🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

WordPress Core <= 2.0.1 - Cross-Site Scripting

7.2

CVE-2006-0985

Mar 10, 2006

Researchers:

WordPress Core <= 1.5.2 - SQL Injection

7.2

CVE-2006-1012

Dec 31, 2005

Researchers:

WordPress Core <= 1.5.1.2 - Cross-Site Scripting

7.2

CVE-2005-2107

Jun 29, 2005

Researchers:

Broken Link Checker <= 2.4.0 - Reflected Cross-Site Scripting

7.1

CVE-2024-8981

Sep 30, 2024

Researcher: vgo0

Tutor LMS Pro <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Insecure Direct Object Reference

7.1

CVE-2024-5784

Aug 29, 2024

Researcher: Thanh Nam Tran

Brizy – Page Builder <= 2.4.44 - Missing Authorization to Authenticated (Contributor+) Post Modification

7.1

CVE-2024-1937

Jul 15, 2024

Researcher: stealthcopter

Export WP Page to Static HTML/CSS <= 2.2.2 - Open Redirect

7.1

CVE-2024-3597

Jun 19, 2024

Researcher: Krzysztof Zając

FooEvents for WooCommerce <= 1.19.20 - Improper Authorization to (Contributor+) Arbitrary File Upload

7.1

CVE-2024-6000

Jun 14, 2024

Researcher: István Márton

User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.2.0.1 - Missing Authorization to Privilege Escalation

7.1

CVE-2024-4958

May 31, 2024

Researcher: Thanh Nam Tran

ShopLentor <= 2.8.8 - Missing Authorization to WordPress Option Modification

7.1

CVE-2024-4566

May 20, 2024

Researcher: TheGreatLol

Brizy – Page Builder <= 2.4.41 - Authenticated(Contributor+) Stored Cross-Site Scripting

7.1

CVE-2024-1940

May 6, 2024

Researcher: stealthcopter

ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion

7.1

CVE-2024-1945

Apr 25, 2024

Researcher: Lucio Sá

WP-Stateless – Google Cloud Storage <= 3.4.0 - Missing Authorization to Limited Arbitrary Options Update

7.1

CVE-2024-1385

Apr 5, 2024

Researcher: Krzysztof Zając

Change Table Prefix <= 2.0 - Cross-Site Request Forgery via change_prefix_form

7.1

CVE-2024-25932

Feb 20, 2024

Researcher: Nguyen Xuan Chien

Index Now <= 2.6.3 - Cross-Site Request Forgery via reset_form

7.1

CVE-2024-0428

Jan 12, 2024

Researcher: Francesco Carlucci

WP Cleanfix <= 5.6.2 - Missing Authorization via register

7.1

CVE-2023-48775

Nov 28, 2023

Researcher: Abdi Pranata

JetEngine <= 3.2.4 - Missing Authorization

7.1

CVE-2023-48758

Nov 28, 2023

Researcher: Rafie Muhammad

SVGator – Add Animated SVG Easily <= 1.2.4 - Cross-Site Request Forgery

7.1

CVE-2023-48766

Nov 28, 2023

Researcher: Abdi Pranata

Profile Builder <= 3.10.3 - Cross-Site Request Forgery via pms-cross-promotion.php

7.1

CVE-2023-47669

Nov 7, 2023

Researcher: Brandon James Roldan (tomorrowisnew)

Ultimate Addons for WPBakery Page Builder <= 3.19.14 - Authenticated(Contributor+) Local File Inclusion

7.1

CVE-2023-46205

Oct 19, 2023

Researcher: Rafie Muhammad

Title	CVE ID	CVSS	Researchers	Date
WordPress Core <= 2.0.1 - Cross-Site Scripting	CVE-2006-0985	7.2		March 10, 2006
WordPress Core <= 1.5.2 - SQL Injection	CVE-2006-1012	7.2		December 31, 2005
WordPress Core <= 1.5.1.2 - Cross-Site Scripting	CVE-2005-2107	7.2		June 29, 2005
Broken Link Checker <= 2.4.0 - Reflected Cross-Site Scripting	CVE-2024-8981	7.1	vgo0	September 30, 2024
Tutor LMS Pro <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Insecure Direct Object Reference	CVE-2024-5784	7.1	Thanh Nam Tran	August 29, 2024
Brizy – Page Builder <= 2.4.44 - Missing Authorization to Authenticated (Contributor+) Post Modification	CVE-2024-1937	7.1	stealthcopter	July 15, 2024
Export WP Page to Static HTML/CSS <= 2.2.2 - Open Redirect	CVE-2024-3597	7.1	Krzysztof Zając	June 19, 2024
FooEvents for WooCommerce <= 1.19.20 - Improper Authorization to (Contributor+) Arbitrary File Upload	CVE-2024-6000	7.1	István Márton	June 14, 2024
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.2.0.1 - Missing Authorization to Privilege Escalation	CVE-2024-4958	7.1	Thanh Nam Tran	May 31, 2024
ShopLentor <= 2.8.8 - Missing Authorization to WordPress Option Modification	CVE-2024-4566	7.1	TheGreatLol	May 20, 2024
Brizy – Page Builder <= 2.4.41 - Authenticated(Contributor+) Stored Cross-Site Scripting	CVE-2024-1940	7.1	stealthcopter	May 6, 2024
ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion	CVE-2024-1945	7.1	Lucio Sá	April 25, 2024
WP-Stateless – Google Cloud Storage <= 3.4.0 - Missing Authorization to Limited Arbitrary Options Update	CVE-2024-1385	7.1	Krzysztof Zając	April 5, 2024
Change Table Prefix <= 2.0 - Cross-Site Request Forgery via change_prefix_form	CVE-2024-25932	7.1	Nguyen Xuan Chien	February 20, 2024
Index Now <= 2.6.3 - Cross-Site Request Forgery via reset_form	CVE-2024-0428	7.1	Francesco Carlucci	January 12, 2024
WP Cleanfix <= 5.6.2 - Missing Authorization via register	CVE-2023-48775	7.1	Abdi Pranata	November 28, 2023
JetEngine <= 3.2.4 - Missing Authorization	CVE-2023-48758	7.1	Rafie Muhammad	November 28, 2023
SVGator – Add Animated SVG Easily <= 1.2.4 - Cross-Site Request Forgery	CVE-2023-48766	7.1	Abdi Pranata	November 28, 2023
Profile Builder <= 3.10.3 - Cross-Site Request Forgery via pms-cross-promotion.php	CVE-2023-47669	7.1	Brandon James Roldan (tomorrowisnew)	November 7, 2023
Ultimate Addons for WPBakery Page Builder <= 3.19.14 - Authenticated(Contributor+) Local File Inclusion	CVE-2023-46205	7.1	Rafie Muhammad	October 19, 2023

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 31, 2024 Vulns
1	Francesco Carlucci	30
2	vgo0	30
3	wesley (wcraft)	22
4	Lucio Sá	13
5	Krzysztof Zając	12
6	stealthcopter	11
7	Peter Thaleikis	10
8	Marco Wotschka	7
9	Webbernaut	7
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	zer0gh0st	4
13	LVT-tholv2k	3
14	Robert DeVore	3
15	Le Ngoc Anh	3
16	István Márton	3
17	rezaduty	3
18	Jorge Diaz (ddiax)	2
19	Tonn	2
20	Michelle Porter	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation