🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Ultimate Member <= 2.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-8519

Oct 3, 2024

Researcher: Jack Taylor

Logo Slider <= 3.7.0 - Cross-Site Request Forgery

4.3

CVE-2024-9233

Oct 3, 2024

Researcher: Dmitrii Ignatyev

Photo Gallery by 10Web <= 1.8.28 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE-2024-8670

Oct 3, 2024

Researcher: Dmitrii Ignatyev

Code Embed <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-8804

Oct 3, 2024

Researcher: Leo

Memberful – Membership Plugin <= 1.73.7 - Authenticated (contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-9242

Oct 3, 2024

Researcher: vgo0

ShiftController Employee Shift Scheduling <= 4.9.66 - Reflected Cross-Site Scripting

6.1

CVE-2024-9435

Oct 3, 2024

Researcher: vgo0

6.1

CVE-2024-9353

Oct 3, 2024

Researcher: vgo0

Social Web Suite – Social Media Auto Post, Social Media Auto Publish <= 4.1.11 - Directory Traversal to Arbitrary File Download

7.5

CVE-2024-8352

Oct 2, 2024

Researcher: Thanh Nam Tran

Ibtana – WordPress Website Builder <= 1.2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute

6.4

CVE-2024-8282

Oct 1, 2024

Researcher: Francesco Carlucci

WordPress Infinite Scroll - Ajax Load More <= 7.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via button_label Parameter

6.4

CVE-2024-8505

Oct 1, 2024

Researcher: Robert DeVore

Demo Importer Plus <= 2.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVE-2024-9172

Oct 1, 2024

Researcher: Francesco Carlucci

PWA — easy way to Progressive Web App <= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVE-2024-8967

Oct 1, 2024

Researcher: Francesco Carlucci

BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript <= 2.1.1 - Reflected Cross-Site Scripting

6.1

CVE-2024-9344

Oct 1, 2024

Researcher: vgo0

SEOPress – On-site SEO <= 8.1.1 - Reflected Cross-Site Scripting

6.1

CVE-2024-9225

Oct 1, 2024

Researcher: vgo0

YML for Yandex Market <= 4.7.2 - Reflected Cross-Site Scripting

6.1

CVE-2024-9378

Oct 1, 2024

Researcher: Colin Xu

WP Hotel Booking <= 2.1.2 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVE-2024-7855

Oct 1, 2024

Researcher: Truoc Phan

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

5.4

CVE-2024-8254

Oct 1, 2024

Researcher: Arkadiusz Hydzik

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.12.8 - Reflected Cross-Site Scripting

6.1

CVE-2024-9222

Oct 1, 2024

Researcher: Colin Xu

Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid <= 1.3.14 - Reflected Cross-Site Scripting

6.1

CVE-2024-9218

Oct 1, 2024

Researcher: Colin Xu

RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Optimization, and more <= 2.21.0 - Reflected Cross-Site Scripting

6.1

CVE-2024-8800

Oct 1, 2024

Researcher: vgo0

Title	CVE ID	CVSS	Researchers	Date
Ultimate Member <= 2.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-8519	6.4	Jack Taylor	October 3, 2024
Logo Slider <= 3.7.0 - Cross-Site Request Forgery	CVE-2024-9233	4.3	Dmitrii Ignatyev	October 3, 2024
Photo Gallery by 10Web <= 1.8.28 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2024-8670	4.4	Dmitrii Ignatyev	October 3, 2024
Code Embed <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-8804	6.4	Leo	October 3, 2024
Memberful – Membership Plugin <= 1.73.7 - Authenticated (contributor+) Stored Cross-Site Scripting	CVE-2024-9242	6.4	vgo0	October 3, 2024
ShiftController Employee Shift Scheduling <= 4.9.66 - Reflected Cross-Site Scripting	CVE-2024-9435	6.1	vgo0	October 3, 2024
Popularis Extra <= 1.2.6 - Reflected Cross-Site Scripting	CVE-2024-9353	6.1	vgo0	October 3, 2024
Social Web Suite – Social Media Auto Post, Social Media Auto Publish <= 4.1.11 - Directory Traversal to Arbitrary File Download	CVE-2024-8352	7.5	Thanh Nam Tran	October 2, 2024
Ibtana – WordPress Website Builder <= 1.2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute	CVE-2024-8282	6.4	Francesco Carlucci	October 1, 2024
WordPress Infinite Scroll - Ajax Load More <= 7.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via button_label Parameter	CVE-2024-8505	6.4	Robert DeVore	October 1, 2024
Demo Importer Plus <= 2.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload	CVE-2024-9172	6.4	Francesco Carlucci	October 1, 2024
PWA — easy way to Progressive Web App <= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload	CVE-2024-8967	6.4	Francesco Carlucci	October 1, 2024
BerqWP – Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript <= 2.1.1 - Reflected Cross-Site Scripting	CVE-2024-9344	6.1	vgo0	October 1, 2024
SEOPress – On-site SEO <= 8.1.1 - Reflected Cross-Site Scripting	CVE-2024-9225	6.1	vgo0	October 1, 2024
YML for Yandex Market <= 4.7.2 - Reflected Cross-Site Scripting	CVE-2024-9378	6.1	Colin Xu	October 1, 2024
WP Hotel Booking <= 2.1.2 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2024-7855	8.8	Truoc Phan	October 1, 2024
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution	CVE-2024-8254	5.4	Arkadiusz Hydzik	October 1, 2024
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.12.8 - Reflected Cross-Site Scripting	CVE-2024-9222	6.1	Colin Xu	October 1, 2024
Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid <= 1.3.14 - Reflected Cross-Site Scripting	CVE-2024-9218	6.1	Colin Xu	October 1, 2024
RabbitLoader – Website Speed Optimization for improving Core Web Vital metrics with Cache, Image Optimization, and more <= 2.21.0 - Reflected Cross-Site Scripting	CVE-2024-8800	6.1	vgo0	October 1, 2024

Submit Vulnerability

«
‹
1
2
...
57
58
59
...
1012
1013
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 15, 2024 Vulns
1	SOPROBRO	215
2	João Pedro Soares de Alcântara	73
3	Francesco Carlucci	57
4	stealthcopter	47
5	Gab	46
6	István Márton	38
7	Peter Thaleikis	36
8	Mika	34
9	vgo0	29
10	LVT-tholv2k	25
11	wesley (wcraft)	15
12	theviper17y	15
13	zer0gh0st	13
14	Trương Hữu Phúc (truonghuuphuc)	12
15	Tonn	11
16	Ankit Patel	8
17	Webbernaut	8
18	Rafie Muhammad	8
19	Le Ngoc Anh	8
20	Tieu Pham Trong Nhan	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation