🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Yoast SEO <= 1.4.6 - Missing Authorization

6.5

CVE ID Unknown

Aug 1, 2014

Researchers:

User Meta – User Profile Builder and User management plugin 1.1.1 - Arbitrary File Upload

6.5

CVE ID Unknown

Aug 1, 2014

Researcher: Adrien Thierry

WordPress Core < 3.8.2 - Authentication Cookie Forgery

6.5

CVE-2014-0166

Apr 8, 2014

Researcher: Jon Cave

BuddyPress <= 1.9.1 - Authorization Bypass

6.5

CVE-2014-1889

Feb 5, 2014

Researcher: Pietro Oliva

Wordfence Security - Firewall & Malware Scan <= 3.3.6 - Stored Cross-Site Scripting

6.5

CVE ID Unknown

Oct 19, 2012

Researchers:

iThemes Security < 3.4.4 - Cross-Site Scripting

6.5

CVE ID Unknown

Aug 20, 2012

Researcher: Benjamin Kunz Mejri

WordPress Core <= 3.3.2 - Cross-Site Scripting

6.5

CVE-2012-6633

Jun 27, 2012

Researchers:

WordPress Core <= 3.3.1 - Same Origin Policy Bypass

6.5

CVE-2012-2401

Apr 20, 2012

Researchers:

eShop < 6.2.9 - Reflected Cross-Site Scripting

6.5

CVE ID Unknown

Jul 20, 2011

Researcher: HTBridge

WordPress Core <= 2.8.4 - Denial of Service

6.5

CVE-2009-3622

Oct 20, 2009

Researchers:

WordPress Core < 2.6.2 - Cryptographic Weakness

6.5

CVE-2008-4107

Sep 8, 2008

Researcher: Stefan Esser

WordPress Core < 2.3.3 - Improper Authorization Checks

6.5

CVE-2008-0664

Sep 8, 2007

Researchers:

WordPress Core < 2.1 - Directory Traversal

6.5

CVE-2007-0541

Jan 24, 2007

Researcher: Blake Matheny

WordPress Core <= 2.0.4 - Denial of Service

6.5

CVE-2006-6017

Oct 27, 2006

Researchers:

WordPress Core <= 2.0.4 - Directory Traversal

6.5

CVE-2006-5705

Oct 27, 2006

Researchers:

WordPress Core <= 2.0.3 - Denial of Service

6.5

CVE-2008-0194

Jul 29, 2006

Researchers:

OSM <= 6.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes

6.4

CVE-2024-8991

Sep 26, 2024

Researcher: Peter Thaleikis

Premium Addons for Elementor <= 4.10.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Media Grid Widget

6.4

CVE-2024-8681

Sep 26, 2024

Researcher: zer0gh0st

Themedy Toolbox <= 1.0.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

6.4

CVE-2024-9177

Sep 26, 2024

Researcher: Francesco Carlucci

Absolute Reviews <= 1.1.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Criteria Name

6.4

CVE-2024-8965

Sep 26, 2024

Researcher: Muhammad Adel (ItsFadinG)

Title	CVE ID	CVSS	Researchers	Date
Yoast SEO <= 1.4.6 - Missing Authorization		6.5		August 1, 2014
User Meta – User Profile Builder and User management plugin 1.1.1 - Arbitrary File Upload		6.5	Adrien Thierry	August 1, 2014
WordPress Core < 3.8.2 - Authentication Cookie Forgery	CVE-2014-0166	6.5	Jon Cave	April 8, 2014
BuddyPress <= 1.9.1 - Authorization Bypass	CVE-2014-1889	6.5	Pietro Oliva	February 5, 2014
Wordfence Security - Firewall & Malware Scan <= 3.3.6 - Stored Cross-Site Scripting		6.5		October 19, 2012
iThemes Security < 3.4.4 - Cross-Site Scripting		6.5	Benjamin Kunz Mejri	August 20, 2012
WordPress Core <= 3.3.2 - Cross-Site Scripting	CVE-2012-6633	6.5		June 27, 2012
WordPress Core <= 3.3.1 - Same Origin Policy Bypass	CVE-2012-2401	6.5		April 20, 2012
eShop < 6.2.9 - Reflected Cross-Site Scripting		6.5	HTBridge	July 20, 2011
WordPress Core <= 2.8.4 - Denial of Service	CVE-2009-3622	6.5		October 20, 2009
WordPress Core < 2.6.2 - Cryptographic Weakness	CVE-2008-4107	6.5	Stefan Esser	September 8, 2008
WordPress Core < 2.3.3 - Improper Authorization Checks	CVE-2008-0664	6.5		September 8, 2007
WordPress Core < 2.1 - Directory Traversal	CVE-2007-0541	6.5	Blake Matheny	January 24, 2007
WordPress Core <= 2.0.4 - Denial of Service	CVE-2006-6017	6.5		October 27, 2006
WordPress Core <= 2.0.4 - Directory Traversal	CVE-2006-5705	6.5		October 27, 2006
WordPress Core <= 2.0.3 - Denial of Service	CVE-2008-0194	6.5		July 29, 2006
OSM <= 6.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via osm_map and osm_map_v3 Shortcodes	CVE-2024-8991	6.4	Peter Thaleikis	September 26, 2024
Premium Addons for Elementor <= 4.10.52 - Authenticated (Contributor+) Stored Cross-Site Scripting via Media Grid Widget	CVE-2024-8681	6.4	zer0gh0st	September 26, 2024
Themedy Toolbox <= 1.0.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes	CVE-2024-9177	6.4	Francesco Carlucci	September 26, 2024
Absolute Reviews <= 1.1.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Criteria Name	CVE-2024-8965	6.4	Muhammad Adel (ItsFadinG)	September 26, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 28, 2024 Vulns
1	Francesco Carlucci	33
2	vgo0	24
3	stealthcopter	23
4	wesley (wcraft)	23
5	Lucio Sá	14
6	Krzysztof Zając	9
7	Webbernaut	7
8	Marco Wotschka	7
9	Peter Thaleikis	6
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	rezaduty	5
13	zer0gh0st	4
14	LVT-tholv2k	3
15	Rafie Muhammad	3
16	Le Ngoc Anh	3
17	Robert DeVore	3
18	João Pedro Soares de Alcântara	3
19	Arkadiusz Hydzik	2
20	Peng Zhou	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation