🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

WordPress Vulnerability Database

Wordfence Intelligence > Vulnerability Database

WordPress Core

WordPress Plugins

WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title

Searches through the title of each vulnerability for matches.

date

Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.

cvss-rating

Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.

researcher

Returns vulnerabilities credited to researchers containing the given text.

software

Returns vulnerabilities discovered in software containing the given text.

software-slug

Returns vulnerabilities discovered in software exactly matching the given slug.

software-type

Use plugin, theme or core to limit the search to the specified type of software.

By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.17 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-4156

Apr 30, 2024

Researcher: wesley (wcraft)

Barcode Scanner with Inventory & Order Manager <= 1.5.4 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2024-2661

Apr 30, 2024

Researcher: Peter Thaleikis

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.6.1 - Missing Authorization

4.3

CVE-2024-3936

Apr 30, 2024

Researcher: Pavel Palii

ElementsKit Elementor addons 3.0.7 - 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget

6.4

CVE-2024-3650

Apr 30, 2024

Researcher: wesley (wcraft)

Jeg Elementor Kit <= 2.6.4 - Authenticated (Contributor+) Cross-Site Scripting via Elementor Widget URL Custom Attributes

6.4

CVE-2024-0334

Apr 30, 2024

Researcher: Webbernaut

Slider Revolution <= 6.7.7 - Authenticated (Author+) Stored Cross-Site Scripting via htmltag Parameter

6.4

CVE-2024-4092

Apr 30, 2024

Researcher: wesley (wcraft)

Cost Calculator Builder Pro <= 3.1.67 - Unauthenticated Cross-Site Scripting via SVG Upload

7.2

CVE-2024-4097

Apr 30, 2024

Researcher: andrea bocchetti

Jeg Elementor Kit <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

6.4

CVE-2024-3161

Apr 30, 2024

Researcher: Webbernaut

ACF On-The-Go <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update

4.3

CVE-2024-3071

Apr 29, 2024

Researcher: Francesco Carlucci

Inline Google Spreadsheet Viewer <= 0.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-3674

Apr 29, 2024

Researcher: Krzysztof Zając

Premium Addons for Elementor <= 4.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVE-2024-4203

Apr 29, 2024

Researcher: Ngô Thiên An (ancorn_)

Event Monster <= 1.3.4 - Authenticated(Contributor+) PHP Object Injection via Custom Meta

7.5

CVE-2024-1895

Apr 29, 2024

Researcher: Francesco Carlucci

Subway – Private Site Option <= 2.1.4 - Improper Access Control to Sensitive Information Exposure via REST API

5.3

CVE-2024-1678

Apr 29, 2024

Researcher: Francesco Carlucci

Grid Gallery – Photo Image Grid Gallery <= 1.4.3 - Authenticated(Contributor+) PHP Object Injection via shortcode

7.5

CVE-2024-1897

Apr 29, 2024

Researcher: Francesco Carlucci

Mhr Post Ticker <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-3021

Apr 29, 2024

Researcher: Benedictus Jovan

Different Menu in Different Pages – Control Menu Visibility (All in One) <= 2.3.2 - Missing Authorization to Menu Duplication

4.3

CVE-2024-3206

Apr 29, 2024

Researcher: Lucio Sá

All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic <= 4.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-3554

Apr 29, 2024

Researcher: Krzysztof Zając

Admin Page Spider <= 3.20 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-2401

Apr 29, 2024

Researcher: Dikshita Trivedi (Cybersecdexter)

Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce <= 3.4.6 - Authenticated(Subscriber+) Stored Cross-Site Scripting via Templates

6.4

CVE-2024-1679

Apr 29, 2024

Researcher: Lucio Sá

Fancy Elementor Flipbox <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Elementor Flipbox Widget

6.4

CVE-2024-2349

Apr 29, 2024

Researcher: Francesco Carlucci

Title	CVE ID	CVSS	Researchers	Date
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.17 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-4156	6.4	wesley (wcraft)	April 30, 2024
Barcode Scanner with Inventory & Order Manager <= 1.5.4 - Authenticated (Subscriber+) SQL Injection	CVE-2024-2661	8.8	Peter Thaleikis	April 30, 2024
The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.6.1 - Missing Authorization	CVE-2024-3936	4.3	Pavel Palii	April 30, 2024
ElementsKit Elementor addons 3.0.7 - 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Accordion Widget	CVE-2024-3650	6.4	wesley (wcraft)	April 30, 2024
Jeg Elementor Kit <= 2.6.4 - Authenticated (Contributor+) Cross-Site Scripting via Elementor Widget URL Custom Attributes	CVE-2024-0334	6.4	Webbernaut	April 30, 2024
Slider Revolution <= 6.7.7 - Authenticated (Author+) Stored Cross-Site Scripting via htmltag Parameter	CVE-2024-4092	6.4	wesley (wcraft)	April 30, 2024
Cost Calculator Builder Pro <= 3.1.67 - Unauthenticated Cross-Site Scripting via SVG Upload	CVE-2024-4097	7.2	andrea bocchetti	April 30, 2024
Jeg Elementor Kit <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget	CVE-2024-3161	6.4	Webbernaut	April 30, 2024
ACF On-The-Go <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update	CVE-2024-3071	4.3	Francesco Carlucci	April 29, 2024
Inline Google Spreadsheet Viewer <= 0.13.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-3674	6.4	Krzysztof Zając	April 29, 2024
Premium Addons for Elementor <= 4.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-4203	5.4	Ngô Thiên An (ancorn_)	April 29, 2024
Event Monster <= 1.3.4 - Authenticated(Contributor+) PHP Object Injection via Custom Meta	CVE-2024-1895	7.5	Francesco Carlucci	April 29, 2024
Subway – Private Site Option <= 2.1.4 - Improper Access Control to Sensitive Information Exposure via REST API	CVE-2024-1678	5.3	Francesco Carlucci	April 29, 2024
Grid Gallery – Photo Image Grid Gallery <= 1.4.3 - Authenticated(Contributor+) PHP Object Injection via shortcode	CVE-2024-1897	7.5	Francesco Carlucci	April 29, 2024
Mhr Post Ticker <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-3021	4.4	Benedictus Jovan	April 29, 2024
Different Menu in Different Pages – Control Menu Visibility (All in One) <= 2.3.2 - Missing Authorization to Menu Duplication	CVE-2024-3206	4.3	Lucio Sá	April 29, 2024
All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic <= 4.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-3554	6.4	Krzysztof Zając	April 29, 2024
Admin Page Spider <= 3.20 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-2401	4.4	Dikshita Trivedi (Cybersecdexter)	April 29, 2024
Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce <= 3.4.6 - Authenticated(Subscriber+) Stored Cross-Site Scripting via Templates	CVE-2024-1679	6.4	Lucio Sá	April 29, 2024
Fancy Elementor Flipbox <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Elementor Flipbox Widget	CVE-2024-2349	6.4	Francesco Carlucci	April 29, 2024

Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All

Rank	Name	Vulnerabilities since Apr 3, 2024 Vulns
1	Dhabaleshwar Das	80
2	Joshua Chan	45
3	Rafie Muhammad	45
4	Krzysztof Zając	44
5	Majed Refaea	39
6	stealthcopter	38
7	Ngô Thiên An (ancorn_)	34
8	Francesco Carlucci	33
9	Abdi Pranata	28
10	wesley (wcraft)	28
11	Lucio Sá	28
12	Dave Jong	27
13	Steven Julian	23
14	beluga	23
15	Khalid	22
16	LVT-tholv2k	20
17	Dimas Maulana	18
18	Mika	16
19	Webbernaut	16
20	CatFather	13

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation