🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation

4.3

CVE-2024-8437

Sep 23, 2024

Researcher: Lucio Sá

Download Manager <= 3.2.98 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-8284

Sep 23, 2024

Researcher: Dmitrii Ignatyev

WP Category Dropdown <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter

6.4

CVE-2024-8103

Sep 23, 2024

Researcher: Francesco Carlucci

MailChimp for Wordpress <= 4.9.16 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE-2024-8680

Sep 20, 2024

Researcher: Jorge Diaz (ddiax)

LatePoint <= 5.0.11 - Unauthenticated Arbitrary User Password Change via SQL Injection

9.8

CVE-2024-8911

Sep 20, 2024

Researcher: István Márton

PeoplePond <= 1.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVE-2024-8085

Sep 20, 2024

Researcher: Daniel Ruf

Backup Database <= 4.9 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-8702

Sep 20, 2024

Researcher: Bob Matyas

Simple Nav Archives <= 2.1.3 - Cross-Site Request Forgery to Settings Update

4.3

CVE-2024-8398

Sep 20, 2024

Researcher: Daniel Ruf

TI WooCommerce Wishlist <= 2.9.0 - Unauthenticated SQL Injection via 'lang'

7.5

CVE-2024-9156

Sep 19, 2024

Researcher: John Castro

WP Custom Fields Search <= 1.2.35 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpcfs-preset Shortcode

6.4

CVE-2024-8364

Sep 18, 2024

Researcher: Krzysztof Zając

Welcart e-Commerce <= 2.11.1 - Authenticated (Admin+) SQL Injection

4.9

CVE-2024-42404

Sep 18, 2024

Researcher: Shogo Kumamaru

MC4WP: Mailchimp for WordPress 4.9.9 - 4.9.16 - Reflected Cross-Site Scripting

6.1

CVE-2024-8850

Sep 18, 2024

Researcher: kauenavarro

Limit Login Attempts Plus <= 1.1.0 - IP Address Spoofing to Protection Mechanism Bypass

5.3

CVE-2022-4533

Sep 18, 2024

Researcher: rezaduty

Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting

4.8

CVE-2024-8983

Sep 17, 2024

Researcher: Krugov Artyom

WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection

7.5

CVE-2024-9796

Sep 17, 2024

Researcher: Wojciech Jezowski

Houzez <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVE-2024-22303

Sep 17, 2024

Researcher: luc

Relevanssi – A Better Search <= 4.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-9021

Sep 17, 2024

Researcher: Krugov Artyom

WP Hardening – Fix Your WordPress Security <= 1.2.6 - Unauthenticated Security Feature Bypass to Username Enumeration

5.3

CVE-2024-6641

Sep 17, 2024

Researcher: Felipe Caon

Houzez Login Register <= 3.2.5 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

8.8

CVE-2024-21743

Sep 17, 2024

Researcher: luc

Webo-facto <= 1.40 - Unauthenticated Privilege Escalation

9.8

CVE-2024-8853

Sep 17, 2024

Researcher: István Márton

Title	CVE ID	CVSS	Researchers	Date
WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation	CVE-2024-8437	4.3	Lucio Sá	September 23, 2024
Download Manager <= 3.2.98 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-8284	4.4	Dmitrii Ignatyev	September 23, 2024
WP Category Dropdown <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter	CVE-2024-8103	6.4	Francesco Carlucci	September 23, 2024
MailChimp for Wordpress <= 4.9.16 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2024-8680	4.4	Jorge Diaz (ddiax)	September 20, 2024
LatePoint <= 5.0.11 - Unauthenticated Arbitrary User Password Change via SQL Injection	CVE-2024-8911	9.8	István Márton	September 20, 2024
PeoplePond <= 1.1.9 - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2024-8085	6.1	Daniel Ruf	September 20, 2024
Backup Database <= 4.9 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-8702	4.4	Bob Matyas	September 20, 2024
Simple Nav Archives <= 2.1.3 - Cross-Site Request Forgery to Settings Update	CVE-2024-8398	4.3	Daniel Ruf	September 20, 2024
TI WooCommerce Wishlist <= 2.9.0 - Unauthenticated SQL Injection via 'lang'	CVE-2024-9156	7.5	John Castro	September 19, 2024
WP Custom Fields Search <= 1.2.35 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpcfs-preset Shortcode	CVE-2024-8364	6.4	Krzysztof Zając	September 18, 2024
Welcart e-Commerce <= 2.11.1 - Authenticated (Admin+) SQL Injection	CVE-2024-42404	4.9	Shogo Kumamaru	September 18, 2024
MC4WP: Mailchimp for WordPress 4.9.9 - 4.9.16 - Reflected Cross-Site Scripting	CVE-2024-8850	6.1	kauenavarro	September 18, 2024
Limit Login Attempts Plus <= 1.1.0 - IP Address Spoofing to Protection Mechanism Bypass	CVE-2022-4533	5.3	rezaduty	September 18, 2024
Custom Twitter Feeds – A Tweets Widget or X Feed Widget <= 2.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-8983	4.8	Krugov Artyom	September 17, 2024
WordPress WP-Advanced-Search <= 3.3.9 - Unauthenticated SQL Injection	CVE-2024-9796	7.5	Wojciech Jezowski	September 17, 2024
Houzez <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation	CVE-2024-22303	8.8	luc	September 17, 2024
Relevanssi – A Better Search <= 4.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-9021	6.4	Krugov Artyom	September 17, 2024
WP Hardening – Fix Your WordPress Security <= 1.2.6 - Unauthenticated Security Feature Bypass to Username Enumeration	CVE-2024-6641	5.3	Felipe Caon	September 17, 2024
Houzez Login Register <= 3.2.5 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover	CVE-2024-21743	8.8	luc	September 17, 2024
Webo-facto <= 1.40 - Unauthenticated Privilege Escalation	CVE-2024-8853	9.8	István Márton	September 17, 2024

Submit Vulnerability

«
‹
1
2
...
75
76
77
...
1014
1015
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 17, 2024 Vulns
1	SOPROBRO	215
2	João Pedro Soares de Alcântara	70
3	Francesco Carlucci	54
4	Gab	46
5	stealthcopter	39
6	Peter Thaleikis	36
7	Mika	33
8	István Márton	33
9	LVT-tholv2k	25
10	vgo0	22
11	wesley (wcraft)	15
12	Trương Hữu Phúc (truonghuuphuc)	15
13	theviper17y	14
14	zer0gh0st	13
15	Tonn	12
16	Tieu Pham Trong Nhan	9
17	Arkadiusz Hydzik	8
18	Le Ngoc Anh	8
19	Rafie Muhammad	8
20	incognito	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation