🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Tracked Tweets <= 0.2.9 - Cross-Site Request Forgery to Cross-Site Scripting

8.8

CVE ID Unknown

Apr 25, 2022

Researcher: WPScanTeam

Rara One Click Demo Import <= 1.2.9 - Cross-Site Request Forgery to Arbitrary File Upload

8.8

CVE-2022-29451

Apr 21, 2022

Researcher: RE-ALTER

VikBooking Hotel Booking Engine & PMS <= 1.5.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVE-2022-1407

Apr 21, 2022

Researcher: Gabriel3476

Custom TinyMCE Shortcode Button <= 1.1 - Cross-Site Request Forgery to Cross-Site Scripting

8.8

CVE-2022-1217

Apr 19, 2022

Researcher: p7e4

Fancy Product Designer <= 4.7.5 - Cross-Site Request Forgery to Arbitrary File Upload

8.8

CVE-2021-4096

Apr 14, 2022

Researcher: Lin Yu

Cart Link for WooCommerce <= 2.0.2 - Cross-Site Request Forgery

8.8

CVE ID Unknown

Apr 13, 2022

Researchers:

Autolinks <= 1.0.1 - Cross-Site Request Forgery to Cross-Site Scripting

8.8

CVE-2022-1112

Apr 13, 2022

Researcher: Vaibhav Nitin Gaikwad

Elementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution

8.8

CVE-2022-1329

Apr 13, 2022

Researcher: Ram

Visual Form Builder <= 3.0.7 - Cross-Site Request Forgery to Data Modification

8.8

CVE-2022-0141

Apr 11, 2022

Researcher: Vishnupriya Ilango

Photo Gallery by 10Web <= 1.6.2 - SQL Injection

8.8

CVE-2022-1281

Apr 11, 2022

Researcher: ZhongFu Su

Easy Digital Downloads <= 2.11.5 - Cross-Site Request Forgery

8.8

CVE-2022-0707

Apr 9, 2022

Researcher: Muhamad Hidayat

Advanced Page Visit Counter <= 6.1.5 - Subscriber+ Blind SQL injection

8.8

CVE-2021-24957

Apr 8, 2022

Researcher: Krzysztof Zając

Cool Plugins (Various Versions) - Arbitrary Plugin Installation and Activation

8.8

CVE-2022-4950

Apr 4, 2022

Researcher: Jerome Bruandet

Bit File Manager – 100% free file manager for WordPress <= 5.2.2 - Subscriber+ Arbitrary File Creation/Upload/Deletion

8.8

CVE-2022-0403

Mar 14, 2022

Researcher: Luan Pedersini

WordPress Core < 5.9.1 - jQuery Prototype Pollution

8.8

CVE-2021-20083

Mar 11, 2022

Researcher: Melar Dev

Fatcat Apps Analytics Cat <= 1.0.9 - Cross-Site Request Forgery

8.8

CVE-2022-27855

Mar 8, 2022

Researcher: Rasi Afeef

Translate WordPress with GTranslate <= 2.9.8 & Translate WordPress – Google Language Translator <= 6.0.13 - Missing Authorization to Sensitive Information Disclosure

8.8

CVE-2022-0770

Mar 7, 2022

Researcher: Diogo Real

Sermon Browser <= 0.45.22 - Cross-Site Request Forgery

8.8

CVE-2022-0499

Mar 1, 2022

Researcher: Krishna Harsha Kondaveeti

Appointment and Event Booking Calendar - Amelia < 1.0.47 - Arbitrary File Upload

8.8

CVE-2022-0687

Feb 23, 2022

Researcher: qerogram

Advanced Contact form 7 DB <= 1.8.6 - Authenticated Arbitrary File Deletion

8.8

CVE-2021-24905

Feb 22, 2022

Researcher: Krzysztof Zając

Title	CVE ID	CVSS	Researchers	Date
Tracked Tweets <= 0.2.9 - Cross-Site Request Forgery to Cross-Site Scripting		8.8	WPScanTeam	April 25, 2022
Rara One Click Demo Import <= 1.2.9 - Cross-Site Request Forgery to Arbitrary File Upload	CVE-2022-29451	8.8	RE-ALTER	April 21, 2022
VikBooking Hotel Booking Engine & PMS <= 1.5.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2022-1407	8.8	Gabriel3476	April 21, 2022
Custom TinyMCE Shortcode Button <= 1.1 - Cross-Site Request Forgery to Cross-Site Scripting	CVE-2022-1217	8.8	p7e4	April 19, 2022
Fancy Product Designer <= 4.7.5 - Cross-Site Request Forgery to Arbitrary File Upload	CVE-2021-4096	8.8	Lin Yu	April 14, 2022
Cart Link for WooCommerce <= 2.0.2 - Cross-Site Request Forgery		8.8		April 13, 2022
Autolinks <= 1.0.1 - Cross-Site Request Forgery to Cross-Site Scripting	CVE-2022-1112	8.8	Vaibhav Nitin Gaikwad	April 13, 2022
Elementor Website Builder 3.6.0 - 3.6.2 - Missing Authorization to Remote Code Execution	CVE-2022-1329	8.8	Ram	April 13, 2022
Visual Form Builder <= 3.0.7 - Cross-Site Request Forgery to Data Modification	CVE-2022-0141	8.8	Vishnupriya Ilango	April 11, 2022
Photo Gallery by 10Web <= 1.6.2 - SQL Injection	CVE-2022-1281	8.8	ZhongFu Su	April 11, 2022
Easy Digital Downloads <= 2.11.5 - Cross-Site Request Forgery	CVE-2022-0707	8.8	Muhamad Hidayat	April 9, 2022
Advanced Page Visit Counter <= 6.1.5 - Subscriber+ Blind SQL injection	CVE-2021-24957	8.8	Krzysztof Zając	April 8, 2022
Cool Plugins (Various Versions) - Arbitrary Plugin Installation and Activation	CVE-2022-4950	8.8	Jerome Bruandet	April 4, 2022
Bit File Manager – 100% free file manager for WordPress <= 5.2.2 - Subscriber+ Arbitrary File Creation/Upload/Deletion	CVE-2022-0403	8.8	Luan Pedersini	March 14, 2022
WordPress Core < 5.9.1 - jQuery Prototype Pollution	CVE-2021-20083	8.8	Melar Dev	March 11, 2022
Fatcat Apps Analytics Cat <= 1.0.9 - Cross-Site Request Forgery	CVE-2022-27855	8.8	Rasi Afeef	March 8, 2022
Translate WordPress with GTranslate <= 2.9.8 & Translate WordPress – Google Language Translator <= 6.0.13 - Missing Authorization to Sensitive Information Disclosure	CVE-2022-0770	8.8	Diogo Real	March 7, 2022
Sermon Browser <= 0.45.22 - Cross-Site Request Forgery	CVE-2022-0499	8.8	Krishna Harsha Kondaveeti	March 1, 2022
Appointment and Event Booking Calendar - Amelia < 1.0.47 - Arbitrary File Upload	CVE-2022-0687	8.8	qerogram	February 23, 2022
Advanced Contact form 7 DB <= 1.8.6 - Authenticated Arbitrary File Deletion	CVE-2021-24905	8.8	Krzysztof Zając	February 22, 2022

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 31, 2024 Vulns
1	Francesco Carlucci	30
2	vgo0	28
3	wesley (wcraft)	21
4	Lucio Sá	13
5	Krzysztof Zając	10
6	stealthcopter	10
7	Peter Thaleikis	7
8	Marco Wotschka	7
9	Webbernaut	6
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	zer0gh0st	4
13	LVT-tholv2k	3
14	Robert DeVore	3
15	Le Ngoc Anh	3
16	rezaduty	3
17	Rafie Muhammad	2
18	Tonn	2
19	Jorge Diaz (ddiax)	2
20	Michelle Porter	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation