🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers, top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Stop User Enumeration <= 1.3.4 - Username Enumeration Bypasses

5.3

CVE ID Unknown

Jan 4, 2017

Researchers:

Stop User Enumeration <= 1.3.8 - Unauthenticated Username Enumeration

5.3

CVE-2017-1000226

Jan 4, 2017

Researchers: Glyn Wintle, dwxsupport

WordPress Ad Widget <= 2.11.0 - Local File Inclusion

9.9

CVE ID Unknown

Jan 1, 2017

Researcher: DefenceCode

WordPress Core < 4.7.2 - Path Disclosure

4.3

CVE-2017-6514

Jan 1, 2017

Researchers:

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.4 - Path Traversal to Sensitive Information Disclosure

4.3

CVE ID Unknown

Dec 31, 2016

Researchers:

Nelio AB Testing < 4.5.11 - Server-Side Request Forgery

7.2

CVE-2016-10927

Dec 29, 2016

Researcher: YEO QUAN YANG

Image Slider < 1.1.90 - Arbitrary File Deletion

8.1

CVE ID Unknown

Dec 23, 2016

Researcher: dwxsupport

BuddyPress 2.0 - 2.7.3 - Unauthenticated Arbitrary File Deletion

10.0

CVE ID Unknown

Dec 23, 2016

Researcher: Sam Pizzey (mopman)

copy-me <= 1.0.0 - Missing Authorization & Cross-Site Request Forgery

5.4

CVE-2016-10938

Dec 21, 2016

Researchers: Mallory Adams, dwxsupport

rtMedia for WordPress, BuddyPress and bbPress <= 4.2 - Arbitary File Upload

9.8

CVE ID Unknown

Dec 21, 2016

Researcher: James Golovich

Chained Quiz <= 0.9.8 - Cross-Site Scripting

6.4

CVE ID Unknown

Dec 21, 2016

Researchers:

ZX_CSV Upload <= 1 - Authenticated (Admin+) SQL Injection

7.2

CVE-2016-10943

Dec 16, 2016

Researcher: Lenon Leite

WP Private Messages <= 1.0.1 - Authenticated SQL Injection

6.3

CVE ID Unknown

Dec 16, 2016

Researcher: Lenon Leite

ZM Gallery <= 1.0 - Authenticated (Admin+) SQL Injection

7.2

CVE-2016-10940

Dec 16, 2016

Researcher: Lenon Leite

Xtreme Locator Dealer Locator Plugin <= 3.0.1 - Authenticated (Admin+) SQL Injection

7.2

CVE-2016-10939

Dec 16, 2016

Researcher: Lenon Leite

Quiz And Survey Master <= 4.7.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVE-2016-11085

Dec 15, 2016

Researchers: Mallory Adams, dwxsupport

Podlove Podcast Publisher < 2.3.16 - SQL Injection

8.8

CVE-2016-10942

Dec 14, 2016

Researcher: RIPS Technologies

MailChimp for WordPress <= 4.0.10 - Authenticated Cross-Site Scripting

6.1

CVE-2016-10871

Dec 13, 2016

Researchers:

WP Support Plus Responsive Ticket System <= 7.1.4 - SQL Injection

8.8

CVE ID Unknown

Dec 12, 2016

Researcher: Lenon Leite

Google Analytics Counter Tracker <= 3.4.1 - Unauthenticated PHP Object Injection

9.8

CVE ID Unknown

Dec 11, 2016

Researcher: Remco Vermeulen

Title	CVE ID	CVSS	Researchers	Date
Stop User Enumeration <= 1.3.4 - Username Enumeration Bypasses		5.3		January 4, 2017
Stop User Enumeration <= 1.3.8 - Unauthenticated Username Enumeration	CVE-2017-1000226	5.3	Glyn Wintle, dwxsupport	January 4, 2017
WordPress Ad Widget <= 2.11.0 - Local File Inclusion		9.9	DefenceCode	January 1, 2017
WordPress Core < 4.7.2 - Path Disclosure	CVE-2017-6514	4.3		January 1, 2017
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 3.1.4 - Path Traversal to Sensitive Information Disclosure		4.3		December 31, 2016
Nelio AB Testing < 4.5.11 - Server-Side Request Forgery	CVE-2016-10927	7.2	YEO QUAN YANG	December 29, 2016
Image Slider < 1.1.90 - Arbitrary File Deletion		8.1	dwxsupport	December 23, 2016
BuddyPress 2.0 - 2.7.3 - Unauthenticated Arbitrary File Deletion		10.0	Sam Pizzey (mopman)	December 23, 2016
copy-me <= 1.0.0 - Missing Authorization & Cross-Site Request Forgery	CVE-2016-10938	5.4	Mallory Adams, dwxsupport	December 21, 2016
rtMedia for WordPress, BuddyPress and bbPress <= 4.2 - Arbitary File Upload		9.8	James Golovich	December 21, 2016
Chained Quiz <= 0.9.8 - Cross-Site Scripting		6.4		December 21, 2016
ZX_CSV Upload <= 1 - Authenticated (Admin+) SQL Injection	CVE-2016-10943	7.2	Lenon Leite	December 16, 2016
WP Private Messages <= 1.0.1 - Authenticated SQL Injection		6.3	Lenon Leite	December 16, 2016
ZM Gallery <= 1.0 - Authenticated (Admin+) SQL Injection	CVE-2016-10940	7.2	Lenon Leite	December 16, 2016
Xtreme Locator Dealer Locator Plugin <= 3.0.1 - Authenticated (Admin+) SQL Injection	CVE-2016-10939	7.2	Lenon Leite	December 16, 2016
Quiz And Survey Master <= 4.7.8 - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2016-11085	8.8	Mallory Adams, dwxsupport	December 15, 2016
Podlove Podcast Publisher < 2.3.16 - SQL Injection	CVE-2016-10942	8.8	RIPS Technologies	December 14, 2016
MailChimp for WordPress <= 4.0.10 - Authenticated Cross-Site Scripting	CVE-2016-10871	6.1		December 13, 2016
WP Support Plus Responsive Ticket System <= 7.1.4 - SQL Injection		8.8	Lenon Leite	December 12, 2016
Google Analytics Counter Tracker <= 3.4.1 - Unauthenticated PHP Object Injection		9.8	Remco Vermeulen	December 11, 2016

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 23, 2024 Vulns
1	Francesco Carlucci	65
2	vgo0	55
3	João Pedro Soares de Alcântara	42
4	stealthcopter	35
5	István Márton	35
6	SOPROBRO	25
7	Peter Thaleikis	21
8	Le Ngoc Anh	18
9	Robert DeVore	14
10	Rafie Muhammad	13
11	Trương Hữu Phúc (truonghuuphuc)	13
12	Colin Xu	12
13	LVT-tholv2k	12
14	tahu.datar	12
15	wesley (wcraft)	11
16	theviper17y	11
17	Khalid Yusuf	11
18	Joshua Chan	10
19	Hakiduck	9
20	TANG Cheuk Hei (siunam)	9

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation