WordPress Vulnerability Database

Wordfence Intelligence   >   Vulnerability Database
WordPress Core
WordPress Plugins
WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title
Searches through the title of each vulnerability for matches.
date
Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.
cvss-rating
Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.
researcher
Returns vulnerabilities credited to researchers containing the given text.
software
Returns vulnerabilities discovered in software containing the given text.
software-slug
Returns vulnerabilities discovered in software exactly matching the given slug.
software-type
Use plugin, theme or core to limit the search to the specified type of software.
By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability
Custom Field For WP Job Manager <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode
4.3
CVE-2023-7049
Aug 15, 2024
Researcher: Francesco Carlucci
Theme My Login <= 7.1.7 - Cross-Site Request Forgery to Settings Update
4.3
CVE-2024-7422
Aug 15, 2024
Researcher: vgo0
ElementsKit Pro <= 3.6.6 - Authenticated (Contributor+) Sensitive Information Exposure
4.3
CVE-2024-7063
Aug 14, 2024
Researcher: Webbernaut
Analytify <= 5.3.1 - Cross-Site Request Forgery to Opt-out
4.3
CVE-2024-43265
Aug 12, 2024
Researcher: Dhabaleshwar Das
Leopard - WordPress offload media <= 2.0.36 - Authenticated (Subscriber+) Sensitive Information Exposure
4.3
CVE-2024-43257
Aug 12, 2024
Researcher: Dave Jong
Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Sensitive Information Exposure
4.3
CVE-2024-43251
Aug 12, 2024
Researcher: Dave Jong
Clearfy Cache <= 2.2.4 - Missing Authorization
4.3
CVE-2024-43260
Aug 12, 2024
Researcher: Joshua Chan
Backup and Restore WordPress <= 1.50 - Cross-Site Request Forgery
4.3
CVE-2024-43269
Aug 12, 2024
Researcher: Ananda Dhakal
Smart Online Order for Clover <= 1.5.6 - Missing Authorization
4.3
CVE-2024-43254
Aug 12, 2024
Researcher: Dhabaleshwar Das
Leopard - WordPress offload media <= 2.0.36 - Missing Authorization to Authenticated (Subscriber+) Settings Update
4.3
CVE-2024-43256
Aug 12, 2024
Researcher: Dave Jong
WHMpress <= 6.2-revision-5 - Missing Authorization to Authenticated (Subscriber+) Settings Update
4.3
CVE-2024-43247
Aug 12, 2024
Researcher: Dave Jong
Icegram Collect – Easy Form, Lead Collection and Subscription plugin <= 1.3.14 - Missing Authorization
4.3
CVE-2024-43273
Aug 12, 2024
Researcher: Dhabaleshwar Das
WP Job Portal <= 2.1.8 - Authenticated (Subscriber+) Insecure Direct Object Reference
4.3
CVE-2024-43266
Aug 12, 2024
Researcher: LuxF0z
Backup and Restore WordPress <= 1.50 - Missing Authorization
4.3
CVE-2024-43268
Aug 12, 2024
Researcher: Ananda Dhakal
DN Popup <= 1.2.2 - Cross-Site Request Forgery to Settings Update
4.3
CVE-2024-7690
Aug 12, 2024
Researcher: Bob Matyas
WP MultiTasking <= 0.1.12 - Cross-Site Request Forgery to Settings Update
4.3
CVE-2024-6852
Aug 10, 2024
Researcher: Norbert Hofmann
WP MultiTasking <= 0.1.12 - Cross-Site Request Forgery to Exit Popup Update
4.3
CVE-2024-6855
Aug 10, 2024
Researcher: Norbert Hofmann
WP MultiTasking <= 0.1.12 - Cross-Site Request Forgery to Welcome Popup Update
4.3
CVE-2024-6853
Aug 10, 2024
Researcher: Norbert Hofmann
TrueBooker <= 1.0.2 - Cross-Site Request Forgery to Settings Update
4.3
CVE-2024-6925
Aug 10, 2024
Researcher: Bob Matyas
WP MultiTasking <= 0.1.12 - Cross-Site Request Forgery to SMTP Settings Update
4.3
CVE-2024-6856
Aug 10, 2024
Researcher: Norbert Hofmann
Title CVE ID CVSS Researchers Date
Custom Field For WP Job Manager <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode CVE-2023-7049 4.3 Francesco Carlucci August 15, 2024
Theme My Login <= 7.1.7 - Cross-Site Request Forgery to Settings Update CVE-2024-7422 4.3 vgo0 August 15, 2024
ElementsKit Pro <= 3.6.6 - Authenticated (Contributor+) Sensitive Information Exposure CVE-2024-7063 4.3 Webbernaut August 14, 2024
Analytify <= 5.3.1 - Cross-Site Request Forgery to Opt-out CVE-2024-43265 4.3 Dhabaleshwar Das August 12, 2024
Leopard - WordPress offload media <= 2.0.36 - Authenticated (Subscriber+) Sensitive Information Exposure CVE-2024-43257 4.3 Dave Jong August 12, 2024
Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Sensitive Information Exposure CVE-2024-43251 4.3 Dave Jong August 12, 2024
Clearfy Cache <= 2.2.4 - Missing Authorization CVE-2024-43260 4.3 Joshua Chan August 12, 2024
Backup and Restore WordPress <= 1.50 - Cross-Site Request Forgery CVE-2024-43269 4.3 Ananda Dhakal August 12, 2024
Smart Online Order for Clover <= 1.5.6 - Missing Authorization CVE-2024-43254 4.3 Dhabaleshwar Das August 12, 2024
Leopard - WordPress offload media <= 2.0.36 - Missing Authorization to Authenticated (Subscriber+) Settings Update CVE-2024-43256 4.3 Dave Jong August 12, 2024
WHMpress <= 6.2-revision-5 - Missing Authorization to Authenticated (Subscriber+) Settings Update CVE-2024-43247 4.3 Dave Jong August 12, 2024
Icegram Collect – Easy Form, Lead Collection and Subscription plugin <= 1.3.14 - Missing Authorization CVE-2024-43273 4.3 Dhabaleshwar Das August 12, 2024
WP Job Portal <= 2.1.8 - Authenticated (Subscriber+) Insecure Direct Object Reference CVE-2024-43266 4.3 LuxF0z August 12, 2024
Backup and Restore WordPress <= 1.50 - Missing Authorization CVE-2024-43268 4.3 Ananda Dhakal August 12, 2024
DN Popup <= 1.2.2 - Cross-Site Request Forgery to Settings Update CVE-2024-7690 4.3 Bob Matyas August 12, 2024
WP MultiTasking <= 0.1.12 - Cross-Site Request Forgery to Settings Update CVE-2024-6852 4.3 Norbert Hofmann August 10, 2024
WP MultiTasking <= 0.1.12 - Cross-Site Request Forgery to Exit Popup Update CVE-2024-6855 4.3 Norbert Hofmann August 10, 2024
WP MultiTasking <= 0.1.12 - Cross-Site Request Forgery to Welcome Popup Update CVE-2024-6853 4.3 Norbert Hofmann August 10, 2024
TrueBooker <= 1.0.2 - Cross-Site Request Forgery to Settings Update CVE-2024-6925 4.3 Bob Matyas August 10, 2024
WP MultiTasking <= 0.1.12 - Cross-Site Request Forgery to SMTP Settings Update CVE-2024-6856 4.3 Norbert Hofmann August 10, 2024
Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All
Rank Name
Vulnerabilities since Nov 21, 2024
Vulns
1 SOPROBRO 139
2 vgo0 68
3 Peter Thaleikis 66
4 Francesco Carlucci 39
5 Mika 37
6 João Pedro Soares de Alcântara 37
7 stealthcopter 23
8 theviper17y 19
9 zaim 19
10 Gab 16
11 thiennv 16
12 zakaria 15
13 ardias 15
14 Arkadiusz Hydzik 15
15 Colin Xu 13
16 mikemyers 12
17 Tieu Pham Trong Nhan 12
18 zer0gh0st 11
19 LVT-tholv2k 11
20 yudha 11

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation