🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers, top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Event Espresso Free/Lite <= 3.1.37.12.L - Unauthenticated SQL Injection

9.8

CVE-2017-14760

Sep 30, 2019

Researcher: minhtuanact

Theme Editor <= 2.1 - Cross-Site Request Forgery

8.8

CVE ID Unknown

Sep 30, 2019

Researchers:

Visualizer: Tables and Charts Manager for WordPress <= 3.3.0 - Server-Side Request Forgery

9.3

CVE-2019-16932

Sep 28, 2019

Researcher: Nathan Davison

Visualizer: Tables and Charts Manager for WordPress <= 3.3.0 - Stored Cross-Site Scripting

6.1

CVE-2019-16931

Sep 28, 2019

Researcher: Nathan Davison

GiveWP <= 2.5.4 - Authorization Bypass

7.5

CVE-2019-20360

Sep 26, 2019

Researchers: Chloe Chamberland, Matt Barry

Yoast Duplicate Post <= 3.2.3 - Authenticated (Admin+) Stored Cross-Site Scripting

5.5

CVE ID Unknown

Sep 26, 2019

Researcher: Unk9vvN

Easy Fancybox <= 1.8.17 - Authenticated Stored Cross-Site Scripting

5.5

CVE-2019-16524

Sep 25, 2019

Researcher: Jakob Hagl

Rich Reviews <= 1.7.4 - Stored Cross-Site Scripting

7.2

CVE-2019-25216

Sep 24, 2019

Researcher: Mikey Veenstra

Simple Fields <= 1.4.11 - Cross-Site Scripting

7.2

CVE ID Unknown

Sep 24, 2019

Researchers:

Zoner - Real Estate WordPress Theme < 4.2 - Cross-Site Scripting

6.1

CVE ID Unknown

Sep 24, 2019

Researcher: RE-ALTER

DELUCKS SEO < 2.1.8 - Stored Cross Site Scripting

7.2

CVE-2019-25146

Sep 21, 2019

Researcher: Jerome Bruandet

WP Google Map Plugin <= 4.0.9 - Cross-Site Request Forgery to PHP Object Injection

8.8

CVE ID Unknown

Sep 21, 2019

Researchers:

WP MAPS – Easiest & Most Advanced WordPress Plugin for Google Maps <= 4.0.9 - Reflected Cross-Site Scripting

6.1

CVE ID Unknown

Sep 21, 2019

Researchers:

Motors – Car Dealer, Classifieds & Listing <= 1.4.0 - Stored Cross-Site Scripting

6.1

CVE-2019-17229

Sep 20, 2019

Researcher: Jerome Bruandet

Ultimate FAQ <= 1.8.24 - Cross-Site Scripting

6.1

CVE-2019-17233

Sep 20, 2019

Researcher: Jerome Bruandet

Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated Settings Import/Export

6.5

CVE-2019-17228

Sep 20, 2019

Researcher: Jerome Bruandet

Ultimate FAQ <= 1.8.24 - Unauthenticated Options Import/Export

9.1

CVE-2019-17232

Sep 20, 2019

Researcher: Jerome Bruandet

Export Users to CSV < 1.4 - CSV Injection

7.4

CVE-2020-9466

Sep 19, 2019

Researcher: Jinson Varghese Behanan

WooCommerce AJAX Product Filters <= 1.3.6 - Arbitrary Settings Update

8.3

CVE ID Unknown

Sep 18, 2019

Researcher: Sucuri Research Team

Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.6.24 - Unauthenticated Stored Cross-Site Scripting

6.1

CVE ID Unknown

Sep 16, 2019

Researchers:

Title	CVE ID	CVSS	Researchers	Date
Event Espresso Free/Lite <= 3.1.37.12.L - Unauthenticated SQL Injection	CVE-2017-14760	9.8	minhtuanact	September 30, 2019
Theme Editor <= 2.1 - Cross-Site Request Forgery		8.8		September 30, 2019
Visualizer: Tables and Charts Manager for WordPress <= 3.3.0 - Server-Side Request Forgery	CVE-2019-16932	9.3	Nathan Davison	September 28, 2019
Visualizer: Tables and Charts Manager for WordPress <= 3.3.0 - Stored Cross-Site Scripting	CVE-2019-16931	6.1	Nathan Davison	September 28, 2019
GiveWP <= 2.5.4 - Authorization Bypass	CVE-2019-20360	7.5	Chloe Chamberland, Matt Barry	September 26, 2019
Yoast Duplicate Post <= 3.2.3 - Authenticated (Admin+) Stored Cross-Site Scripting		5.5	Unk9vvN	September 26, 2019
Easy Fancybox <= 1.8.17 - Authenticated Stored Cross-Site Scripting	CVE-2019-16524	5.5	Jakob Hagl	September 25, 2019
Rich Reviews <= 1.7.4 - Stored Cross-Site Scripting	CVE-2019-25216	7.2	Mikey Veenstra	September 24, 2019
Simple Fields <= 1.4.11 - Cross-Site Scripting		7.2		September 24, 2019
Zoner - Real Estate WordPress Theme < 4.2 - Cross-Site Scripting		6.1	RE-ALTER	September 24, 2019
DELUCKS SEO < 2.1.8 - Stored Cross Site Scripting	CVE-2019-25146	7.2	Jerome Bruandet	September 21, 2019
WP Google Map Plugin <= 4.0.9 - Cross-Site Request Forgery to PHP Object Injection		8.8		September 21, 2019
WP MAPS – Easiest & Most Advanced WordPress Plugin for Google Maps <= 4.0.9 - Reflected Cross-Site Scripting		6.1		September 21, 2019
Motors – Car Dealer, Classifieds & Listing <= 1.4.0 - Stored Cross-Site Scripting	CVE-2019-17229	6.1	Jerome Bruandet	September 20, 2019
Ultimate FAQ <= 1.8.24 - Cross-Site Scripting	CVE-2019-17233	6.1	Jerome Bruandet	September 20, 2019
Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated Settings Import/Export	CVE-2019-17228	6.5	Jerome Bruandet	September 20, 2019
Ultimate FAQ <= 1.8.24 - Unauthenticated Options Import/Export	CVE-2019-17232	9.1	Jerome Bruandet	September 20, 2019
Export Users to CSV < 1.4 - CSV Injection	CVE-2020-9466	7.4	Jinson Varghese Behanan	September 19, 2019
WooCommerce AJAX Product Filters <= 1.3.6 - Arbitrary Settings Update		8.3	Sucuri Research Team	September 18, 2019
Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.6.24 - Unauthenticated Stored Cross-Site Scripting		6.1		September 16, 2019

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 2, 2024 Vulns
1	Francesco Carlucci	53
2	João Pedro Soares de Alcântara	52
3	István Márton	50
4	stealthcopter	46
5	vgo0	43
6	SOPROBRO	33
7	Mika	32
8	Peter Thaleikis	27
9	theviper17y	18
10	Trương Hữu Phúc (truonghuuphuc)	16
11	LVT-tholv2k	15
12	Rafie Muhammad	14
13	wesley (wcraft)	12
14	Colin Xu	10
15	Le Ngoc Anh	9
16	Hakiduck	9
17	Joshua Chan	8
18	Ankit Patel	8
19	Webbernaut	7
20	Robert DeVore	7

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation