Have you found a vulnerability in a WordPress plugin or theme? Report vulnerabilities in WordPress plugins and themes through our bug bounty program and earn a bounty on all in-scope submissions, while we handle the responsible disclosure process on your behalf.

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

MonsterInsights – Google Analytics Dashboard for WordPress <= 7.1 - Stored Cross-Site Scripting

6.4

CVE ID Unknown

Sep 18, 2018

Researcher: RIPS Technologies

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting

6.1

CVE-2018-1002007

Sep 18, 2018

Researcher: Larry W. Cashdollar

Arigato Autoresponder and Newsletter <= 2.5.1.8 - Cross-Site Scripting

4.8

CVE-2018-1002005

Sep 18, 2018

Researcher: Larry W. Cashdollar

File Manager <= 3.0 - Stored Cross-Site Scripting

6.1

CVE-2018-16967

Sep 17, 2018

Researcher: Mohammed Ansari

File Manager <= 3.0 - Cross-Site Request Forgery

8.8

CVE-2018-16966

Sep 17, 2018

Researcher: Mohammed Ansari

File Manager <= 3.0 - Unauthenticated Arbitrary File Upload/Download

9.8

CVE-2018-25105

Sep 17, 2018

Researchers:

Unyson <= 2.7.18 - Sensitive Information Exposure

5.3

CVE ID Unknown

Sep 15, 2018

Researcher: Jonas Lejon

I Recommend This < 3.8.2 - Cross-Site Scripting

7.2

CVE ID Unknown

Sep 11, 2018

Researchers:

UserPro <= 4.9.27 - Privilege Escalation

9.8

CVE ID Unknown

Sep 10, 2018

Researcher: Noman Riffat

wpForo < = 1.5.1 - Privilege Escalation

9.8

CVE-2018-16613

Sep 6, 2018

Researcher: 9emin1

File Manager <= 2.9 - Reflected Cross-Site Scripting

6.1

CVE-2018-16363

Sep 6, 2018

Researcher: ly55521

WordPress Core < 5.0.1 - PHAR Unserialization

7.5

CVE-2018-1000773

Sep 6, 2018

Researcher: Sam Thomas

Contact Form 7 <= 5.0.3 - Authorization Bypass

6.3

CVE-2018-20979

Sep 4, 2018

Researcher: Simon Scannell

Service Finder - Provider and Business Listing Theme < 3.2 - Path Traversal

7.5

CVE ID Unknown

Sep 1, 2018

Researcher: telahdihapus

UserPro <= 4.9.23 - Unauthenticated Cross-Site Scripting

6.1

CVE-2018-16285

Aug 31, 2018

Researchers:

Jibu Pro <= 1.7 - Authenticated Stored Cross-Site Scripting

6.4

CVE-2018-17138

Aug 29, 2018

Researcher: Renos Nikolaou

Duplicator <= 1.2.41 - Sensitive Information Disclosure leading to Remote Code Execution

9.8

CVE-2018-17207

Aug 29, 2018

Researchers: Thomas Chauchefoin, Julien Legras

WooCommerce <= 3.4.4 - Authenticated PHP Object Injection

6.6

CVE ID Unknown

Aug 29, 2018

Researchers:

Quizlord <= 2.0 - Authenticated Stored Cross-Site Scripting

6.4

CVE-2018-17140

Aug 29, 2018

Researcher: Renos Nikolaou

Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.3.13 - Cross-Site Scripting

8.3

CVE ID Unknown

Aug 27, 2018

Researcher: Adam Roberts

Title	CVE ID	CVSS	Researchers	Date
MonsterInsights – Google Analytics Dashboard for WordPress <= 7.1 - Stored Cross-Site Scripting		6.4	RIPS Technologies	September 18, 2018
Arigato Autoresponder and Newsletter <= 2.5.1.8 - Reflected Cross-Site Scripting	CVE-2018-1002007	6.1	Larry W. Cashdollar	September 18, 2018
Arigato Autoresponder and Newsletter <= 2.5.1.8 - Cross-Site Scripting	CVE-2018-1002005	4.8	Larry W. Cashdollar	September 18, 2018
File Manager <= 3.0 - Stored Cross-Site Scripting	CVE-2018-16967	6.1	Mohammed Ansari	September 17, 2018
File Manager <= 3.0 - Cross-Site Request Forgery	CVE-2018-16966	8.8	Mohammed Ansari	September 17, 2018
File Manager <= 3.0 - Unauthenticated Arbitrary File Upload/Download	CVE-2018-25105	9.8		September 17, 2018
Unyson <= 2.7.18 - Sensitive Information Exposure		5.3	Jonas Lejon	September 15, 2018
I Recommend This < 3.8.2 - Cross-Site Scripting		7.2		September 11, 2018
UserPro <= 4.9.27 - Privilege Escalation		9.8	Noman Riffat	September 10, 2018
wpForo < = 1.5.1 - Privilege Escalation	CVE-2018-16613	9.8	9emin1	September 6, 2018
File Manager <= 2.9 - Reflected Cross-Site Scripting	CVE-2018-16363	6.1	ly55521	September 6, 2018
WordPress Core < 5.0.1 - PHAR Unserialization	CVE-2018-1000773	7.5	Sam Thomas	September 6, 2018
Contact Form 7 <= 5.0.3 - Authorization Bypass	CVE-2018-20979	6.3	Simon Scannell	September 4, 2018
Service Finder - Provider and Business Listing Theme < 3.2 - Path Traversal		7.5	telahdihapus	September 1, 2018
UserPro <= 4.9.23 - Unauthenticated Cross-Site Scripting	CVE-2018-16285	6.1		August 31, 2018
Jibu Pro <= 1.7 - Authenticated Stored Cross-Site Scripting	CVE-2018-17138	6.4	Renos Nikolaou	August 29, 2018
Duplicator <= 1.2.41 - Sensitive Information Disclosure leading to Remote Code Execution	CVE-2018-17207	9.8	Thomas Chauchefoin, Julien Legras	August 29, 2018
WooCommerce <= 3.4.4 - Authenticated PHP Object Injection		6.6		August 29, 2018
Quizlord <= 2.0 - Authenticated Stored Cross-Site Scripting	CVE-2018-17140	6.4	Renos Nikolaou	August 29, 2018
Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress <= 3.3.13 - Cross-Site Scripting		8.3	Adam Roberts	August 27, 2018

Submit Vulnerability

«
‹
1
2
...
919
920
921
...
1093
1094
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Dec 11, 2024 Vulns
1	SOPROBRO	82
2	vgo0	58
3	Peter Thaleikis	38
4	João Pedro Soares de Alcântara	36
5	Mika	35
6	Rafie Muhammad	33
7	Lucio Sá	24
8	Francesco Carlucci	21
9	zaim	21
10	yudha	17
11	theviper17y	15
12	ardias	15
13	LVT-tholv2k	13
14	zakaria	12
15	Tieu Pham Trong Nhan	11
16	Webbernaut	11
17	thiennv	10
18	Bonds	9
19	Arkadiusz Hydzik	9
20	stealthcopter	8

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation