🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

NextMove Lite <= 2.17.0 - Missing Authorization to Authenticated(Subscriber+) Plugin Activation

6.5

CVE-2024-25092

Feb 9, 2024

Researcher: beluga

AMP for WP <= 1.0.93.1 - Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data

6.5

CVE-2024-1043

Feb 6, 2024

Researcher: Sean Murphy

WP Hotel Booking <= 2.0.9.2 - Improper Authorization on Multiple REST API Routes

6.5

CVE ID Unknown

Feb 3, 2024

Researchers:

Quicksand Post Filter jQuery Plugin <= 3.1.1 - Cross-Site Request Forgery via renderAdmin

6.5

CVE-2024-24849

Feb 2, 2024

Researcher: Mika

HTML5 Video Player <= 2.5.24 - Unauthenticated SQL Injection via id

6.5

CVE-2024-1061

Jan 31, 2024

Researcher: Joshua Martinelle

Order Delivery Date for WP e-Commerce <= 1.2 - Unauthenticated Stored Cross-Site Scripting

6.5

CVE-2024-0678

Jan 29, 2024

Researcher: Krzysztof Zając

Backuply – Backup, Restore, Migrate and Clone <= 1.2.3 - Authenticated (Administrator+) Directory Traversal

6.5

CVE-2024-0697

Jan 26, 2024

Researcher: Bence Szalai

10Web AI Assistant – AI content writing assistant <= 1.0.18 - Missing Authorization to Arbitrary Plugin Installation

6.5

CVE-2023-6985

Jan 25, 2024

Researcher: Krzysztof Zając

easy.jobs <= 2.4.6 - Missing Authorization to Settings Update

6.5

CVE-2023-6843

Jan 21, 2024

Researcher: Krzysztof Zając

ColorMag <= 3.1.2 - Missing Authorization to Arbitrary Plugin Installation

6.5

CVE-2024-0679

Jan 19, 2024

Researcher: Sean Murphy

Splashscreen <= 0.20 - Cross-Site Request Forgery

6.5

CVE-2023-6501

Jan 19, 2024

Researcher: Daniel Ruf

lasTunes <= 3.6.1 - Cross-Site Request Forgery

6.5

CVE-2023-6499

Jan 19, 2024

Researcher: Daniel Ruf

Amelia <= 1.0.98 - Missing Authorization

6.5

CVE-2024-22298

Jan 17, 2024

Researcher: Abdi Pranata

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.4 - Authenticated (Contributor+) Stored Cross-Site Scritping

6.5

CVE-2024-0586

Jan 17, 2024

Researcher: Webbernaut

Contact Form builder with drag & drop - Kali Forms <= 2.3.36 - Insecure Direct Object Reference

6.5

CVE-2024-22305

Jan 17, 2024

Researcher: Revan Arifio

Browser Theme Color <= 1.3 - Cross-Site Request Forgery via btc_settings_page

6.5

CVE-2024-22291

Jan 17, 2024

Researcher: Nguyen Xuan Chien

Better Anchor Links <= 1.7.5 - Cross-Site Request Forgery via admin/options.php

6.5

CVE-2024-22287

Jan 16, 2024

Researcher: Dimas Maulana

SalesKing <= 1.6.15 - Missing Authorization to Settings Change

6.5

CVE-2024-22156

Jan 16, 2024

Researcher: Dave Jong

Profile Builder Pro <= 3.10.0 - Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure

6.5

CVE-2024-22141

Jan 10, 2024

Researcher: Dave Jong

List category posts <= 0.89.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.5

CVE-2023-6994

Jan 9, 2024

Researcher: Ngô Thiên An (ancorn_)

Title	CVE ID	CVSS	Researchers	Date
NextMove Lite <= 2.17.0 - Missing Authorization to Authenticated(Subscriber+) Plugin Activation	CVE-2024-25092	6.5	beluga	February 9, 2024
AMP for WP <= 1.0.93.1 - Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data	CVE-2024-1043	6.5	Sean Murphy	February 6, 2024
WP Hotel Booking <= 2.0.9.2 - Improper Authorization on Multiple REST API Routes		6.5		February 3, 2024
Quicksand Post Filter jQuery Plugin <= 3.1.1 - Cross-Site Request Forgery via renderAdmin	CVE-2024-24849	6.5	Mika	February 2, 2024
HTML5 Video Player <= 2.5.24 - Unauthenticated SQL Injection via id	CVE-2024-1061	6.5	Joshua Martinelle	January 31, 2024
Order Delivery Date for WP e-Commerce <= 1.2 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-0678	6.5	Krzysztof Zając	January 29, 2024
Backuply – Backup, Restore, Migrate and Clone <= 1.2.3 - Authenticated (Administrator+) Directory Traversal	CVE-2024-0697	6.5	Bence Szalai	January 26, 2024
10Web AI Assistant – AI content writing assistant <= 1.0.18 - Missing Authorization to Arbitrary Plugin Installation	CVE-2023-6985	6.5	Krzysztof Zając	January 25, 2024
easy.jobs <= 2.4.6 - Missing Authorization to Settings Update	CVE-2023-6843	6.5	Krzysztof Zając	January 21, 2024
ColorMag <= 3.1.2 - Missing Authorization to Arbitrary Plugin Installation	CVE-2024-0679	6.5	Sean Murphy	January 19, 2024
Splashscreen <= 0.20 - Cross-Site Request Forgery	CVE-2023-6501	6.5	Daniel Ruf	January 19, 2024
lasTunes <= 3.6.1 - Cross-Site Request Forgery	CVE-2023-6499	6.5	Daniel Ruf	January 19, 2024
Amelia <= 1.0.98 - Missing Authorization	CVE-2024-22298	6.5	Abdi Pranata	January 17, 2024
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.4 - Authenticated (Contributor+) Stored Cross-Site Scritping	CVE-2024-0586	6.5	Webbernaut	January 17, 2024
Contact Form builder with drag & drop - Kali Forms <= 2.3.36 - Insecure Direct Object Reference	CVE-2024-22305	6.5	Revan Arifio	January 17, 2024
Browser Theme Color <= 1.3 - Cross-Site Request Forgery via btc_settings_page	CVE-2024-22291	6.5	Nguyen Xuan Chien	January 17, 2024
Better Anchor Links <= 1.7.5 - Cross-Site Request Forgery via admin/options.php	CVE-2024-22287	6.5	Dimas Maulana	January 16, 2024
SalesKing <= 1.6.15 - Missing Authorization to Settings Change	CVE-2024-22156	6.5	Dave Jong	January 16, 2024
Profile Builder Pro <= 3.10.0 - Authenticated (Subscriber+) Time-Based One-Time Password Sensitive Information Exposure	CVE-2024-22141	6.5	Dave Jong	January 10, 2024
List category posts <= 0.89.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-6994	6.5	Ngô Thiên An (ancorn_)	January 9, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 30, 2024 Vulns
1	Francesco Carlucci	30
2	vgo0	27
3	wesley (wcraft)	21
4	Lucio Sá	13
5	stealthcopter	10
6	Krzysztof Zając	10
7	Peter Thaleikis	7
8	Marco Wotschka	7
9	Webbernaut	6
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	zer0gh0st	4
13	LVT-tholv2k	3
14	Robert DeVore	3
15	Le Ngoc Anh	3
16	rezaduty	3
17	Tonn	2
18	Tieu Pham Trong Nhan	2
19	Michelle Porter	2
20	Connor Billings	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation