WordPress vulnerabilities: known CVEs & security history
WordPress · CMS · 581 tracked CVEs · 1 actively exploited · updated June 2026
This is the full list of known vulnerabilities (CVEs) across all WordPress release lines — 581 in total, with 1 actively exploited in the wild. A CVE here doesn't mean your version is affected — check WordPress's current status and the safe version to run.
Known WordPress CVEs
Actively-exploited and most-severe first. Showing the top 80 of 581.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2016-10033 (exploited) | critical | 9.8 | 100% | 2016 |
| CVE-2020-36326 | critical | 9.8 | 3% | 2021 |
| CVE-2020-28037 | critical | 9.8 | 8% | 2020 |
| CVE-2020-28036 | critical | 9.8 | 5% | 2020 |
| CVE-2020-28035 | critical | 9.8 | 4% | 2020 |
| CVE-2020-28032 | critical | 9.8 | 16% | 2020 |
| CVE-2019-20041 | critical | 9.8 | 5% | 2019 |
| CVE-2019-17670 | critical | 9.8 | 5% | 2019 |
| CVE-2019-17669 | critical | 9.8 | 5% | 2019 |
| CVE-2018-20148 | critical | 9.8 | 31% | 2018 |
| CVE-2017-16510 | critical | 9.8 | 8% | 2017 |
| CVE-2017-14723 | critical | 9.8 | 10% | 2017 |
| CVE-2017-5611 | critical | 9.8 | 10% | 2017 |
| CVE-2016-10045 | critical | 9.8 | 98% | 2016 |
| CVE-2007-6013 | critical | 9.8 | 3% | 2007 |
| CVE-2020-28039 | critical | 9.1 | 4% | 2020 |
| CVE-2011-5254 | high | 10 | 3% | 2013 |
| CVE-2012-4874 | high | 10 | 3% | 2012 |
| CVE-2012-4033 | high | 10 | 3% | 2012 |
| CVE-2012-3576 | high | 10 | 18% | 2012 |
| CVE-2012-3575 | high | 10 | 16% | 2012 |
| CVE-2012-2400 | high | 10 | 3% | 2012 |
| CVE-2012-2399 | high | 10 | 9% | 2012 |
| CVE-2011-3125 | high | 10 | 2% | 2011 |
| CVE-2011-3122 | high | 10 | 3% | 2011 |
| CVE-2009-2853 | high | 10 | 5% | 2009 |
| CVE-2008-6767 | high | 10 | 5% | 2009 |
| CVE-2008-4796 | high | 10 | 9% | 2008 |
| CVE-2006-4028 | high | 10 | 4% | 2006 |
| CVE-2011-3129 | high | 9.3 | 2% | 2011 |
| CVE-2009-2396 | high | 9.3 | 6% | 2009 |
| CVE-2008-4769 | high | 9.3 | 9% | 2008 |
| CVE-2008-2392 | high | 9 | 4% | 2008 |
| CVE-2020-26596 | high | 8.8 | 5% | 2020 |
| CVE-2019-17675 | high | 8.8 | 3% | 2019 |
| CVE-2019-9787 | high | 8.8 | 44% | 2019 |
| CVE-2019-8942 | high | 8.8 | 83% | 2019 |
| CVE-2018-19296 | high | 8.8 | 2% | 2018 |
| CVE-2018-1000773 | high | 8.8 | 7% | 2018 |
| CVE-2017-1000600 | high | 8.8 | 4% | 2018 |
| CVE-2018-12895 | high | 8.8 | 63% | 2018 |
| CVE-2017-17091 | high | 8.8 | 8% | 2017 |
| CVE-2017-9064 | high | 8.8 | 2% | 2017 |
| CVE-2017-5492 | high | 8.8 | 2% | 2017 |
| CVE-2017-5489 | high | 8.8 | 1% | 2017 |
| CVE-2016-6635 | high | 8.8 | 2% | 2016 |
| CVE-2020-11026 | high | 8.7 | 2% | 2020 |
| CVE-2017-9066 | high | 8.6 | 4% | 2017 |
| CVE-2017-9062 | high | 8.6 | 2% | 2017 |
| CVE-2016-4029 | high | 8.6 | 5% | 2016 |
| CVE-2016-2222 | high | 8.6 | 9% | 2016 |
| CVE-2008-5695 | high | 8.5 | 12% | 2008 |
| CVE-2021-44223 | high | 8.1 | 29% | 2021 |
| CVE-2014-6412 | high | 8.1 | 5% | 2018 |
| CVE-2022-21662 | high | 8 | 65% | 2022 |
| CVE-2022-21661 | high | 8 | 98% | 2022 |
| CVE-2007-0539 | high | 7.8 | 3% | 2007 |
| CVE-2007-0262 | high | 7.8 | 2% | 2007 |
| CVE-2024-31210 | high | 7.6 | 1% | 2024 |
| CVE-2021-39202 | high | 7.6 | 1% | 2021 |
| CVE-2021-39201 | high | 7.6 | 2% | 2021 |
| CVE-2020-28033 | high | 7.5 | 3% | 2020 |
| CVE-2019-17673 | high | 7.5 | 3% | 2019 |
| CVE-2018-20151 | high | 7.5 | 7% | 2018 |
| CVE-2018-6389 | high | 7.5 | 73% | 2018 |
| CVE-2012-6707 | high | 7.5 | 1% | 2017 |
| CVE-2017-14722 | high | 7.5 | 8% | 2017 |
| CVE-2017-14719 | high | 7.5 | 13% | 2017 |
| CVE-2017-9065 | high | 7.5 | 4% | 2017 |
| CVE-2017-1001000 | high | 7.5 | 82% | 2017 |
| CVE-2017-5493 | high | 7.5 | 3% | 2017 |
| CVE-2016-5839 | high | 7.5 | 3% | 2016 |
| CVE-2016-5838 | high | 7.5 | 3% | 2016 |
| CVE-2016-5837 | high | 7.5 | 4% | 2016 |
| CVE-2016-5836 | high | 7.5 | 4% | 2016 |
| CVE-2016-5835 | high | 7.5 | 4% | 2016 |
| CVE-2016-5832 | high | 7.5 | 3% | 2016 |
| CVE-2015-2213 | high | 7.5 | 11% | 2015 |
| CVE-2003-1599 | high | 7.5 | 3% | 2014 |
| CVE-2003-1598 | high | 7.5 | 3% | 2014 |
501 older / lower-severity CVEs not shown — see WordPress's full record.
Is my WordPress version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
WordPress vulnerabilities — frequently asked
How many known vulnerabilities does WordPress have?
IsItPatched tracks 581 CVEs for WordPress, 1 of which is actively exploited (CISA KEV). 16 are critical-severity and 139 high-severity. These span every release line — what matters is whether the version you run is affected.
Does WordPress have any actively-exploited vulnerabilities?
Yes — 1 WordPress CVE is in CISA's Known Exploited Vulnerabilities catalog, meaning it is confirmed exploited in the wild. Patch it as a priority.
What is the most severe WordPress vulnerability?
Among tracked issues, CVE-2016-10033 (CRITICAL, CVSS 9.8), which is actively exploited, ranks highest — a CWE-88 weakness.
Is WordPress safe to use?
It depends on the version. The latest supported WordPress release (7.0.0) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Always verify against WordPress's advisories.