.3.2 - Cross-Site Request Forgery via permalink_setup	CVE-2023-2517	5.4	Marco Wotschka	June 22, 2023
Quick Post Duplicator <= 2.0 - Authenticated (Contributor+) SQL Injection via post_id	CVE-2023-2229	8.8	Marco Wotschka	June 22, 2023
Ninja Forms <= 3.6.24 - Authenticated (Admin+) Arbitrary File Deletion	CVE-2023-36505	6.5	Theodoros Malachias	June 22, 2023
Gallery Metabox <= 1.5 - Missing Authorization via gallery_remove	CVE-2023-2561	4.3	Marco Wotschka	June 22, 2023
Gravity Forms <= 2.7.4 - Reflected Cross-Site Scripting	CVE-2023-2701	6.1	Fioravante Souza	June 21, 2023
Complianz <= 6.4.4 (Premium <= 6.4.6.1) - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2023-33333	6.1	Rafie Muhammad	June 21, 2023
OOPSpam Anti-Spam <= 1.1.44 - Cross-Site Request Forgery via empty_ham_entries and empty_spam_entries	CVE-2023-35913	5.4	Skalucy	June 21, 2023
MonsterInsights Pro <= 8.14.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-32291	6.4	Rafie Muhammad	June 21, 2023
WPBakery Page Builder for WordPress <= 6.12.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-31213	6.4	Rafie Muhammad	June 20, 2023
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.65 - Missing Authorization	CVE-2023-31080	6.3	Rafie Muhammad	June 20, 2023

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 9, 2024 Vulns
1	stealthcopter	38
2	Ananda Dhakal	25
3	Rafie Muhammad	24
4	Dave Jong	20
5	wesley (wcraft)	19
6	Lucio Sá	19
7	Bob Matyas	19
8	Daniel Ruf	16
9	Francesco Carlucci	14
10	LVT-tholv2k	13
11	João Pedro Soares de Alcântara	11
12	Trương Hữu Phúc (truonghuuphuc)	11
13	Marco Wotschka	9
14	Webbernaut	8
15	Muhammad Daffa	8
16	TANG Cheuk Hei (siunam)	7
17	Peter Thaleikis	7
18	Le Ngoc Anh	7
19	Ngô Thiên An (ancorn_)	7
20	vgo0	6

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation