🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 9.7.1 and PixelYourSite PRO <= 10.4.2 - Unauthenticated Information Exposure and Log Deletion

6.5

CVE-2024-7870

Sep 3, 2024

Researcher: Xetnus

Justified Image Grid <= 4.6.1 - Unauthenticated Server-Side Request Forgery

6.5

CVE-2024-43989

Aug 29, 2024

Researcher: Rafie Muhammad

Funnelforms Free <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Deletion

6.5

CVE-2024-6312

Aug 27, 2024

Researcher: István Márton

Smart Online Order for Clover <= 1.5.6 - Missing Authorization to Plugin Deactivation and Data Deletion

6.5

CVE-2024-7032

Aug 20, 2024

Researcher: Lucio Sá

GiveWP – Donation Plugin and Fundraising Platform <= 3.13.0 - Missing Authorization to Unauthenticated Event Settings Update

6.5

CVE-2024-5940

Aug 19, 2024

Researcher: villu164

6.5

CVE-2022-4532

Aug 16, 2024

Researcher: rezaduty

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2 - Authenticated (Contributor+) Arbitrary File Read

6.5

CVE-2024-4359

Aug 8, 2024

Researcher: Webbernaut

Docket (WooCommerce Collections / Wishlist / Watchlist) < 1.7.0 - Missing Authorization to Unauthenticated Arbitrary Post/Page Deletion

6.5

CVE-2024-43131

Aug 7, 2024

Researcher: Dave Jong

WooCommerce PDF Vouchers <= 4.9.4 - Missing Authorization

6.5

CVE-2024-39650

Aug 1, 2024

Researcher: Dave Jong

Tainacan <= 0.21.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read

6.5

CVE-2024-7135

Jul 30, 2024

Researcher: 1337_Wannabe

Social Auto Poster <= 5.3.14 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

6.5

CVE-2024-6755

Jul 23, 2024

Researcher: István Márton

Mercado Pago payments for WooCommerce 7.3.0 - 7.6.1 - Authenticated (Subscriber+) Arbitrary File Download

6.5

CVE-2024-3934

Jul 19, 2024

Researcher: Krzysztof Zając

WPCS <= 1.2.0.3 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVE-2024-38700

Jul 10, 2024

Researcher: stealthcopter

Premium Addons for Elementor <= 4.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.5

CVE-2024-37922

Jul 9, 2024

Researcher: wesley (wcraft)

Cliengo - Chatbot <= 3.0.2 - Missing Authorization to Unauthenticated Chatbot Settings Update

6.5

CVE-2024-5992

Jul 8, 2024

Researcher: Lucio Sá

Newspack Blocks <= 3.0.8 - Authenticated (Contributor+) Arbitrary Directory Deletion

6.5

CVE-2024-37423

Jun 28, 2024

Researcher: Rafie Muhammad

Sparkle Demo Importer <= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import

6.5

CVE-2024-6120

Jun 21, 2024

Researcher: Lucio Sá

License Manager for WooCommerce <= 3.0.6 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure

6.5

CVE-2024-1639

Jun 20, 2024

Researcher: Lucio Sá

Depicter <= 3.0.2 - Authenticated (Contributor+) Arbitrary Nonce Generation

6.5

CVE-2024-4390

Jun 19, 2024

Researcher: Arkadiusz Hydzik

Materialis <= 1.1.24 - Missing Authorization to Limited Arbitrary Options Update

6.5

CVE-2023-3204

Jun 19, 2024

Researcher: Gibran Abdillah

Title	CVE ID	CVSS	Researchers	Date
PixelYourSite – Your smart PIXEL (TAG) & API Manager <= 9.7.1 and PixelYourSite PRO <= 10.4.2 - Unauthenticated Information Exposure and Log Deletion	CVE-2024-7870	6.5	Xetnus	September 3, 2024
Justified Image Grid <= 4.6.1 - Unauthenticated Server-Side Request Forgery	CVE-2024-43989	6.5	Rafie Muhammad	August 29, 2024
Funnelforms Free <= 3.7.3.2 - Authenticated (Administrator+) Arbitrary File Deletion	CVE-2024-6312	6.5	István Márton	August 27, 2024
Smart Online Order for Clover <= 1.5.6 - Missing Authorization to Plugin Deactivation and Data Deletion	CVE-2024-7032	6.5	Lucio Sá	August 20, 2024
GiveWP – Donation Plugin and Fundraising Platform <= 3.13.0 - Missing Authorization to Unauthenticated Event Settings Update	CVE-2024-5940	6.5	villu164	August 19, 2024
LOGIN AND REGISTRATION ATTEMPTS LIMIT<= 2.1 - IP Address Spoofing to Protection Mechanism Bypass	CVE-2022-4532	6.5	rezaduty	August 16, 2024
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2 - Authenticated (Contributor+) Arbitrary File Read	CVE-2024-4359	6.5	Webbernaut	August 8, 2024
Docket (WooCommerce Collections / Wishlist / Watchlist) < 1.7.0 - Missing Authorization to Unauthenticated Arbitrary Post/Page Deletion	CVE-2024-43131	6.5	Dave Jong	August 7, 2024
WooCommerce PDF Vouchers <= 4.9.4 - Missing Authorization	CVE-2024-39650	6.5	Dave Jong	August 1, 2024
Tainacan <= 0.21.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read	CVE-2024-7135	6.5	1337_Wannabe	July 30, 2024
Social Auto Poster <= 5.3.14 - Missing Authorization to Unauthenticated Arbitrary Post Deletion	CVE-2024-6755	6.5	István Márton	July 23, 2024
Mercado Pago payments for WooCommerce 7.3.0 - 7.6.1 - Authenticated (Subscriber+) Arbitrary File Download	CVE-2024-3934	6.5	Krzysztof Zając	July 19, 2024
WPCS <= 1.2.0.3 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-38700	6.5	stealthcopter	July 10, 2024
Premium Addons for Elementor <= 4.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-37922	6.5	wesley (wcraft)	July 9, 2024
Cliengo - Chatbot <= 3.0.2 - Missing Authorization to Unauthenticated Chatbot Settings Update	CVE-2024-5992	6.5	Lucio Sá	July 8, 2024
Newspack Blocks <= 3.0.8 - Authenticated (Contributor+) Arbitrary Directory Deletion	CVE-2024-37423	6.5	Rafie Muhammad	June 28, 2024
Sparkle Demo Importer <= 1.4.7 - Missing Authorization to Authorized(Subscriber+) Post/Pages/Attachements Deletion and Demo Data Import	CVE-2024-6120	6.5	Lucio Sá	June 21, 2024
License Manager for WooCommerce <= 3.0.6 - Improper Authorization to Authenticated(Contributor+) Sensitive Information Exposure	CVE-2024-1639	6.5	Lucio Sá	June 20, 2024
Depicter <= 3.0.2 - Authenticated (Contributor+) Arbitrary Nonce Generation	CVE-2024-4390	6.5	Arkadiusz Hydzik	June 19, 2024
Materialis <= 1.1.24 - Missing Authorization to Limited Arbitrary Options Update	CVE-2023-3204	6.5	Gibran Abdillah	June 19, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 30, 2024 Vulns
1	Francesco Carlucci	30
2	vgo0	27
3	wesley (wcraft)	21
4	Lucio Sá	13
5	stealthcopter	10
6	Krzysztof Zając	10
7	Peter Thaleikis	7
8	Marco Wotschka	7
9	Webbernaut	6
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	zer0gh0st	4
13	LVT-tholv2k	3
14	Robert DeVore	3
15	Le Ngoc Anh	3
16	rezaduty	3
17	Tonn	2
18	Tieu Pham Trong Nhan	2
19	Michelle Porter	2
20	Connor Billings	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation