🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

WordPress Facebook <= 1.0.13 - SQL Injection

8.8

CVE ID Unknown

May 2, 2017

Researcher: Neven Birusk

Photo Gallery by 10Web <= 1.3.37 - Authenticated SQL Injection

8.8

CVE ID Unknown

May 2, 2017

Researcher: Neven Birusk

Avada <= 5.1.4 - Cross-Site Request Forgery

8.8

CVE-2017-18607

Apr 26, 2017

Researchers:

WHIZZ < 1.1.1 - Cross-Site Request Forgery

8.8

CVE-2017-8099

Apr 7, 2017

Researcher: Zhiyang Zeng

Twitter Cards Meta <= 2.4.5 - Cross-Site Request Forgery

8.8

CVE-2017-18504

Apr 6, 2017

Researchers:

LayerSlider <= 6.2.0 - Cross-Site Request Forgery

8.8

CVE ID Unknown

Mar 28, 2017

Researcher: WpHutte

LayerSlider <= 6.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVE ID Unknown

Mar 28, 2017

Researcher: 0x21

Invite Anyone < 1.3.16 - Cross-Site Request Forgery

8.8

CVE-2017-18544

Mar 22, 2017

Researchers:

Membership Simplified <= 1.58 Beta - SQL Injection

8.8

CVE-2017-1002010

Mar 17, 2017

Researcher: Larry W. Cashdollar

WordPress Core < 4.7.3 - Cross-Site Request Forgery via Press This

8.8

CVE-2017-6819

Mar 6, 2017

Researcher: Sipke Mellema

Admin Custom Login <= 2.4.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVE ID Unknown

Mar 1, 2017

Researcher: Burak Kelebek

Bit File Manager <= 4.1.4 - Cross-Site Request Forgery to Arbitrary File Upload

8.8

CVE ID Unknown

Mar 1, 2017

Researcher: David Vaartjes

Global Content Blocks <= 2.1.5 - Cross-Site Request Forgery

8.8

CVE-2017-20090

Mar 1, 2017

Researcher: Yorick Koster,

Contact Form Manager <= 1.4.3 - Cross-Site Request Forgery

8.8

CVE-2017-20053

Mar 1, 2017

Researcher: Edwin Molenaar

WordPress Download Manager <= 2.9.45 - Cross-Site Request Forgery

8.8

CVE ID Unknown

Mar 1, 2017

Researchers:

Gwolle Guestbook <= 2.1.0 - Cross-Site Request Forgery

8.8

CVE ID Unknown

Mar 1, 2017

Researcher: Radjnies Bhansingh

Democracy Poll <= 5.3.6 - Cross-Site Request Forgery

8.8

CVE-2017-18521

Feb 23, 2017

Researchers:

WordPress Core < 4.7.2 - Authenticated SQL Injection

8.8

CVE-2017-5611

Jan 26, 2017

Researcher: Mo Jangda (batmoo)

WP Email Users <= 1.4.4 - SQL Injection

8.8

CVE ID Unknown

Jan 17, 2017

Researcher: Lenon Leite

WordPress Core < 4.7.1 - Cross-Site Request Forgery via Widget Editing

8.8

CVE-2017-5492

Jan 11, 2017

Researcher: Ronnie Skansing

Title	CVE ID	CVSS	Researchers	Date
WordPress Facebook <= 1.0.13 - SQL Injection		8.8	Neven Birusk	May 2, 2017
Photo Gallery by 10Web <= 1.3.37 - Authenticated SQL Injection		8.8	Neven Birusk	May 2, 2017
Avada <= 5.1.4 - Cross-Site Request Forgery	CVE-2017-18607	8.8		April 26, 2017
WHIZZ < 1.1.1 - Cross-Site Request Forgery	CVE-2017-8099	8.8	Zhiyang Zeng	April 7, 2017
Twitter Cards Meta <= 2.4.5 - Cross-Site Request Forgery	CVE-2017-18504	8.8		April 6, 2017
LayerSlider <= 6.2.0 - Cross-Site Request Forgery		8.8	WpHutte	March 28, 2017
LayerSlider <= 6.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting		8.8	0x21	March 28, 2017
Invite Anyone < 1.3.16 - Cross-Site Request Forgery	CVE-2017-18544	8.8		March 22, 2017
Membership Simplified <= 1.58 Beta - SQL Injection	CVE-2017-1002010	8.8	Larry W. Cashdollar	March 17, 2017
WordPress Core < 4.7.3 - Cross-Site Request Forgery via Press This	CVE-2017-6819	8.8	Sipke Mellema	March 6, 2017
Admin Custom Login <= 2.4.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting		8.8	Burak Kelebek	March 1, 2017
Bit File Manager <= 4.1.4 - Cross-Site Request Forgery to Arbitrary File Upload		8.8	David Vaartjes	March 1, 2017
Global Content Blocks <= 2.1.5 - Cross-Site Request Forgery	CVE-2017-20090	8.8	Yorick Koster,	March 1, 2017
Contact Form Manager <= 1.4.3 - Cross-Site Request Forgery	CVE-2017-20053	8.8	Edwin Molenaar	March 1, 2017
WordPress Download Manager <= 2.9.45 - Cross-Site Request Forgery		8.8		March 1, 2017
Gwolle Guestbook <= 2.1.0 - Cross-Site Request Forgery		8.8	Radjnies Bhansingh	March 1, 2017
Democracy Poll <= 5.3.6 - Cross-Site Request Forgery	CVE-2017-18521	8.8		February 23, 2017
WordPress Core < 4.7.2 - Authenticated SQL Injection	CVE-2017-5611	8.8	Mo Jangda (batmoo)	January 26, 2017
WP Email Users <= 1.4.4 - SQL Injection		8.8	Lenon Leite	January 17, 2017
WordPress Core < 4.7.1 - Cross-Site Request Forgery via Widget Editing	CVE-2017-5492	8.8	Ronnie Skansing	January 11, 2017

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 3, 2024 Vulns
1	Francesco Carlucci	44
2	vgo0	40
3	wesley (wcraft)	20
4	Lucio Sá	14
5	stealthcopter	13
6	Krzysztof Zając	12
7	tahu.datar	11
8	Peter Thaleikis	11
9	João Pedro Soares de Alcântara	9
10	Webbernaut	7
11	Robert DeVore	7
12	Daniel Ruf	5
13	TANG Cheuk Hei (siunam)	5
14	SOPROBRO	5
15	Rafie Muhammad	4
16	Trương Hữu Phúc (truonghuuphuc)	4
17	Colin Xu	4
18	Tonn	4
19	zer0gh0st	4
20	LVT-tholv2k	4

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation