🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Recently viewed and most viewed products <= 1.1.1 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

5.5

CVE-2023-47646

Nov 7, 2023

Researcher: Emili Castells

Reusable Text Blocks <= 1.5.3 - Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

5.5

CVE-2023-5745

Oct 23, 2023

Researcher: István Márton

WP Lightbox 2 <= 3.0.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

5.5

CVE-2023-45747

Oct 12, 2023

Researcher: Rio Darmawan

Simple Tweet <= 1.4.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

5.5

CVE-2023-45767

Oct 12, 2023

Researcher: Rio Darmawan

Get Custom Field Values <= 4.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget

5.5

CVE-2023-45604

Oct 11, 2023

Researcher: Satoo Nakano

WPLegalPages <= 2.9.2 - Authenticated (Author+) Stored Cross-Site Scripting via Shortcode

5.5

CVE-2023-4968

Oct 10, 2023

Researcher: István Márton

Statify – Extended Evaluation <= 2.6.3 - Authenticated (Admin+) CSV Injection

5.5

CVE ID Unknown

Sep 18, 2023

Researchers:

Fitness calculators plugin <= 2.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings

5.5

CVE-2023-40552

Aug 16, 2023

Researcher: Rio Darmawan

Assistant <= 1.4.3 - Authenticated (Editor+) Server Side Request Forgery

5.5

CVE-2023-5798

Jul 27, 2023

Researcher: Yuchen Ji

Church Admin <= 3.7.56 - Server-Side Request Forgery via church_admin_import_csv

5.5

CVE-2023-38515

Jul 26, 2023

Researcher: Yuchen Ji

HTTP Headers <= 1.18.11 - Server-Side Request Forgery

5.5

CVE-2023-37978

Jul 13, 2023

Researcher: emad

Animated Number Counters <= 1.6 - Authenticated (Editor+) Stored Cross-Site Scripting

5.5

CVE-2023-24393

Jul 4, 2023

Researcher: yuyudhn

WPGraphQL <= 1.14.5 - Authenticated (Editor+) Server-Side Request Forgery

5.5

CVE-2023-23684

Jun 28, 2023

Researcher: Ravi Dharmawan

TinyMCE Custom Styles <= 1.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVE-2023-2967

Jun 19, 2023

Researcher: Yassir Sbai Fahim (iduzzel)

Quick/Bulk Order Form for WooCommerce <= 3.5.7 - Authenticated (Shop manager+) Stored Cross-Site Scripting

5.5

CVE-2023-34170

May 31, 2023

Researcher: Emili Castells

Blog-in-Blog <= 1.1.1 - Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode

5.5

CVE-2023-2436

May 30, 2023

Researcher: István Márton

Download Monitor <= 4.8.1 - Authenticated (Admin+) Server-Side Request Forgery

5.5

CVE-2023-31219

May 30, 2023

Researcher: Mika

WooCommerce Shipping & Tax <= 2.2.4 - Stored Cross-Site Scripting

5.5

CVE ID Unknown

May 23, 2023

Researchers:

AutomateWoo <= 5.7.1 - Authenticated (Shop manager+) SQL Injection

5.5

CVE-2023-32743

May 15, 2023

Researcher: Rafie Muhammad

Advanced Youtube Channel Pagination <= 1.0 - Authenticated(Administrator+) Stored Cross-Site Scripting

5.5

CVE-2023-28693

Apr 24, 2023

Researcher: qilin_99

Title	CVE ID	CVSS	Researchers	Date
Recently viewed and most viewed products <= 1.1.1 - Authenticated (Shop Manager+) Stored Cross-Site Scripting	CVE-2023-47646	5.5	Emili Castells	November 7, 2023
Reusable Text Blocks <= 1.5.3 - Authenticated (Author+) Stored Cross-Site Scripting via Shortcode	CVE-2023-5745	5.5	István Márton	October 23, 2023
WP Lightbox 2 <= 3.0.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings	CVE-2023-45747	5.5	Rio Darmawan	October 12, 2023
Simple Tweet <= 1.4.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings	CVE-2023-45767	5.5	Rio Darmawan	October 12, 2023
Get Custom Field Values <= 4.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin widget	CVE-2023-45604	5.5	Satoo Nakano	October 11, 2023
WPLegalPages <= 2.9.2 - Authenticated (Author+) Stored Cross-Site Scripting via Shortcode	CVE-2023-4968	5.5	István Márton	October 10, 2023
Statify – Extended Evaluation <= 2.6.3 - Authenticated (Admin+) CSV Injection		5.5		September 18, 2023
Fitness calculators plugin <= 2.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via admin settings	CVE-2023-40552	5.5	Rio Darmawan	August 16, 2023
Assistant <= 1.4.3 - Authenticated (Editor+) Server Side Request Forgery	CVE-2023-5798	5.5	Yuchen Ji	July 27, 2023
Church Admin <= 3.7.56 - Server-Side Request Forgery via church_admin_import_csv	CVE-2023-38515	5.5	Yuchen Ji	July 26, 2023
HTTP Headers <= 1.18.11 - Server-Side Request Forgery	CVE-2023-37978	5.5	emad	July 13, 2023
Animated Number Counters <= 1.6 - Authenticated (Editor+) Stored Cross-Site Scripting	CVE-2023-24393	5.5	yuyudhn	July 4, 2023
WPGraphQL <= 1.14.5 - Authenticated (Editor+) Server-Side Request Forgery	CVE-2023-23684	5.5	Ravi Dharmawan	June 28, 2023
TinyMCE Custom Styles <= 1.1.3 - Authenticated (Administrator+) Stored Cross-Site Scripting	CVE-2023-2967	5.5	Yassir Sbai Fahim (iduzzel)	June 19, 2023
Quick/Bulk Order Form for WooCommerce <= 3.5.7 - Authenticated (Shop manager+) Stored Cross-Site Scripting	CVE-2023-34170	5.5	Emili Castells	May 31, 2023
Blog-in-Blog <= 1.1.1 - Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-2436	5.5	István Márton	May 30, 2023
Download Monitor <= 4.8.1 - Authenticated (Admin+) Server-Side Request Forgery	CVE-2023-31219	5.5	Mika	May 30, 2023
WooCommerce Shipping & Tax <= 2.2.4 - Stored Cross-Site Scripting		5.5		May 23, 2023
AutomateWoo <= 5.7.1 - Authenticated (Shop manager+) SQL Injection	CVE-2023-32743	5.5	Rafie Muhammad	May 15, 2023
Advanced Youtube Channel Pagination <= 1.0 - Authenticated(Administrator+) Stored Cross-Site Scripting	CVE-2023-28693	5.5	qilin_99	April 24, 2023

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Apr 3, 2024 Vulns
1	Dhabaleshwar Das	80
2	Krzysztof Zając	46
3	Rafie Muhammad	45
4	Joshua Chan	45
5	Majed Refaea	39
6	stealthcopter	38
7	Francesco Carlucci	37
8	Ngô Thiên An (ancorn_)	35
9	wesley (wcraft)	31
10	Lucio Sá	29
11	Abdi Pranata	28
12	Dave Jong	27
13	Steven Julian	23
14	beluga	23
15	Khalid	22
16	LVT-tholv2k	20
17	Dimas Maulana	18
18	Webbernaut	16
19	Mika	16
20	Tim Coen	13

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation