🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Visual CSS Style Editor <= 7.2.0 - Unauthenticated Arbitrary Options Update

9.8

CVE-2019-11886

Apr 11, 2019

Researchers:

Pipdig Power Pack (P3) <= 4.7.3 - Backdoor

9.8

CVE ID Unknown

Mar 29, 2019

Researchers: Mikey Veenstra, Jemjabella

WP Database Backup <= 5.1.2 - Unauthenticated Settings Update to Remote Code Execution

9.8

CVE ID Unknown

Mar 24, 2019

Researchers:

Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update

9.8

CVE-2019-25141

Mar 17, 2019

Researcher: Jerome Bruandet

SiteGround Optimizer <= 5.0.12 - Missing Authorization

9.8

CVE-2019-25217

Mar 14, 2019

Researcher: Marc-Alexandre Montpas

Caldera Forms Pro < 1.8.2 - Missing Authorization

9.8

CVE ID Unknown

Mar 13, 2019

Researcher: Marc-Alexandre Montpas

GraceMedia Media Player <= 1.0 - Local File Inclusion

9.8

CVE-2019-9618

Mar 13, 2019

Researcher: Manuel Garcia Cardenas

WP Live Chat Support Pro <= 8.0.06 - Remote Code Execution via unrestricted file upload

9.8

CVE-2018-12426

Mar 11, 2019

Researcher: Riccardo ten Cate

Indeed Membership Pro <= 7.5 - Arbitrary File Upload

9.8

CVE ID Unknown

Feb 26, 2019

Researcher: James Fraser

WP Cost Estimation <= 9.642 - Missing Authorization to Arbitrary File Upload/Delete

9.8

CVE ID Unknown

Feb 14, 2019

Researcher: Mikey Veenstra

Yet Another Stars Rating <= 1.8.6 - Unauthenticated PHP Object Injection

9.8

CVE ID Unknown

Jan 27, 2019

Researcher: Paul Dannewitz

Total Donations <= 2.0.5 - Missing Authorization to Arbitrary Options Update

9.8

CVE-2019-6703

Jan 25, 2019

Researchers: Nate Smith, Mikey Veenstra, Matt Rusnak, Ram

Social Network Tabs - Social Media API Key Leakage <= 1.7.1 - Information Exposure

9.8

CVE-2018-20555

Jan 16, 2019

Researcher: fs0c131y

Shortcode Factory <= 2.7 - Local File Inclusion

9.8

CVE-2019-15322

Jan 16, 2019

Researchers:

Baggage Freight Shipping Australia <= 0.1.0 - Arbitrary File Upload

9.8

CVE ID Unknown

Jan 8, 2019

Researcher: Kaimi

Ninja Forms Contact Form <= 3.3.21.1 - SQL Injection

9.8

CVE-2019-15025

Jan 7, 2019

Researchers:

Audio Record <= 1.0 - Arbitrary File Upload

9.8

CVE ID Unknown

Jan 7, 2019

Researcher: Kaimi

Smush – Lazy Load Images, Optimize & Compress Images <= 2.9.1 - Cross-Site Scripting

9.8

CVE ID Unknown

Dec 10, 2018

Researchers:

WP Payeezy Pay < 2.98 - Local File Inclusion

9.8

CVE-2018-20985

Dec 7, 2018

Researchers:

Woo Confirmation Email < 3.2.0 - Improper Access Control

9.8

CVE-2018-21007

Nov 27, 2018

Researchers:

Title	CVE ID	CVSS	Researchers	Date
Visual CSS Style Editor <= 7.2.0 - Unauthenticated Arbitrary Options Update	CVE-2019-11886	9.8		April 11, 2019
Pipdig Power Pack (P3) <= 4.7.3 - Backdoor		9.8	Mikey Veenstra, Jemjabella	March 29, 2019
WP Database Backup <= 5.1.2 - Unauthenticated Settings Update to Remote Code Execution		9.8		March 24, 2019
Easy WP SMTP <= 1.3.9 - Missing Authorization to Arbitrary Options Update	CVE-2019-25141	9.8	Jerome Bruandet	March 17, 2019
SiteGround Optimizer <= 5.0.12 - Missing Authorization	CVE-2019-25217	9.8	Marc-Alexandre Montpas	March 14, 2019
Caldera Forms Pro < 1.8.2 - Missing Authorization		9.8	Marc-Alexandre Montpas	March 13, 2019
GraceMedia Media Player <= 1.0 - Local File Inclusion	CVE-2019-9618	9.8	Manuel Garcia Cardenas	March 13, 2019
WP Live Chat Support Pro <= 8.0.06 - Remote Code Execution via unrestricted file upload	CVE-2018-12426	9.8	Riccardo ten Cate	March 11, 2019
Indeed Membership Pro <= 7.5 - Arbitrary File Upload		9.8	James Fraser	February 26, 2019
WP Cost Estimation <= 9.642 - Missing Authorization to Arbitrary File Upload/Delete		9.8	Mikey Veenstra	February 14, 2019
Yet Another Stars Rating <= 1.8.6 - Unauthenticated PHP Object Injection		9.8	Paul Dannewitz	January 27, 2019
Total Donations <= 2.0.5 - Missing Authorization to Arbitrary Options Update	CVE-2019-6703	9.8	Nate Smith, Mikey Veenstra, Matt Rusnak, Ram	January 25, 2019
Social Network Tabs - Social Media API Key Leakage <= 1.7.1 - Information Exposure	CVE-2018-20555	9.8	fs0c131y	January 16, 2019
Shortcode Factory <= 2.7 - Local File Inclusion	CVE-2019-15322	9.8		January 16, 2019
Baggage Freight Shipping Australia <= 0.1.0 - Arbitrary File Upload		9.8	Kaimi	January 8, 2019
Ninja Forms Contact Form <= 3.3.21.1 - SQL Injection	CVE-2019-15025	9.8		January 7, 2019
Audio Record <= 1.0 - Arbitrary File Upload		9.8	Kaimi	January 7, 2019
Smush – Lazy Load Images, Optimize & Compress Images <= 2.9.1 - Cross-Site Scripting		9.8		December 10, 2018
WP Payeezy Pay < 2.98 - Local File Inclusion	CVE-2018-20985	9.8		December 7, 2018
Woo Confirmation Email < 3.2.0 - Improper Access Control	CVE-2018-21007	9.8		November 27, 2018

Submit Vulnerability

«
‹
1
2
...
49
50
51
...
1030
1031
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 27, 2024 Vulns
1	SOPROBRO	235
2	Francesco Carlucci	62
3	Peter Thaleikis	57
4	João Pedro Soares de Alcântara	55
5	Gab	45
6	stealthcopter	41
7	vgo0	40
8	LVT-tholv2k	29
9	Mika	29
10	Tonn	17
11	István Márton	15
12	Arkadiusz Hydzik	14
13	zer0gh0st	12
14	theviper17y	12
15	Le Ngoc Anh	12
16	Trương Hữu Phúc (truonghuuphuc)	9
17	Joshua Chan	9
18	wesley (wcraft)	9
19	Tieu Pham Trong Nhan	9
20	Ankit Patel	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation