🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Sell Media File with Stripe <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51892

Nov 8, 2024

Researcher: SOPROBRO

Th Shop Mania <= 1.4.9 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

8.8

CVE-2024-10674

Nov 8, 2024

Researchers: Sean Murphy, Kevin Murphy (knmurphy)

Surbma | Font Awesome <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51798

Nov 8, 2024

Researcher: SOPROBRO

Beacon For Help Scout <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51828

Nov 8, 2024

Researcher: SOPROBRO

ra_qrcode <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-52345

Nov 8, 2024

Researcher: SOPROBRO

Wd-image-magnifier-xoss <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51840

Nov 8, 2024

Researcher: SOPROBRO

Easy Social Sharebar <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51833

Nov 8, 2024

Researcher: SOPROBRO

Charity Addon for Elementor <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51938

Nov 8, 2024

Researcher: Michael

WP PagSeguro Payments <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51847

Nov 8, 2024

Researcher: SOPROBRO

Multifox Plus <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51916

Nov 8, 2024

Researcher: SOPROBRO

IntelliWidget Elements <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51912

Nov 8, 2024

Researcher: SOPROBRO

L Squared Hub WP <= 1.0 - Authenticated (Contributor+) SQL Injection

6.5

CVE-2024-51820

Nov 8, 2024

Researcher: LVT-tholv2k

WP Agenda <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51924

Nov 8, 2024

Researcher: SOPROBRO

Elementor Header & Footer Builder <= 1.6.45 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVE-2024-10325

Nov 7, 2024

Researcher: Francesco Carlucci

myCred <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_link Shortcode

6.4

CVE-2024-10187

Nov 7, 2024

Researcher: Peter Thaleikis

Easy SVG Support <= 3.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVE-2024-10269

Nov 7, 2024

Researcher: Francesco Carlucci

Simple Shortcode for Google Maps <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-10621

Nov 7, 2024

Researcher: Akbar Kustirama

Prime Slider - Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider <= 3.15.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via Blog Widget

6.4

CVE-2024-8442

Nov 6, 2024

Researcher: Robert DeVore

Event Post <= 5.9.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via events_cal Shortcode

6.4

CVE-2024-10186

Nov 5, 2024

Researcher: Peter Thaleikis

Active Products Tables for WooCommerce. Use constructor to create tables <= 1.0.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via woot_button Shortcode

6.4

CVE-2024-10168

Nov 5, 2024

Researcher: Peter Thaleikis

Title	CVE ID	CVSS	Researchers	Date
Sell Media File with Stripe <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51892	6.4	SOPROBRO	November 8, 2024
Th Shop Mania <= 1.4.9 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation	CVE-2024-10674	8.8	Sean Murphy, Kevin Murphy (knmurphy)	November 8, 2024
Surbma \| Font Awesome <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51798	6.4	SOPROBRO	November 8, 2024
Beacon For Help Scout <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51828	6.4	SOPROBRO	November 8, 2024
ra_qrcode <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-52345	6.4	SOPROBRO	November 8, 2024
Wd-image-magnifier-xoss <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51840	6.4	SOPROBRO	November 8, 2024
Easy Social Sharebar <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51833	6.4	SOPROBRO	November 8, 2024
Charity Addon for Elementor <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51938	6.4	Michael	November 8, 2024
WP PagSeguro Payments <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51847	6.4	SOPROBRO	November 8, 2024
Multifox Plus <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51916	6.4	SOPROBRO	November 8, 2024
IntelliWidget Elements <= 2.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51912	6.4	SOPROBRO	November 8, 2024
L Squared Hub WP <= 1.0 - Authenticated (Contributor+) SQL Injection	CVE-2024-51820	6.5	LVT-tholv2k	November 8, 2024
WP Agenda <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51924	6.4	SOPROBRO	November 8, 2024
Elementor Header & Footer Builder <= 1.6.45 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload	CVE-2024-10325	6.4	Francesco Carlucci	November 7, 2024
myCred <= 2.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via mycred_link Shortcode	CVE-2024-10187	6.4	Peter Thaleikis	November 7, 2024
Easy SVG Support <= 3.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload	CVE-2024-10269	6.4	Francesco Carlucci	November 7, 2024
Simple Shortcode for Google Maps <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-10621	6.4	Akbar Kustirama	November 7, 2024
Prime Slider - Addons For Elementor (Revolution of a slider, Hero Slider, Ecommerce Slider <= 3.15.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via Blog Widget	CVE-2024-8442	6.4	Robert DeVore	November 6, 2024
Event Post <= 5.9.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via events_cal Shortcode	CVE-2024-10186	6.4	Peter Thaleikis	November 5, 2024
Active Products Tables for WooCommerce. Use constructor to create tables <= 1.0.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via woot_button Shortcode	CVE-2024-10168	6.4	Peter Thaleikis	November 5, 2024

Submit Vulnerability

«
‹
1
2
...
24
25
26
...
1024
1025
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 25, 2024 Vulns
1	SOPROBRO	213
2	Francesco Carlucci	59
3	Peter Thaleikis	51
4	Gab	43
5	João Pedro Soares de Alcântara	40
6	vgo0	39
7	stealthcopter	39
8	LVT-tholv2k	23
9	Tonn	17
10	Mika	16
11	István Márton	14
12	Arkadiusz Hydzik	13
13	zer0gh0st	11
14	theviper17y	10
15	Trương Hữu Phúc (truonghuuphuc)	9
16	Tieu Pham Trong Nhan	9
17	wesley (wcraft)	8
18	Colin Xu	8
19	Joshua Chan	8
20	Ankit Patel	7

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation