🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-34757

May 14, 2024

Researcher: Khalid

Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-4057

May 14, 2024

Researcher: Dmitrii Ignatyev

WP Fundraising Donation and Crowdfunding Platform <= 1.6.4 - Missing Authorization

5.3

CVE-2024-34758

May 14, 2024

Researcher: Peng Zhou

All-in-One Video Gallery <= 3.6.5 - Authenticated (Contributor+) Local File Inclusion via aiovg_search_form Shortcode

8.8

CVE-2024-4670

May 14, 2024

Researcher: Ngô Thiên An (ancorn_)

iframe <= 5.0 - Authenticated (Contributor+ Stored Cross-Site Scripting

6.4

CVE-2024-34805

May 14, 2024

Researcher: Byeongjun Jo

Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typer Effect

6.4

CVE-2024-4208

May 14, 2024

Researcher: Webbernaut

Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.37 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVE-2024-3189

May 14, 2024

Researcher: stealthcopter

Order Export & Order Import for WooCommerce <= 2.4.9 - Authenticated (Administrator+) PHP Object Injection

7.2

CVE-2024-34751

May 14, 2024

Researcher: Trinh Vu (Sonicrrrr)

Sydney Toolbox <= 1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via aThemes: Portfolio Widget

6.4

CVE-2024-4473

May 13, 2024

Researcher: Ngô Thiên An (ancorn_)

140+ Widgets | Best Addons For Elementor – FREE <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVE-2024-4440

May 13, 2024

Researcher: stealthcopter

Jetpack – WP Security, Backup, Speed, & Growth <= 13.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode

6.4

CVE-2024-4392

May 13, 2024

Researcher: wesley (wcraft)

WP SMS <= 6.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE-2024-34811

May 13, 2024

Researcher: Dhabaleshwar Das

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.20 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-4624

May 13, 2024

Researcher: wesley (wcraft)

YITH WooCommerce Gift Cards <= 4.12.0 - Missing Authorization to Unauthenticated WooCommerce Settings Update

5.3

CVE-2024-0870

May 13, 2024

Researcher: Francesco Carlucci

Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) <= 3.5.3 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting

6.4

CVE-2024-4333

May 13, 2024

Researcher: Webbernaut

Clearfy Cache <= 2.2.3 - Cross-Site Request Forgery

4.3

CVE-2024-34806

May 13, 2024

Researcher: Dhabaleshwar Das

Kognetiks Chatbot for WordPress <= 2.0.0 - Unauthenticated Arbitrary File Upload

10.0

CVE-2024-32700

May 13, 2024

Researcher: LVT-tholv2k

WP Compress – Image Optimizer [All-In-One] <= 6.20.01 - Open Redirect via css

4.3

CVE-2023-6812

May 13, 2024

Researcher: Krzysztof Zając

Extend Themes <= (Multiple Versions) - Cross-Site Request Forgery

4.3

CVE-2024-34810

May 13, 2024

Researcher: Dhabaleshwar Das

Simple Basic Contact Form <= 20240502 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVE-2024-4144

May 13, 2024

Researcher: stealthcopter

Title	CVE ID	CVSS	Researchers	Date
Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg <= 1.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-34757	6.4	Khalid	May 14, 2024
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-4057	6.4	Dmitrii Ignatyev	May 14, 2024
WP Fundraising Donation and Crowdfunding Platform <= 1.6.4 - Missing Authorization	CVE-2024-34758	5.3	Peng Zhou	May 14, 2024
All-in-One Video Gallery <= 3.6.5 - Authenticated (Contributor+) Local File Inclusion via aiovg_search_form Shortcode	CVE-2024-4670	8.8	Ngô Thiên An (ancorn_)	May 14, 2024
iframe <= 5.0 - Authenticated (Contributor+ Stored Cross-Site Scripting	CVE-2024-34805	6.4	Byeongjun Jo	May 14, 2024
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typer Effect	CVE-2024-4208	6.4	Webbernaut	May 14, 2024
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.37 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-3189	5.4	stealthcopter	May 14, 2024
Order Export & Order Import for WooCommerce <= 2.4.9 - Authenticated (Administrator+) PHP Object Injection	CVE-2024-34751	7.2	Trinh Vu (Sonicrrrr)	May 14, 2024
Sydney Toolbox <= 1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via aThemes: Portfolio Widget	CVE-2024-4473	6.4	Ngô Thiên An (ancorn_)	May 13, 2024
140+ Widgets \| Best Addons For Elementor – FREE <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets	CVE-2024-4440	6.4	stealthcopter	May 13, 2024
Jetpack – WP Security, Backup, Speed, & Growth <= 13.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpvideo Shortcode	CVE-2024-4392	6.4	wesley (wcraft)	May 13, 2024
WP SMS <= 6.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2024-34811	4.4	Dhabaleshwar Das	May 13, 2024
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.20 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-4624	6.4	wesley (wcraft)	May 13, 2024
YITH WooCommerce Gift Cards <= 4.12.0 - Missing Authorization to Unauthenticated WooCommerce Settings Update	CVE-2024-0870	5.3	Francesco Carlucci	May 13, 2024
Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) <= 3.5.3 - Authenticated (Contributor+) DOM-Based Cross-Site Scripting	CVE-2024-4333	6.4	Webbernaut	May 13, 2024
Clearfy Cache <= 2.2.3 - Cross-Site Request Forgery	CVE-2024-34806	4.3	Dhabaleshwar Das	May 13, 2024
Kognetiks Chatbot for WordPress <= 2.0.0 - Unauthenticated Arbitrary File Upload	CVE-2024-32700	10.0	LVT-tholv2k	May 13, 2024
WP Compress – Image Optimizer [All-In-One] <= 6.20.01 - Open Redirect via css	CVE-2023-6812	4.3	Krzysztof Zając	May 13, 2024
Extend Themes <= (Multiple Versions) - Cross-Site Request Forgery	CVE-2024-34810	4.3	Dhabaleshwar Das	May 13, 2024
Simple Basic Contact Form <= 20240502 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-4144	6.5	stealthcopter	May 13, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 31, 2024 Vulns
1	Francesco Carlucci	30
2	vgo0	27
3	wesley (wcraft)	21
4	Lucio Sá	13
5	Krzysztof Zając	10
6	stealthcopter	10
7	Peter Thaleikis	7
8	Marco Wotschka	7
9	Webbernaut	6
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	zer0gh0st	4
13	LVT-tholv2k	3
14	Robert DeVore	3
15	Le Ngoc Anh	3
16	rezaduty	3
17	Rafie Muhammad	2
18	Tonn	2
19	Jorge Diaz (ddiax)	2
20	Michelle Porter	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation