🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Plainview Activity Monitor < 20180826 - Remote Command Injection

8.8

CVE-2018-15877

Aug 26, 2018

Researchers:

WordPress Core < 4.9 - Insecure Deserialization

8.8

CVE-2017-1000600

Aug 16, 2018

Researcher: Sam Thomas

Ultimate Member <= 2.0.21 - Arbitrary File Upload

8.8

CVE ID Unknown

Aug 8, 2018

Researchers:

WordPress Core < 4.9.7 - Authenticated Arbitrary File Deletion

8.8

CVE-2018-12895

Jul 5, 2018

Researchers: Matt Barry, Karim El Ouerghemmi, Slavco Mihajloski

JS Help Desk – Best Help Desk & Support Plugin <= 2.0.5 - Cross-Site Request Forgery

8.8

CVE-2018-21002

Jun 25, 2018

Researchers:

Quick Chat <= 4.14 - SQL Injection

8.8

CVE-2019-1010104

Jun 12, 2018

Researcher: Amine Taouirsa

JS Job Manager <= 1.0.6 - Cross-Site Request Forgery

8.8

CVE-2018-20974

May 28, 2018

Researchers:

ProfileGrid – User Profiles, Memberships, Groups and Communities < 2.8.6 - Remote Code Execution

8.8

CVE-2019-15873

May 18, 2018

Researcher: Karim El Ouerghemmi

Metronet Tag Manager < 1.2.9 - Cross-Site Request Forgery

8.8

CVE-2018-1000506

May 15, 2018

Researcher: Mallory Adams

WP User Groups <= 2.1.0 - Cross-Site Request Forgery

8.8

CVE ID Unknown

May 11, 2018

Researchers: Mallory Adams, dwxsupport

Ultimate Member <= 2.0.6 - Multiple Cross-Site Request Forgery Issues

8.8

CVE-2018-10233

Apr 23, 2018

Researcher: Riccardo ten Cate

bbPress Move Topics <= 1.1.4 - Cross-Site Request Forgery

8.8

CVE-2018-21006

Mar 11, 2018

Researchers:

bbPress Move Topics <= 1.1.4 - PHP Object Injection

8.8

CVE-2018-21005

Mar 11, 2018

Researchers:

Church Admin < 1.2550 - Cross-Site Request Forgery

8.8

CVE-2018-20971

Feb 14, 2018

Researchers:

Splashing Images <= 2.1 - PHP Object Injection

8.8

CVE-2018-6195

Jan 26, 2018

Researcher: Nicolas Buzy-Debat

Health Check & Troubleshooting <= 1.2.3 - Missing Authorization Checks

8.8

CVE ID Unknown

Jan 25, 2018

Researcher: Julien Legras

Coming Soon Page – Responsive Coming Soon & Maintenance Mode <= 1.1.18 - Cross-Site Request Forgery

8.8

CVE-2018-5658

Jan 12, 2018

Researcher: d4wner

Booking calendar, Appointment Booking System <= 2.1.7 - Cross-Site Request Forgery

8.8

CVE-2018-5673

Jan 12, 2018

Researcher: d4wner

Dbox 3D Slider Lite <= 1.2.2 - SQL Injection

8.8

CVE-2018-5374

Jan 11, 2018

Researcher: DefenceCode

WPGlobus – Multilingual Everything! <= 1.9.6 - Cross-Site Request Forgery

8.8

CVE-2018-5361

Jan 11, 2018

Researcher: d4wner

Title	CVE ID	CVSS	Researchers	Date
Plainview Activity Monitor < 20180826 - Remote Command Injection	CVE-2018-15877	8.8		August 26, 2018
WordPress Core < 4.9 - Insecure Deserialization	CVE-2017-1000600	8.8	Sam Thomas	August 16, 2018
Ultimate Member <= 2.0.21 - Arbitrary File Upload		8.8		August 8, 2018
WordPress Core < 4.9.7 - Authenticated Arbitrary File Deletion	CVE-2018-12895	8.8	Matt Barry, Karim El Ouerghemmi, Slavco Mihajloski	July 5, 2018
JS Help Desk – Best Help Desk & Support Plugin <= 2.0.5 - Cross-Site Request Forgery	CVE-2018-21002	8.8		June 25, 2018
Quick Chat <= 4.14 - SQL Injection	CVE-2019-1010104	8.8	Amine Taouirsa	June 12, 2018
JS Job Manager <= 1.0.6 - Cross-Site Request Forgery	CVE-2018-20974	8.8		May 28, 2018
ProfileGrid – User Profiles, Memberships, Groups and Communities < 2.8.6 - Remote Code Execution	CVE-2019-15873	8.8	Karim El Ouerghemmi	May 18, 2018
Metronet Tag Manager < 1.2.9 - Cross-Site Request Forgery	CVE-2018-1000506	8.8	Mallory Adams	May 15, 2018
WP User Groups <= 2.1.0 - Cross-Site Request Forgery		8.8	Mallory Adams, dwxsupport	May 11, 2018
Ultimate Member <= 2.0.6 - Multiple Cross-Site Request Forgery Issues	CVE-2018-10233	8.8	Riccardo ten Cate	April 23, 2018
bbPress Move Topics <= 1.1.4 - Cross-Site Request Forgery	CVE-2018-21006	8.8		March 11, 2018
bbPress Move Topics <= 1.1.4 - PHP Object Injection	CVE-2018-21005	8.8		March 11, 2018
Church Admin < 1.2550 - Cross-Site Request Forgery	CVE-2018-20971	8.8		February 14, 2018
Splashing Images <= 2.1 - PHP Object Injection	CVE-2018-6195	8.8	Nicolas Buzy-Debat	January 26, 2018
Health Check & Troubleshooting <= 1.2.3 - Missing Authorization Checks		8.8	Julien Legras	January 25, 2018
Coming Soon Page – Responsive Coming Soon & Maintenance Mode <= 1.1.18 - Cross-Site Request Forgery	CVE-2018-5658	8.8	d4wner	January 12, 2018
Booking calendar, Appointment Booking System <= 2.1.7 - Cross-Site Request Forgery	CVE-2018-5673	8.8	d4wner	January 12, 2018
Dbox 3D Slider Lite <= 1.2.2 - SQL Injection	CVE-2018-5374	8.8	DefenceCode	January 11, 2018
WPGlobus – Multilingual Everything! <= 1.9.6 - Cross-Site Request Forgery	CVE-2018-5361	8.8	d4wner	January 11, 2018

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 2, 2024 Vulns
1	Francesco Carlucci	46
2	vgo0	40
3	wesley (wcraft)	22
4	Lucio Sá	14
5	Krzysztof Zając	12
6	stealthcopter	12
7	Peter Thaleikis	11
8	tahu.datar	11
9	João Pedro Soares de Alcântara	7
10	Marco Wotschka	7
11	Webbernaut	7
12	Daniel Ruf	5
13	Robert DeVore	5
14	TANG Cheuk Hei (siunam)	5
15	Tonn	4
16	Abdi Pranata	4
17	SOPROBRO	4
18	zer0gh0st	4
19	Colin Xu	4
20	LVT-tholv2k	3

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation