🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Quick Paypal Payments <= 5.7.25 - Unauthenticated Stored Cross Site Scripting

7.2

CVE-2023-25713

Feb 14, 2023

Researcher: yuyudhn

Multi Rating <= 5.0.5 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2022-47433

Feb 14, 2023

Researcher: minhtuanact

RSVPMaker <= 9.9.3 - Authenticated (Admin+) SQL Injection via $email value

7.2

CVE-2023-25045

Feb 13, 2023

Researcher: Aldo Dimas Anugrah K

RSVPMaker <= 9.9.3 - Authenticated (Admin+) SQL Injection via 'delete' parameter

7.2

CVE-2023-25047

Feb 13, 2023

Researcher: Muhammad Arsalan Diponegoro (tripoloski)

My Sticky Elements <= 2.0.8 - Authenticated (Admin+) SQL Injection

7.2

CVE-2023-0487

Feb 9, 2023

Researcher: qerogram

Auto Featured Image (Auto Post Thumbnail) <= 3.9.15 - Authenticated (Author+) Arbitrary File Upload

7.2

CVE-2023-0477

Feb 7, 2023

Researcher: dc11

Arigato Autoresponder and Newsletter <= 2.7.1 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-25020

Feb 6, 2023

Researcher: Rafshanzani Suhada

Monolit <= 2.0.6 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-25041

Feb 6, 2023

Researcher: RE-ALTER

Redirection for Contact Form 7 <= 2.7.0 - Authenticated(Editor+) Privilege Escalation

7.2

CVE-2023-23990

Feb 6, 2023

Researcher: Rafie Muhammad

Gallery – Image and Video Gallery with Thumbnails <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2022-47603

Feb 3, 2023

Researcher: minhtuanact

Metform Elementor Contact Form Builder <= 3.1.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-0084

Feb 2, 2023

Researcher: Mohammed El Amin, Chemouri

Image Hover Effects Plugin - Caption Hover with Carousel <= 2.8 - Unauthenticated Stored Cross Site Scripting

7.2

CVE-2022-45831

Feb 2, 2023

Researcher: minhtuanact

GeoDirectory <= 2.2.23 - Authenticated (Admin+) SQL Injection

7.2

CVE-2023-0278

Jan 31, 2023

Researchers: Daniel Krohmer, Kunal Sharma

Beautiful Cookie Consent Banner <= 2.10.1 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-3388

Jan 31, 2023

Researchers:

bbPress Voting <= 2.1.11.0 - Authenticated (Admin+) Stored Cross-Site Scripting

7.2

CVE-2023-24403

Jan 27, 2023

Researcher: Rio Darmawan

Simple Newsletter Plugin – Noptin <= 1.10.3 - Unauthenticated CSV Injection

7.2

CVE-2022-46803

Jan 27, 2023

Researcher: Mika

Welcart e-Commerce <= 2.8.10 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-22705

Jan 27, 2023

Researcher: Le Ngoc Anh

Limit Login Attempts Plus <= 1.0.9 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE ID Unknown

Jan 27, 2023

Researchers:

Quick Event Manager <= 9.7.4 - Unauthenticated Stored Cross Site Scripting

7.2

CVE-2023-23979

Jan 20, 2023

Researcher: yuyudhn

RapidLoad Power-Up for Autoptimize <= 1.6.35 - Authenticated (Subscriber+) SQL Injection

7.2

CVE-2022-47593

Jan 20, 2023

Researcher: Le Ngoc Anh

Title	CVE ID	CVSS	Researchers	Date
Quick Paypal Payments <= 5.7.25 - Unauthenticated Stored Cross Site Scripting	CVE-2023-25713	7.2	yuyudhn	February 14, 2023
Multi Rating <= 5.0.5 - Unauthenticated Stored Cross-Site Scripting	CVE-2022-47433	7.2	minhtuanact	February 14, 2023
RSVPMaker <= 9.9.3 - Authenticated (Admin+) SQL Injection via $email value	CVE-2023-25045	7.2	Aldo Dimas Anugrah K	February 13, 2023
RSVPMaker <= 9.9.3 - Authenticated (Admin+) SQL Injection via 'delete' parameter	CVE-2023-25047	7.2	Muhammad Arsalan Diponegoro (tripoloski)	February 13, 2023
My Sticky Elements <= 2.0.8 - Authenticated (Admin+) SQL Injection	CVE-2023-0487	7.2	qerogram	February 9, 2023
Auto Featured Image (Auto Post Thumbnail) <= 3.9.15 - Authenticated (Author+) Arbitrary File Upload	CVE-2023-0477	7.2	dc11	February 7, 2023
Arigato Autoresponder and Newsletter <= 2.7.1 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-25020	7.2	Rafshanzani Suhada	February 6, 2023
Monolit <= 2.0.6 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-25041	7.2	RE-ALTER	February 6, 2023
Redirection for Contact Form 7 <= 2.7.0 - Authenticated(Editor+) Privilege Escalation	CVE-2023-23990	7.2	Rafie Muhammad	February 6, 2023
Gallery – Image and Video Gallery with Thumbnails <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting	CVE-2022-47603	7.2	minhtuanact	February 3, 2023
Metform Elementor Contact Form Builder <= 3.1.2 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-0084	7.2	Mohammed El Amin, Chemouri	February 2, 2023
Image Hover Effects Plugin - Caption Hover with Carousel <= 2.8 - Unauthenticated Stored Cross Site Scripting	CVE-2022-45831	7.2	minhtuanact	February 2, 2023
GeoDirectory <= 2.2.23 - Authenticated (Admin+) SQL Injection	CVE-2023-0278	7.2	Daniel Krohmer, Kunal Sharma	January 31, 2023
Beautiful Cookie Consent Banner <= 2.10.1 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-3388	7.2		January 31, 2023
bbPress Voting <= 2.1.11.0 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2023-24403	7.2	Rio Darmawan	January 27, 2023
Simple Newsletter Plugin – Noptin <= 1.10.3 - Unauthenticated CSV Injection	CVE-2022-46803	7.2	Mika	January 27, 2023
Welcart e-Commerce <= 2.8.10 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-22705	7.2	Le Ngoc Anh	January 27, 2023
Limit Login Attempts Plus <= 1.0.9 - Unauthenticated Stored Cross-Site Scripting		7.2		January 27, 2023
Quick Event Manager <= 9.7.4 - Unauthenticated Stored Cross Site Scripting	CVE-2023-23979	7.2	yuyudhn	January 20, 2023
RapidLoad Power-Up for Autoptimize <= 1.6.35 - Authenticated (Subscriber+) SQL Injection	CVE-2022-47593	7.2	Le Ngoc Anh	January 20, 2023

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 3, 2024 Vulns
1	Francesco Carlucci	44
2	vgo0	40
3	wesley (wcraft)	20
4	Lucio Sá	14
5	stealthcopter	13
6	Krzysztof Zając	12
7	tahu.datar	11
8	Peter Thaleikis	11
9	João Pedro Soares de Alcântara	9
10	Webbernaut	7
11	Robert DeVore	7
12	Daniel Ruf	5
13	TANG Cheuk Hei (siunam)	5
14	SOPROBRO	5
15	Rafie Muhammad	4
16	Trương Hữu Phúc (truonghuuphuc)	4
17	Colin Xu	4
18	Tonn	4
19	zer0gh0st	4
20	LVT-tholv2k	4

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation