WPScan Vulnerability Database

Cataloging 16776 WordPress Core, Plugin and Theme vulnerabilities

Latest WordPress Vulnerabilities

2019-10-14 WordPress <= 5.2.3 - Admin Referrer Validation
2019-10-14 WordPress <= 5.2.3 - JSON Request Cache Poisoning
2019-10-14 WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation
2019-10-14 WordPress <= 5.2.3 - Stored XSS in Customizer
2019-10-14 WordPress <= 5.2.3 - Stored XSS in Style Tags
2019-10-14 WordPress <= 5.2.3 - Viewing Unauthenticated Posts
2019-09-05 WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation

Latest Plugin Vulnerabilities

2019-10-14 Lara Google Analytics <= 2.0.4 - Authenticated Stored XSS
2019-10-14 Popup-Maker < 1.8.12 - Multiple Vulnerabilities
2019-10-11 wpDataTables <= 2.0.7 - XSS & SQL Injection
2019-10-09 iThemes Sync <= 2.0.17 - Insufficient Secure Key Validation
2019-10-08 All In One WP Security & Firewall <= 4.4.1 - Open Redirect & Hidden Login Pag...
2019-10-07 Export Users to CSV < 1.4 - Unauthorised CSV Access
2019-10-02 Download Plugins and Themes from Dashboard <= 1.5.0 - Unauthenticated Stored XSS

Latest Theme Vulnerabilities

2019-10-09 SoundPress <= 2.2.6 - Cross-Site Scripting (XSS)
2019-09-08 Nexos - Real Estate <= 1.6 - SQL Injection & Persistent XSS
2019-09-08 Reality | Estate Multipurpose <= 2.3.0 - Multiple Persistent XSS
2019-09-08 Selio - Real Estate Directory <= 1.1 - SQL Injection & Persistent XSS
2019-07-29 Real Estate 7 <= 2.9.0 - Stored XSS & IDOR
2019-07-05 Zoner - Real Estate <= 4.1 - Reflected & Stored XSS
2019-05-05 Traveler - Travel Booking WordPress Theme 2.7.1 - Reflected & Stored XSS

Most Viewed Vulnerabilities

2018-09-04 Contact Form 7 <= 5.0.3 - register_post_type() Privilege Escalation
2019-03-13 WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
2014-08-01 Contact Form 7 <= 3.7.1 - CAPTCHA Bypass
2014-11-25 WordPress <= 4.0 - CSRF in wp-login.php Password Reset
2018-06-27 WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
2018-12-13 WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
2018-12-13 WordPress <= 5.0 - PHP Object Injection via Meta Data