WordPress Vulnerability Database

Wordfence Intelligence   >   Vulnerability Database
WordPress Core
WordPress Plugins
WordPress Themes

Search All Vulnerabilities

Tip: You can search by CVE ID, software name or slug, or the researcher name. Expand to read about more advanced search options.

If you want to perform more advanced lookups, you can use keywords to further refine your search.

For example, woocommerce researcher:"chloe chamberland" would search for any vulnerabilities discovered by Chloe Chamberland in software that has WooCommerce in the title.

Keywords are added in keyword:value format. If the value contains spaces, you must enclose it in quotation marks.

You can use the following keywords to add criteria to your search:

title
Searches through the title of each vulnerability for matches.
date
Returns vulnerabilities by publication date. Use YYYY-MM-DD, YYYY-MM or YYYY format.
cvss-rating
Use low, medium, high or critical to limit the search to vulnerabilities with the specified rating.
researcher
Returns vulnerabilities credited to researchers containing the given text.
software
Returns vulnerabilities discovered in software containing the given text.
software-slug
Returns vulnerabilities discovered in software exactly matching the given slug.
software-type
Use plugin, theme or core to limit the search to the specified type of software.
By selecting “Search” you acknowledge that you have read and agree to the Wordfence Intelligence Terms and Conditions.

All Vulnerabilities

Submit Vulnerability
WP-UserOnline <= 2.88.0 - Authenticated (Admin+) Stored Cross-Site Scripting
5.5
CVE-2022-2941
Aug 22, 2022
Researcher: Juampa Rodríguez
Better Messages <= 1.9.10.57 - Resource Exhaustion
7.7
CVE-2022-33142
Aug 22, 2022
Researcher: Dhakal Ananda
WordPress Infinite Scroll – Ajax Load More <= 5.5.3 - Authenticated (Admin+) Arbitrary File Read
4.9
CVE-2022-2943
Aug 22, 2022
Researcher: Muhammad Zeeshan (Xib3rR4dAr)
Social Media Share Buttons <= 3.8.3 - Authenticated (Admin+) Stored Cross-Site Scripting
5.5
CVE ID Unknown
Aug 19, 2022
Researchers:
Craw Data <= 1.0.0 - Server Side Request Forgery
7.4
CVE-2022-2912
Aug 19, 2022
Researcher: Dhanesh Sivasamy
BuddyPress xProfile Checkout Manager for WooCommerce <= 1.3.5 - Stored Cross-Site Scripting
5.5
CVE ID Unknown
Aug 18, 2022
Researchers:
WP Server Health Stats <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting
5.5
CVE-2022-2887
Aug 18, 2022
Researchers:
OneTone Companion <= 1.1.1 - Open Mailer
5.8
CVE ID Unknown
Aug 18, 2022
Researchers:
Post SMTP Mailer/Email Log <= 2.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting
5.5
CVE-2022-2351
Aug 18, 2022
Researchers:
Scroll To Top <= 1.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
5.5
CVE-2022-2710
Aug 17, 2022
Researcher: Asif Nawaz Minhas
Gallery PhotoBlocks <= 1.2.8 - Missing Authorization Checks
5.4
CVE ID Unknown
Aug 17, 2022
Researchers:
Float to Top Button <= 2.3.6 - Authenticated (Admin+) Stored Cross-Site Scripting
5.5
CVE ID Unknown
Aug 17, 2022
Researchers:
WP STAGING – Backup Duplicator & Migration <= 2.9.17 - Authenticated (Administrator+) Stored Cross-Site Scripting
5.5
CVE-2022-2737
Aug 17, 2022
Researcher: Raad Haddad
Make, formerly Integromat Connector <= 1.5.1 - Missing Authorization to Arbitrary Options Update
8.8
CVE ID Unknown
Aug 17, 2022
Researchers:
All-in-One Video Gallery 2.5.8 - 2.6.0 - Arbitrary File Download & Server-Side Request Forgery
7.5
CVE-2022-2633
Aug 17, 2022
Researcher: Gabriele Zuddas
Mobile Events Manager <= 1.4.7 - Authenticated (Administrator+) CSV Injection
2.7
CVE-2022-1194
Aug 17, 2022
Researcher: Varun Thorat
Download Manager <= 3.2.49 - Authenticated (Contributor+) PHAR Deserialization
8.8
CVE-2022-2436
Aug 17, 2022
Researcher: Rasoul Jahanshahi
Accordion <= 2.2.43 - Authenticated (Admin+) Stored Cross-Site Scripting
5.5
CVE ID Unknown
Aug 17, 2022
Researchers:
Titan Anti Spam & Security <= 7.3.0 - IP Spoofing to Protection Bypass
5.3
CVE-2022-2877
Aug 17, 2022
Researcher: Daniel Ruf
Calendar Event Multi View <= 1.4.06 - Missing Authorization to Stored Cross-Site Scripting
7.2
CVE-2022-2846
Aug 16, 2022
Researchers:
Title CVE ID CVSS Researchers Date
WP-UserOnline <= 2.88.0 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2022-2941 5.5 Juampa Rodríguez August 22, 2022
Better Messages <= 1.9.10.57 - Resource Exhaustion CVE-2022-33142 7.7 Dhakal Ananda August 22, 2022
WordPress Infinite Scroll – Ajax Load More <= 5.5.3 - Authenticated (Admin+) Arbitrary File Read CVE-2022-2943 4.9 Muhammad Zeeshan (Xib3rR4dAr) August 22, 2022
Social Media Share Buttons <= 3.8.3 - Authenticated (Admin+) Stored Cross-Site Scripting 5.5 August 19, 2022
Craw Data <= 1.0.0 - Server Side Request Forgery CVE-2022-2912 7.4 Dhanesh Sivasamy August 19, 2022
BuddyPress xProfile Checkout Manager for WooCommerce <= 1.3.5 - Stored Cross-Site Scripting 5.5 August 18, 2022
WP Server Health Stats <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2022-2887 5.5 August 18, 2022
OneTone Companion <= 1.1.1 - Open Mailer 5.8 August 18, 2022
Post SMTP Mailer/Email Log <= 2.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2022-2351 5.5 August 18, 2022
Scroll To Top <= 1.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2022-2710 5.5 Asif Nawaz Minhas August 17, 2022
Gallery PhotoBlocks <= 1.2.8 - Missing Authorization Checks 5.4 August 17, 2022
Float to Top Button <= 2.3.6 - Authenticated (Admin+) Stored Cross-Site Scripting 5.5 August 17, 2022
WP STAGING – Backup Duplicator & Migration <= 2.9.17 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2022-2737 5.5 Raad Haddad August 17, 2022
Make, formerly Integromat Connector <= 1.5.1 - Missing Authorization to Arbitrary Options Update 8.8 August 17, 2022
All-in-One Video Gallery 2.5.8 - 2.6.0 - Arbitrary File Download & Server-Side Request Forgery CVE-2022-2633 7.5 Gabriele Zuddas August 17, 2022
Mobile Events Manager <= 1.4.7 - Authenticated (Administrator+) CSV Injection CVE-2022-1194 2.7 Varun Thorat August 17, 2022
Download Manager <= 3.2.49 - Authenticated (Contributor+) PHAR Deserialization CVE-2022-2436 8.8 Rasoul Jahanshahi August 17, 2022
Accordion <= 2.2.43 - Authenticated (Admin+) Stored Cross-Site Scripting 5.5 August 17, 2022
Titan Anti Spam & Security <= 7.3.0 - IP Spoofing to Protection Bypass CVE-2022-2877 5.3 Daniel Ruf August 17, 2022
Calendar Event Multi View <= 1.4.06 - Missing Authorization to Stored Cross-Site Scripting CVE-2022-2846 7.2 August 16, 2022
Submit Vulnerability

Researcher Hall of Fame (Past 30 days)

View All
Rank Name
Vulnerabilities since Apr 18, 2024
Vulns
1 stealthcopter 60
2 Dhabaleshwar Das 46
3 Ngô Thiên An (ancorn_) 37
4 Rafie Muhammad 35
5 wesley (wcraft) 33
6 Joshua Chan 32
7 Krzysztof Zając 29
8 Bob Matyas 26
9 Francesco Carlucci 24
10 Steven Julian 22
11 Lucio Sá 22
12 Benedictus Jovan (aillesiM) 18
13 Webbernaut 18
14 Abdi Pranata 16
15 Khalid 16
16 Majed Refaea 16
17 Dave Jong 15
18 Peng Zhou 12
19 Dmitrii Ignatyev 11
20 LVT-tholv2k 11

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation