WordPress Vulnerability Database

Wordfence Intelligence   >   Vulnerability Database
WordPress Core
WordPress Plugins
WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title
Searches through the title of each vulnerability for matches.
date
Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.
cvss-rating
Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.
researcher
Returns vulnerabilities credited to researchers containing the given text.
software
Returns vulnerabilities discovered in software containing the given text.
software-slug
Returns vulnerabilities discovered in software exactly matching the given slug.
software-type
Use plugin, theme or core to limit the search to the specified type of software.
By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability
Cart66 Cloud <= 2.3.7 - Unauthenticated Information Exposure
5.3
CVE-2025-2841
Apr 11, 2025
Researcher: Avraham Shemesh
Developer Toolbar <= 1.0.3 - Unauthenticated Information Exposure
5.3
CVE-2025-2881
Apr 11, 2025
Researcher: Avraham Shemesh
WordPress Mega Menu – QuadMenu <= 3.2.0 - Cross-Site Request Forgery to Limited User Meta Update
4.3
CVE-2025-2871
Apr 11, 2025
Researcher: Peter Thaleikis
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.34 Reflected Cross-Site Scripting via 'image_id' Parameter
6.1
CVE-2025-2269
Apr 11, 2025
Researcher: Ivan Kuzymchak
WP Project Manager <= 2.6.22 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
6.4
CVE-2025-2541
Apr 10, 2025
Researcher: Avraham Shemesh
Z Companion <= 1.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
6.4
CVE-2025-2575
Apr 10, 2025
Researcher: Avraham Shemesh
Cost Calculator Builder <= 3.2.67 - Authenticated (Subscriber+) SQL Injection via order_ids Parameter
6.5
CVE-2025-2128
Apr 10, 2025
Researcher: mikemyers
SMTP for Amazon SES – YaySMTP <= 1.8 - Unauthenticated Stored Cross-Site Scripting via Email Logs
7.2
CVE-2025-3434
Apr 10, 2025
Researcher: zer0gh0st
Everest Forms <= 3.1.1 - Reflected Cross-Site Scripting
6.1
CVE-2025-3421
Apr 10, 2025
Researcher: mikemyers
Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress <= 3.1.1 - Unauthenticated PHP Object Injection
9.8
CVE-2025-3439
Apr 10, 2025
Researcher: kuaile
Everest Forms <= 3.1.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
5.4
CVE-2025-3422
Apr 10, 2025
Researcher: mikemyers
InstaWP Connect <= 0.1.0.85 - Unauthenticated Local PHP File Inclusion
9.8
CVE-2025-2636
Apr 10, 2025
Researcher: Cheng Liu
Accredible Certificates & Open Badges <= 1.4.9 - Authenticated (Administrator+) SQL Injection via orderby Parameter
4.9
CVE-2024-13909
Apr 9, 2025
Researcher: oncybersec
Payment Forms for Paystack <= 4.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2024-10894
Apr 9, 2025
Researcher: Peter Thaleikis
Embedder 1.3 - 1.3.5 - Authenticated (Subscriber+) Arbitrary Options Update
8.8
CVE-2025-3417
Apr 9, 2025
Researcher: kr0d
azurecurve Shortcodes in Comments <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution
7.3
CVE-2025-2809
Apr 9, 2025
Researcher: Avraham Shemesh
ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution
7.3
CVE-2025-2805
Apr 9, 2025
Researcher: Avraham Shemesh
Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) 1.2.8 - 1.4.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update
6.5
CVE-2025-2719
Apr 9, 2025
Researcher: kr0d
SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation
8.1
CVE-2025-3102
Apr 9, 2025
Researcher: mikemyers
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts <= 2.6.22 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload
6.4
CVE-2025-3100
Apr 8, 2025
Researcher: siavashvafshar
Title CVE ID CVSS Researchers Date
Cart66 Cloud <= 2.3.7 - Unauthenticated Information Exposure CVE-2025-2841 5.3 Avraham Shemesh April 11, 2025
Developer Toolbar <= 1.0.3 - Unauthenticated Information Exposure CVE-2025-2881 5.3 Avraham Shemesh April 11, 2025
WordPress Mega Menu – QuadMenu <= 3.2.0 - Cross-Site Request Forgery to Limited User Meta Update CVE-2025-2871 4.3 Peter Thaleikis April 11, 2025
Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.34 Reflected Cross-Site Scripting via 'image_id' Parameter CVE-2025-2269 6.1 Ivan Kuzymchak April 11, 2025
WP Project Manager <= 2.6.22 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2025-2541 6.4 Avraham Shemesh April 10, 2025
Z Companion <= 1.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2025-2575 6.4 Avraham Shemesh April 10, 2025
Cost Calculator Builder <= 3.2.67 - Authenticated (Subscriber+) SQL Injection via order_ids Parameter CVE-2025-2128 6.5 mikemyers April 10, 2025
SMTP for Amazon SES – YaySMTP <= 1.8 - Unauthenticated Stored Cross-Site Scripting via Email Logs CVE-2025-3434 7.2 zer0gh0st April 10, 2025
Everest Forms <= 3.1.1 - Reflected Cross-Site Scripting CVE-2025-3421 6.1 mikemyers April 10, 2025
Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress <= 3.1.1 - Unauthenticated PHP Object Injection CVE-2025-3439 9.8 kuaile April 10, 2025
Everest Forms <= 3.1.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution CVE-2025-3422 5.4 mikemyers April 10, 2025
InstaWP Connect <= 0.1.0.85 - Unauthenticated Local PHP File Inclusion CVE-2025-2636 9.8 Cheng Liu April 10, 2025
Accredible Certificates & Open Badges <= 1.4.9 - Authenticated (Administrator+) SQL Injection via orderby Parameter CVE-2024-13909 4.9 oncybersec April 9, 2025
Payment Forms for Paystack <= 4.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-10894 6.4 Peter Thaleikis April 9, 2025
Embedder 1.3 - 1.3.5 - Authenticated (Subscriber+) Arbitrary Options Update CVE-2025-3417 8.8 kr0d April 9, 2025
azurecurve Shortcodes in Comments <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution CVE-2025-2809 7.3 Avraham Shemesh April 9, 2025
ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution CVE-2025-2805 7.3 Avraham Shemesh April 9, 2025
Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) 1.2.8 - 1.4.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update CVE-2025-2719 6.5 kr0d April 9, 2025
SureTriggers <= 1.0.78 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation CVE-2025-3102 8.1 mikemyers April 9, 2025
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts <= 2.6.22 - Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Upload CVE-2025-3100 6.4 siavashvafshar April 8, 2025
Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All
Rank Name
Vulnerabilities since Mar 12, 2025
Vulns
1 Trương Hữu Phúc (truonghuuphuc) 68
2 Nabil Irawan 63
3 Kévin Mosbahi (Mika) 62
4 João Pedro Soares de Alcântara 59
5 LVT-tholv2k 49
6 Peter Thaleikis 47
7 muhammad yudha 42
8 Nguyen Xuan Chien 41
9 SOPROBRO 40
10 0xd4rk5id3 39
11 Abdi Pranata 39
12 johska 37
13 Skalucy 32
14 theviper17y 30
15 stealthcopter 24
16 mikemyers 23
17 Nguyen Xuan Chien 19
18 Lucio Sá 17
19 Pham Van Tam 16
20 Avraham Shemesh 16

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

This site uses cookies in accordance with our Privacy Policy.