🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

wpForo Forum <= 2.2.8 - Cross-Site Request Forgery via logout()

4.3

CVE-2023-47870

Nov 20, 2023

Researcher: Jesse McNeil

Parallax Image <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-47854

Nov 20, 2023

Researcher: resecured.io

wpForo Forum <= 2.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVE-2023-47872

Nov 20, 2023

Researcher: Jesse McNeil

File Manager <= 6.3 - Authenticated (Admin+) Arbitrary OS File Access via Path Traversal

2.2

CVE-2023-5907

Nov 20, 2023

Researcher: Dmitrii Ignatyev

Customer Reviews for WooCommerce <= 5.38.1 - Missing Authorization via manual review reminders

4.3

CVE ID Unknown

Nov 19, 2023

Researchers:

Customer Reviews for WooCommerce <= 5.38.1 - Cross-Site Request Forgery via manual review reminders

4.3

CVE ID Unknown

Nov 19, 2023

Researchers:

Embed Privacy <= 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVE-2023-48300

Nov 18, 2023

Researcher: wpdabh

wpDiscuz <= 7.6.12 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE-2023-51691

Nov 17, 2023

Researcher: Jeongwoo-Lee(Roronoa)

EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting

6.1

CVE-2023-5749

Nov 17, 2023

Researcher: Krzysztof Zając

Audio Merchant <= 5.0.4 - Cross-Site Request Forgery to Settings Modifcation and Stored Cross-Site Scripting

5.4

CVE-2023-6197

Nov 17, 2023

Researcher: Ala Arfaoui

EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting

6.1

CVE-2023-5750

Nov 17, 2023

Researcher: Erwan LR

Audio Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload

8.8

CVE-2023-6196

Nov 17, 2023

Researcher: Ala Arfaoui

Community by PeepSo <= 6.1.6.0 - Cross-Site Request Forgery via delete

4.3

CVE-2023-39925

Nov 16, 2023

Researcher: Revan Arifio

Jetpack <= 12.6.2 - Improper Authorization via WPCom External Media REST endpoints

4.3

CVE-2023-47788

Nov 16, 2023

Researcher: Rafie Muhammad

ARI Stream Quiz <= 1.2.32 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-47835

Nov 16, 2023

Researcher: emad

WP Meta and Date Remover <= 2.3.0 - Cross-Site Request Forgery via updateSettings

5.3

CVE-2023-47836

Nov 16, 2023

Researcher: Abdi Pranata

Theater for WordPress <= 0.18.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

4.4

CVE-2023-47833

Nov 16, 2023

Researcher: DoYeon Park (p6rkdoye0n)

Easy Call Now by ThikShare <= 1.1.0 - Cross-Site Request Forgery via settings_page

4.3

CVE-2023-47819

Nov 16, 2023

Researcher: Nguyen Xuan Chien

ARMember <= 4.0.10 - Authenticated (Subscriber+) Membership Plan Bypass

4.3

CVE-2023-47837

Nov 16, 2023

Researcher: Revan Arifio

Restaurant & Cafe Addon for Elementor <= 1.5.3 - Missing Authorization via multiple AJAX functions

3.1

CVE-2023-47826

Nov 16, 2023

Researcher: Abdi Pranata

Title	CVE ID	CVSS	Researchers	Date
wpForo Forum <= 2.2.8 - Cross-Site Request Forgery via logout()	CVE-2023-47870	4.3	Jesse McNeil	November 20, 2023
Parallax Image <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-47854	6.4	resecured.io	November 20, 2023
wpForo Forum <= 2.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting	CVE-2023-47872	6.4	Jesse McNeil	November 20, 2023
File Manager <= 6.3 - Authenticated (Admin+) Arbitrary OS File Access via Path Traversal	CVE-2023-5907	2.2	Dmitrii Ignatyev	November 20, 2023
Customer Reviews for WooCommerce <= 5.38.1 - Missing Authorization via manual review reminders		4.3		November 19, 2023
Customer Reviews for WooCommerce <= 5.38.1 - Cross-Site Request Forgery via manual review reminders		4.3		November 19, 2023
Embed Privacy <= 1.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-48300	5.4	wpdabh	November 18, 2023
wpDiscuz <= 7.6.12 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2023-51691	4.4	Jeongwoo-Lee(Roronoa)	November 17, 2023
EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting	CVE-2023-5749	6.1	Krzysztof Zając	November 17, 2023
Audio Merchant <= 5.0.4 - Cross-Site Request Forgery to Settings Modifcation and Stored Cross-Site Scripting	CVE-2023-6197	5.4	Ala Arfaoui	November 17, 2023
EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting	CVE-2023-5750	6.1	Erwan LR	November 17, 2023
Audio Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload	CVE-2023-6196	8.8	Ala Arfaoui	November 17, 2023
Community by PeepSo <= 6.1.6.0 - Cross-Site Request Forgery via delete	CVE-2023-39925	4.3	Revan Arifio	November 16, 2023
Jetpack <= 12.6.2 - Improper Authorization via WPCom External Media REST endpoints	CVE-2023-47788	4.3	Rafie Muhammad	November 16, 2023
ARI Stream Quiz <= 1.2.32 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-47835	6.4	emad	November 16, 2023
WP Meta and Date Remover <= 2.3.0 - Cross-Site Request Forgery via updateSettings	CVE-2023-47836	5.3	Abdi Pranata	November 16, 2023
Theater for WordPress <= 0.18.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings	CVE-2023-47833	4.4	DoYeon Park (p6rkdoye0n)	November 16, 2023
Easy Call Now by ThikShare <= 1.1.0 - Cross-Site Request Forgery via settings_page	CVE-2023-47819	4.3	Nguyen Xuan Chien	November 16, 2023
ARMember <= 4.0.10 - Authenticated (Subscriber+) Membership Plan Bypass	CVE-2023-47837	4.3	Revan Arifio	November 16, 2023
Restaurant & Cafe Addon for Elementor <= 1.5.3 - Missing Authorization via multiple AJAX functions	CVE-2023-47826	3.1	Abdi Pranata	November 16, 2023

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 28, 2024 Vulns
1	Francesco Carlucci	33
2	vgo0	24
3	stealthcopter	23
4	wesley (wcraft)	23
5	Lucio Sá	14
6	Krzysztof Zając	9
7	Webbernaut	7
8	Marco Wotschka	7
9	Peter Thaleikis	6
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	rezaduty	5
13	zer0gh0st	4
14	LVT-tholv2k	3
15	Rafie Muhammad	3
16	Le Ngoc Anh	3
17	Robert DeVore	3
18	João Pedro Soares de Alcântara	3
19	Arkadiusz Hydzik	2
20	Peng Zhou	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation