This repository is a collection of vulnerable WordPress plugins. It can be used for evaluating security testing techniques in the field of web security, and it is especially intended for fuzzer evaluations.
In this section, you will learn how to set up a vulnerable WordPress 6.7.1 instance. Please don't expose this to the internet! The website will contain several critical vulnerabilities! You are responsible for your own actions.
Please install WP-CLI on your machine. You can find detailed installation instructions here. Advanced usage is well documented on developer.wordpress.org.
```shell
# Download WordPress core. The remaining wp commands resolve the install from the
# current directory, so run them from /var/www/html or add --path=/var/www/html.
wp core download --path=/var/www/html --version=6.7.1 --locale=en_US

# Write wp-config.php; --prompt=dbpass asks for the database password interactively
wp config create \
  --dbname=your_db_name \
  --dbuser=your_db_user \
  --prompt=dbpass

# Create the database and install the site with the admin/admin credentials
wp db create
wp core install \
  --url=wordpress.local \
  --title="Vulnerable WordPress" \
  --admin_user=admin \
  --admin_password=admin \
  --admin_email=webmaster@wordpress.local

# Check this repository out as the plugins directory
# (git clone needs the target directory to be empty or absent)
git clone https://github.com/david-prv/vulnerable-wordpress-plugins -b main /var/www/html/wp-content/plugins

# Install the plugin dependencies (install_dependencies.py ships with the cloned
# repository) and activate every plugin
python3 install_dependencies.py --yes /var/www/html/wp-content/plugins
wp plugin activate --all
```

That's it, you're done!
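A post-install check for the lab built with the steps above (an added example, not part of the repository): it confirms that the installed core is 6.7.1 and that `wp plugin activate --all` left no plugin inactive. It assumes WP-CLI is on the PATH, the instance lives in /var/www/html (override with WP_PATH), and the script is saved as verify_lab.sh and run as `sh verify_lab.sh check`.

```shell
#!/bin/sh
# Post-install verification for the lab described above (added example, not from the repository).
# Assumes WP-CLI on PATH and the instance under /var/www/html (override with WP_PATH).
WP_PATH="${WP_PATH:-/var/www/html}"
EXPECTED_VERSION="6.7.1"

# Succeeds when the version string passed in equals the version the setup installs.
core_version_ok() {
    [ "$1" = "$EXPECTED_VERSION" ]
}

# Reads the output of `wp plugin list --format=csv` (header: name,status,update,version)
# on stdin and prints the slug of every plugin whose status is not "active".
inactive_plugins() {
    awk -F, 'NR > 1 && $2 != "active" { print $1 }'
}

# Queries the live instance and reports anything that deviates from the expected state.
main() {
    version=$(wp core version --path="$WP_PATH")
    if ! core_version_ok "$version"; then
        echo "unexpected core version: $version (expected $EXPECTED_VERSION)" >&2
        return 1
    fi
    inactive=$(wp plugin list --path="$WP_PATH" --format=csv | inactive_plugins)
    if [ -n "$inactive" ]; then
        echo "plugins not active after 'wp plugin activate --all':" >&2
        echo "$inactive" >&2
        return 1
    fi
    echo "core $version installed and every plugin active"
}

# The checks only run when invoked as `sh verify_lab.sh check`, so the
# functions above can also be sourced and used on their own.
if [ "${1:-}" = "check" ]; then
    main
fi
```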
The list is sorted by number of active installations, in descending order.

| CVE | Vulnerability type | CVSS | Publicly published | Last updated | Researcher | Active installations |
|-----|--------------------|------|--------------------|--------------|------------|----------------------|
| CVE-2022-0775 | Improper Authorization | 5.4 (Medium) | February 22, 2022 | February 6, 2024 | Krzysztof Zając - CERT PL | 8,000,000 |
| CVE-2024-3246 | CSRF | 6.1 (Medium) | July 23, 2024 | July 24, 2024 | Krzysztof Zając - CERT PL | 6,000,000 |
| CVE-2024-5612 | XSS | 6.4 (Medium) | June 6, 2024 | June 7, 2024 | wesley (wcraft) | 2,000,000 |
| CVE-2022-44737 | CSRF | 8.8 (High) | November 22, 2022 | January 22, 2024 | Rafie Muhammad - Patchstack | 1,000,000 |
| CVE-2024-1592 | XSS | 4.3 (Medium) | March 1, 2024 | March 2, 2024 | Krzysztof Zając - CERT PL | 1,000,000 |
| CVE-2020-8772 | Authentication Bypass | 9.8 (Critical) | January 14, 2020 | January 10, 2023 | WebARX Security - WebARX Security | 200,000 |
| CVE-2024-8353 | Object Injection | 10.0 (Critical) | September 27, 2024 | September 28, 2024 | cuokon | 100,000 |
| CVE-2022-3911 | Missing Authorization | 8.8 (High) | December 12, 2022 | February 2, 2023 | Krzysztof Zając - CERT PL | 100,000 |
| CVE-2024-10913 | Object Injection | 8.8 (High) | November 19, 2024 | November 20, 2024 | Webbernaut | 70,000 |
| CVE-2019-9978 | XSS | 7.2 (High) | March 21, 2019 | January 22, 2024 | Andrew Wilder | 20,000 |
| CVE-2024-7350 | Authentication Bypass | 9.8 (Critical) | August 7, 2024 | August 8, 2024 | Gibran Abdillah | 20,000 |
| CVE-2024-29102 | XSS | 7.2 (High) | March 15, 2024 | March 20, 2024 | RE-ALTER | 6,000 |
