🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Unique <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-33952

Apr 30, 2024

Researcher: stealthcopter

Min and Max Purchase for WooCommerce <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVE-2024-33949

Apr 30, 2024

Researcher: Joshua Chan

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.6.1 - Missing Authorization

4.3

CVE-2024-3936

Apr 30, 2024

Researcher: Pavel Palii

Ultimate Under Construction <= 1.9.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE-2024-33943

Apr 30, 2024

Researcher: Cronus

Cost Calculator Builder Pro <= 3.1.67 - Unauthenticated Cross-Site Scripting via SVG Upload

7.2

CVE-2024-4097

Apr 30, 2024

Researcher: andrea bocchetti

Carousel Slider <= 2.2.10 - Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVE-2024-4372

Apr 30, 2024

Researcher: Dmitrii Ignatyev

Masteriyo - LMS <= 1.7.3 - Insecure Direct Object Reference

5.3

CVE-2024-33939

Apr 30, 2024

Researcher: Steven Julian

Archives Calendar Widget <= 1.0.15 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-33950

Apr 30, 2024

Researcher: Joshua Chan

All in One SEO <= 4.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-3368

Apr 29, 2024

Researcher: Dmitrii Ignatyev

6.4

CVE-2024-33932

Apr 29, 2024

Researcher: Ngô Thiên An (ancorn_)

AnnounceKit <= 2.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-3023

Apr 29, 2024

Researcher: Benedictus Jovan (aillesiM)

Directorist <= 7.8.6 - Missing Authorization

5.3

CVE-2024-33929

Apr 29, 2024

Researcher: Dhabaleshwar Das

5280 Bootstrap Modal Contact Form <= 1.0 - Cross-Site Request Forgery to Bulk Delete Messages

4.3

CVE-2024-0847

Apr 29, 2024

Researcher: Nathan (calysteon)

Photo Gallery <= 1.4.2 - Authenticated(Contributor+) PHP Object Injection via Shortcode

7.5

CVE-2024-1896

Apr 29, 2024

Researcher: Francesco Carlucci

Easy Restaurant Table Booking <= 1.0.0 - Cross-Site Request Forgery

4.3

CVE-2024-4083

Apr 29, 2024

Researcher: Benedictus Jovan (aillesiM)

Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.7 - Sensitive Information Exposure

5.3

CVE-2024-3717

Apr 29, 2024

Researcher: Tim Coen

Calendar <= 1.3.14 - Authenticated (Contributor+) SQL Injection via Shortcode

8.8

CVE-2024-2831

Apr 29, 2024

Researcher: Krzysztof Zając

ReviewX <= 1.6.21 - Missing Authorization

4.3

CVE-2024-33921

Apr 29, 2024

Researcher: Abdi Pranata

Elementor ImageBox <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-3074

Apr 29, 2024

Researchers: Etan Imanol Castro Aldrete, Eduardo Berlanga (seqode), Joaquin Alvarez, Abraham de León (h4m1), José Vazquez (AKA Retr0_1000101), Samuel Gonzalez (Winsad), j0r38, Manuel Manjarrez, Alex Delgado, Emiliano Perez, M41w4r3, Xeniel, Cr4zyD14m0nd, l1ttl3Bugc4t, Dr4c0t4, Bryan Velez, mrgh057, D4ZC, Deibyd, MindFall, PumaHat, Tr3ckR, xm4nd0, pCix, 0xjar8

Social Share Icons & Social Share Buttons <= 3.6.2 - Missing Authorization to Notice Dismissal

5.3

CVE-2024-32820

Apr 29, 2024

Researcher: Mika

Title	CVE ID	CVSS	Researchers	Date
Unique <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-33952	6.4	stealthcopter	April 30, 2024
Min and Max Purchase for WooCommerce <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-33949	5.4	Joshua Chan	April 30, 2024
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.6.1 - Missing Authorization	CVE-2024-3936	4.3	Pavel Palii	April 30, 2024
Ultimate Under Construction <= 1.9.3 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2024-33943	4.4	Cronus	April 30, 2024
Cost Calculator Builder Pro <= 3.1.67 - Unauthenticated Cross-Site Scripting via SVG Upload	CVE-2024-4097	7.2	andrea bocchetti	April 30, 2024
Carousel Slider <= 2.2.10 - Authenticated (Editor+) Stored Cross-Site Scripting	CVE-2024-4372	5.5	Dmitrii Ignatyev	April 30, 2024
Masteriyo - LMS <= 1.7.3 - Insecure Direct Object Reference	CVE-2024-33939	5.3	Steven Julian	April 30, 2024
Archives Calendar Widget <= 1.0.15 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-33950	4.4	Joshua Chan	April 30, 2024
All in One SEO <= 4.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-3368	6.4	Dmitrii Ignatyev	April 29, 2024
Login Logout Register Menu <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-33932	6.4	Ngô Thiên An (ancorn_)	April 29, 2024
AnnounceKit <= 2.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-3023	4.4	Benedictus Jovan (aillesiM)	April 29, 2024
Directorist <= 7.8.6 - Missing Authorization	CVE-2024-33929	5.3	Dhabaleshwar Das	April 29, 2024
5280 Bootstrap Modal Contact Form <= 1.0 - Cross-Site Request Forgery to Bulk Delete Messages	CVE-2024-0847	4.3	Nathan (calysteon)	April 29, 2024
Photo Gallery <= 1.4.2 - Authenticated(Contributor+) PHP Object Injection via Shortcode	CVE-2024-1896	7.5	Francesco Carlucci	April 29, 2024
Easy Restaurant Table Booking <= 1.0.0 - Cross-Site Request Forgery	CVE-2024-4083	4.3	Benedictus Jovan (aillesiM)	April 29, 2024
Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.7.7 - Sensitive Information Exposure	CVE-2024-3717	5.3	Tim Coen	April 29, 2024
Calendar <= 1.3.14 - Authenticated (Contributor+) SQL Injection via Shortcode	CVE-2024-2831	8.8	Krzysztof Zając	April 29, 2024
ReviewX <= 1.6.21 - Missing Authorization	CVE-2024-33921	4.3	Abdi Pranata	April 29, 2024
Elementor ImageBox <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-3074	6.4	Etan Imanol Castro Aldrete, Eduardo Berlanga (seqode), Joaquin Alvarez, Abraham de León (h4m1), José Vazquez (AKA Retr0_1000101), Samuel Gonzalez (Winsad), j0r38, Manuel Manjarrez, Alex Delgado, Emiliano Perez, M41w4r3, Xeniel, Cr4zyD14m0nd, l1ttl3Bugc4t, Dr4c0t4, Bryan Velez, mrgh057, D4ZC, Deibyd, MindFall, PumaHat, Tr3ckR, xm4nd0, pCix, 0xjar8	April 29, 2024
Social Share Icons & Social Share Buttons <= 3.6.2 - Missing Authorization to Notice Dismissal	CVE-2024-32820	5.3	Mika	April 29, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 2, 2024 Vulns
1	Francesco Carlucci	46
2	vgo0	40
3	wesley (wcraft)	22
4	Lucio Sá	14
5	Krzysztof Zając	12
6	stealthcopter	11
7	Peter Thaleikis	11
8	Marco Wotschka	7
9	Webbernaut	7
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	zer0gh0st	4
13	Tonn	4
14	Colin Xu	4
15	Robert DeVore	4
16	LVT-tholv2k	3
17	Le Ngoc Anh	3
18	István Márton	3
19	rezaduty	3
20	theviper17y	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation