🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

YITH Custom Login <= 1.7.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.0

CVE-2024-35732

Jun 6, 2024

Researcher: STEALIEN

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget

7.2

CVE-2024-5542

Jun 6, 2024

Researcher: Webbernaut

Newsletters <= 4.9.5 - Reflected Cross-Site Scripting

6.1

CVE-2024-35718

Jun 6, 2024

Researcher: beluga

Rife Free <= 2.4.19 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-35708

Jun 6, 2024

Researcher: stealthcopter

Copymatic – AI Content Writer & Generator <= 1.9 - Missing Authorization

4.3

CVE-2024-35716

Jun 6, 2024

Researcher: Majed Refaea

Royal Elementor Addons and Templates <= 1.3.976 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Uploads

6.4

CVE-2024-4489

Jun 6, 2024

Researcher: wesley (wcraft)

Sensei LMS <= 4.23.1 & Sensei Pro (WC Paid Courses) <= 4.24.0.1.24.0 - Missing Authorization

5.3

CVE-2024-35686

Jun 6, 2024

Researcher: Rafie Muhammad

WP Docs <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-35695

Jun 6, 2024

Researcher: LVT-tholv2k

Kadence Blocks Pro <= 2.3.7 - Authenticated (Contributor+) Information Exposure

4.3

CVE-2024-1330

Jun 6, 2024

Researcher: Scott Kingsley Clark

BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-35704

Jun 6, 2024

Researcher: Ngô Thiên An (ancorn_)

Strategery Migrations <= 1.0 - Unauthenticated Arbitrary File Deletion

7.5

CVE-2024-35745

Jun 6, 2024

Researcher: YC_Infosec

Radcliffe 2 <= 2.0.17 - Missing Authorization

5.3

CVE-2024-35685

Jun 6, 2024

Researcher: Rafie Muhammad

WooCommerce Tools <= 1.2.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Module Deactivation

5.3

CVE-2024-1689

Jun 6, 2024

Researcher: Lucio Sá

WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection

4.7

CVE-2023-5424

Jun 6, 2024

Researcher: Duc Manh

Eduma <= 5.4.7 - Reflected Cross-Site Scripting

6.1

CVE-2024-35697

Jun 6, 2024

Researcher: Rafie Muhammad

Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress <= 9.0.1 - Authenticated (Contributor+) SQL Injection

9.9

CVE-2024-3592

Jun 6, 2024

Researcher: Lucio Sá

BuddyPress Cover <= 2.1.4.2 - Unauthenticated Arbitrary File Upload

10.0

CVE-2024-35746

Jun 6, 2024

Researcher: YC_Infosec

Album Gallery – WordPress Gallery <= 1.5.7 - Missing Authorization

4.3

CVE-2024-35720

Jun 6, 2024

Researcher: Steven Julian

WooCommerce Dropshipping <= 5.0.4 - Missing Authorization to Unauthenticated Arbitrary Email Send

5.3

CVE-2024-35748

Jun 6, 2024

Researcher: Dave Jong

Kenta Blocks – Responsive Blocks and block templates library <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVE-2024-35731

Jun 6, 2024

Researcher: João G. Barbosa (4rCanJ0x!)

Title	CVE ID	CVSS	Researchers	Date
YITH Custom Login <= 1.7.0 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-35732	4.0	STEALIEN	June 6, 2024
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget	CVE-2024-5542	7.2	Webbernaut	June 6, 2024
Newsletters <= 4.9.5 - Reflected Cross-Site Scripting	CVE-2024-35718	6.1	beluga	June 6, 2024
Rife Free <= 2.4.19 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-35708	6.4	stealthcopter	June 6, 2024
Copymatic – AI Content Writer & Generator <= 1.9 - Missing Authorization	CVE-2024-35716	4.3	Majed Refaea	June 6, 2024
Royal Elementor Addons and Templates <= 1.3.976 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Uploads	CVE-2024-4489	6.4	wesley (wcraft)	June 6, 2024
Sensei LMS <= 4.23.1 & Sensei Pro (WC Paid Courses) <= 4.24.0.1.24.0 - Missing Authorization	CVE-2024-35686	5.3	Rafie Muhammad	June 6, 2024
WP Docs <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-35695	6.4	LVT-tholv2k	June 6, 2024
Kadence Blocks Pro <= 2.3.7 - Authenticated (Contributor+) Information Exposure	CVE-2024-1330	4.3	Scott Kingsley Clark	June 6, 2024
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-35704	6.4	Ngô Thiên An (ancorn_)	June 6, 2024
Strategery Migrations <= 1.0 - Unauthenticated Arbitrary File Deletion	CVE-2024-35745	7.5	YC_Infosec	June 6, 2024
Radcliffe 2 <= 2.0.17 - Missing Authorization	CVE-2024-35685	5.3	Rafie Muhammad	June 6, 2024
WooCommerce Tools <= 1.2.9 - Missing Authorization to Authenticated (Subscriber+) Plugin Module Deactivation	CVE-2024-1689	5.3	Lucio Sá	June 6, 2024
WS Form LITE <= 1.9.217 - Unauthenticated CSV Injection	CVE-2023-5424	4.7	Duc Manh	June 6, 2024
Eduma <= 5.4.7 - Reflected Cross-Site Scripting	CVE-2024-35697	6.1	Rafie Muhammad	June 6, 2024
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress <= 9.0.1 - Authenticated (Contributor+) SQL Injection	CVE-2024-3592	9.9	Lucio Sá	June 6, 2024
BuddyPress Cover <= 2.1.4.2 - Unauthenticated Arbitrary File Upload	CVE-2024-35746	10.0	YC_Infosec	June 6, 2024
Album Gallery – WordPress Gallery <= 1.5.7 - Missing Authorization	CVE-2024-35720	4.3	Steven Julian	June 6, 2024
WooCommerce Dropshipping <= 5.0.4 - Missing Authorization to Unauthenticated Arbitrary Email Send	CVE-2024-35748	5.3	Dave Jong	June 6, 2024
Kenta Blocks – Responsive Blocks and block templates library <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-35731	5.4	João G. Barbosa (4rCanJ0x!)	June 6, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Aug 29, 2024 Vulns
1	Francesco Carlucci	33
2	vgo0	27
3	wesley (wcraft)	21
4	Lucio Sá	13
5	Krzysztof Zając	10
6	stealthcopter	10
7	Marco Wotschka	7
8	Peter Thaleikis	7
9	Webbernaut	6
10	TANG Cheuk Hei (siunam)	5
11	Daniel Ruf	5
12	rezaduty	5
13	zer0gh0st	4
14	LVT-tholv2k	3
15	Robert DeVore	3
16	Le Ngoc Anh	3
17	RyotaK	2
18	Jorge Diaz (ddiax)	2
19	Tonn	2
20	Ankit Patel	2

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation