🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms < 1.1.1 - SQL Injection

9.8

CVE-2015-9335

Oct 9, 2015

Researchers:

Support Ticket System < 1.2.1 - SQL Injection

9.8

CVE-2015-7670

Oct 6, 2015

Researcher: Ibéria Medeiros

Easy2Map <= 1.2.9 - Directory Traversal and Local File Inclusion

9.8

CVE-2015-7669

Oct 5, 2015

Researcher: Ibéria Medeiros

mTheme-Unus (All Versions) - Local File Inclusion

9.8

CVE ID Unknown

Sep 27, 2015

Researcher: FullSecurity.org

Appointment Booking Calendar <= 1.1.7 - SQL Injection

9.8

CVE-2015-7319

Sep 26, 2015

Researcher: Ibéria Medeiros

MyPixs <= 0.3 - Local File Inclusion

9.8

CVE-2015-1000012

Sep 15, 2015

Researcher: Larry W. Cashdollar

CP Reservation Calendar < 1.1.7 - SQL Injection

9.8

CVE-2015-7235

Sep 15, 2015

Researchers: Christian Mondrago, Uriel Zarate

WP Limit Login Attempts < 2.0.1 - SQL Injection

9.8

CVE-2015-6829

Sep 5, 2015

Researcher: Scott Arciszewski

Memphis Documents Library <= 2.6.16 - Local File Inclusion

9.8

CVE-2014-10384

Sep 4, 2015

Researchers:

Memphis Documents Library <= 2.6.16 - Remote File Inclusion

9.8

CVE-2014-10383

Sep 4, 2015

Researchers:

BJ Lazy Load < 1.0 - Remote File Inclusion via TimThumb

9.8

CVE-2015-9415

Sep 2, 2015

Researcher: Julio Potier

Car Rental System < 3.1 - SQL Injection

9.8

CVE ID Unknown

Aug 26, 2015

Researcher: Manish Kishan Tanwar

DukaPress <= 2.5.9 - Blind SQL Injection

9.8

CVE-2015-1000011

Aug 22, 2015

Researcher: Larry W. Cashdollar

404 to 301 – Redirect, Log and Notify 404 Errors <= 2.0.2 - SQL Injection

9.8

CVE-2015-9323

Aug 20, 2015

Researcher: Marcin Probola

WP OAuth Server (OAuth Authentication) < 3.1.5 - Pseudorandom Number Generation

9.8

CVE-2015-9435

Aug 12, 2015

Researcher: Mallory Adams

Events Manager <= 5.5.7.1 - Code Injection

9.8

CVE-2015-9298

Aug 10, 2015

Researcher: bit9.com team

WP Symposium <= 15.8 - Unauthenticated SQL Injection

9.8

CVE-2015-6522

Aug 9, 2015

Researchers:

Email Before Download <= 3.4 - SQL Injection

9.8

CVE ID Unknown

Jul 28, 2015

Researcher: Clément Notin

NEX-Forms – Ultimate Form Builder < 4.6.1 - SQL Injection

9.8

CVE-2015-9452

Jul 16, 2015

Researcher: Marcin Probola

Plugmatter Optin Feature Box < 2.0.14 - SQL Injection

9.8

CVE-2015-9451

Jul 16, 2015

Researcher: Marcin Probola

Title	CVE ID	CVSS	Researchers	Date
Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms < 1.1.1 - SQL Injection	CVE-2015-9335	9.8		October 9, 2015
Support Ticket System < 1.2.1 - SQL Injection	CVE-2015-7670	9.8	Ibéria Medeiros	October 6, 2015
Easy2Map <= 1.2.9 - Directory Traversal and Local File Inclusion	CVE-2015-7669	9.8	Ibéria Medeiros	October 5, 2015
mTheme-Unus (All Versions) - Local File Inclusion		9.8	FullSecurity.org	September 27, 2015
Appointment Booking Calendar <= 1.1.7 - SQL Injection	CVE-2015-7319	9.8	Ibéria Medeiros	September 26, 2015
MyPixs <= 0.3 - Local File Inclusion	CVE-2015-1000012	9.8	Larry W. Cashdollar	September 15, 2015
CP Reservation Calendar < 1.1.7 - SQL Injection	CVE-2015-7235	9.8	Christian Mondrago, Uriel Zarate	September 15, 2015
WP Limit Login Attempts < 2.0.1 - SQL Injection	CVE-2015-6829	9.8	Scott Arciszewski	September 5, 2015
Memphis Documents Library <= 2.6.16 - Local File Inclusion	CVE-2014-10384	9.8		September 4, 2015
Memphis Documents Library <= 2.6.16 - Remote File Inclusion	CVE-2014-10383	9.8		September 4, 2015
BJ Lazy Load < 1.0 - Remote File Inclusion via TimThumb	CVE-2015-9415	9.8	Julio Potier	September 2, 2015
Car Rental System < 3.1 - SQL Injection		9.8	Manish Kishan Tanwar	August 26, 2015
DukaPress <= 2.5.9 - Blind SQL Injection	CVE-2015-1000011	9.8	Larry W. Cashdollar	August 22, 2015
404 to 301 – Redirect, Log and Notify 404 Errors <= 2.0.2 - SQL Injection	CVE-2015-9323	9.8	Marcin Probola	August 20, 2015
WP OAuth Server (OAuth Authentication) < 3.1.5 - Pseudorandom Number Generation	CVE-2015-9435	9.8	Mallory Adams	August 12, 2015
Events Manager <= 5.5.7.1 - Code Injection	CVE-2015-9298	9.8	bit9.com team	August 10, 2015
WP Symposium <= 15.8 - Unauthenticated SQL Injection	CVE-2015-6522	9.8		August 9, 2015
Email Before Download <= 3.4 - SQL Injection		9.8	Clément Notin	July 28, 2015
NEX-Forms – Ultimate Form Builder < 4.6.1 - SQL Injection	CVE-2015-9452	9.8	Marcin Probola	July 16, 2015
Plugmatter Optin Feature Box < 2.0.14 - SQL Injection	CVE-2015-9451	9.8	Marcin Probola	July 16, 2015

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 24, 2024 Vulns
1	stealthcopter	23
2	vgo0	19
3	wesley (wcraft)	19
4	Francesco Carlucci	18
5	Lucio Sá	14
6	Rafie Muhammad	11
7	Dave Jong	10
8	Ananda Dhakal	9
9	Marco Wotschka	7
10	Daniel Ruf	6
11	Krzysztof Zając	6
12	Muhammad Daffa	6
13	João Pedro Soares de Alcântara	5
14	Fariq Fadillah Gusti Insani (fariqfgi)	5
15	Le Ngoc Anh	5
16	István Márton	4
17	Peter Thaleikis	4
18	LVT-tholv2k	4
19	Webbernaut	4
20	rezaduty	4

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation