🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Error Log Viewer <= 1.1.1 - Arbitrary File Deletion

5.5

CVE-2021-24966

Nov 10, 2021

Researcher: Ceylan Bozogullarindan

Booking Package <= 1.5.10 - Reflected Cross-Site Scripting

6.1

CVE-2021-20840

Nov 10, 2021

Researcher: Gen Sato

WordPress Core < 5.8.2 - ca-bundle.crt contains expired certificate DST Root CA X3

5.3

CVE ID Unknown

Nov 10, 2021

Researchers:

Get Custom Field Values <= 4.0.0 - Contributor+ Stored Cross-Site Scripting

6.4

CVE-2021-24871

Nov 9, 2021

Researcher: Francesco Carlucci

Get Custom Field Values < 4.0 - Arbitrary Post Metadata Access

6.5

CVE-2021-24872

Nov 9, 2021

Researcher: Francesco Carlucci

LearnPress <= 4.1.3 - Authenticated SQL Injection

9.8

CVE-2021-24951

Nov 9, 2021

Researcher: ZhongFu Su

Tawk.To Live Chat <= 0.5.4 - Missing Authorization to Visitor Monitoring & Chat Removal

8.0

CVE-2021-24914

Nov 8, 2021

Researcher: Quentin VILLAIN (3wsec)

LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting via rul_login_url, rul_logout_url Parameter

6.1

CVE-2021-24939

Nov 8, 2021

Researcher: ZhongFu Su

Email Log <= 2.4.7 - Reflected Cross-Site Scripting

6.1

CVE-2021-24924

Nov 8, 2021

Researcher: ZhongFu Su

WP Data Access <= 4.3.1 - Admin+ SQL Injection

7.2

CVE-2021-24866

Nov 8, 2021

Researcher: ZhongFu Su

Secure Copy Content Protection and Content Locking <= 2.8.1 - Unauthenticated SQL Injection

9.8

CVE-2021-24931

Nov 8, 2021

Researcher: Krzysztof Zając

Backup and Restore plugin – WordPress <= 1.0.3 - Authenticated (Admin+) Arbitrary File Deletion

5.5

CVE ID Unknown

Nov 8, 2021

Researcher: Murat DEMIRCI

WooCommerce Currency Switcher <= 1.3.7 - Reflected Cross-Site Scripting

6.1

CVE-2021-24938

Nov 8, 2021

Researcher: ZhongFu Su

Registrations for the Events Calendar <= 2.7.5 - Unauthenticated SQL Injection

9.8

CVE-2021-24943

Nov 8, 2021

Researcher: Krzysztof Zając

Bookly <= 20.3 - Staff Member Stored Cross-Site Scripting

5.4

CVE-2021-24930

Nov 8, 2021

Researcher: Mesut Cetin

Testimonial Builder <= 1.6.1 - Authenticated Stored Cross-Site Scripting

6.4

CVE-2021-36857

Nov 7, 2021

Researcher: Ngo Van Thien

Visual Form Builder <= 3.0.5 - CSV Injection

5.3

CVE-2022-0142

Nov 3, 2021

Researcher: Vishnupriya Ilango

Event Manager and Tickets Selling Plugin for WooCommerce < 3.5.3 - Arbitrary Settings Change

6.5

CVE ID Unknown

Nov 3, 2021

Researcher: WPScanTeam

Nitro by WooRockets <= 1.7.9 - Missing Authorization to Arbitrary Plugin Installation

7.5

CVE ID Unknown

Nov 3, 2021

Researcher: Brad Patton

WP Google Fonts <= 3.1.4 - Reflected Cross-Site Scripting

6.1

CVE-2021-24935

Nov 3, 2021

Researcher: ZhongFu Su

Title	CVE ID	CVSS	Researchers	Date
Error Log Viewer <= 1.1.1 - Arbitrary File Deletion	CVE-2021-24966	5.5	Ceylan Bozogullarindan	November 10, 2021
Booking Package <= 1.5.10 - Reflected Cross-Site Scripting	CVE-2021-20840	6.1	Gen Sato	November 10, 2021
WordPress Core < 5.8.2 - ca-bundle.crt contains expired certificate DST Root CA X3		5.3		November 10, 2021
Get Custom Field Values <= 4.0.0 - Contributor+ Stored Cross-Site Scripting	CVE-2021-24871	6.4	Francesco Carlucci	November 9, 2021
Get Custom Field Values < 4.0 - Arbitrary Post Metadata Access	CVE-2021-24872	6.5	Francesco Carlucci	November 9, 2021
LearnPress <= 4.1.3 - Authenticated SQL Injection	CVE-2021-24951	9.8	ZhongFu Su	November 9, 2021
Tawk.To Live Chat <= 0.5.4 - Missing Authorization to Visitor Monitoring & Chat Removal	CVE-2021-24914	8.0	Quentin VILLAIN (3wsec)	November 8, 2021
LoginWP < 3.0.0.5 - Reflected Cross-Site Scripting via rul_login_url, rul_logout_url Parameter	CVE-2021-24939	6.1	ZhongFu Su	November 8, 2021
Email Log <= 2.4.7 - Reflected Cross-Site Scripting	CVE-2021-24924	6.1	ZhongFu Su	November 8, 2021
WP Data Access <= 4.3.1 - Admin+ SQL Injection	CVE-2021-24866	7.2	ZhongFu Su	November 8, 2021
Secure Copy Content Protection and Content Locking <= 2.8.1 - Unauthenticated SQL Injection	CVE-2021-24931	9.8	Krzysztof Zając	November 8, 2021
Backup and Restore plugin – WordPress <= 1.0.3 - Authenticated (Admin+) Arbitrary File Deletion		5.5	Murat DEMIRCI	November 8, 2021
WooCommerce Currency Switcher <= 1.3.7 - Reflected Cross-Site Scripting	CVE-2021-24938	6.1	ZhongFu Su	November 8, 2021
Registrations for the Events Calendar <= 2.7.5 - Unauthenticated SQL Injection	CVE-2021-24943	9.8	Krzysztof Zając	November 8, 2021
Bookly <= 20.3 - Staff Member Stored Cross-Site Scripting	CVE-2021-24930	5.4	Mesut Cetin	November 8, 2021
Testimonial Builder <= 1.6.1 - Authenticated Stored Cross-Site Scripting	CVE-2021-36857	6.4	Ngo Van Thien	November 7, 2021
Visual Form Builder <= 3.0.5 - CSV Injection	CVE-2022-0142	5.3	Vishnupriya Ilango	November 3, 2021
Event Manager and Tickets Selling Plugin for WooCommerce < 3.5.3 - Arbitrary Settings Change		6.5	WPScanTeam	November 3, 2021
Nitro by WooRockets <= 1.7.9 - Missing Authorization to Arbitrary Plugin Installation		7.5	Brad Patton	November 3, 2021
WP Google Fonts <= 3.1.4 - Reflected Cross-Site Scripting	CVE-2021-24935	6.1	ZhongFu Su	November 3, 2021

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Mar 25, 2024 Vulns
1	Dhabaleshwar Das	72
2	Krzysztof Zając	44
3	Francesco Carlucci	37
4	wesley (wcraft)	37
5	Dimas Maulana	33
6	Ngô Thiên An (ancorn_)	33
7	LVT-tholv2k	30
8	Majed Refaea	27
9	Rafie Muhammad	26
10	Joshua Chan	22
11	Lucio Sá	22
12	Abdi Pranata	22
13	stealthcopter	21
14	beluga	20
15	Mika	18
16	Webbernaut	16
17	Steven Julian	15
18	Dave Jong	12
19	Khalid	12
20	João Pedro Soares de Alcântara	11

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation