🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

iubenda < 2.3.5 - Failure to Restrict URL Protocol

6.5

CVE-2020-12742

May 12, 2020

Researchers:

WP Mega Menu <= 1.3.6 - Unauthenticated Settings Update to Stored Cross-Site Scripting

6.5

CVE ID Unknown

Apr 20, 2020

Researchers:

MapPress Maps for WordPress <=2.53.8 - Authenticated Map Creation/Deletion to Stored Cross-Site Scripting & Remote Code Execution

6.5

CVE-2020-12077

Apr 1, 2020

Researcher: Ram

Elementor Website Builder <= 2.9.5 - Authorization Bypass

6.5

CVE-2020-20634

Mar 31, 2020

Researcher: Jerome Bruandet

Font Awesome 4.0.0-rc15 and 4.0.0-rc16 - API Token Exposure

6.5

CVE ID Unknown

Mar 11, 2020

Researchers:

Brizy - Page Builder < 1.0.114 - Missing Authorization to Settings Update

6.5

CVE ID Unknown

Mar 5, 2020

Researcher: riki aji

301 Redirects - Easy Redirect Manager <= 2.40 - Missing Authorization

6.5

CVE-2019-19915

Dec 19, 2019

Researcher: Chloe Chamberland

Email Subscribers & Newsletters <= 4.2.2 - Unauthenticated Option Creation

6.5

CVE-2019-19982

Nov 13, 2019

Researcher: Chloe Chamberland

Safe SVG <= 1.9.4 - Denial of Service

6.5

CVE-2019-18855

Nov 5, 2019

Researcher: Nguyen Thanh Nguyen

Safe SVG <= 1.9.4 - Denial of Service

6.5

CVE-2019-18854

Nov 5, 2019

Researcher: Nguyen Thanh Nguyen

Currency Switcher <= 2.11.1 - Authorization Bypass

6.5

CVE-2019-18668

Nov 2, 2019

Researcher: Luka Sikic

Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated Settings Import/Export

6.5

CVE-2019-17228

Sep 20, 2019

Researcher: Jerome Bruandet

Custom Simple RSS < 2.0.7 - Cross-Site Request Forgery

6.5

CVE-2019-14327

Jul 27, 2019

Researcher: Mehdi Esmaeilpour

Coming Soon Page & Maintenance Mode <= 1.8.1 - Unauthenticated Settings Reset

6.5

CVE-2019-25139

Jul 17, 2019

Researcher: Jerome Bruandet

Hybrid Composer <= 1.4.6 - Missing Authorization to Arbitrary Options Update

6.5

CVE ID Unknown

Jul 10, 2019

Researcher: rootetsy

WPGraphQL <= 0.3.4 - Information Exposure

6.5

CVE-2019-25060

Jul 10, 2019

Researcher: Rohan Pagey

Insert or Embed Articulate Content into WordPress < 4.29991 - Directory Traversal

6.5

CVE-2019-15648

Jul 2, 2019

Researcher: WPScanTeam

Rank Math SEO <= 1.0.27 - Authenticated Settings Reset via reset-cmb Parameter

6.5

CVE-2019-14786

Jun 21, 2019

Researchers:

WordPress Core <= 5.0.3 - Path Traversal and Local File Inclusion

6.5

CVE-2019-8943

Feb 19, 2019

Researchers: Wilfried Becard, RIPS Technologies

PS PHPCaptcha <= 1.1.0 - Authenticated Denial of Service

6.5

CVE-2019-7412

Feb 16, 2019

Researcher: Metamorfosec

Title	CVE ID	CVSS	Researchers	Date
iubenda < 2.3.5 - Failure to Restrict URL Protocol	CVE-2020-12742	6.5		May 12, 2020
WP Mega Menu <= 1.3.6 - Unauthenticated Settings Update to Stored Cross-Site Scripting		6.5		April 20, 2020
MapPress Maps for WordPress <=2.53.8 - Authenticated Map Creation/Deletion to Stored Cross-Site Scripting & Remote Code Execution	CVE-2020-12077	6.5	Ram	April 1, 2020
Elementor Website Builder <= 2.9.5 - Authorization Bypass	CVE-2020-20634	6.5	Jerome Bruandet	March 31, 2020
Font Awesome 4.0.0-rc15 and 4.0.0-rc16 - API Token Exposure		6.5		March 11, 2020
Brizy - Page Builder < 1.0.114 - Missing Authorization to Settings Update		6.5	riki aji	March 5, 2020
301 Redirects - Easy Redirect Manager <= 2.40 - Missing Authorization	CVE-2019-19915	6.5	Chloe Chamberland	December 19, 2019
Email Subscribers & Newsletters <= 4.2.2 - Unauthenticated Option Creation	CVE-2019-19982	6.5	Chloe Chamberland	November 13, 2019
Safe SVG <= 1.9.4 - Denial of Service	CVE-2019-18855	6.5	Nguyen Thanh Nguyen	November 5, 2019
Safe SVG <= 1.9.4 - Denial of Service	CVE-2019-18854	6.5	Nguyen Thanh Nguyen	November 5, 2019
Currency Switcher <= 2.11.1 - Authorization Bypass	CVE-2019-18668	6.5	Luka Sikic	November 2, 2019
Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated Settings Import/Export	CVE-2019-17228	6.5	Jerome Bruandet	September 20, 2019
Custom Simple RSS < 2.0.7 - Cross-Site Request Forgery	CVE-2019-14327	6.5	Mehdi Esmaeilpour	July 27, 2019
Coming Soon Page & Maintenance Mode <= 1.8.1 - Unauthenticated Settings Reset	CVE-2019-25139	6.5	Jerome Bruandet	July 17, 2019
Hybrid Composer <= 1.4.6 - Missing Authorization to Arbitrary Options Update		6.5	rootetsy	July 10, 2019
WPGraphQL <= 0.3.4 - Information Exposure	CVE-2019-25060	6.5	Rohan Pagey	July 10, 2019
Insert or Embed Articulate Content into WordPress < 4.29991 - Directory Traversal	CVE-2019-15648	6.5	WPScanTeam	July 2, 2019
Rank Math SEO <= 1.0.27 - Authenticated Settings Reset via reset-cmb Parameter	CVE-2019-14786	6.5		June 21, 2019
WordPress Core <= 5.0.3 - Path Traversal and Local File Inclusion	CVE-2019-8943	6.5	Wilfried Becard, RIPS Technologies	February 19, 2019
PS PHPCaptcha <= 1.1.0 - Authenticated Denial of Service	CVE-2019-7412	6.5	Metamorfosec	February 16, 2019

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 28, 2024 Vulns
1	Francesco Carlucci	34
2	vgo0	26
3	stealthcopter	23
4	wesley (wcraft)	23
5	Lucio Sá	14
6	Krzysztof Zając	10
7	Peter Thaleikis	7
8	Webbernaut	7
9	Marco Wotschka	7
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	rezaduty	5
13	zer0gh0st	4
14	LVT-tholv2k	3
15	Rafie Muhammad	3
16	Le Ngoc Anh	3
17	Robert DeVore	3
18	João Pedro Soares de Alcântara	3
19	Arkadiusz Hydzik	2
20	Peng Zhou	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation