🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

NextMove Lite – Thank You Page for WooCommerce & Finale Lite – Sales Countdown Timer & Discount for WooCommerce <= 2.17.0 - Missing Authorization to Unauthenticated System Information Disclosure

5.3

CVE-2024-1120

Feb 29, 2024

Researcher: Francesco Carlucci

Genesis Blocks <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via postTitleTag

6.4

CVE-2024-2761

Feb 29, 2024

Researcher: Dmitrii Ignatyev

AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth By AWeber <= 7.3.14 - Authenticated (Admin+) SQL Injection

7.2

CVE-2024-1793

Feb 29, 2024

Researchers: Kunal Sharma, Akshay Kumar

Exclusive Addons for Elementor <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget

6.4

CVE-2024-1413

Feb 29, 2024

Researcher: RandomRoot

Giveaways and Contests by RafflePress <= 1.12.5 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-1935

Feb 29, 2024

Researcher: Krzysztof Zając

Exclusive Addons for Elementor <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-1234

Feb 29, 2024

Researcher: Webbernaut

Slider Responsive Slideshow – Image slider, Gallery slideshow <= 1.3.8 - Authenticated (Contributor+) PHP Object Injection

8.8

CVE-2024-1859

Feb 29, 2024

Researcher: Francesco Carlucci

Exclusive Addons for Elementor <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Covid-19 Stats Widget

6.4

CVE-2024-2028

Feb 29, 2024

Researcher: Nikolas

Custom Field Suite <= 2.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-0689

Feb 28, 2024

Researcher: Sh

Travelpayouts: All Travel Brands in One Place <= 1.1.16 - Open Redirect

6.1

CVE-2024-0337

Feb 28, 2024

Researcher: Krzysztof Zając

Avada | Website Builder For WordPress & WooCommerce <= 7.11.4 - Authenticated (Contributor+) Arbitrary File Upload

8.8

CVE-2024-1468

Feb 28, 2024

Researcher: Muhammad Zeeshan (Xib3rR4dAr)

Events Manager <= 6.4.6.4 - Authenticated(Administator+) Stored Cross-Site Scripting via settings

4.4

CVE-2024-0614

Feb 28, 2024

Researcher: Akbar Kustirama

WPvivid Backup and Migration <= 0.9.68 - Missing Authorization

6.5

CVE-2024-1982

Feb 28, 2024

Researcher: Denis Werner

Download Manager <= 3.2.85 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-6954

Feb 28, 2024

Researcher: Richard Telleng (stueotue)

Beaver Builder – WordPress Page Builder <= 2.7.4.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Audio Widget

6.4

CVE-2024-1074

Feb 28, 2024

Researcher: RandomRoot

Restaurant Solutions – Checklist 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-1977

Feb 28, 2024

Researcher: José Adán Hernández Flores

Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-1854

Feb 28, 2024

Researchers: Ngô Thiên An (ancorn_), Dau Hoang Tai

Advanced iFrame <= 2024.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

4.9

CVE-2024-1341

Feb 28, 2024

Researcher: Fariq Fadillah Gusti Insani (fariqfgi)

Premium Addons for Elementor <= 4.10.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via Banner, Team Members, and Image Scroll Widgets

6.4

CVE-2024-1680

Feb 28, 2024

Researcher: Webbernaut

Friends <= 2.8.5 - Authenticated (Admin+) Blind Server-Side Request Forgery

5.5

CVE-2024-1978

Feb 28, 2024

Researcher: Francisco Gutierrez

Title	CVE ID	CVSS	Researchers	Date
NextMove Lite – Thank You Page for WooCommerce & Finale Lite – Sales Countdown Timer & Discount for WooCommerce <= 2.17.0 - Missing Authorization to Unauthenticated System Information Disclosure	CVE-2024-1120	5.3	Francesco Carlucci	February 29, 2024
Genesis Blocks <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via postTitleTag	CVE-2024-2761	6.4	Dmitrii Ignatyev	February 29, 2024
AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth By AWeber <= 7.3.14 - Authenticated (Admin+) SQL Injection	CVE-2024-1793	7.2	Kunal Sharma, Akshay Kumar	February 29, 2024
Exclusive Addons for Elementor <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer Widget	CVE-2024-1413	6.4	RandomRoot	February 29, 2024
Giveaways and Contests by RafflePress <= 1.12.5 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-1935	7.2	Krzysztof Zając	February 29, 2024
Exclusive Addons for Elementor <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-1234	6.4	Webbernaut	February 29, 2024
Slider Responsive Slideshow – Image slider, Gallery slideshow <= 1.3.8 - Authenticated (Contributor+) PHP Object Injection	CVE-2024-1859	8.8	Francesco Carlucci	February 29, 2024
Exclusive Addons for Elementor <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Covid-19 Stats Widget	CVE-2024-2028	6.4	Nikolas	February 29, 2024
Custom Field Suite <= 2.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-0689	4.4	Sh	February 28, 2024
Travelpayouts: All Travel Brands in One Place <= 1.1.16 - Open Redirect	CVE-2024-0337	6.1	Krzysztof Zając	February 28, 2024
Avada \| Website Builder For WordPress & WooCommerce <= 7.11.4 - Authenticated (Contributor+) Arbitrary File Upload	CVE-2024-1468	8.8	Muhammad Zeeshan (Xib3rR4dAr)	February 28, 2024
Events Manager <= 6.4.6.4 - Authenticated(Administator+) Stored Cross-Site Scripting via settings	CVE-2024-0614	4.4	Akbar Kustirama	February 28, 2024
WPvivid Backup and Migration <= 0.9.68 - Missing Authorization	CVE-2024-1982	6.5	Denis Werner	February 28, 2024
Download Manager <= 3.2.85 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-6954	6.4	Richard Telleng (stueotue)	February 28, 2024
Beaver Builder – WordPress Page Builder <= 2.7.4.2 - Authenticated(Contributor+) Stored Cross-Site Scripting via Audio Widget	CVE-2024-1074	6.4	RandomRoot	February 28, 2024
Restaurant Solutions – Checklist 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-1977	4.4	José Adán Hernández Flores	February 28, 2024
Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates <= 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-1854	6.4	Ngô Thiên An (ancorn_), Dau Hoang Tai	February 28, 2024
Advanced iFrame <= 2024.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-1341	4.9	Fariq Fadillah Gusti Insani (fariqfgi)	February 28, 2024
Premium Addons for Elementor <= 4.10.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via Banner, Team Members, and Image Scroll Widgets	CVE-2024-1680	6.4	Webbernaut	February 28, 2024
Friends <= 2.8.5 - Authenticated (Admin+) Blind Server-Side Request Forgery	CVE-2024-1978	5.5	Francisco Gutierrez	February 28, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Sep 3, 2024 Vulns
1	Francesco Carlucci	44
2	vgo0	40
3	wesley (wcraft)	20
4	Lucio Sá	14
5	stealthcopter	13
6	Krzysztof Zając	12
7	tahu.datar	11
8	Peter Thaleikis	11
9	João Pedro Soares de Alcântara	9
10	Webbernaut	7
11	Robert DeVore	7
12	Daniel Ruf	5
13	TANG Cheuk Hei (siunam)	5
14	SOPROBRO	5
15	Rafie Muhammad	4
16	Trương Hữu Phúc (truonghuuphuc)	4
17	Colin Xu	4
18	Tonn	4
19	zer0gh0st	4
20	LVT-tholv2k	4

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation