🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

JSmol2WP <= 1.07 - Server-Side Request Forgery

7.5

CVE-2018-20463

Dec 25, 2018

Researchers:

Export WordPress Data with Advanced Filters <= 1.4.1 - Cross-Site Request Forgery

8.8

CVE-2018-20968

Dec 19, 2018

Researchers:

Two Factor Authentication <= 1.3.12 - Cross-Site Request Forgery

8.8

CVE-2018-20231

Dec 18, 2018

Researcher: Martijn Korse

WP Maintenance Mode <= 2.0.6 - Remote Code Execution

9.1

CVE-2018-20156

Dec 14, 2018

Researcher: Sean Murphy

Read and Understood < 2.2 - Cross-Site Scripting

5.5

CVE-2018-5668

Dec 13, 2018

Researcher: d4wner

WordPress Core < 5.0.1 - PHP Object Injection

8.8

CVE-2018-20148

Dec 12, 2018

Researcher: Sam Thomas

WordPress Core < 5.0.1 - Arbitrary File Deletion

7.7

CVE-2018-20147

Dec 12, 2018

Researcher: Karim El Ouerghemmi

WordPress Core < 5.0.1 - Authenticated Stored Cross-Site Scripting via Comments

6.4

CVE-2018-20153

Dec 12, 2018

Researcher: Tim Coen

WordPress Core < 5.0.1 - Stored Cross-Site Scripting via File Uploads

6.4

CVE-2018-20149

Dec 12, 2018

Researchers: Tim Coen, Slavco Mihajloski

WordPress Core < 5.0.1 Reflected Cross-Site Scripting

6.1

CVE-2018-20150

Dec 12, 2018

Researcher: Tim Coen

WordPress Core < 5.0.1 - Sensitive Information Disclosure

7.5

CVE-2018-20151

Dec 12, 2018

Researcher: Team Yoast

WordPress Core < 5.0.1 - Authorization Bypass

4.3

CVE-2018-20152

Dec 12, 2018

Researcher: Simon Scannell

Import users from CSV with meta <= 1.12 - Import Cross-Site Scripting

6.1

CVE-2018-20101

Dec 11, 2018

Researcher: Slawek Zytko

WebP Express < 0.14.11 - Arbitrary File Read

7.5

CVE-2019-15330

Dec 11, 2018

Researchers:

Jetpack <= 6.4.2 - Cross-Site Scripting via post_meta

5.4

CVE ID Unknown

Dec 11, 2018

Researcher: RIPS Technologies

Smush – Lazy Load Images, Optimize & Compress Images <= 2.9.1 - Cross-Site Scripting

9.8

CVE ID Unknown

Dec 10, 2018

Researchers:

Smush – Lazy Load Images, Optimize & Compress Images <= 3.0.0 - Authenticated PHAR Deserialization

8.8

CVE ID Unknown

Dec 10, 2018

Researchers:

Contact Form by WPForms <= 1.4.8 - Reflected Cross-Site Scripting

7.1

CVE ID Unknown

Dec 10, 2018

Researcher: RIPS Technologies

CSS & JavaScript Toolbox <= 8.4.1 - Information Exposure

5.8

CVE ID Unknown

Dec 8, 2018

Researcher: KingSkrupellos

Advanced Custom Fields <= 5.7.7 - Author+ Stored Cross-Site Scripting

5.4

CVE-2018-20986

Dec 7, 2018

Researchers:

Title	CVE ID	CVSS	Researchers	Date
JSmol2WP <= 1.07 - Server-Side Request Forgery	CVE-2018-20463	7.5		December 25, 2018
Export WordPress Data with Advanced Filters <= 1.4.1 - Cross-Site Request Forgery	CVE-2018-20968	8.8		December 19, 2018
Two Factor Authentication <= 1.3.12 - Cross-Site Request Forgery	CVE-2018-20231	8.8	Martijn Korse	December 18, 2018
WP Maintenance Mode <= 2.0.6 - Remote Code Execution	CVE-2018-20156	9.1	Sean Murphy	December 14, 2018
Read and Understood < 2.2 - Cross-Site Scripting	CVE-2018-5668	5.5	d4wner	December 13, 2018
WordPress Core < 5.0.1 - PHP Object Injection	CVE-2018-20148	8.8	Sam Thomas	December 12, 2018
WordPress Core < 5.0.1 - Arbitrary File Deletion	CVE-2018-20147	7.7	Karim El Ouerghemmi	December 12, 2018
WordPress Core < 5.0.1 - Authenticated Stored Cross-Site Scripting via Comments	CVE-2018-20153	6.4	Tim Coen	December 12, 2018
WordPress Core < 5.0.1 - Stored Cross-Site Scripting via File Uploads	CVE-2018-20149	6.4	Tim Coen, Slavco Mihajloski	December 12, 2018
WordPress Core < 5.0.1 Reflected Cross-Site Scripting	CVE-2018-20150	6.1	Tim Coen	December 12, 2018
WordPress Core < 5.0.1 - Sensitive Information Disclosure	CVE-2018-20151	7.5	Team Yoast	December 12, 2018
WordPress Core < 5.0.1 - Authorization Bypass	CVE-2018-20152	4.3	Simon Scannell	December 12, 2018
Import users from CSV with meta <= 1.12 - Import Cross-Site Scripting	CVE-2018-20101	6.1	Slawek Zytko	December 11, 2018
WebP Express < 0.14.11 - Arbitrary File Read	CVE-2019-15330	7.5		December 11, 2018
Jetpack <= 6.4.2 - Cross-Site Scripting via post_meta		5.4	RIPS Technologies	December 11, 2018
Smush – Lazy Load Images, Optimize & Compress Images <= 2.9.1 - Cross-Site Scripting		9.8		December 10, 2018
Smush – Lazy Load Images, Optimize & Compress Images <= 3.0.0 - Authenticated PHAR Deserialization		8.8		December 10, 2018
Contact Form by WPForms <= 1.4.8 - Reflected Cross-Site Scripting		7.1	RIPS Technologies	December 10, 2018
CSS & JavaScript Toolbox <= 8.4.1 - Information Exposure		5.8	KingSkrupellos	December 8, 2018
Advanced Custom Fields <= 5.7.7 - Author+ Stored Cross-Site Scripting	CVE-2018-20986	5.4		December 7, 2018

Submit Vulnerability

«
‹
1
2
...
836
837
838
...
1015
1016
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Oct 20, 2024 Vulns
1	SOPROBRO	211
2	João Pedro Soares de Alcântara	61
3	Francesco Carlucci	55
4	Gab	44
5	stealthcopter	39
6	Peter Thaleikis	39
7	István Márton	35
8	Mika	29
9	vgo0	25
10	LVT-tholv2k	23
11	wesley (wcraft)	15
12	Trương Hữu Phúc (truonghuuphuc)	15
13	theviper17y	14
14	zer0gh0st	13
15	Tonn	12
16	Arkadiusz Hydzik	10
17	Tieu Pham Trong Nhan	9
18	Le Ngoc Anh	8
19	incognito	8
20	Webbernaut	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation