Have you found a vulnerability in a WordPress plugin or theme? Report vulnerabilities in WordPress plugins and themes through our bug bounty program and earn a bounty on all in-scope submissions, while we handle the responsible disclosure process on your behalf.

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Charity Addon for Elementor <= 1.3.2 - Authenticated (Contributor+) Post Disclosure

4.3

CVE-2024-12062

Dec 2, 2024

Researcher: Francesco Carlucci

IdeaPush <= 8.71 - Missing Authorization to Board Term Deletion

4.3

CVE-2024-11844

Dec 2, 2024

Researcher: Lucio Sá

BP Profile Shortcodes Extra <= 2.6.0 - Authenticated (Contributor+) SQL Injection via tab Parameter

6.5

CVE-2024-11732

Dec 2, 2024

Researcher: Peter Thaleikis

jAlbum Bridge <= 2.0.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via ar Parameter

6.4

CVE-2024-11853

Dec 2, 2024

Researcher: Peter Thaleikis

Quick License Manager – WooCommerce Plugin <= 2.4.17 - Reflected Cross-Site Scripting

6.1

CVE-2024-11805

Dec 2, 2024

Researcher: vgo0

Spectra – WordPress Gutenberg Blocks <= 2.16.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Widget

6.4

CVE-2024-10484

Dec 2, 2024

Researcher: zer0gh0st

WP Project Manager <= 2.6.16 - Authenticated (Project Manager+) SQL Injection

6.5

CVE-2024-12015

Dec 2, 2024

Researcher: Joshua Martinelle

FAT Services Booking <= 5.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVE-2024-54220

Dec 2, 2024

Researcher: Dave Jong

FAT Services Booking <= 5.6 - Unauthenticated SQL Injection

8.6

CVE-2024-54221

Dec 2, 2024

Researcher: Dave Jong

Awesome Shortcodes <= 1.7.2 - Reflected Cross-Site Scripting

6.1

CVE-2024-54209

Dec 2, 2024

Researcher: SOPROBRO

Magical Addons For Elementor <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-54212

Dec 2, 2024

Researcher: João G. Barbosa (4rCanJ0x!)

Analytify <= 5.4.3 - Missing Authorization

4.3

CVE-2024-53814

Dec 2, 2024

Researcher: Trương Hữu Phúc (truonghuuphuc)

Client Invoicing by Sprout Invoices <= 20.8.0 - Insecure Direct Object Reference

5.3

CVE-2024-53819

Dec 2, 2024

Researcher: Manab Jyoti Dowarah

Futurio Extra <= 2.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via header_size tag

6.4

CVE-2024-53802

Dec 2, 2024

Researcher: João Pedro Soares de Alcântara

AIO Contact <= 2.8.1 - Missing Authorization

6.5

CVE-2024-54218

Dec 2, 2024

Researcher: Dave Jong

Element Pack Elementor Addons <= 5.10.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Lightbox Widget

6.4

CVE-2024-9058

Dec 2, 2024

Researcher: zer0gh0st

WP Mailster <= 1.8.16.0 - Missing Authorization

6.5

CVE-2024-53803

Dec 2, 2024

Researcher: Mika

Church Admin <= 5.0.8 - Missing Authorization

5.3

CVE-2024-53795

Dec 2, 2024

Researcher: Mika

Themesflat Addons For Elementor <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-53796

Dec 2, 2024

Researcher: João Pedro Soares de Alcântara

Borderless <= 1.5.8 - Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVE-2024-54211

Dec 2, 2024

Researcher: João G. Barbosa (4rCanJ0x!)

Title	CVE ID	CVSS	Researchers	Date
Charity Addon for Elementor <= 1.3.2 - Authenticated (Contributor+) Post Disclosure	CVE-2024-12062	4.3	Francesco Carlucci	December 2, 2024
IdeaPush <= 8.71 - Missing Authorization to Board Term Deletion	CVE-2024-11844	4.3	Lucio Sá	December 2, 2024
BP Profile Shortcodes Extra <= 2.6.0 - Authenticated (Contributor+) SQL Injection via tab Parameter	CVE-2024-11732	6.5	Peter Thaleikis	December 2, 2024
jAlbum Bridge <= 2.0.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via ar Parameter	CVE-2024-11853	6.4	Peter Thaleikis	December 2, 2024
Quick License Manager – WooCommerce Plugin <= 2.4.17 - Reflected Cross-Site Scripting	CVE-2024-11805	6.1	vgo0	December 2, 2024
Spectra – WordPress Gutenberg Blocks <= 2.16.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Widget	CVE-2024-10484	6.4	zer0gh0st	December 2, 2024
WP Project Manager <= 2.6.16 - Authenticated (Project Manager+) SQL Injection	CVE-2024-12015	6.5	Joshua Martinelle	December 2, 2024
FAT Services Booking <= 5.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting	CVE-2024-54220	6.4	Dave Jong	December 2, 2024
FAT Services Booking <= 5.6 - Unauthenticated SQL Injection	CVE-2024-54221	8.6	Dave Jong	December 2, 2024
Awesome Shortcodes <= 1.7.2 - Reflected Cross-Site Scripting	CVE-2024-54209	6.1	SOPROBRO	December 2, 2024
Magical Addons For Elementor <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-54212	6.4	João G. Barbosa (4rCanJ0x!)	December 2, 2024
Analytify <= 5.4.3 - Missing Authorization	CVE-2024-53814	4.3	Trương Hữu Phúc (truonghuuphuc)	December 2, 2024
Client Invoicing by Sprout Invoices <= 20.8.0 - Insecure Direct Object Reference	CVE-2024-53819	5.3	Manab Jyoti Dowarah	December 2, 2024
Futurio Extra <= 2.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via header_size tag	CVE-2024-53802	6.4	João Pedro Soares de Alcântara	December 2, 2024
AIO Contact <= 2.8.1 - Missing Authorization	CVE-2024-54218	6.5	Dave Jong	December 2, 2024
Element Pack Elementor Addons <= 5.10.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Lightbox Widget	CVE-2024-9058	6.4	zer0gh0st	December 2, 2024
WP Mailster <= 1.8.16.0 - Missing Authorization	CVE-2024-53803	6.5	Mika	December 2, 2024
Church Admin <= 5.0.8 - Missing Authorization	CVE-2024-53795	5.3	Mika	December 2, 2024
Themesflat Addons For Elementor <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-53796	6.4	João Pedro Soares de Alcântara	December 2, 2024
Borderless <= 1.5.8 - Authenticated (Editor+) Stored Cross-Site Scripting	CVE-2024-54211	5.5	João G. Barbosa (4rCanJ0x!)	December 2, 2024

Submit Vulnerability

«
‹
1
2
...
44
45
46
...
1086
1087
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Dec 9, 2024 Vulns
1	SOPROBRO	89
2	vgo0	62
3	Peter Thaleikis	43
4	Mika	41
5	João Pedro Soares de Alcântara	30
6	Rafie Muhammad	30
7	Francesco Carlucci	24
8	zaim	23
9	Lucio Sá	23
10	stealthcopter	18
11	theviper17y	16
12	yudha	16
13	ardias	15
14	thiennv	15
15	zakaria	13
16	Tieu Pham Trong Nhan	13
17	Colin Xu	12
18	zer0gh0st	10
19	Trương Hữu Phúc (truonghuuphuc)	9
20	Webbernaut	9

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation