WordPress Vulnerability Database

Wordfence Intelligence   >   Vulnerability Database
WordPress Core
WordPress Plugins
WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title
Searches through the title of each vulnerability for matches.
date
Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.
cvss-rating
Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.
researcher
Returns vulnerabilities credited to researchers containing the given text.
software
Returns vulnerabilities discovered in software containing the given text.
software-slug
Returns vulnerabilities discovered in software exactly matching the given slug.
software-type
Use plugin, theme or core to limit the search to the specified type of software.
By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability
iThemes Security < 5.3.5 - Authenticated Cross-Site Scripting
3.3
CVE ID Unknown
Apr 5, 2016
Researcher: PenTest Partners
affiliate-toolkit – WordPress Affiliate Plugin <= 3.3.9 - Open Redirect via atkpout.php
3.4
CVE-2023-45105
Oct 6, 2023
Researcher: minhtuanact
tarteaucitron.js – Cookies legislation & GDPR (WordPress plugin) <= 1.6 - Cross-Site Scripting
3.4
CVE-2021-36889
Dec 17, 2021
Researcher: Vladislav Pokrovsky (ΞX.MI)
Feed Them Social <= 4.2.0 - Cross-Site Request Forgery via review_nag_check
3.5
CVE-2024-24710
Jan 31, 2024
Researcher: Abdi Pranata
WordPress Core < 5.4.2 - Arbitrary User Meta Update
3.5
CVE-2020-4050
Jun 10, 2020
Researcher: Simon Scannell
WordPress Core < 4.8.2 - Open Redirect in Admin Dashboard
3.5
CVE-2017-14725
Sep 19, 2017
Researcher: Yasin Soliman (ysx)
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) <= 5.1.2 - Cross-Site Scripting
3.5
CVE-2014-9174
Nov 26, 2014
Researcher: SecuBeastTeam
Minimal Coming Soon – Coming Soon Page <= 2.37 - Unauthenticated Maintenance Mode Bypass
3.7
CVE-2024-1075
Feb 5, 2024
Researcher: Lucio Sá
WPS Hide Login <= 1.9.11 - Hidden Login Page Location Disclosure
3.7
CVE-2023-49748
Jan 10, 2024
Researcher: Naveen Muthusamy
Abandoned Cart Lite for WooCommerce <= 5.16.0 - Improper Authorization via wcal_preview_emails
3.7
CVE ID Unknown
Nov 21, 2023
Researchers:
Job Manager & Career <= 1.4.3 - Sensitive Information Exposure
3.7
CVE-2023-5906
Nov 6, 2023
Researcher: Dmitrii Ignatyev
WP Job Openings <= 3.4.2 - Information Exposure
3.7
CVE-2023-4933
Sep 25, 2023
Researcher: Dmitrii Ignatyev
Video Conferencing with Zoom <= 4.2.1 - Sensitive Information Exposure
3.7
CVE-2023-3947
Jul 25, 2023
Researcher: István Márton
Brizy Page Builder <= 2.4.18 - IP Address Spoofing to Protection Mechanism Bypass
3.7
CVE-2023-2897
May 31, 2023
Researcher: Alex Thomas
Freesoul Deactivate Plugins <= 1.9.4.0 - Information Disclosure
3.7
CVE-2023-22687
Jan 13, 2023
Researcher: Justiice
WordPress Core < 6.0.3 - Shared User Instance Weakness
3.7
CVE ID Unknown
Oct 18, 2022
Researchers: Alex Concha, Ben Bidner
WordPress Core < 6.0.3 - Information Disclosure (Multi-Part Email Leak)
3.7
CVE ID Unknown
Oct 18, 2022
Researcher: Thomas Kräftner
loader-utils (JS package) < 3.2.1 - Regular Expression Denial of Service
3.7
CVE-2022-37599
Oct 11, 2022
Researchers:
loader-utils (JS package) < 3.2.1 - Regular Expression Denial of Service
3.7
CVE-2022-37603
Oct 11, 2022
Researchers:
terser (JS Package) < 5.14.2 - Denial of Service
3.7
CVE-2022-25858
Jul 14, 2022
Researchers:
Title CVE ID CVSS Researchers Date
iThemes Security < 5.3.5 - Authenticated Cross-Site Scripting 3.3 PenTest Partners April 5, 2016
affiliate-toolkit – WordPress Affiliate Plugin <= 3.3.9 - Open Redirect via atkpout.php CVE-2023-45105 3.4 minhtuanact October 6, 2023
tarteaucitron.js – Cookies legislation & GDPR (WordPress plugin) <= 1.6 - Cross-Site Scripting CVE-2021-36889 3.4 Vladislav Pokrovsky (ΞX.MI) December 17, 2021
Feed Them Social <= 4.2.0 - Cross-Site Request Forgery via review_nag_check CVE-2024-24710 3.5 Abdi Pranata January 31, 2024
WordPress Core < 5.4.2 - Arbitrary User Meta Update CVE-2020-4050 3.5 Simon Scannell June 10, 2020
WordPress Core < 4.8.2 - Open Redirect in Admin Dashboard CVE-2017-14725 3.5 Yasin Soliman (ysx) September 19, 2017
MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) <= 5.1.2 - Cross-Site Scripting CVE-2014-9174 3.5 SecuBeastTeam November 26, 2014
Minimal Coming Soon – Coming Soon Page <= 2.37 - Unauthenticated Maintenance Mode Bypass CVE-2024-1075 3.7 Lucio Sá February 5, 2024
WPS Hide Login <= 1.9.11 - Hidden Login Page Location Disclosure CVE-2023-49748 3.7 Naveen Muthusamy January 10, 2024
Abandoned Cart Lite for WooCommerce <= 5.16.0 - Improper Authorization via wcal_preview_emails 3.7 November 21, 2023
Job Manager & Career <= 1.4.3 - Sensitive Information Exposure CVE-2023-5906 3.7 Dmitrii Ignatyev November 6, 2023
WP Job Openings <= 3.4.2 - Information Exposure CVE-2023-4933 3.7 Dmitrii Ignatyev September 25, 2023
Video Conferencing with Zoom <= 4.2.1 - Sensitive Information Exposure CVE-2023-3947 3.7 István Márton July 25, 2023
Brizy Page Builder <= 2.4.18 - IP Address Spoofing to Protection Mechanism Bypass CVE-2023-2897 3.7 Alex Thomas May 31, 2023
Freesoul Deactivate Plugins <= 1.9.4.0 - Information Disclosure CVE-2023-22687 3.7 Justiice January 13, 2023
WordPress Core < 6.0.3 - Shared User Instance Weakness 3.7 Alex Concha, Ben Bidner October 18, 2022
WordPress Core < 6.0.3 - Information Disclosure (Multi-Part Email Leak) 3.7 Thomas Kräftner October 18, 2022
loader-utils (JS package) < 3.2.1 - Regular Expression Denial of Service CVE-2022-37599 3.7 October 11, 2022
loader-utils (JS package) < 3.2.1 - Regular Expression Denial of Service CVE-2022-37603 3.7 October 11, 2022
terser (JS Package) < 5.14.2 - Denial of Service CVE-2022-25858 3.7 July 14, 2022
Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All
Rank Name
Vulnerabilities since Apr 14, 2024
Vulns
1 stealthcopter 50
2 Rafie Muhammad 41
3 Ngô Thiên An (ancorn_) 40
4 Krzysztof Zając 39
5 wesley (wcraft) 33
6 Joshua Chan 31
7 Francesco Carlucci 30
8 Dhabaleshwar Das 27
9 Abdi Pranata 26
10 Lucio Sá 24
11 Steven Julian 24
12 LVT-tholv2k 20
13 Majed Refaea 20
14 Dave Jong 19
15 Webbernaut 19
16 Dimas Maulana 19
17 Khalid 19
18 Bob Matyas 17
19 beluga 16
20 Benedictus Jovan (aillesiM) 16

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation