WordPress Vulnerability Database

Wordfence Intelligence   >   Vulnerability Database
WordPress Core
WordPress Plugins
WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title
Searches through the title of each vulnerability for matches.
date
Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.
cvss-rating
Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.
researcher
Returns vulnerabilities credited to researchers containing the given text.
software
Returns vulnerabilities discovered in software containing the given text.
software-slug
Returns vulnerabilities discovered in software exactly matching the given slug.
software-type
Use plugin, theme or core to limit the search to the specified type of software.
By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability
CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.6 - Information Exposure
5.3
CVE-2023-1263
Mar 7, 2023
Researcher: Marco Wotschka
Popup box <= 3.4.4 - Reflected Cross-Site Scripting via 'ays_pb_tab' Parameter
5.4
CVE-2023-27414
Mar 8, 2023
Researcher: Nguyen Xuan Chien
Drag and Drop Multiple File Upload PRO <= 2.10.9 - Directory Traversal
5.3
CVE-2023-1112
Mar 8, 2023
Researcher: Nicholas Ferreira
Daily Prayer Time <= 2023.03.20 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2023-27631
Mar 8, 2023
Researcher: yuyudhn
External Links <= 2.57 - Cross-Site Request Forgery via action_admin_action_wpel_dismiss_notice
4.3
CVE ID Unknown
Mar 8, 2023
Researchers:
GiveWP <= 2.25.1 - Cross-Site Request Forgery via process_bulk_action
5.4
CVE ID Unknown
Mar 8, 2023
Researchers:
Popup Maker <= 1.18.0 - Cross-Site Request Forgery via init
4.3
CVE ID Unknown
Mar 8, 2023
Researchers:
Affiliate Super Assistent <= 1.5.1 - Cross-Site Request Forgery to Settings Update and Cache Clearing
4.3
CVE-2023-27417
Mar 8, 2023
Researcher: Mika
Webmention <= 4.0.8 - Reflected Cross-Site Scripting via 'replytocom'
6.1
CVE ID Unknown
Mar 8, 2023
Researchers:
cformsII <= 15.0.4 - Cross-Site Request Forgery leading to Settings Updates
4.3
CVE-2023-25449
Mar 8, 2023
Researcher: Rio Darmawan
301 Redirects - Easy Redirect Manager <= 2.72 - Cross-Site Request Forgery via dismiss_notice
4.3
CVE ID Unknown
Mar 8, 2023
Researchers:
GiveWP <= 2.25.1 - Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler
4.1
CVE-2022-40312
Mar 8, 2023
Researcher: Rafie Muhammad
GiveWP <= 2.25.1 - Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown
6.1
CVE ID Unknown
Mar 8, 2023
Researchers:
HT Easy GA4 ( Google Analytics 4 ) <= 1.0.6 - Cross-Site Request Forgery via plugin_activation
5.4
CVE-2023-23802
Mar 8, 2023
Researcher: István Márton
Clone <= 2.3.7 - Cross-Site Request Forgery via wp_ajax_tifm_save_decision
4.3
CVE ID Unknown
Mar 8, 2023
Researcher: Mika
Updraft Plus <= 1.22.24 - Information Disclosure via updraft_ajaxrestore
5.3
CVE ID Unknown
Mar 8, 2023
Researchers:
GiveWP <= 2.25.1 - Unauthenticated CSV Injection
8.3
CVE-2023-22719
Mar 8, 2023
Researcher: Rafshanzani Suhada
W4 Post List <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w4pl[no_items_text]'
6.4
CVE-2023-27413
Mar 8, 2023
Researcher: Abdi Pranata
Image Over Image For WPBakery Page Builder <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
6.4
CVE-2023-0399
Mar 8, 2023
Researcher: István Márton
GiveWP <= 2.25.1 - Cross-Site Request Forgery via save
4.3
CVE ID Unknown
Mar 8, 2023
Researchers:
Title CVE ID CVSS Researchers Date
CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.6 - Information Exposure CVE-2023-1263 5.3 Marco Wotschka March 7, 2023
Popup box <= 3.4.4 - Reflected Cross-Site Scripting via 'ays_pb_tab' Parameter CVE-2023-27414 5.4 Nguyen Xuan Chien March 8, 2023
Drag and Drop Multiple File Upload PRO <= 2.10.9 - Directory Traversal CVE-2023-1112 5.3 Nicholas Ferreira March 8, 2023
Daily Prayer Time <= 2023.03.20 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2023-27631 6.4 yuyudhn March 8, 2023
External Links <= 2.57 - Cross-Site Request Forgery via action_admin_action_wpel_dismiss_notice 4.3 March 8, 2023
GiveWP <= 2.25.1 - Cross-Site Request Forgery via process_bulk_action 5.4 March 8, 2023
Popup Maker <= 1.18.0 - Cross-Site Request Forgery via init 4.3 March 8, 2023
Affiliate Super Assistent <= 1.5.1 - Cross-Site Request Forgery to Settings Update and Cache Clearing CVE-2023-27417 4.3 Mika March 8, 2023
Webmention <= 4.0.8 - Reflected Cross-Site Scripting via 'replytocom' 6.1 March 8, 2023
cformsII <= 15.0.4 - Cross-Site Request Forgery leading to Settings Updates CVE-2023-25449 4.3 Rio Darmawan March 8, 2023
301 Redirects - Easy Redirect Manager <= 2.72 - Cross-Site Request Forgery via dismiss_notice 4.3 March 8, 2023
GiveWP <= 2.25.1 - Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler CVE-2022-40312 4.1 Rafie Muhammad March 8, 2023
GiveWP <= 2.25.1 - Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown 6.1 March 8, 2023
HT Easy GA4 ( Google Analytics 4 ) <= 1.0.6 - Cross-Site Request Forgery via plugin_activation CVE-2023-23802 5.4 István Márton March 8, 2023
Clone <= 2.3.7 - Cross-Site Request Forgery via wp_ajax_tifm_save_decision 4.3 Mika March 8, 2023
Updraft Plus <= 1.22.24 - Information Disclosure via updraft_ajaxrestore 5.3 March 8, 2023
GiveWP <= 2.25.1 - Unauthenticated CSV Injection CVE-2023-22719 8.3 Rafshanzani Suhada March 8, 2023
W4 Post List <= 2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w4pl[no_items_text]' CVE-2023-27413 6.4 Abdi Pranata March 8, 2023
Image Over Image For WPBakery Page Builder <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2023-0399 6.4 István Márton March 8, 2023
GiveWP <= 2.25.1 - Cross-Site Request Forgery via save 4.3 March 8, 2023
Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All
Rank Name
Vulnerabilities since Apr 17, 2024
Vulns
1 stealthcopter 58
2 Dhabaleshwar Das 46
3 Ngô Thiên An (ancorn_) 37
4 Krzysztof Zając 35
5 Rafie Muhammad 35
6 wesley (wcraft) 33
7 Joshua Chan 32
8 Bob Matyas 29
9 Francesco Carlucci 24
10 Lucio Sá 23
11 Steven Julian 22
12 Benedictus Jovan (aillesiM) 18
13 Webbernaut 18
14 Khalid 16
15 Majed Refaea 16
16 Abdi Pranata 16
17 Dave Jong 15
18 Peng Zhou 12
19 István Márton 11
20 LVT-tholv2k 11

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation