Have you found a vulnerability in a WordPress plugin or theme? Report vulnerabilities in WordPress plugins and themes through our bug bounty program and earn a bounty on all in-scope submissions, while we handle the responsible disclosure process on your behalf.

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Mang Board WP <= 1.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVE-2024-22306

Jan 26, 2024

Researcher: Byeongjun Jo

Meks Smart Social Widget <= 1.6.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-0664

Jan 26, 2024

Researcher: arpeetrathi

WP RSS Aggregator <= 4.23.4 - Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source

4.4

CVE-2024-0630

Jan 25, 2024

Researcher: Colin Xu

WPFront Notification Bar <= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class]

4.4

CVE-2024-0625

Jan 24, 2024

Researcher: Sh

WebSub (FKA. PubSubHubbub) <= 3.1.4 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-0688

Jan 24, 2024

Researcher: Sh

Better Follow Button for Jetpack <= 8.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2023-7168

Jan 23, 2024

Researcher: Bob Matyas

illi Link Party! <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2023-7230

Jan 23, 2024

Researcher: Bob Matyas

WolfNet IDX for WordPress <= 1.19.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2023-6783

Jan 23, 2024

Researcher: Ma Long

Sticky Buttons <= 3.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-0703

Jan 22, 2024

Researcher: Dipak Panchal (th3.d1p4k)

Content Views <= 3.6.2 - Authenticated(Administrator+) Stored Cross-Site Scripting via settings

4.4

CVE-2024-0612

Jan 22, 2024

Researcher: Akbar Kustirama

Chartjs <= 2023.2 - Authenticated(Editor+) Stored Cross-Site Scripting via chart

4.4

CVE-2023-6082

Jan 19, 2024

Researchers: Sergen Koç, Asif Nawaz Minhas

Chartjs <= 2023.2 - Authenticated(Editor+) Stored Cross-Site Scripting

4.4

CVE-2023-6081

Jan 19, 2024

Researchers: Sergen Koç, Asif Nawaz Minhas

GigPress <= 2.3.29 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2023-7233

Jan 19, 2024

Researcher: Bob Matyas

Fluent Forms <= 5.1.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via imported form title

4.4

CVE-2024-0618

Jan 18, 2024

Researcher: Akbar Kustirama

HD Quiz <= 1.8.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

4.4

CVE-2024-22161

Jan 16, 2024

Researcher: Myungju Kim

Stock Locations for WooCommerce <= 2.5.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings

4.4

CVE-2024-22153

Jan 16, 2024

Researcher: Mika

Ultimate Maps by Supsystic <= 1.2.15 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2023-6732

Jan 12, 2024

Researcher: Mert Umut

Hubbub Lite <= 1.31.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2023-7154

Jan 11, 2024

Researcher: Tycho Niestadt

EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.7 (Free) - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2023-6005

Jan 10, 2024

Researcher: Miguel Santareno

Woocommerce Vietnam Checkout <= 2.0.8 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE ID Unknown

Jan 10, 2024

Researchers:

Title	CVE ID	CVSS	Researchers	Date
Mang Board WP <= 1.7.7 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2024-22306	4.4	Byeongjun Jo	January 26, 2024
Meks Smart Social Widget <= 1.6.3 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-0664	4.4	arpeetrathi	January 26, 2024
WP RSS Aggregator <= 4.23.4 - Authenticated (Admin+) Stored Cross-Site Scripting via RSS Feed Source	CVE-2024-0630	4.4	Colin Xu	January 25, 2024
WPFront Notification Bar <= 3.3.2 - Authenticated (Admin+) Stored Cross-Site Scripting via wpfront-notification-bar-options[custom_class]	CVE-2024-0625	4.4	Sh	January 24, 2024
WebSub (FKA. PubSubHubbub) <= 3.1.4 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-0688	4.4	Sh	January 24, 2024
Better Follow Button for Jetpack <= 8.0 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2023-7168	4.4	Bob Matyas	January 23, 2024
illi Link Party! <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2023-7230	4.4	Bob Matyas	January 23, 2024
WolfNet IDX for WordPress <= 1.19.1 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2023-6783	4.4	Ma Long	January 23, 2024
Sticky Buttons <= 3.2.2 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-0703	4.4	Dipak Panchal (th3.d1p4k)	January 22, 2024
Content Views <= 3.6.2 - Authenticated(Administrator+) Stored Cross-Site Scripting via settings	CVE-2024-0612	4.4	Akbar Kustirama	January 22, 2024
Chartjs <= 2023.2 - Authenticated(Editor+) Stored Cross-Site Scripting via chart	CVE-2023-6082	4.4	Sergen Koç, Asif Nawaz Minhas	January 19, 2024
Chartjs <= 2023.2 - Authenticated(Editor+) Stored Cross-Site Scripting	CVE-2023-6081	4.4	Sergen Koç, Asif Nawaz Minhas	January 19, 2024
GigPress <= 2.3.29 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2023-7233	4.4	Bob Matyas	January 19, 2024
Fluent Forms <= 5.1.5 - Authenticated(Administrator+) Stored Cross-Site Scripting via imported form title	CVE-2024-0618	4.4	Akbar Kustirama	January 18, 2024
HD Quiz <= 1.8.11 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings	CVE-2024-22161	4.4	Myungju Kim	January 16, 2024
Stock Locations for WooCommerce <= 2.5.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via settings	CVE-2024-22153	4.4	Mika	January 16, 2024
Ultimate Maps by Supsystic <= 1.2.15 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2023-6732	4.4	Mert Umut	January 12, 2024
Hubbub Lite <= 1.31.1 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2023-7154	4.4	Tycho Niestadt	January 11, 2024
EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.7 (Free) - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2023-6005	4.4	Miguel Santareno	January 10, 2024
Woocommerce Vietnam Checkout <= 2.0.8 - Authenticated (Admin+) Stored Cross-Site Scripting		4.4		January 10, 2024

Submit Vulnerability

«
‹
1
2
...
918
919
920
...
1093
1094
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Dec 11, 2024 Vulns
1	SOPROBRO	82
2	vgo0	58
3	Peter Thaleikis	38
4	João Pedro Soares de Alcântara	36
5	Mika	35
6	Rafie Muhammad	33
7	Lucio Sá	24
8	Francesco Carlucci	21
9	zaim	21
10	yudha	17
11	theviper17y	15
12	ardias	15
13	LVT-tholv2k	13
14	zakaria	12
15	Tieu Pham Trong Nhan	11
16	Webbernaut	11
17	thiennv	10
18	Bonds	9
19	Arkadiusz Hydzik	9
20	stealthcopter	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation