🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Photo Gallery by 10Web <= 1.2.7 - Unauthenticated Blind SQL Injection via order_by Parameter

9.8

CVE-2015-1055

Jan 12, 2015

Researcher: Brandon Perry

cformsII < 14.8 - Arbitrary File Upload

9.8

CVE-2014-9473

Dec 29, 2014

Researcher: Zakhar Fedotkin

WordPress Download Manager <= 2.7.4 - Remote Code Execution

9.8

CVE ID Unknown

Dec 15, 2014

Researcher: MICKAEL NADEAU (Sucuri)

WP Symposium <= 14.11 - Arbitrary File Upload

9.8

CVE-2014-10021

Dec 11, 2014

Researcher: Claudio Viviani

Feedweb <= 3.0.7 - SQL Injection

9.8

CVE ID Unknown

Dec 7, 2014

Researchers:

ChurcHope <= 2.1 - Local File Inclusion

9.8

CVE ID Unknown

Dec 7, 2014

Researchers:

Satoshi <= 2.0 - Arbitrary File Upload

9.8

CVE ID Unknown

Dec 6, 2014

Researchers:

InfiniteWP Client <= 1.3.7 - PHP Object Injection

9.8

CVE ID Unknown

Dec 2, 2014

Researcher: Marc-Alexandre Montpas

InfiniteWP Client <= 1.3.7 - Privilege Escalation

9.8

CVE ID Unknown

Dec 2, 2014

Researcher: Marc-Alexandre Montpas

Showbiz Pro Responsive Teaser WordPress Plugin <= 1.7.1 - Arbitrary File Upload

9.8

CVE-2015-9499

Nov 25, 2014

Researcher: Simo Ben youssef

Slider Revolution < 3.0.96 & Showbiz Pro < 1.7.1 - Missing Authorization to Arbitrary File Upload

9.8

CVE-2014-9735

Nov 25, 2014

Researcher: Simo Ben youssef

Gallery Bank – WordPress Photo Gallery Plugin < 3.0.61 - Arbitrary File Upload

9.8

CVE ID Unknown

Nov 25, 2014

Researcher: Shahab Shamsi (Mohit Amn Security Team)

wpDataTables <= 1.5.3 - Arbitrary File Upload

9.8

CVE ID Unknown

Nov 25, 2014

Researcher: Claudio Viviani

wpDataTables (Premium) <= 1.5.3 - SQL Injection

9.8

CVE-2014-9175

Nov 23, 2014

Researcher: Claudio Viviani

SP Project & Document Manager < 2.4.4 - Multiple SQL Injection

9.8

CVE-2014-9178

Nov 20, 2014

Researcher: Dang Quoc Thai

WP Support Plus Responsive Ticket System <= 4.1 - Improper Authentication

9.8

CVE-2014-10389

Nov 15, 2014

Researcher: Fikri Fadzil

CM Download Manager <= 2.0.3 - Code Injection

9.8

CVE-2014-8877

Nov 10, 2014

Researcher: Phi Le Ngoc

Store Locator 2.3 - 3.11 - SQL Injection

9.8

CVE-2014-8621

Nov 5, 2014

Researcher: James Hooker

Creative Contact Form < 1.0.0 - Arbitrary File Upload

9.8

CVE-2014-8739

Oct 23, 2014

Researcher: Gianni Angelozzi

Calendar Event Multi View < 1.0.2 - SQL Injection

9.8

CVE-2014-8586

Oct 23, 2014

Researcher: Claudio Viviani

Title	CVE ID	CVSS	Researchers	Date
Photo Gallery by 10Web <= 1.2.7 - Unauthenticated Blind SQL Injection via order_by Parameter	CVE-2015-1055	9.8	Brandon Perry	January 12, 2015
cformsII < 14.8 - Arbitrary File Upload	CVE-2014-9473	9.8	Zakhar Fedotkin	December 29, 2014
WordPress Download Manager <= 2.7.4 - Remote Code Execution		9.8	MICKAEL NADEAU (Sucuri)	December 15, 2014
WP Symposium <= 14.11 - Arbitrary File Upload	CVE-2014-10021	9.8	Claudio Viviani	December 11, 2014
Feedweb <= 3.0.7 - SQL Injection		9.8		December 7, 2014
ChurcHope <= 2.1 - Local File Inclusion		9.8		December 7, 2014
Satoshi <= 2.0 - Arbitrary File Upload		9.8		December 6, 2014
InfiniteWP Client <= 1.3.7 - PHP Object Injection		9.8	Marc-Alexandre Montpas	December 2, 2014
InfiniteWP Client <= 1.3.7 - Privilege Escalation		9.8	Marc-Alexandre Montpas	December 2, 2014
Showbiz Pro Responsive Teaser WordPress Plugin <= 1.7.1 - Arbitrary File Upload	CVE-2015-9499	9.8	Simo Ben youssef	November 25, 2014
Slider Revolution < 3.0.96 & Showbiz Pro < 1.7.1 - Missing Authorization to Arbitrary File Upload	CVE-2014-9735	9.8	Simo Ben youssef	November 25, 2014
Gallery Bank – WordPress Photo Gallery Plugin < 3.0.61 - Arbitrary File Upload		9.8	Shahab Shamsi (Mohit Amn Security Team)	November 25, 2014
wpDataTables <= 1.5.3 - Arbitrary File Upload		9.8	Claudio Viviani	November 25, 2014
wpDataTables (Premium) <= 1.5.3 - SQL Injection	CVE-2014-9175	9.8	Claudio Viviani	November 23, 2014
SP Project & Document Manager < 2.4.4 - Multiple SQL Injection	CVE-2014-9178	9.8	Dang Quoc Thai	November 20, 2014
WP Support Plus Responsive Ticket System <= 4.1 - Improper Authentication	CVE-2014-10389	9.8	Fikri Fadzil	November 15, 2014
CM Download Manager <= 2.0.3 - Code Injection	CVE-2014-8877	9.8	Phi Le Ngoc	November 10, 2014
Store Locator 2.3 - 3.11 - SQL Injection	CVE-2014-8621	9.8	James Hooker	November 5, 2014
Creative Contact Form < 1.0.0 - Arbitrary File Upload	CVE-2014-8739	9.8	Gianni Angelozzi	October 23, 2014
Calendar Event Multi View < 1.0.2 - SQL Injection	CVE-2014-8586	9.8	Claudio Viviani	October 23, 2014

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 25, 2024 Vulns
1	Francesco Carlucci	23
2	stealthcopter	23
3	wesley (wcraft)	22
4	vgo0	19
5	Lucio Sá	17
6	Rafie Muhammad	11
7	Dave Jong	10
8	Ananda Dhakal	9
9	Krzysztof Zając	8
10	Marco Wotschka	7
11	Muhammad Daffa	6
12	Daniel Ruf	6
13	João Pedro Soares de Alcântara	5
14	Peter Thaleikis	5
15	Le Ngoc Anh	5
16	Fariq Fadillah Gusti Insani (fariqfgi)	5
17	Webbernaut	4
18	rezaduty	4
19	István Márton	4
20	LVT-tholv2k	4

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation