🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Spnbabble <= 1.4.1 - Multiple Cross-Site Request Forgery

8.8

CVE-2014-9339

Dec 14, 2014

Researcher: Manideep K

IP Ban <= 1.2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVE-2014-9413

Dec 12, 2014

Researchers: Morten Nortoft, Kenneth Jepsen, Mikkel Vej

Lightbox Photo Gallery <= 1.0 - Cross-Site Request Forgery

8.8

CVE-2014-9441

Dec 12, 2014

Researchers: Kenneth Jepsen, Mikkel Vej, Morten Nortoft

Twimp WP <= 0.1 - Cross-Site Request Forgery to Cross-Site Scripting

8.8

CVE-2014-9397

Dec 9, 2014

Researcher: Manideep K

twitterDash <= 2.1 - Cross-Site Request Forgery to Cross-Site Scripting

8.8

CVE-2014-9368

Dec 9, 2014

Researcher: Manideep K

TweetScribe <= 1.1 - Cross-Site Request Forgery

8.8

CVE-2014-9399

Dec 9, 2014

Researcher: Manideep K

Cart66 Lite :: WordPress Ecommerce < 1.5.2 - SQL Injection

8.8

CVE-2014-9305

Dec 3, 2014

Researcher: Kacper Szurek

rtMedia for WordPress, BuddyPress and bbPress < 3.7.19 - Local File Inclusion

8.8

CVE ID Unknown

Nov 24, 2014

Researchers:

Polls CP <= 1.0.1 - Authenticated SQL Injection

8.8

CVE-2014-125091

Nov 23, 2014

Researchers:

WordPress Core < 4.0.1 Cross-Site Request Forgery to Password Reset

8.8

CVE-2014-9039

Nov 20, 2014

Researchers:

All-in-One WP Migration <= 2.0.2 - Authorization Bypass to Arbitrary File Upload

8.8

CVE ID Unknown

Nov 5, 2014

Researcher: Kacper Szurek

Featured Comments < 1.2.5 - Cross-Site Request Forgery

8.8

CVE-2014-10382

Oct 21, 2014

Researchers:

O2tweet <= 0.0.4 - Cross-Site Request Forgery

8.8

CVE-2014-9338

Oct 15, 2014

Researcher: Manideep K

WP-DBManager < 2.72 - Command Injection

8.8

CVE-2014-8335

Oct 13, 2014

Researcher: Larry W. Cashdollar

Simple Sticky Footer <= 1.3.2 - Cross-Site Request Forgery to Cross-Site Scripting

8.8

CVE-2014-9454

Oct 12, 2014

Researchers: Kenneth Jepsen, Mikkel Vej, Morten Nortoft

BulletProof Security < .51.1 - SQL Injection

8.8

CVE-2014-7959

Oct 7, 2014

Researcher: Pietro Oliva

Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin <= 3.1.0 - SQL Injection

8.8

CVE ID Unknown

Sep 29, 2014

Researcher: XroGuE

Frontend File Manager Plugin < 3.6 - Arbitrary File Upload

8.8

CVE-2014-5324

Sep 25, 2014

Researcher: Yuji Tounai

I Recommend This <= 3.7.2 - Authenticated (Subscriber+) SQL Injection via Shortcode

8.8

CVE-2014-125099

Sep 24, 2014

Researcher: Oskar Adin

WP RSS Multi Importer < 3.14 - Cross-Site Request Forgery

8.8

CVE ID Unknown

Sep 17, 2014

Researcher: Voxel@Night

Title	CVE ID	CVSS	Researchers	Date
Spnbabble <= 1.4.1 - Multiple Cross-Site Request Forgery	CVE-2014-9339	8.8	Manideep K	December 14, 2014
IP Ban <= 1.2.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2014-9413	8.8	Morten Nortoft, Kenneth Jepsen, Mikkel Vej	December 12, 2014
Lightbox Photo Gallery <= 1.0 - Cross-Site Request Forgery	CVE-2014-9441	8.8	Kenneth Jepsen, Mikkel Vej, Morten Nortoft	December 12, 2014
Twimp WP <= 0.1 - Cross-Site Request Forgery to Cross-Site Scripting	CVE-2014-9397	8.8	Manideep K	December 9, 2014
twitterDash <= 2.1 - Cross-Site Request Forgery to Cross-Site Scripting	CVE-2014-9368	8.8	Manideep K	December 9, 2014
TweetScribe <= 1.1 - Cross-Site Request Forgery	CVE-2014-9399	8.8	Manideep K	December 9, 2014
Cart66 Lite :: WordPress Ecommerce < 1.5.2 - SQL Injection	CVE-2014-9305	8.8	Kacper Szurek	December 3, 2014
rtMedia for WordPress, BuddyPress and bbPress < 3.7.19 - Local File Inclusion		8.8		November 24, 2014
Polls CP <= 1.0.1 - Authenticated SQL Injection	CVE-2014-125091	8.8		November 23, 2014
WordPress Core < 4.0.1 Cross-Site Request Forgery to Password Reset	CVE-2014-9039	8.8		November 20, 2014
All-in-One WP Migration <= 2.0.2 - Authorization Bypass to Arbitrary File Upload		8.8	Kacper Szurek	November 5, 2014
Featured Comments < 1.2.5 - Cross-Site Request Forgery	CVE-2014-10382	8.8		October 21, 2014
O2tweet <= 0.0.4 - Cross-Site Request Forgery	CVE-2014-9338	8.8	Manideep K	October 15, 2014
WP-DBManager < 2.72 - Command Injection	CVE-2014-8335	8.8	Larry W. Cashdollar	October 13, 2014
Simple Sticky Footer <= 1.3.2 - Cross-Site Request Forgery to Cross-Site Scripting	CVE-2014-9454	8.8	Kenneth Jepsen, Mikkel Vej, Morten Nortoft	October 12, 2014
BulletProof Security < .51.1 - SQL Injection	CVE-2014-7959	8.8	Pietro Oliva	October 7, 2014
Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin <= 3.1.0 - SQL Injection		8.8	XroGuE	September 29, 2014
Frontend File Manager Plugin < 3.6 - Arbitrary File Upload	CVE-2014-5324	8.8	Yuji Tounai	September 25, 2014
I Recommend This <= 3.7.2 - Authenticated (Subscriber+) SQL Injection via Shortcode	CVE-2014-125099	8.8	Oskar Adin	September 24, 2014
WP RSS Multi Importer < 3.14 - Cross-Site Request Forgery		8.8	Voxel@Night	September 17, 2014

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 3, 2024 Vulns
1	Francesco Carlucci	48
2	vgo0	48
3	wesley (wcraft)	21
4	Lucio Sá	14
5	stealthcopter	13
6	Krzysztof Zając	12
7	João Pedro Soares de Alcântara	12
8	Peter Thaleikis	11
9	tahu.datar	11
10	Robert DeVore	8
11	Le Ngoc Anh	8
12	Webbernaut	8
13	theviper17y	5
14	Jorge Diaz (ddiax)	5
15	Daniel Ruf	5
16	Colin Xu	5
17	TANG Cheuk Hei (siunam)	5
18	Trương Hữu Phúc (truonghuuphuc)	5
19	SOPROBRO	5
20	Rafie Muhammad	4

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation