🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Health Check & Troubleshooting <= 1.2.3 - Cross-Site Request Forgery

8.0

CVE ID Unknown

Jan 25, 2019

Researcher: Julien Legras

Wise Chat <= 2.6.3 - Reverse Tabnabbing

6.1

CVE-2019-6780

Jan 25, 2019

Researcher: MTK (Muhammad Talha Khan)

Polylang <= 2.5 - Cross-Site Request Forgery

8.8

CVE ID Unknown

Jan 16, 2019

Researchers:

Social Network Tabs - Social Media API Key Leakage <= 1.7.1 - Information Exposure

9.8

CVE-2018-20555

Jan 16, 2019

Researcher: fs0c131y

Shortcode Factory <= 2.7 - Local File Inclusion

9.8

CVE-2019-15322

Jan 16, 2019

Researchers:

Companion Auto Update <= 3.3.5 - Authenticated (Admin+) SQL Injection

7.2

CVE ID Unknown

Jan 14, 2019

Researchers:

Easy Redirect Manager <= 2.18.18 - Cross-Site Scripting

6.1

CVE-2019-6267

Jan 14, 2019

Researcher: LS Team

Gallery Images Ape <= 1.6.14 - Stored Cross-Site Scripting

6.1

CVE-2019-6117

Jan 10, 2019

Researchers:

Companion Sitemap Generator – HTML & XML <= 3.6.6 - Cross-Site Request Forgery and Local File Inclusion

8.8

CVE-2019-15113

Jan 10, 2019

Researchers:

spam-byebye <= 2.2.1 - Unauthenticated Cross-Site Scripting

6.1

CVE-2018-16206

Jan 10, 2019

Researcher: qw3rTyTy

User Registration <= 1.5.5 - Cross-Site Scripting

6.4

CVE ID Unknown

Jan 9, 2019

Researcher: Mr Winst0n

MapSVG Lite < 3.3.0 - Cross-Site Request Forgery

6.1

CVE-2019-1000003

Jan 8, 2019

Researcher: Rob Skilling (DXW)

Baggage Freight Shipping Australia <= 0.1.0 - Arbitrary File Upload

9.8

CVE ID Unknown

Jan 8, 2019

Researcher: Kaimi

JSmol2WP <= 1.07 - Cross-Site Scripting

6.1

CVE-2018-20462

Jan 7, 2019

Researchers:

Ninja Forms Contact Form <= 3.3.21.1 - SQL Injection

9.8

CVE-2019-15025

Jan 7, 2019

Researchers:

WP Job Manager <= 1.31.2 - PHP Object Injection via PHAR Deserialization

7.5

CVE ID Unknown

Jan 7, 2019

Researcher: RIPS Technologies

Audio Record <= 1.0 - Arbitrary File Upload

9.8

CVE ID Unknown

Jan 7, 2019

Researcher: Kaimi

UserPro <= 4.9.20 - Privilege Escalation

10.0

CVE ID Unknown

Jan 3, 2019

Researcher: Noman Riffat

Booking Calendar <= 8.4.3 - SQL injection

8.8

CVE-2018-20556

Dec 28, 2018

Researcher: B0UG

Order XML File Export Import for WooCommerce < 1.2.3 - Cross-Site Scripting

6.1

CVE ID Unknown

Dec 28, 2018

Researchers:

Title	CVE ID	CVSS	Researchers	Date
Health Check & Troubleshooting <= 1.2.3 - Cross-Site Request Forgery		8.0	Julien Legras	January 25, 2019
Wise Chat <= 2.6.3 - Reverse Tabnabbing	CVE-2019-6780	6.1	MTK (Muhammad Talha Khan)	January 25, 2019
Polylang <= 2.5 - Cross-Site Request Forgery		8.8		January 16, 2019
Social Network Tabs - Social Media API Key Leakage <= 1.7.1 - Information Exposure	CVE-2018-20555	9.8	fs0c131y	January 16, 2019
Shortcode Factory <= 2.7 - Local File Inclusion	CVE-2019-15322	9.8		January 16, 2019
Companion Auto Update <= 3.3.5 - Authenticated (Admin+) SQL Injection		7.2		January 14, 2019
Easy Redirect Manager <= 2.18.18 - Cross-Site Scripting	CVE-2019-6267	6.1	LS Team	January 14, 2019
Gallery Images Ape <= 1.6.14 - Stored Cross-Site Scripting	CVE-2019-6117	6.1		January 10, 2019
Companion Sitemap Generator – HTML & XML <= 3.6.6 - Cross-Site Request Forgery and Local File Inclusion	CVE-2019-15113	8.8		January 10, 2019
spam-byebye <= 2.2.1 - Unauthenticated Cross-Site Scripting	CVE-2018-16206	6.1	qw3rTyTy	January 10, 2019
User Registration <= 1.5.5 - Cross-Site Scripting		6.4	Mr Winst0n	January 9, 2019
MapSVG Lite < 3.3.0 - Cross-Site Request Forgery	CVE-2019-1000003	6.1	Rob Skilling (DXW)	January 8, 2019
Baggage Freight Shipping Australia <= 0.1.0 - Arbitrary File Upload		9.8	Kaimi	January 8, 2019
JSmol2WP <= 1.07 - Cross-Site Scripting	CVE-2018-20462	6.1		January 7, 2019
Ninja Forms Contact Form <= 3.3.21.1 - SQL Injection	CVE-2019-15025	9.8		January 7, 2019
WP Job Manager <= 1.31.2 - PHP Object Injection via PHAR Deserialization		7.5	RIPS Technologies	January 7, 2019
Audio Record <= 1.0 - Arbitrary File Upload		9.8	Kaimi	January 7, 2019
UserPro <= 4.9.20 - Privilege Escalation		10.0	Noman Riffat	January 3, 2019
Booking Calendar <= 8.4.3 - SQL injection	CVE-2018-20556	8.8	B0UG	December 28, 2018
Order XML File Export Import for WooCommerce < 1.2.3 - Cross-Site Scripting		6.1		December 28, 2018

Submit Vulnerability

«
‹
1
2
...
835
836
837
...
1015
1016
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 20, 2024 Vulns
1	SOPROBRO	211
2	João Pedro Soares de Alcântara	61
3	Francesco Carlucci	55
4	Gab	44
5	stealthcopter	39
6	Peter Thaleikis	39
7	István Márton	35
8	Mika	29
9	vgo0	25
10	LVT-tholv2k	23
11	Trương Hữu Phúc (truonghuuphuc)	15
12	wesley (wcraft)	15
13	theviper17y	14
14	zer0gh0st	13
15	Tonn	12
16	Arkadiusz Hydzik	10
17	Tieu Pham Trong Nhan	9
18	Le Ngoc Anh	8
19	Rafie Muhammad	8
20	Webbernaut	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation