🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

UserFeedback Lite <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Name Parameter

7.2

CVE-2024-5902

Jul 12, 2024

Researcher: zer0gh0st

FULL <= 3.1.12 - Unauthenticated Stored Cross-Site Scripting via License Plan Parameter

7.2

CVE-2024-6447

Jul 10, 2024

Researcher: stealthcopter

BerqWP <= 1.7.5 - Unauthenticated Server-Side Request Forgery

7.2

CVE-2024-37942

Jul 10, 2024

Researcher: Dave Jong

Business Card <= 1.0.0 - Authenticated (Admin+) Arbitrary File Uplaod

7.2

CVE-2024-5807

Jul 9, 2024

Researcher: Anjo Rev Tingson

TOCHAT.BE <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-37563

Jul 9, 2024

Researcher: Joshua Chan

Donation Block For PayPal <= 2.1.0 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-6021

Jul 9, 2024

Researcher: Bob Matyas

Easy Pixels by JEVNET <= 2.13 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-5479

Jul 8, 2024

Researcher: Lucio Sá

EventON <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates

7.2

CVE-2024-6180

Jul 8, 2024

Researcher: Lucio Sá

Bit Form <= 2.13.3 - Authenticated (Administrator+) Arbitrary File Upload

7.2

CVE-2024-6123

Jul 8, 2024

Researcher: István Márton

Beaver Builder Addons by WPZOOM <= 1.3.5 - Authenticated (Editor+) Local File Inclusion

7.2

CVE-2024-37464

Jul 1, 2024

Researcher: João Pedro Soares de Alcântara

IdeaPush <= 8.65 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-37461

Jul 1, 2024

Researcher: piro

PowerPack Lite for Beaver Builder <= 1.3.0.3 - Authenticated (Editor+) Local File Inclusion

7.2

CVE-2024-37410

Jun 28, 2024

Researcher: João Pedro Soares de Alcântara

Foxiz <= 2.3.5 - Unauthenticated Server-Side Request Forgery

7.2

CVE-2024-37260

Jun 27, 2024

Researcher: Kursat Cetin

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header

7.2

CVE-2024-4869

Jun 25, 2024

Researcher: Krzysztof Zając

UberMenu <= 3.8.3 - Cross-Site Request Forgery to Settings Reset

7.2

CVE-2024-3593

Jun 21, 2024

Researcher: M.Awad

Appointment Booking and Online Scheduling <= 4.4.2 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-5791

Jun 21, 2024

Researcher: Lucio Sá

Quotes and Tips by BestWebSoft <= 1.44 - Authenticated (Admin+) Arbitrary File Upload

7.2

CVE-2024-3112

Jun 21, 2024

Researcher: Peng Zhou

WishList Member X <= 3.25.1 - Missing Authorization to Stored Cross-Site Scripting

7.2

CVE-2024-37106

Jun 20, 2024

Researcher: Dave Jong

Tutor LMS – eLearning and online course solution <= 2.7.1 -Authenticated (Administrator+) SQL Injection

7.2

CVE-2024-4902

Jun 6, 2024

Researcher: wesley (wcraft)

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget

7.2

CVE-2024-5542

Jun 6, 2024

Researcher: Webbernaut

Title	CVE ID	CVSS	Researchers	Date
UserFeedback Lite <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Name Parameter	CVE-2024-5902	7.2	zer0gh0st	July 12, 2024
FULL <= 3.1.12 - Unauthenticated Stored Cross-Site Scripting via License Plan Parameter	CVE-2024-6447	7.2	stealthcopter	July 10, 2024
BerqWP <= 1.7.5 - Unauthenticated Server-Side Request Forgery	CVE-2024-37942	7.2	Dave Jong	July 10, 2024
Business Card <= 1.0.0 - Authenticated (Admin+) Arbitrary File Uplaod	CVE-2024-5807	7.2	Anjo Rev Tingson	July 9, 2024
TOCHAT.BE <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-37563	7.2	Joshua Chan	July 9, 2024
Donation Block For PayPal <= 2.1.0 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-6021	7.2	Bob Matyas	July 9, 2024
Easy Pixels by JEVNET <= 2.13 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-5479	7.2	Lucio Sá	July 8, 2024
EventON <= 2.2.15 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting and Plugin Settings Updates	CVE-2024-6180	7.2	Lucio Sá	July 8, 2024
Bit Form <= 2.13.3 - Authenticated (Administrator+) Arbitrary File Upload	CVE-2024-6123	7.2	István Márton	July 8, 2024
Beaver Builder Addons by WPZOOM <= 1.3.5 - Authenticated (Editor+) Local File Inclusion	CVE-2024-37464	7.2	João Pedro Soares de Alcântara	July 1, 2024
IdeaPush <= 8.65 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-37461	7.2	piro	July 1, 2024
PowerPack Lite for Beaver Builder <= 1.3.0.3 - Authenticated (Editor+) Local File Inclusion	CVE-2024-37410	7.2	João Pedro Soares de Alcântara	June 28, 2024
Foxiz <= 2.3.5 - Unauthenticated Server-Side Request Forgery	CVE-2024-37260	7.2	Kursat Cetin	June 27, 2024
WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header	CVE-2024-4869	7.2	Krzysztof Zając	June 25, 2024
UberMenu <= 3.8.3 - Cross-Site Request Forgery to Settings Reset	CVE-2024-3593	7.2	M.Awad	June 21, 2024
Appointment Booking and Online Scheduling <= 4.4.2 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting	CVE-2024-5791	7.2	Lucio Sá	June 21, 2024
Quotes and Tips by BestWebSoft <= 1.44 - Authenticated (Admin+) Arbitrary File Upload	CVE-2024-3112	7.2	Peng Zhou	June 21, 2024
WishList Member X <= 3.25.1 - Missing Authorization to Stored Cross-Site Scripting	CVE-2024-37106	7.2	Dave Jong	June 20, 2024
Tutor LMS – eLearning and online course solution <= 2.7.1 -Authenticated (Administrator+) SQL Injection	CVE-2024-4902	7.2	wesley (wcraft)	June 6, 2024
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget	CVE-2024-5542	7.2	Webbernaut	June 6, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 4, 2024 Vulns
1	Francesco Carlucci	49
2	vgo0	48
3	wesley (wcraft)	21
4	João Pedro Soares de Alcântara	12
5	stealthcopter	12
6	Lucio Sá	12
7	Krzysztof Zając	11
8	tahu.datar	11
9	Peter Thaleikis	9
10	Le Ngoc Anh	9
11	Robert DeVore	8
12	Webbernaut	7
13	Colin Xu	6
14	LVT-tholv2k	5
15	SOPROBRO	5
16	Jorge Diaz (ddiax)	5
17	theviper17y	5
18	Trương Hữu Phúc (truonghuuphuc)	5
19	Dmitrii Ignatyev	5
20	Daniel Ruf	5

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation