Have you found a vulnerability in a WordPress plugin or theme? Report vulnerabilities in WordPress plugins and themes through our bug bounty program and earn a bounty on all in-scope submissions, while we handle the responsible disclosure process on your behalf.

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Ninja Forms <= 3.3.8 - Insufficient Restrictions during Export Personal Data requests

9.1

CVE-2018-20981

Jul 6, 2018

Researchers:

WordPress Core < 4.9.7 - Authenticated Arbitrary File Deletion

8.8

CVE-2018-12895

Jul 5, 2018

Researchers: Matt Barry, Karim El Ouerghemmi, Slavco Mihajloski

Ultimate Member <= 2.0.17 - Authenticated Cross-Site Scripting

6.1

CVE-2018-13136

Jul 3, 2018

Researchers:

FV Flowplayer Video Player 6.1.2 - 6.6.4 - Cross-Site Scripting

6.1

CVE-2018-0642

Jul 2, 2018

Researcher: Chris Liu

3CX Live Chat <= 8.0.07 - Cross-Site Scripting

6.1

CVE-2018-11105

Jul 2, 2018

Researcher: RiieCco

Open Graph and Twitter Card Tags <= 2.2.4.1 - Unauthenticated Cross-Site Scripting

6.5

CVE ID Unknown

Jun 27, 2018

Researcher: Thomas Chauchefoin

iThemes Security <= 7.0.2 - Authenticated SQL Injection

7.2

CVE-2018-12636

Jun 25, 2018

Researcher: Çlirim Emini

JS Help Desk – Best Help Desk & Support Plugin <= 2.0.5 - Cross-Site Request Forgery

8.8

CVE-2018-21002

Jun 25, 2018

Researchers:

WordPress Comments Import & Export <= 2.0.4 - CSV Injection

6.1

CVE-2018-11526

Jun 21, 2018

Researcher: Bhushan B. Patil

Ultimate Form Builder Lite <= 1.3.7 - Cross-Site Scripting

6.4

CVE ID Unknown

Jun 20, 2018

Researcher: Neven Birusk

PublishPress Capabilities <= 1.5.8 - Authenticated SQL Injection

7.2

CVE ID Unknown

Jun 20, 2018

Researchers:

Advanced Order Export For WooCommerce <= 1.5.4 - CSV Injection

7.8

CVE-2018-11525

Jun 20, 2018

Researcher: Bhushan B. Patil

Tooltipy < 5.1 - Cross-Site Request Forgery

6.5

CVE-2018-1000505

Jun 20, 2018

Researcher: dwxsupport

Tooltipy (tooltips for WP) <= 5.0 - Reflected Cross-Site Scripting

6.1

CVE-2018-1000512

Jun 12, 2018

Researcher: Mallory Adams

Quick Chat <= 4.14 - SQL Injection

8.8

CVE-2019-1010104

Jun 12, 2018

Researcher: Amine Taouirsa

Pie Register <= 3.0.9 - SQL Injection

9.8

CVE-2018-10969

Jun 12, 2018

Researcher: Manuel Garcia Cardenas

Booking calendar, Appointment Booking System < 2.2.3 - Unauthenticated Parameter Manipulation

7.5

CVE-2018-10363

Jun 7, 2018

Researcher: B0UG

Mass Pages/Posts Creator <= 1.2.2 - Missing Authorization

7.3

CVE-2018-11580

Jun 7, 2018

Researcher: Jack K.

Digital Goods < 2.2 - Cross-Site Request Forgery

6.5

CVE-2018-11633

Jun 3, 2018

Researcher: ThreatPress

wpForo Forum < 1.4.12 - Reflected Cross-Site Scripting

6.1

CVE-2018-11709

Jun 1, 2018

Researcher: Ryan Dewhurst

Title	CVE ID	CVSS	Researchers	Date
Ninja Forms <= 3.3.8 - Insufficient Restrictions during Export Personal Data requests	CVE-2018-20981	9.1		July 6, 2018
WordPress Core < 4.9.7 - Authenticated Arbitrary File Deletion	CVE-2018-12895	8.8	Matt Barry, Karim El Ouerghemmi, Slavco Mihajloski	July 5, 2018
Ultimate Member <= 2.0.17 - Authenticated Cross-Site Scripting	CVE-2018-13136	6.1		July 3, 2018
FV Flowplayer Video Player 6.1.2 - 6.6.4 - Cross-Site Scripting	CVE-2018-0642	6.1	Chris Liu	July 2, 2018
3CX Live Chat <= 8.0.07 - Cross-Site Scripting	CVE-2018-11105	6.1	RiieCco	July 2, 2018
Open Graph and Twitter Card Tags <= 2.2.4.1 - Unauthenticated Cross-Site Scripting		6.5	Thomas Chauchefoin	June 27, 2018
iThemes Security <= 7.0.2 - Authenticated SQL Injection	CVE-2018-12636	7.2	Çlirim Emini	June 25, 2018
JS Help Desk – Best Help Desk & Support Plugin <= 2.0.5 - Cross-Site Request Forgery	CVE-2018-21002	8.8		June 25, 2018
WordPress Comments Import & Export <= 2.0.4 - CSV Injection	CVE-2018-11526	6.1	Bhushan B. Patil	June 21, 2018
Ultimate Form Builder Lite <= 1.3.7 - Cross-Site Scripting		6.4	Neven Birusk	June 20, 2018
PublishPress Capabilities <= 1.5.8 - Authenticated SQL Injection		7.2		June 20, 2018
Advanced Order Export For WooCommerce <= 1.5.4 - CSV Injection	CVE-2018-11525	7.8	Bhushan B. Patil	June 20, 2018
Tooltipy < 5.1 - Cross-Site Request Forgery	CVE-2018-1000505	6.5	dwxsupport	June 20, 2018
Tooltipy (tooltips for WP) <= 5.0 - Reflected Cross-Site Scripting	CVE-2018-1000512	6.1	Mallory Adams	June 12, 2018
Quick Chat <= 4.14 - SQL Injection	CVE-2019-1010104	8.8	Amine Taouirsa	June 12, 2018
Pie Register <= 3.0.9 - SQL Injection	CVE-2018-10969	9.8	Manuel Garcia Cardenas	June 12, 2018
Booking calendar, Appointment Booking System < 2.2.3 - Unauthenticated Parameter Manipulation	CVE-2018-10363	7.5	B0UG	June 7, 2018
Mass Pages/Posts Creator <= 1.2.2 - Missing Authorization	CVE-2018-11580	7.3	Jack K.	June 7, 2018
Digital Goods < 2.2 - Cross-Site Request Forgery	CVE-2018-11633	6.5	ThreatPress	June 3, 2018
wpForo Forum < 1.4.12 - Reflected Cross-Site Scripting	CVE-2018-11709	6.1	Ryan Dewhurst	June 1, 2018

Submit Vulnerability

«
‹
1
2
...
921
922
923
...
1093
1094
›
»

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Dec 10, 2024 Vulns
1	SOPROBRO	103
2	vgo0	66
3	Mika	49
4	Peter Thaleikis	49
5	João Pedro Soares de Alcântara	45
6	Rafie Muhammad	33
7	zaim	25
8	Lucio Sá	25
9	Francesco Carlucci	22
10	stealthcopter	22
11	theviper17y	20
12	ardias	17
13	yudha	17
14	zakaria	16
15	thiennv	16
16	Tieu Pham Trong Nhan	14
17	LVT-tholv2k	13
18	Trương Hữu Phúc (truonghuuphuc)	13
19	Colin Xu	13
20	Bonds	11

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation