🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers, top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Nexter Extension <= 2.0.3 - Reflected Cross-Site Scripting via post and post_id

6.1

CVE-2023-45750

Oct 12, 2023

Researcher: Rafie Muhammad

Constant Contact Forms by MailMunch <= 2.0.10 - Cross-Site Request Forgery

4.3

CVE-2023-45647

Oct 12, 2023

Researcher: Rio Darmawan

WordPress Core 4.7.0 - 6.3.1 - Sensitive Information Exposure via User Search REST Endpoint

5.3

CVE-2023-5561

Oct 12, 2023

Researcher: Marc-Alexandre Montpas

PDF Block <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-45646

Oct 12, 2023

Researcher: Mika

Sort SearchResult By Title <= 10.0 - Cross-Site Request Forgery via settings_page

4.3

CVE-2023-45639

Oct 12, 2023

Researcher: Skalucy

MailChimp Forms by MailMunch <= 3.1.7 - Cross-Site Request Forgery via Multiple AJAX actions

5.4

CVE-2023-45748

Oct 12, 2023

Researcher: Abdi Pranata

Contact Form With Captcha <= 1.6.8 - Cross-Site Request Forgery

5.4

CVE-2023-45771

Oct 12, 2023

Researcher: LEE SE HYOUNG

BuddyPress Global Search <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE-2023-45755

Oct 12, 2023

Researcher: yuyudhn

WP Attachments <= 5.0.11 - Cross-Site Request Forgery

4.3

CVE-2023-45651

Oct 12, 2023

Researcher: Abdi Pranata

wpDiscuz <= 7.6.3 - Missing Authorization via AJAX actions

5.4

CVE-2023-45760

Oct 12, 2023

Researcher: RE-ALTER

WP Lightbox 2 <= 3.0.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

5.5

CVE-2023-45747

Oct 12, 2023

Researcher: Rio Darmawan

HTML5 Maps <= 1.7.1.4 - Cross-Site Request Forgery

4.3

CVE-2023-45650

Oct 12, 2023

Researcher: Mika

CPT Shortcode Generator <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

4.4

CVE-2023-45644

Oct 12, 2023

Researcher: Lokesh Dachepalli

AI ChatBot <= 4.8.9 - Unauthenticated SQL Injection via qc_wpbo_search_response

9.8

CVE-2023-5204

Oct 11, 2023

Researcher: Marco Wotschka

QR Twitter Widget <= 0.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

6.4

CVE-2023-45628

Oct 11, 2023

Researcher: Mika

AI ChatBot <= 4.8.9 and 4.9.2- Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file

9.6

CVE-2023-5212

Oct 11, 2023

Researchers: Marco Wotschka, Chloe Chamberland

Responsive Image Gallery, Gallery Album <= 2.0.3 - Missing Authorization via Multiple AJAX Actions

5.4

CVE-2023-45631

Oct 11, 2023

Researcher: thiennv

AI ChatBot <= 4.8.9 and 4.9.2 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file

9.6

CVE-2023-5241

Oct 11, 2023

Researcher: Marco Wotschka

Get Custom Field Values <= 4.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget

5.5

CVE-2023-45604

Oct 11, 2023

Researcher: Satoo Nakano

Thumbnail Slider With Lightbox <= 1.0 - Cross-Site Request Forgery

4.3

CVE-2023-5531

Oct 11, 2023

Researcher: Ala Arfaoui

Title	CVE ID	CVSS	Researchers	Date
Nexter Extension <= 2.0.3 - Reflected Cross-Site Scripting via post and post_id	CVE-2023-45750	6.1	Rafie Muhammad	October 12, 2023
Constant Contact Forms by MailMunch <= 2.0.10 - Cross-Site Request Forgery	CVE-2023-45647	4.3	Rio Darmawan	October 12, 2023
WordPress Core 4.7.0 - 6.3.1 - Sensitive Information Exposure via User Search REST Endpoint	CVE-2023-5561	5.3	Marc-Alexandre Montpas	October 12, 2023
PDF Block <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-45646	6.4	Mika	October 12, 2023
Sort SearchResult By Title <= 10.0 - Cross-Site Request Forgery via settings_page	CVE-2023-45639	4.3	Skalucy	October 12, 2023
MailChimp Forms by MailMunch <= 3.1.7 - Cross-Site Request Forgery via Multiple AJAX actions	CVE-2023-45748	5.4	Abdi Pranata	October 12, 2023
Contact Form With Captcha <= 1.6.8 - Cross-Site Request Forgery	CVE-2023-45771	5.4	LEE SE HYOUNG	October 12, 2023
BuddyPress Global Search <= 1.2.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2023-45755	4.4	yuyudhn	October 12, 2023
WP Attachments <= 5.0.11 - Cross-Site Request Forgery	CVE-2023-45651	4.3	Abdi Pranata	October 12, 2023
wpDiscuz <= 7.6.3 - Missing Authorization via AJAX actions	CVE-2023-45760	5.4	RE-ALTER	October 12, 2023
WP Lightbox 2 <= 3.0.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings	CVE-2023-45747	5.5	Rio Darmawan	October 12, 2023
HTML5 Maps <= 1.7.1.4 - Cross-Site Request Forgery	CVE-2023-45650	4.3	Mika	October 12, 2023
CPT Shortcode Generator <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings	CVE-2023-45644	4.4	Lokesh Dachepalli	October 12, 2023
AI ChatBot <= 4.8.9 - Unauthenticated SQL Injection via qc_wpbo_search_response	CVE-2023-5204	9.8	Marco Wotschka	October 11, 2023
QR Twitter Widget <= 0.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode	CVE-2023-45628	6.4	Mika	October 11, 2023
AI ChatBot <= 4.8.9 and 4.9.2- Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file	CVE-2023-5212	9.6	Marco Wotschka, Chloe Chamberland	October 11, 2023
Responsive Image Gallery, Gallery Album <= 2.0.3 - Missing Authorization via Multiple AJAX Actions	CVE-2023-45631	5.4	thiennv	October 11, 2023
AI ChatBot <= 4.8.9 and 4.9.2 - Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file	CVE-2023-5241	9.6	Marco Wotschka	October 11, 2023
Get Custom Field Values <= 4.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget	CVE-2023-45604	5.5	Satoo Nakano	October 11, 2023
Thumbnail Slider With Lightbox <= 1.0 - Cross-Site Request Forgery	CVE-2023-5531	4.3	Ala Arfaoui	October 11, 2023

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 8, 2024 Vulns
1	SOPROBRO	107
2	João Pedro Soares de Alcântara	56
3	stealthcopter	55
4	Francesco Carlucci	52
5	István Márton	49
6	vgo0	34
7	Mika	32
8	Peter Thaleikis	30
9	LVT-tholv2k	29
10	Gab	26
11	theviper17y	19
12	Trương Hữu Phúc (truonghuuphuc)	18
13	wesley (wcraft)	16
14	Rafie Muhammad	15
15	Joshua Chan	11
16	Khalid Yusuf	10
17	Ankit Patel	10
18	Colin Xu	9
19	zer0gh0st	8
20	Hakiduck	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation