🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

WP Coder <= 2.5.1 - Remote File Inclusion leading to Remote Code Execution via Cross-Site Request Forgery

8.8

CVE-2021-25053

Dec 5, 2021

Researcher: Krzysztof Zając

Button Generator – easily Button Builder <= 2.3.2 - Cross-Site Request Forgery

8.8

CVE-2021-25052

Dec 5, 2021

Researcher: Krzysztof Zając

Modal Window – create popup modal window <= 5.2.1 - Cross-Site Request Forgery to Remote Code Execution

8.8

CVE-2021-25051

Dec 5, 2021

Researcher: Krzysztof Zając

Contact Form With Captcha <= 1.6.7 - Cross-Site Request Forgery

8.8

CVE-2021-42358

Nov 29, 2021

Researcher: Yuga Futatsuki

Rich Reviews by Starfish <= 1.9.5 - SQL Injection

8.8

CVE-2021-24753

Nov 29, 2021

Researcher: bl4derunner

MOLIE <= 0.5 - SQL Injection

8.8

CVE-2021-25007

Nov 29, 2021

Researcher: Jeremie Amsellem

Stetic <= 1.0.6 Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVE-2021-42364

Nov 29, 2021

Researcher: Naoki Ogawa, Cryptography Laboratory in Tokyo Denki University

Browser and Operating System Finder <= 1.1 - Cross-Site Request Forgery

8.8

CVE-2021-20851

Nov 25, 2021

Researcher: imai shinpei, Tokyo Denki University

Kudos Donations – Easy donations and payments with Mollie < 3.1.2 - Cross-Site Request Forgery

8.8

CVE ID Unknown

Nov 22, 2021

Researcher: WPScanTeam

Ni WooCommerce Custom Order Status <= 1.9.6 - SQL Injection

8.8

CVE-2021-24846

Nov 22, 2021

Researcher: ZhongFu Su

Easy Registration Forms <= 2.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVE-2021-39353

Nov 18, 2021

Researcher: Thinkland Security Team

Push Notifications for WordPress (Lite) < 6.0.1 - Cross-Site Request Forgery

8.8

CVE-2021-20846

Nov 16, 2021

Researcher: Ten Katouno

Directorist <= 7.0.6.1 - Cross-Site Request Forgery to Arbitrary File Upload

8.8

CVE-2021-24981

Nov 16, 2021

Researcher: lostbytes1

Pixel Cat – Conversion Pixel Manager <= 2.6.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVE-2021-24922

Nov 15, 2021

Researcher: ZhongFu Su

Mediamatic – Media Library Folders <= 2.8.0 - SQL Injection

8.8

CVE-2021-24848

Nov 15, 2021

Researcher: ZhongFu Su

NEX-Forms – Ultimate Form Builder <= 8.4.2 - Cross-Site Request Forgery to Cross-Site Scripting

8.8

CVE-2021-24705

Nov 14, 2021

Researcher: Shivam Rai

8.8

CVE-2021-42362

Nov 12, 2021

Researcher: Jerome Bruandet

WP Reset PRO 5.00-5.98 - Cross-Site Request Forgery

8.8

CVE-2021-36908

Nov 10, 2021

Researcher: Dave Jong

WP Reset – Most Advanced WordPress Reset Tool (PRO) 5.00- 5.98 - Missing Authorization to Database Reset

8.8

CVE-2021-36909

Nov 10, 2021

Researcher: Dave Jong

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.2 - Subscriber+ SQL Injection

8.8

CVE-2021-24755

Nov 1, 2021

Researcher: bl4derunner

Title	CVE ID	CVSS	Researchers	Date
WP Coder <= 2.5.1 - Remote File Inclusion leading to Remote Code Execution via Cross-Site Request Forgery	CVE-2021-25053	8.8	Krzysztof Zając	December 5, 2021
Button Generator – easily Button Builder <= 2.3.2 - Cross-Site Request Forgery	CVE-2021-25052	8.8	Krzysztof Zając	December 5, 2021
Modal Window – create popup modal window <= 5.2.1 - Cross-Site Request Forgery to Remote Code Execution	CVE-2021-25051	8.8	Krzysztof Zając	December 5, 2021
Contact Form With Captcha <= 1.6.7 - Cross-Site Request Forgery	CVE-2021-42358	8.8	Yuga Futatsuki	November 29, 2021
Rich Reviews by Starfish <= 1.9.5 - SQL Injection	CVE-2021-24753	8.8	bl4derunner	November 29, 2021
MOLIE <= 0.5 - SQL Injection	CVE-2021-25007	8.8	Jeremie Amsellem	November 29, 2021
Stetic <= 1.0.6 Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2021-42364	8.8	Naoki Ogawa, Cryptography Laboratory in Tokyo Denki University	November 29, 2021
Browser and Operating System Finder <= 1.1 - Cross-Site Request Forgery	CVE-2021-20851	8.8	imai shinpei, Tokyo Denki University	November 25, 2021
Kudos Donations – Easy donations and payments with Mollie < 3.1.2 - Cross-Site Request Forgery		8.8	WPScanTeam	November 22, 2021
Ni WooCommerce Custom Order Status <= 1.9.6 - SQL Injection	CVE-2021-24846	8.8	ZhongFu Su	November 22, 2021
Easy Registration Forms <= 2.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2021-39353	8.8	Thinkland Security Team	November 18, 2021
Push Notifications for WordPress (Lite) < 6.0.1 - Cross-Site Request Forgery	CVE-2021-20846	8.8	Ten Katouno	November 16, 2021
Directorist <= 7.0.6.1 - Cross-Site Request Forgery to Arbitrary File Upload	CVE-2021-24981	8.8	lostbytes1	November 16, 2021
Pixel Cat – Conversion Pixel Manager <= 2.6.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2021-24922	8.8	ZhongFu Su	November 15, 2021
Mediamatic – Media Library Folders <= 2.8.0 - SQL Injection	CVE-2021-24848	8.8	ZhongFu Su	November 15, 2021
NEX-Forms – Ultimate Form Builder <= 8.4.2 - Cross-Site Request Forgery to Cross-Site Scripting	CVE-2021-24705	8.8	Shivam Rai	November 14, 2021
WordPress Popular Posts <= 5.3.2 - Authenticated Arbitrary File Upload	CVE-2021-42362	8.8	Jerome Bruandet	November 12, 2021
WP Reset PRO 5.00-5.98 - Cross-Site Request Forgery	CVE-2021-36908	8.8	Dave Jong	November 10, 2021
WP Reset – Most Advanced WordPress Reset Tool (PRO) 5.00- 5.98 - Missing Authorization to Database Reset	CVE-2021-36909	8.8	Dave Jong	November 10, 2021
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.2 - Subscriber+ SQL Injection	CVE-2021-24755	8.8	bl4derunner	November 1, 2021

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 1, 2024 Vulns
1	Francesco Carlucci	43
2	vgo0	36
3	wesley (wcraft)	22
4	Lucio Sá	14
5	Krzysztof Zając	12
6	stealthcopter	11
7	Peter Thaleikis	11
8	Marco Wotschka	7
9	Webbernaut	7
10	Daniel Ruf	5
11	TANG Cheuk Hei (siunam)	5
12	zer0gh0st	4
13	Tonn	4
14	Robert DeVore	3
15	LVT-tholv2k	3
16	Le Ngoc Anh	3
17	István Márton	3
18	rezaduty	3
19	theviper17y	2
20	Michelle Porter	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation