🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

FileOrganizer <= 1.0.7 - Sensitive Information Exposure via Directory Listing

7.5

CVE-2024-5599

Jun 6, 2024

Researcher: emad

WP-DB-Table-Editor <= 1.8.4 - Missing Authorization to Authenticated(Contributor+) Database Access

7.5

CVE-2024-2019

Jun 3, 2024

Researcher: Francesco Carlucci

Visual Website Collaboration, Feedback & Project Management – Atarim <= 3.22.6 - Hardcoded Credentials

7.5

CVE-2024-2038

May 22, 2024

Researcher: Lucio Sá

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.15 - PHP Object Injection via extractDynamicValues

7.5

CVE-2024-4157

May 21, 2024

Researcher: Tobias Weißhaar (kun_19)

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Missing Authorization to Setting Manipulation

7.5

CVE-2024-2782

May 17, 2024

Researcher: Tobias Weißhaar (kun_19)

ShiftController Employee Shift Scheduling <= 4.9.57 - Authenticated (Contributor+) PHP Object Injection

7.5

CVE-2024-4733

May 16, 2024

Researcher: Peter Thaleikis

ConvertPlus <= 3.5.26 - Authenticated (Contributor+) PHP Object Injection

7.5

CVE-2024-4838

May 15, 2024

Researcher: haidv35

Photo Gallery <= 1.4.2 - Authenticated(Contributor+) PHP Object Injection via Shortcode

7.5

CVE-2024-1896

Apr 29, 2024

Researcher: Francesco Carlucci

Event Monster <= 1.4.1 - Authenticated(Contributor+) PHP Object Injection via Custom Meta

7.5

CVE-2024-1895

Apr 29, 2024

Researcher: Francesco Carlucci

Grid Gallery – Photo Image Grid Gallery <= 1.4.3 - Authenticated (Contributor+) PHP Object Injection via shortcode

7.5

CVE-2024-1897

Apr 29, 2024

Researcher: Francesco Carlucci

Conversational Forms for ChatBot <= 1.1.8 - Unauthenticated Arbitrary File Download

7.5

CVE-2024-32729

Apr 22, 2024

Researcher: beluga

Salient Core <= 2.0.7 - Authenticated (Contributor+) Local File Inclusion via Shortcode

7.5

CVE-2024-3812

Apr 17, 2024

Researcher: István Márton

HT Mega – Absolute Addons For Elementor <= 2.4.6 - Sensitive Information Exposure via purchased_products

7.5

CVE-2023-6214

Apr 16, 2024

Researcher: Francesco Carlucci

Shortcodes and extra features for Phlox theme <= 2.16.2 - Authenticated (Subscriber+) PHP Object Injection via auxin_template_control_importer

7.5

CVE-2023-7064

Apr 15, 2024

Researchers: Rhynorater, Michael Brackett

Citadela Listing <= 5.18.1 - Unauthenticated Sensitive Information Exposure

7.5

CVE-2024-32086

Apr 11, 2024

Researcher: Dave Jong

WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, SSL Score <= 7.0 - Sensitive Information Exposure via insufficiently protected files

7.5

CVE-2023-7046

Apr 9, 2024

Researcher: Krzysztof Zając

CMB2 <= 2.10.1 - Authenticated (Contributor+) PHP Object Injection

7.5

CVE-2024-1792

Apr 3, 2024

Researcher: Francesco Carlucci

Responsive <= 5.0.2 - Missing Authorization to HTML Injection

7.5

CVE-2024-2848

Mar 28, 2024

Researchers: Krzysztof Zając, Muhammad Zeeshan (Xib3rR4dAr)

Hubbub Lite – Fast, Reliable Social Network Sharing Buttons <= 1.33.1 - PHP Object Injection

7.5

CVE-2024-2501

Mar 27, 2024

Researcher: Webbernaut

WP Crontrol <= 1.16.1 - Remote Code Execution

7.5

CVE-2024-28850

Mar 24, 2024

Researcher: Calvin Alkan

Title	CVE ID	CVSS	Researchers	Date
FileOrganizer <= 1.0.7 - Sensitive Information Exposure via Directory Listing	CVE-2024-5599	7.5	emad	June 6, 2024
WP-DB-Table-Editor <= 1.8.4 - Missing Authorization to Authenticated(Contributor+) Database Access	CVE-2024-2019	7.5	Francesco Carlucci	June 3, 2024
Visual Website Collaboration, Feedback & Project Management – Atarim <= 3.22.6 - Hardcoded Credentials	CVE-2024-2038	7.5	Lucio Sá	May 22, 2024
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.15 - PHP Object Injection via extractDynamicValues	CVE-2024-4157	7.5	Tobias Weißhaar (kun_19)	May 21, 2024
Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder <= 5.1.16 - Missing Authorization to Setting Manipulation	CVE-2024-2782	7.5	Tobias Weißhaar (kun_19)	May 17, 2024
ShiftController Employee Shift Scheduling <= 4.9.57 - Authenticated (Contributor+) PHP Object Injection	CVE-2024-4733	7.5	Peter Thaleikis	May 16, 2024
ConvertPlus <= 3.5.26 - Authenticated (Contributor+) PHP Object Injection	CVE-2024-4838	7.5	haidv35	May 15, 2024
Photo Gallery <= 1.4.2 - Authenticated(Contributor+) PHP Object Injection via Shortcode	CVE-2024-1896	7.5	Francesco Carlucci	April 29, 2024
Event Monster <= 1.4.1 - Authenticated(Contributor+) PHP Object Injection via Custom Meta	CVE-2024-1895	7.5	Francesco Carlucci	April 29, 2024
Grid Gallery – Photo Image Grid Gallery <= 1.4.3 - Authenticated (Contributor+) PHP Object Injection via shortcode	CVE-2024-1897	7.5	Francesco Carlucci	April 29, 2024
Conversational Forms for ChatBot <= 1.1.8 - Unauthenticated Arbitrary File Download	CVE-2024-32729	7.5	beluga	April 22, 2024
Salient Core <= 2.0.7 - Authenticated (Contributor+) Local File Inclusion via Shortcode	CVE-2024-3812	7.5	István Márton	April 17, 2024
HT Mega – Absolute Addons For Elementor <= 2.4.6 - Sensitive Information Exposure via purchased_products	CVE-2023-6214	7.5	Francesco Carlucci	April 16, 2024
Shortcodes and extra features for Phlox theme <= 2.16.2 - Authenticated (Subscriber+) PHP Object Injection via auxin_template_control_importer	CVE-2023-7064	7.5	Rhynorater, Michael Brackett	April 15, 2024
Citadela Listing <= 5.18.1 - Unauthenticated Sensitive Information Exposure	CVE-2024-32086	7.5	Dave Jong	April 11, 2024
WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, SSL Score <= 7.0 - Sensitive Information Exposure via insufficiently protected files	CVE-2023-7046	7.5	Krzysztof Zając	April 9, 2024
CMB2 <= 2.10.1 - Authenticated (Contributor+) PHP Object Injection	CVE-2024-1792	7.5	Francesco Carlucci	April 3, 2024
Responsive <= 5.0.2 - Missing Authorization to HTML Injection	CVE-2024-2848	7.5	Krzysztof Zając, Muhammad Zeeshan (Xib3rR4dAr)	March 28, 2024
Hubbub Lite – Fast, Reliable Social Network Sharing Buttons <= 1.33.1 - PHP Object Injection	CVE-2024-2501	7.5	Webbernaut	March 27, 2024
WP Crontrol <= 1.16.1 - Remote Code Execution	CVE-2024-28850	7.5	Calvin Alkan	March 24, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 6, 2024 Vulns
1	Francesco Carlucci	48
2	vgo0	47
3	wesley (wcraft)	16
4	João Pedro Soares de Alcântara	12
5	stealthcopter	12
6	tahu.datar	11
7	Krzysztof Zając	11
8	Lucio Sá	10
9	Peter Thaleikis	9
10	Le Ngoc Anh	9
11	Webbernaut	8
12	Robert DeVore	8
13	Colin Xu	6
14	Daniel Ruf	5
15	Dmitrii Ignatyev	5
16	Jorge Diaz (ddiax)	5
17	LVT-tholv2k	5
18	theviper17y	5
19	Trương Hữu Phúc (truonghuuphuc)	5
20	TANG Cheuk Hei (siunam)	5

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation