🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

WSM Downloader <= 1.4.0 - Arbitrary File Download

7.5

CVE-2022-2357

Jul 12, 2022

Researcher: Raad Haddad

YaySMTP – Simple WP SMTP Mail <= 2.2 - Sensitive Information Disclosure

7.5

CVE-2022-2369

Jul 11, 2022

Researcher: Rafshanzani Suhada

Export to Text <= 2.4 - Unauthenticated Post Export

7.5

CVE ID Unknown

Jun 15, 2022

Researchers:

Co-Authors Plus 3.5 - 3.5.1 - Sensitive Information Disclosure

7.5

CVE ID Unknown

Jun 7, 2022

Researcher: Douglas Johnson

Log WP_Mail <= 0.1 - Sensitive Information Disclosure

7.5

CVE-2022-1412

May 18, 2022

Researcher: Daniel Ruf

semver-regex <= 3.1.3 and 4.0.0-4.0.3 - Regular Expression Denial of Service (ReDoS)

7.5

CVE-2021-43307

May 13, 2022

Researchers:

Metform Elementor Contact Form Builder <= 2.1.3 - Sensitive Information Disclosure

7.5

CVE-2022-1442

Apr 23, 2022

Researcher: Muhammad Zeeshan (Xib3rR4dAr)

Product Filter For WooCommerce Product <= 1.3.1 - Unauthenticated SQL Injection

7.5

CVE ID Unknown

Apr 14, 2022

Researcher: cydave

Moment.js <= 2.29.1 - Directory Traversal

7.5

CVE ID Unknown

Apr 5, 2022

Researchers:

Salon Booking System and Salon Booking System Pro <= 7.6.2 - Sensitive Information Disclosure

7.5

CVE-2022-0920

Mar 21, 2022

Researcher: Huli, Cymetrics

Download Manager <= 3.2.38 - Unauthenticated Brute Force of File Master Key

7.5

CVE-2022-0828

Mar 16, 2022

Researcher: Diogo Real

NS WooCommerce Watermark <= 2.11.3 - Abuse of Functionality

7.5

CVE-2022-0989

Mar 15, 2022

Researcher: Felipe Restrepo Rodriguez (pfelilpe)

Booking Package <= 1.5.28 - Unauthenticated Sensitive Data Disclosure

7.5

CVE-2022-0709

Mar 9, 2022

Researcher: Huli, Cymetrics

Narnoo Distributor <= 2.5.1 - Path Traversal

7.5

CVE-2022-0679

Mar 1, 2022

Researcher: cydave

Download Manager <= 3.2.34 - Sensitive Information Disclosure

7.5

CVE-2021-25087

Feb 2, 2022

Researcher: Diogo Real

Cost Calculator <= 1.8 - Authenticated Local File Inclusion

7.5

CVE-2021-24820

Feb 1, 2022

Researcher: apple502j

AccessPress Social Icons 1.8.2 - Backdoor

7.5

CVE ID Unknown

Jan 18, 2022

Researcher: Harald Eilertsen

Popup | Custom Popup Builder <= 1.3 - Denial of Service

7.5

CVE-2022-0214

Jan 17, 2022

Researcher: Felipe de Avila

WP Import Export Lite & WP Import Export <= 3.9.15 - Unauthenticated Sensitive Data Disclosure

7.5

CVE-2022-0236

Jan 14, 2022

Researcher: Karan Saini

SupportCandy <= 2.2.4 - Unauthenticated Arbitrary Ticket Deletion

7.5

CVE-2021-24839

Jan 5, 2022

Researcher: Brandon James Roldan (tomorrowisnew)

Title	CVE ID	CVSS	Researchers	Date
WSM Downloader <= 1.4.0 - Arbitrary File Download	CVE-2022-2357	7.5	Raad Haddad	July 12, 2022
YaySMTP – Simple WP SMTP Mail <= 2.2 - Sensitive Information Disclosure	CVE-2022-2369	7.5	Rafshanzani Suhada	July 11, 2022
Export to Text <= 2.4 - Unauthenticated Post Export		7.5		June 15, 2022
Co-Authors Plus 3.5 - 3.5.1 - Sensitive Information Disclosure		7.5	Douglas Johnson	June 7, 2022
Log WP_Mail <= 0.1 - Sensitive Information Disclosure	CVE-2022-1412	7.5	Daniel Ruf	May 18, 2022
semver-regex <= 3.1.3 and 4.0.0-4.0.3 - Regular Expression Denial of Service (ReDoS)	CVE-2021-43307	7.5		May 13, 2022
Metform Elementor Contact Form Builder <= 2.1.3 - Sensitive Information Disclosure	CVE-2022-1442	7.5	Muhammad Zeeshan (Xib3rR4dAr)	April 23, 2022
Product Filter For WooCommerce Product <= 1.3.1 - Unauthenticated SQL Injection		7.5	cydave	April 14, 2022
Moment.js <= 2.29.1 - Directory Traversal		7.5		April 5, 2022
Salon Booking System and Salon Booking System Pro <= 7.6.2 - Sensitive Information Disclosure	CVE-2022-0920	7.5	Huli, Cymetrics	March 21, 2022
Download Manager <= 3.2.38 - Unauthenticated Brute Force of File Master Key	CVE-2022-0828	7.5	Diogo Real	March 16, 2022
NS WooCommerce Watermark <= 2.11.3 - Abuse of Functionality	CVE-2022-0989	7.5	Felipe Restrepo Rodriguez (pfelilpe)	March 15, 2022
Booking Package <= 1.5.28 - Unauthenticated Sensitive Data Disclosure	CVE-2022-0709	7.5	Huli, Cymetrics	March 9, 2022
Narnoo Distributor <= 2.5.1 - Path Traversal	CVE-2022-0679	7.5	cydave	March 1, 2022
Download Manager <= 3.2.34 - Sensitive Information Disclosure	CVE-2021-25087	7.5	Diogo Real	February 2, 2022
Cost Calculator <= 1.8 - Authenticated Local File Inclusion	CVE-2021-24820	7.5	apple502j	February 1, 2022
AccessPress Social Icons 1.8.2 - Backdoor		7.5	Harald Eilertsen	January 18, 2022
Popup \| Custom Popup Builder <= 1.3 - Denial of Service	CVE-2022-0214	7.5	Felipe de Avila	January 17, 2022
WP Import Export Lite & WP Import Export <= 3.9.15 - Unauthenticated Sensitive Data Disclosure	CVE-2022-0236	7.5	Karan Saini	January 14, 2022
SupportCandy <= 2.2.4 - Unauthenticated Arbitrary Ticket Deletion	CVE-2021-24839	7.5	Brandon James Roldan (tomorrowisnew)	January 5, 2022

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 6, 2024 Vulns
1	Francesco Carlucci	48
2	vgo0	47
3	wesley (wcraft)	16
4	João Pedro Soares de Alcântara	12
5	stealthcopter	12
6	tahu.datar	11
7	Krzysztof Zając	11
8	Lucio Sá	10
9	Peter Thaleikis	9
10	Le Ngoc Anh	9
11	Webbernaut	8
12	Robert DeVore	8
13	Colin Xu	6
14	Daniel Ruf	5
15	Dmitrii Ignatyev	5
16	Jorge Diaz (ddiax)	5
17	LVT-tholv2k	5
18	theviper17y	5
19	Trương Hữu Phúc (truonghuuphuc)	5
20	TANG Cheuk Hei (siunam)	5

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation