WordPress Vulnerability Database

Wordfence Intelligence   >   Vulnerability Database
WordPress Core
WordPress Plugins
WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title
Searches through the title of each vulnerability for matches.
date
Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.
cvss-rating
Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.
researcher
Returns vulnerabilities credited to researchers containing the given text.
software
Returns vulnerabilities discovered in software containing the given text.
software-slug
Returns vulnerabilities discovered in software exactly matching the given slug.
software-type
Use plugin, theme or core to limit the search to the specified type of software.
By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability
Content Audit <= 1.9.1 - Cross-Site Request Forgery to Cross-Site Scripting
6.1
CVE-2017-18560
Sep 26, 2017
Researchers: Mallory Adams, dwxsupport
Mojoomla School Management System (Unspecified Version) - Authenticated (Student+) SQL Injection
8.8
CVE-2017-14843
Sep 26, 2017
Researcher: Ihsan Sencan
WP Jobs < 1.7 - Cross-Site Scripting
6.1
CVE-2017-14751
Sep 26, 2017
Researcher: Huzaifa Ali
WPCHURCH - Church Management System for Wordpress Theme < 13-07-2019 - SQL Injection
8.8
CVE-2017-14845
Sep 26, 2017
Researcher: Ihsan Sencan
SMSmaster – Multipurpose SMS Gateway for Wordpress (All Versions) - Authenticated SQL Injection
8.8
CVE-2017-14842
Sep 26, 2017
Researcher: Ihsan Sencan
WPAMS - Apartment Management System for wordpress Theme < 17-07-2019 - SQL Injection
8.8
CVE-2017-14847
Sep 26, 2017
Researcher: Ihsan Sencan
Gallery – Image and Video Gallery with Thumbnails < 1.2.1 - SQL Injection
9.8
CVE-2017-14125
Sep 22, 2017
Researcher: Manuel Garcia Cardenas
Smush – Lazy Load Images, Optimize & Compress Images <= 2.7.5 - Directory Traversal
5.3
CVE-2017-15079
Sep 21, 2017
Researcher: Ricardo Sanchez
Student Result or Employee Database <= 1.6.3 - Authentication Bypass
9.8
CVE-2017-14766
Sep 21, 2017
Researcher: Benjamin Lim
2kb Amazon Affiliates Store < 2.1.1 - Reflected Cross-Site Scripting
6.1
CVE-2017-14622
Sep 20, 2017
Researcher: Ricardo Sanchez
WordPress Core < 4.8.2 - Directory Traversal during unzip
4.3
CVE-2017-14719
Sep 19, 2017
Researcher: Alex Chapman (noxrnet)
WordPress Core < 4.8.2 - Directory Traversal via Customizer
4.9
CVE-2017-14722
Sep 19, 2017
Researcher: Weston Ruter
WordPress Core < 4.8.2 - Cross-Site Scripting via Shortcodes
6.4
CVE-2017-14726
Sep 19, 2017
Researcher: Rodolfo Assis (@brutelogic)
WordPress Core < 4.8.2 - Stored Cross-Site Scripting via Plugin Names
5.5
CVE-2017-14721
Sep 19, 2017
Researcher: 陈瑞琦 (Chen Ruiqi)
WordPress Core < 4.8.2 - Cross-Site Scripting via Template Name
6.4
CVE-2017-14720
Sep 19, 2017
Researcher: Luka Sikic
WordPress Core < 4.8.2 - Cross-Site Scripting in oEmbed
6.4
CVE-2017-14724
Sep 19, 2017
Researcher: xknown
WordPress Core < 4.8.2 - Cross-Site Scripting via Javascript: and Data: URLs
6.4
CVE-2017-14718
Sep 19, 2017
Researcher: Anas Roubi (qasuar)
WordPress Core < 4.8.2 - Open Redirect in Admin Dashboard
3.5
CVE-2017-14725
Sep 19, 2017
Researcher: Yasin Soliman (ysx)
WordPress Core < 4.8.2 - SQL Injection via Mishandled Placeholders
9.8
CVE-2017-14723
Sep 19, 2017
Researcher: Slavco Mihajloski
Post Pay Counter < 2.731 - PHP Object Injection
9.8
CVE-2017-18583
Sep 16, 2017
Researchers:
Title CVE ID CVSS Researchers Date
Content Audit <= 1.9.1 - Cross-Site Request Forgery to Cross-Site Scripting CVE-2017-18560 6.1 Mallory Adams, dwxsupport September 26, 2017
Mojoomla School Management System (Unspecified Version) - Authenticated (Student+) SQL Injection CVE-2017-14843 8.8 Ihsan Sencan September 26, 2017
WP Jobs < 1.7 - Cross-Site Scripting CVE-2017-14751 6.1 Huzaifa Ali September 26, 2017
WPCHURCH - Church Management System for Wordpress Theme < 13-07-2019 - SQL Injection CVE-2017-14845 8.8 Ihsan Sencan September 26, 2017
SMSmaster – Multipurpose SMS Gateway for Wordpress (All Versions) - Authenticated SQL Injection CVE-2017-14842 8.8 Ihsan Sencan September 26, 2017
WPAMS - Apartment Management System for wordpress Theme < 17-07-2019 - SQL Injection CVE-2017-14847 8.8 Ihsan Sencan September 26, 2017
Gallery – Image and Video Gallery with Thumbnails < 1.2.1 - SQL Injection CVE-2017-14125 9.8 Manuel Garcia Cardenas September 22, 2017
Smush – Lazy Load Images, Optimize & Compress Images <= 2.7.5 - Directory Traversal CVE-2017-15079 5.3 Ricardo Sanchez September 21, 2017
Student Result or Employee Database <= 1.6.3 - Authentication Bypass CVE-2017-14766 9.8 Benjamin Lim September 21, 2017
2kb Amazon Affiliates Store < 2.1.1 - Reflected Cross-Site Scripting CVE-2017-14622 6.1 Ricardo Sanchez September 20, 2017
WordPress Core < 4.8.2 - Directory Traversal during unzip CVE-2017-14719 4.3 Alex Chapman (noxrnet) September 19, 2017
WordPress Core < 4.8.2 - Directory Traversal via Customizer CVE-2017-14722 4.9 Weston Ruter September 19, 2017
WordPress Core < 4.8.2 - Cross-Site Scripting via Shortcodes CVE-2017-14726 6.4 Rodolfo Assis (@brutelogic) September 19, 2017
WordPress Core < 4.8.2 - Stored Cross-Site Scripting via Plugin Names CVE-2017-14721 5.5 陈瑞琦 (Chen Ruiqi) September 19, 2017
WordPress Core < 4.8.2 - Cross-Site Scripting via Template Name CVE-2017-14720 6.4 Luka Sikic September 19, 2017
WordPress Core < 4.8.2 - Cross-Site Scripting in oEmbed CVE-2017-14724 6.4 xknown September 19, 2017
WordPress Core < 4.8.2 - Cross-Site Scripting via Javascript: and Data: URLs CVE-2017-14718 6.4 Anas Roubi (qasuar) September 19, 2017
WordPress Core < 4.8.2 - Open Redirect in Admin Dashboard CVE-2017-14725 3.5 Yasin Soliman (ysx) September 19, 2017
WordPress Core < 4.8.2 - SQL Injection via Mishandled Placeholders CVE-2017-14723 9.8 Slavco Mihajloski September 19, 2017
Post Pay Counter < 2.731 - PHP Object Injection CVE-2017-18583 9.8 September 16, 2017
Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All
Rank Name
Vulnerabilities since Dec 9, 2024
Vulns
1 SOPROBRO 85
2 vgo0 62
3 Peter Thaleikis 42
4 Mika 29
5 Francesco Carlucci 24
6 Lucio Sá 23
7 zaim 23
8 João Pedro Soares de Alcântara 18
9 stealthcopter 17
10 yudha 16
11 theviper17y 14
12 Tieu Pham Trong Nhan 13
13 zakaria 13
14 thiennv 13
15 Colin Xu 12
16 ardias 11
17 zer0gh0st 10
18 mikemyers 9
19 Arkadiusz Hydzik 9
20 Webbernaut 9

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation