🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Event Calendar <= 1.4.6 - Missing Authorization to Event Modification

6.5

CVE-2022-38067

Aug 25, 2022

Researcher: Nguy Minh Tuan

Analytify – Google Analytics Dashboard For WordPress <= 4.2.2 - Authorization Bypass

6.5

CVE ID Unknown

Aug 22, 2022

Researchers:

Migration, Backup, Staging – WPvivid <= 0.9.75 - Authenticated (Administrator+) Path Traversal

6.5

CVE-2022-2863

Aug 22, 2022

Researcher: Rodolfo Tavares

Export All URLs <= 4.3 - Arbitrary File Deletion

6.5

CVE-2022-2638

Aug 8, 2022

Researcher: Raad Haddad

WPQA - Builder forms Addon For WordPress < 5.7 - Information Disclosure

6.5

CVE-2022-2198

Aug 1, 2022

Researcher: Bikram kharal

Transposh WordPress Translation <= 1.0.7 - Unauthenticated Stored Cross-Site Scripting via 'tp_translation'

6.5

CVE-2021-24911

Jul 22, 2022

Researcher: Julien Ahrens

Web en Mantenimiento <= 1.0.6 - Cross-Site Request Forgery to Settings Update

6.5

CVE ID Unknown

Jul 19, 2022

Researchers:

YaySMTP – Simple WP SMTP Mail <= 2.2 - Missing Authorization to Sensitive Information Exposure

6.5

CVE-2022-2370

Jul 11, 2022

Researchers:

eBay Dropshipping and Affiliate by Wooshark <= 1.5.6 - Unprotected AJAX Actions

6.5

CVE ID Unknown

Jun 22, 2022

Researchers:

Rename wp-login.php <= 2.6.0 - Cross-Site Request Forgery & Unauthenticated Settings Change

6.5

CVE-2022-1732

Jun 16, 2022

Researcher: Daniel Ruf

Wbcom Designs – BuddyPress Group Reviews <= 2.8.3 - Unauthorized AJAX Actions due to Nonce Bypass

6.5

CVE-2022-2108

Jun 16, 2022

Researcher: Marco Wotschka

Browser and Operating System Finder <= 1.2 - Missing Authorization

6.5

CVE ID Unknown

Jun 2, 2022

Researcher: WPScanTeam

WP-EMail <= 2.68.2 - Spam Protection Bypass

6.5

CVE-2022-1614

May 30, 2022

Researcher: Daniel Ruf

Envato Sales By Item <= 1.1 - Unauthenticated SQL Injection via AJAX call

6.5

CVE ID Unknown

May 26, 2022

Researchers:

HC Custom WP-Admin URL <= 1.4 - Information Exposure

6.5

CVE-2022-1595

May 18, 2022

Researcher: Daniel Ruf

Jupiter Theme <= 6.10.1 - Authenticated Arbitrary Plugin Deletion

6.5

CVE-2022-1658

May 18, 2022

Researcher: Ram

JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6 - Authenticated Arbitrary Plugin Deactivation and Settings Modification

6.5

CVE-2022-1656

May 18, 2022

Researcher: Ram

External Links in New Window / New Tab <= 1.42 - Tabnabbing

6.5

CVE-2022-1583

May 9, 2022

Researcher: Daniel Ruf

WP-Stateless – Google Cloud Storage <= 3.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting

6.5

CVE-2022-4905

May 6, 2022

Researchers:

Breeze – WordPress Cache Plugin <= 2.0.2 - Unprotected AJAX Actions

6.5

CVE-2022-29444

May 2, 2022

Researcher: Dave Jong

Title	CVE ID	CVSS	Researchers	Date
Event Calendar <= 1.4.6 - Missing Authorization to Event Modification	CVE-2022-38067	6.5	Nguy Minh Tuan	August 25, 2022
Analytify – Google Analytics Dashboard For WordPress <= 4.2.2 - Authorization Bypass		6.5		August 22, 2022
Migration, Backup, Staging – WPvivid <= 0.9.75 - Authenticated (Administrator+) Path Traversal	CVE-2022-2863	6.5	Rodolfo Tavares	August 22, 2022
Export All URLs <= 4.3 - Arbitrary File Deletion	CVE-2022-2638	6.5	Raad Haddad	August 8, 2022
WPQA - Builder forms Addon For WordPress < 5.7 - Information Disclosure	CVE-2022-2198	6.5	Bikram kharal	August 1, 2022
Transposh WordPress Translation <= 1.0.7 - Unauthenticated Stored Cross-Site Scripting via 'tp_translation'	CVE-2021-24911	6.5	Julien Ahrens	July 22, 2022
Web en Mantenimiento <= 1.0.6 - Cross-Site Request Forgery to Settings Update		6.5		July 19, 2022
YaySMTP – Simple WP SMTP Mail <= 2.2 - Missing Authorization to Sensitive Information Exposure	CVE-2022-2370	6.5		July 11, 2022
eBay Dropshipping and Affiliate by Wooshark <= 1.5.6 - Unprotected AJAX Actions		6.5		June 22, 2022
Rename wp-login.php <= 2.6.0 - Cross-Site Request Forgery & Unauthenticated Settings Change	CVE-2022-1732	6.5	Daniel Ruf	June 16, 2022
Wbcom Designs – BuddyPress Group Reviews <= 2.8.3 - Unauthorized AJAX Actions due to Nonce Bypass	CVE-2022-2108	6.5	Marco Wotschka	June 16, 2022
Browser and Operating System Finder <= 1.2 - Missing Authorization		6.5	WPScanTeam	June 2, 2022
WP-EMail <= 2.68.2 - Spam Protection Bypass	CVE-2022-1614	6.5	Daniel Ruf	May 30, 2022
Envato Sales By Item <= 1.1 - Unauthenticated SQL Injection via AJAX call		6.5		May 26, 2022
HC Custom WP-Admin URL <= 1.4 - Information Exposure	CVE-2022-1595	6.5	Daniel Ruf	May 18, 2022
Jupiter Theme <= 6.10.1 - Authenticated Arbitrary Plugin Deletion	CVE-2022-1658	6.5	Ram	May 18, 2022
JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6 - Authenticated Arbitrary Plugin Deactivation and Settings Modification	CVE-2022-1656	6.5	Ram	May 18, 2022
External Links in New Window / New Tab <= 1.42 - Tabnabbing	CVE-2022-1583	6.5	Daniel Ruf	May 9, 2022
WP-Stateless – Google Cloud Storage <= 3.1.1 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2022-4905	6.5		May 6, 2022
Breeze – WordPress Cache Plugin <= 2.0.2 - Unprotected AJAX Actions	CVE-2022-29444	6.5	Dave Jong	May 2, 2022

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 29, 2024 Vulns
1	Francesco Carlucci	33
2	vgo0	27
3	wesley (wcraft)	21
4	Lucio Sá	13
5	Krzysztof Zając	10
6	stealthcopter	10
7	Marco Wotschka	7
8	Peter Thaleikis	7
9	Webbernaut	6
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	rezaduty	5
13	zer0gh0st	4
14	LVT-tholv2k	3
15	Robert DeVore	3
16	Le Ngoc Anh	3
17	RyotaK	2
18	Jorge Diaz (ddiax)	2
19	Tonn	2
20	Ankit Patel	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation