🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Email Log <= 2.4.8 - Unauthenticated Hook Injection

8.1

CVE-2024-0867

May 23, 2024

Researcher: Sean Murphy

Hash Form – Drag & Drop Form Builder <= 1.1.0 - Unauthenticated PHP Object Injection

8.1

CVE-2024-5085

May 22, 2024

Researcher: Francesco Carlucci

XML Sitemap & Google News <= 5.4.8 - Unauthenticated Local File Inclusion

8.1

CVE-2024-4441

May 7, 2024

Researcher: Foxyyy

Customer Email Verification for WooCommerce <= 2.7.4 - Email Verification and Authentication Bypass due to Insufficient Randomness

8.1

CVE-2024-4185

Apr 29, 2024

Researcher: István Márton

ARForms <= 6.4 - Missing Authorization to Arbitrary File Deletion

8.1

CVE-2024-32703

Apr 22, 2024

Researcher: Dave Jong

Check & Log Email <= 1.0.9 - Unauthenticated Hook Injection

8.1

CVE-2024-0866

Mar 25, 2024

Researcher: Sean Murphy

WooCommerce Add to Cart Custom Redirect <= 1.2.13 - Authenticated(Contributor+) Missing Authorization to Limited Arbitrary Options Update

8.1

CVE-2024-1862

Mar 7, 2024

Researcher: Lucio Sá

8.1

CVE-2023-7247

Feb 27, 2024

Researcher: Dmitrii Ignatyev

Woostify Sites Library <= 1.4.7 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

8.1

CVE-2023-6279

Jan 31, 2024

Researcher: Krzysztof Zając

PropertyHive <= 2.0.5 - Unauthenticated PHP Object Injection via propertyhive_currency

8.1

CVE-2024-23513

Jan 30, 2024

Researcher: beluga

File Manager <= 7.2.1 - Sensitive Information Exposure via Backup Filenames

8.1

CVE-2024-0761

Jan 22, 2024

Researcher: Yuki Haruma

LearnPress <= 4.2.5.7 - Command Injection

8.1

CVE-2023-6634

Jan 3, 2024

Researcher: hir0ot

Build App Online <= 1.0.22 - Account Takeover via Weak Password Reset Mechanism

8.1

CVE-2023-7264

Dec 27, 2023

Researcher: Ram

Backup Migration 1.0.8 - 1.3.9 - Remote File Inclusion via content-dir

8.1

CVE-2023-6971

Dec 22, 2023

Researcher: Hiroho Shimada

Uncode Core <= 2.8.8 - Authenticated (Subscriber+) Arbitrary File Deletion

8.1

CVE-2023-51500

Dec 21, 2023

Researcher: Rafie Muhammad

Piotnet Forms <= 1.0.28 - Unauthenticated Arbitrary File Upload

8.1

CVE-2023-6220

Dec 4, 2023

Researcher: István Márton

AppPresser <= 4.2.5 - Insecure Password Reset Mechanism

8.1

CVE-2023-4214

Nov 16, 2023

Researcher: István Márton

Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.7.3 - Unauthenticated Arbitrary File Upload

8.1

CVE-2023-5822

Nov 1, 2023

Researcher: István Márton

News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Remote Code Execution via Local File Inclusion

8.1

CVE-2023-5815

Oct 26, 2023

Researcher: Florian Hauser

KD Coming Soon <= 1.7 - Unauthenticated PHP Object Injection via cetitle

8.1

CVE-2023-46615

Oct 24, 2023

Researcher: Mika

Title	CVE ID	CVSS	Researchers	Date
Email Log <= 2.4.8 - Unauthenticated Hook Injection	CVE-2024-0867	8.1	Sean Murphy	May 23, 2024
Hash Form – Drag & Drop Form Builder <= 1.1.0 - Unauthenticated PHP Object Injection	CVE-2024-5085	8.1	Francesco Carlucci	May 22, 2024
XML Sitemap & Google News <= 5.4.8 - Unauthenticated Local File Inclusion	CVE-2024-4441	8.1	Foxyyy	May 7, 2024
Customer Email Verification for WooCommerce <= 2.7.4 - Email Verification and Authentication Bypass due to Insufficient Randomness	CVE-2024-4185	8.1	István Márton	April 29, 2024
ARForms <= 6.4 - Missing Authorization to Arbitrary File Deletion	CVE-2024-32703	8.1	Dave Jong	April 22, 2024
Check & Log Email <= 1.0.9 - Unauthenticated Hook Injection	CVE-2024-0866	8.1	Sean Murphy	March 25, 2024
WooCommerce Add to Cart Custom Redirect <= 1.2.13 - Authenticated(Contributor+) Missing Authorization to Limited Arbitrary Options Update	CVE-2024-1862	8.1	Lucio Sá	March 7, 2024
Login as User or Customer <= 3.8 - Unauthenticated Limited Admin Account Compromise	CVE-2023-7247	8.1	Dmitrii Ignatyev	February 27, 2024
Woostify Sites Library <= 1.4.7 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update	CVE-2023-6279	8.1	Krzysztof Zając	January 31, 2024
PropertyHive <= 2.0.5 - Unauthenticated PHP Object Injection via propertyhive_currency	CVE-2024-23513	8.1	beluga	January 30, 2024
File Manager <= 7.2.1 - Sensitive Information Exposure via Backup Filenames	CVE-2024-0761	8.1	Yuki Haruma	January 22, 2024
LearnPress <= 4.2.5.7 - Command Injection	CVE-2023-6634	8.1	hir0ot	January 3, 2024
Build App Online <= 1.0.22 - Account Takeover via Weak Password Reset Mechanism	CVE-2023-7264	8.1	Ram	December 27, 2023
Backup Migration 1.0.8 - 1.3.9 - Remote File Inclusion via content-dir	CVE-2023-6971	8.1	Hiroho Shimada	December 22, 2023
Uncode Core <= 2.8.8 - Authenticated (Subscriber+) Arbitrary File Deletion	CVE-2023-51500	8.1	Rafie Muhammad	December 21, 2023
Piotnet Forms <= 1.0.28 - Unauthenticated Arbitrary File Upload	CVE-2023-6220	8.1	István Márton	December 4, 2023
AppPresser <= 4.2.5 - Insecure Password Reset Mechanism	CVE-2023-4214	8.1	István Márton	November 16, 2023
Drag and Drop Multiple File Upload - Contact Form 7 <= 1.3.7.3 - Unauthenticated Arbitrary File Upload	CVE-2023-5822	8.1	István Márton	November 1, 2023
News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Remote Code Execution via Local File Inclusion	CVE-2023-5815	8.1	Florian Hauser	October 26, 2023
KD Coming Soon <= 1.7 - Unauthenticated PHP Object Injection via cetitle	CVE-2023-46615	8.1	Mika	October 24, 2023

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 5, 2024 Vulns
1	Francesco Carlucci	48
2	vgo0	47
3	wesley (wcraft)	20
4	João Pedro Soares de Alcântara	12
5	stealthcopter	12
6	Krzysztof Zając	11
7	Lucio Sá	11
8	tahu.datar	11
9	Peter Thaleikis	9
10	Le Ngoc Anh	9
11	Webbernaut	8
12	Robert DeVore	8
13	Colin Xu	6
14	TANG Cheuk Hei (siunam)	5
15	Jorge Diaz (ddiax)	5
16	SOPROBRO	5
17	Dmitrii Ignatyev	5
18	Daniel Ruf	5
19	LVT-tholv2k	5
20	Trương Hữu Phúc (truonghuuphuc)	5

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation