🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

JobCareer | Job Board Responsive WordPress Theme < 2.4 - Unauthenticated Arbitrary Password Reset

8.8

CVE-2018-19488

Dec 4, 2018

Researcher: Anthony MAESTRE

Redirection <= 3.6.3 - Cross-Site Request Forgery to Remote Code Execution

8.8

CVE ID Unknown

Nov 14, 2018

Researcher: RIPS Technologies

Weblizar Pin Feeds < 1.1.2 - Cross-Site Request Forgery

8.8

CVE-2018-5656

Nov 13, 2018

Researcher: d4wner

Read and Understood < 2.2 - Cross-Site Request Forgery

8.8

CVE-2018-5669

Nov 13, 2018

Researcher: d4wner

Simple Link Directory <= 5.6.0 - PHP Object Injection

8.8

CVE ID Unknown

Nov 12, 2018

Researchers:

Image Intense <= 3.2.5 - SQL Injection

8.8

CVE ID Unknown

Oct 11, 2018

Researchers:

WP Fastest Cache <= 0.8.8.5 - Cross-Site Request Forgery via page to wpfastestcacheoptions

8.8

CVE-2018-17584

Oct 9, 2018

Researcher: Mohammed Ansari

Companion Auto Update <= 3.2.0 - Cross-Site Request Forgery

8.8

CVE-2018-20972

Oct 2, 2018

Researchers:

File Manager <= 3.0 - Cross-Site Request Forgery

8.8

CVE-2018-16966

Sep 17, 2018

Researcher: Mohammed Ansari

Plainview Activity Monitor < 20180826 - Remote Command Injection

8.8

CVE-2018-15877

Aug 26, 2018

Researchers:

WordPress Core < 4.9 - Insecure Deserialization

8.8

CVE-2017-1000600

Aug 16, 2018

Researcher: Sam Thomas

Ultimate Member <= 2.0.21 - Arbitrary File Upload

8.8

CVE ID Unknown

Aug 8, 2018

Researchers:

WordPress Core < 4.9.7 - Authenticated Arbitrary File Deletion

8.8

CVE-2018-12895

Jul 5, 2018

Researchers: Matt Barry, Karim El Ouerghemmi, Slavco Mihajloski

JS Help Desk – Best Help Desk & Support Plugin <= 2.0.5 - Cross-Site Request Forgery

8.8

CVE-2018-21002

Jun 25, 2018

Researchers:

Quick Chat <= 4.14 - SQL Injection

8.8

CVE-2019-1010104

Jun 12, 2018

Researcher: Amine Taouirsa

JS Job Manager <= 1.0.6 - Cross-Site Request Forgery

8.8

CVE-2018-20974

May 28, 2018

Researchers:

ProfileGrid – User Profiles, Memberships, Groups and Communities < 2.8.6 - Remote Code Execution

8.8

CVE-2019-15873

May 18, 2018

Researcher: Karim El Ouerghemmi

Metronet Tag Manager < 1.2.9 - Cross-Site Request Forgery

8.8

CVE-2018-1000506

May 15, 2018

Researcher: Mallory Adams

WP User Groups <= 2.1.0 - Cross-Site Request Forgery

8.8

CVE ID Unknown

May 11, 2018

Researchers: Mallory Adams, dwxsupport

Ultimate Member <= 2.0.6 - Multiple Cross-Site Request Forgery Issues

8.8

CVE-2018-10233

Apr 23, 2018

Researcher: Riccardo ten Cate

Title	CVE ID	CVSS	Researchers	Date
JobCareer \| Job Board Responsive WordPress Theme < 2.4 - Unauthenticated Arbitrary Password Reset	CVE-2018-19488	8.8	Anthony MAESTRE	December 4, 2018
Redirection <= 3.6.3 - Cross-Site Request Forgery to Remote Code Execution		8.8	RIPS Technologies	November 14, 2018
Weblizar Pin Feeds < 1.1.2 - Cross-Site Request Forgery	CVE-2018-5656	8.8	d4wner	November 13, 2018
Read and Understood < 2.2 - Cross-Site Request Forgery	CVE-2018-5669	8.8	d4wner	November 13, 2018
Simple Link Directory <= 5.6.0 - PHP Object Injection		8.8		November 12, 2018
Image Intense <= 3.2.5 - SQL Injection		8.8		October 11, 2018
WP Fastest Cache <= 0.8.8.5 - Cross-Site Request Forgery via page to wpfastestcacheoptions	CVE-2018-17584	8.8	Mohammed Ansari	October 9, 2018
Companion Auto Update <= 3.2.0 - Cross-Site Request Forgery	CVE-2018-20972	8.8		October 2, 2018
File Manager <= 3.0 - Cross-Site Request Forgery	CVE-2018-16966	8.8	Mohammed Ansari	September 17, 2018
Plainview Activity Monitor < 20180826 - Remote Command Injection	CVE-2018-15877	8.8		August 26, 2018
WordPress Core < 4.9 - Insecure Deserialization	CVE-2017-1000600	8.8	Sam Thomas	August 16, 2018
Ultimate Member <= 2.0.21 - Arbitrary File Upload		8.8		August 8, 2018
WordPress Core < 4.9.7 - Authenticated Arbitrary File Deletion	CVE-2018-12895	8.8	Matt Barry, Karim El Ouerghemmi, Slavco Mihajloski	July 5, 2018
JS Help Desk – Best Help Desk & Support Plugin <= 2.0.5 - Cross-Site Request Forgery	CVE-2018-21002	8.8		June 25, 2018
Quick Chat <= 4.14 - SQL Injection	CVE-2019-1010104	8.8	Amine Taouirsa	June 12, 2018
JS Job Manager <= 1.0.6 - Cross-Site Request Forgery	CVE-2018-20974	8.8		May 28, 2018
ProfileGrid – User Profiles, Memberships, Groups and Communities < 2.8.6 - Remote Code Execution	CVE-2019-15873	8.8	Karim El Ouerghemmi	May 18, 2018
Metronet Tag Manager < 1.2.9 - Cross-Site Request Forgery	CVE-2018-1000506	8.8	Mallory Adams	May 15, 2018
WP User Groups <= 2.1.0 - Cross-Site Request Forgery		8.8	Mallory Adams, dwxsupport	May 11, 2018
Ultimate Member <= 2.0.6 - Multiple Cross-Site Request Forgery Issues	CVE-2018-10233	8.8	Riccardo ten Cate	April 23, 2018

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 2, 2024 Vulns
1	Francesco Carlucci	46
2	vgo0	40
3	wesley (wcraft)	22
4	Lucio Sá	14
5	Krzysztof Zając	12
6	stealthcopter	11
7	Peter Thaleikis	11
8	Webbernaut	7
9	Marco Wotschka	7
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	Colin Xu	4
13	Robert DeVore	4
14	zer0gh0st	4
15	Tonn	4
16	István Márton	3
17	rezaduty	3
18	Le Ngoc Anh	3
19	LVT-tholv2k	3
20	João Pedro Soares de Alcântara	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation