WordPress Vulnerability Database

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or researcher name.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title: Searches through the title of each vulnerability for matches.
date: Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.
cvss-rating: Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.
researcher: Returns vulnerabilities credited to researchers containing the given text.
software: Returns vulnerabilities discovered in software containing the given text.
software-slug: Returns vulnerabilities discovered in software exactly matching the given slug.
software-type: Use plugin, theme or core to limit the search to the specified type of software.

All Vulnerabilities

| Title | CVE ID | CVSS | Researchers | Date |
|---|---|---|---|---|
| Extensive VC Addons for WPBakery page builder <= 1.9 - Unauthenticated Local File Inclusion | CVE-2023-0159 | 9.1 | dc11 | January 23, 2023 |
| WooCommerce Chained Products < 2.12.0 - Missing Authorization to Arbitrary Options Update | CVE-2022-4872 | 9.1 | WPScanTeam | January 4, 2023 |
| Images Optimize and Upload CF7 <= 2.1.4 - Missing Authorization to Arbitrary File Deletion | CVE-2022-4101 | 9.1 | cydave | December 21, 2022 |
| Comic Book Management System < 2.2.0 - Authenticated (Administrator+) SQL Injection | CVE-2022-3856 | 9.1 | Kunal Sharma, Daniel Krohmer | November 14, 2022 |
| Firebase PHP-JWT < 6.0.0 - Algorithm Confusion | CVE-2021-46743 | 9.1 | | November 11, 2022 |
| WatchTowerHQ <= 3.6.15 - Unauthenticated Arbitrary File Deletion | CVE-2022-44584 | 9.1 | Dave Jong | November 1, 2022 |
| SearchWP Live Ajax Search <= 1.6.2 - Directory Traversal and Local File Inclusion | CVE-2022-3227 | 9.1 | Muhammad Zeeshan (Xib3rR4dAr) | September 15, 2022 |
| Alphabetic Pagination <= 3.0.7 - Missing Authorization to Unauthenticated Arbitrary Options Update | | 9.1 | | August 25, 2022 |
| WP All Import <= 3.6.7 - Authenticated (Administrator+) Arbitrary Code Execution | CVE-2022-36386 | 9.1 | Universe | June 28, 2022 |
| Formcraft3 <= 3.8.27 - Server Side Request Forgery | CVE-2022-0591 | 9.1 | Brandon James Roldan (tomorrowisnew) | February 28, 2022 |
| Blackhole for Bad Bots <= 3.3.1 - Arbitrary IP Address Blocking via IP Spoofing | CVE-2022-1165 | 9.1 | Daniel Ruf | January 31, 2022 |
| JS Job Manager < 1.1.9 - Arbitrary Plugin Installation/Activation | | 9.1 | spacehen | September 30, 2021 |
| WordPress Automatic Plugin <= 3.53.2 - Unauthenticated Arbitrary Options Update | CVE-2021-4374 | 9.1 | Jerome Bruandet | September 6, 2021 |
| OMGF <= 4.5.3 - Unauthenticated Path Traversal in REST API | CVE-2021-24638 | 9.1 | apple502j | August 23, 2021 |
| Import XML and RSS Feeds <= 2.0.2 - Server-Side Request Forgery | CVE-2020-24148 | 9.1 | Suzhou Aurora Infinity Information Technology Co | April 13, 2021 |
| WordPress Importer : Import any XML File to WordPress < 1.0.1 - Server-Side Request Forgery | CVE-2020-24147 | 9.1 | Suzhou Aurora Infinity Information Technology Co | April 13, 2021 |
| Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload | CVE-2021-24220 | 9.1 | Wordfence | March 24, 2021 |
| uListing <= 1.6.6 - Unauthenticated Arbitrary Post/Page Deletion | CVE-2021-4357 | 9.1 | Jerome Bruandet | January 28, 2021 |
| Modal Survey <= 2.0.1.8 - PHP Object Injection | | 9.1 | Pagely | January 8, 2021 |
| Realia <= 1.4.0 - Arbitrary Post Deletion | | 9.1 | Erwan LR, RE-ALTER | October 15, 2020 |

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.