WPScan Vulnerability Database

Cataloging 13939 WordPress Core, Plugin and Theme vulnerabilities

Latest WordPress Vulnerabilities


2019-03-13 WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
2019-02-19 WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
2018-12-13 WordPress <= 5.0 - Authenticated File Delete
2018-12-13 WordPress <= 5.0 - Authenticated Post Type Bypass
2018-12-13 WordPress <= 5.0 - PHP Object Injection via Meta Data
2018-12-13 WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
2018-12-13 WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins

Latest Plugin Vulnerabilities


2019-03-21 Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
2019-03-17 Easy WP SMTP <= 1.3.9 - Unauthenticated Arbitrary wp_options Import
2019-03-16 GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
2019-03-15 Better Search 2.2.2 - Unauthenticated SQL Injection
2019-03-14 SG Optimizer <= 5.0.12 - Unauthenticated File Upload
2019-03-11 Abandoned Cart Lite for WooCommerce <= 5.1.3 - Stored Cross-Site Scripting (XSS)
2019-03-10 WP Fastest Cache <= 0.8.9.0 - Unauthenticated Arbitrary File Deletion

Latest Theme Vulnerabilities


2019-02-14 Newspaper Theme <= 9.2.2 - Cross-Site Scripting (XSS)
2018-12-04 JobCareer | Job Board Responsive WordPress Theme <= 2.4 - User enumeration & ...
2018-10-30 ElegantThemes (divi, extra, divi-builder) - Authenticated Stored Cross-Site S...
2018-08-19 Supreme Directory Theme <= 1.1.8 - Unauthenticated Cross-Site Scripting (XSS)
2018-05-10 BBE Theme <= 1.52 - Direct Object Reference
2018-02-08 Swape Theme - Authentication Bypass and Stored XSS
2018-01-27 Enfold Theme <= 4.2 - Rewrite Portfolio Permalink Structure & Information Dis...

Most Viewed Vulnerabilities


2014-11-25 WordPress <= 4.0 - CSRF in wp-login.php Password Reset
2018-09-04 Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
2018-06-27 WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
2014-08-01 Contact Form 7 <= 3.7.1 - CAPTCHA Bypass
2018-12-13 WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
2018-12-13 WordPress <= 5.0 - Authenticated File Delete
2018-12-13 WordPress <= 5.0 - PHP Object Injection via Meta Data