WordPress Black Ops

Spy on your competitors!

See inside their WordPress!

Millions of WordPress EXPOSED.

Search the WordPress Black Ops Database





According to statistics from 40,000+ WordPress websites in Alexa top 1 million, more than 70% of WordPress installations are vulnerable to hacker attacks.

Of all the hacked WordPress sites Sucuri looked at, almost 40% were running out-of-date WordPress core.

"According to the WPScan Vulnerability Database, ~74% of the known vulnerabilities they logged are in the WordPress core software..."

In a survey from Wordfence of hacked website owners, over 60% of the website owners who knew how the hacker got in attributed it to a plugin or theme vulnerability.

WordPress Core Vulnerabilities (

2021-05-13 WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer

2021-04-15 WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure

2021-04-15 WordPress 5.6-5.7 - Authenticated XXE Within the Media Library Affecting PHP 8

2020-10-29 WordPress < 5.5.2 - Hardening Deserialization Requests

2020-10-29 WordPress < 5.5.2 - Unauthenticated DoS Attack to RCE

2020-10-29 WordPress < 5.5.2 - Cross-Site Request Forgery (CSRF) to Change Theme Background

2020-10-29 WordPress < 5.5.2 - Protected Meta That Could Lead to Arbitrary File Deletion

2020-10-29 WordPress < 5.5.2 - Disable Spam Embeds from Disabled Sites on a Multisite Network

2020-10-29 WordPress < 5.5.2 - Cross-Site Scripting (XSS) via Global Variables

2020-10-29 WordPress < 5.5.2 - Stored XSS in Post Slugs

2020-10-29 WordPress < 5.5.2 - XML-RPC Privilege Escalation

2020-06-11 WordPress < 5.4.2 - Disclosure of Password-Protected Page/Post Comments

2020-06-11 WordPress < 5.4.2 - Open Redirection

2020-06-11 WordPress < 5.4.2 - Authenticated XSS via Media Files

2020-06-11 WordPress < 5.4.2 - Authenticated Stored XSS via Theme Upload

2020-06-11 WordPress < 5.4.2 - Misuse of set-screen-option Leading to Privilege Escalation

2020-06-10 WordPress < 5.4.2 - Authenticated XSS in Block Editor

2020-04-29 WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads

2020-04-29 WordPress < 5.4.1 - Unauthenticated Users View Private Posts

2020-04-29 WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Search Block

2020-04-29 WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer

2020-04-29 WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated

2020-04-29 WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache

2020-01-21 WordPress <= 5.2.3 - Hardening Bypass

2019-12-13 WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links

2019-12-13 WordPress <= 5.3 - Improper Access Controls in REST API

2019-12-13 WordPress <= 5.3 - Stored XSS via Block Editor Content

2019-12-13 WordPress <= 5.3 - Stored XSS via Crafted Links

2019-12-13 WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass

2019-10-14 WordPress <= 5.2.3 - Admin Referrer Validation

2019-10-14 WordPress <= 5.2.3 - JSON Request Cache Poisoning

2019-10-14 WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation

See More Core Vulns

This is just a small sample. Of course, all these vulns have been fixed in the newest version, but with our database, you can find domains that are still running these old vulnerable versions.

Wordpress Plugin Vulnerabilities (

2020-03-04 Appointment Booking Calendar < 1.3.35 - Authenticated Stored Cross-Site Scrip...

2020-03-04 Appointment Booking Calendar < 1.3.35 - CSV Injection

2020-03-04 WooCommerce Smart Coupons < 4.6.5 - Unauthenticated Coupon Creation

2020-03-02 Testimonial < 2.1.7 - Authenticated Stored Cross-Site Scripting (XSS)

2020-02-29 Booked < 2.2.6 - Broken Authentication to Export Users Data in CSV

2020-02-27 10Web Map Builder for Google Maps < 1.0.64 - Unauthenticated Stored XSS via P..

2020-02-27 Async Javascript < - Subscriber+ Stored XSS via Plugin Settings Ch...

2017-05-24 AffiliateWP AffiliateWP <= 2.0.9 - Authenticated Cross-Site Scripting (XSS)

2014-08-01 a-forms A Forms 1.4.0 - a-forms.php a_form_section_page Function message Parameter XSS

2014-08-01 a-forms A Forms 1.4.0 - a-forms.php a_form_initial_page Function Multiple Parameter XSS

2014-08-01 a-forms A Forms 1.4.0 - a-forms.php a_form_page Function Multiple Parameter XSS

2014-08-01 a-forms A Forms 1.4.0 - a-forms.php a_form_shortcode Function Multiple Parameter XSS

2014-08-01 a-forms A Forms 1.4.0 - a-forms.php a_form_tracking_page Function Multiple Parameter XSS

2014-08-01 a-forms A Forms 1.4.0 - a-forms.php a_form_tracking_page FunctionMultiple Parameters SQL Injection

2014-08-01 a-forms A Forms 1.4.0 - a-forms.php add_field_to_section Function Multiple Parameter XSS

2014-08-01 a-forms A Forms 1.4.0 - a-forms.php aform_css_file_selector() Function css_file_selection Parameter XSS

2014-08-01 a-forms A Forms 1.4.0 - Form Submission CSRF

2014-08-01 a-gallery A Gallery 0.9 - Shell Upload

2014-08-01 a-to-z-category-listing A to Z Category Listing <= 1.3 - SQL Injection

2014-08-01 ab-categories-search-widget AB Categories Search Widget 0.1 - s Parameter Reflected XSS

2015-03-23 ab-google-map-travel AB Google Map Travel (AB-MAP) <= 3.4 - CSRF/Stored XSS

2014-08-01 abc-test ABC Test - "id" Cross-Site Scripting

2019-10-25 about-author About Author <= 1.3.9 - Authenticated Stored Cross-Site Scripting (XSS)

2020-03-24 abstract-submission Multiple plugins - Unauthenticated Dompdf Local File Inclusion (LFI)

2016-03-21 abtest ABtest - File Inclusion

2014-08-01 abtest ABtest - Directory Traversal

2018-11-20 accelerated-mobile-pages Accelerated Mobile Pages < - Stored XSS

2018-10-20 accelerated-mobile-pages Accelerated Mobile Pages <= - Multiple Unauthenticated Vulnerabilities 2014-08-01 accept-signups Accept Signups 0.1 - XSS

2021-03-26 accessally AccessAlly < 3.5.7 - $_SERVER Superglobal Leakage

2020-01-21 accessally AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution

2017-12-19 accesspress-anonymous-post-pro AccessPress Anonymous Post Pro < 3.2.0 - Unauthenticated Arbitrary File Upload

See More Plugin Vulns.

Wordpress Theme Vulnerabilities (

2020-02-17 Fruitful Theme <= 3.8 - Unauthenticated Reflected Cross-Site Scripting (XSS)

2020-01-27 CarSpot < 2.2.3 - Multiple Vulnerabilities

2020-01-16 Reality <= 2.5.1 - Unauthenticated Reflected XSS

2020-01-15 ListingPro < 2.5.4 - Unauthenticated Reflected XSS

2020-01-14 Real Estate 7 < 2.9.5 - Multiple Vulnerabilities

2020-01-13 Travel Booking < - Reflected & Persistent XSS Issues

2020-01-11 Houzez < 1.8.4 - Unauthenticated Cross-Site Scripting (XSS)

2020-05-01 Avada Avada < 6.2.3 - Missing Permission Checks leading to Arbitrary Post Creation, Edition, Deletion and Stored XSS

2017-04-26 Avada Avada Theme <= 5.1.4 - Stored Cross-Site Scripting (XSS) & CSRF

2015-02-11 awake WordPress Slider Revolution - Local File Disclosure

2014-11-30 awake WordPress Slider Revolution Shell Upload

2014-08-01 abundance Abundance - Unspecified XSS

2015-05-15 axioma ThemeMakers Themes - Information Disclosure

2020-10-01 antreas Multiple Themes - Unauthenticated Function Injection

2014-08-01 agritourismo-theme Agritourismo - Remote File Upload

2016-08-22 akal Akal Theme - Reflected Cross-Site Scripting (XSS)

2014-08-01 alltuts Site5 Wordpress Themes Email Spoofing

2014-08-01 allure-real-estate-theme-for-placester allure-real-estate-theme-for-placester <= 0.1.1 - XSS in ZeroClipboard.swf

2014-08-01 allure-real-estate-theme-for-real-estate allure-real-estate-theme-for-real-estate <= 0.1.1 - XSS in ZeroClipboard.swf

2013-06-09 ambience Ambience Theme <= 1.0 - Cross-Site Scripting (XSS)

2014-08-01 amoveo Amoveo - Arbitrary File Upload

2014-08-01 amplus Amplus - CSRF

2007-06-15 andyblue Andyblue < 20070607 - XSS

2014-08-01 anthology Anthology - Remote File Upload

2016-03-03 antioch Antioch Theme - Arbitrary File Download

2011-09-27 antisnews Antisnews < 1.10 - XSS

2014-08-01 appius appius - Arbitrary File Upload

2014-08-01 appius appius - Custom Background Shell Upload

See More Theme Vulns.

Warning: WordPress is NOT secure.

As a mindful person, shouldn't you warn your friends?

You might save them a lot of time or a lot of money!

(share? tweet?)

*shrug* up to you.

Search the WordPress Black Ops Database







How To Hack WordPress:

  • Go to the official Exploit Database
  • In their search box, put "wordpress"
  • Browse the list of vulnerable plugins
  • Choose one and click it's name for the exact exploit
  • You can find sites using it in our database HERE
Search just the plugin name:

WordPress Plugin LifterLMS 4.21.0 - Stored Cross-Site Scripting (XSS)

Search our database with LifterLMS.

If we have some listed, you'll see their domain names.

  • Install that plugin on YOUR OWN WordPress blog.

The exploit that you get from Exploit Database will probably be with Metaspoit, but hopefully all the information is in that code.

Messing with someone else's site is against the law!
 is a data-mining service crawling the web in order to collect valuable insider information on millions of WordPress blogs.

Other data-mining services like ahrefs,, and are all about checking backlinks and trying to assign a ranking-weight to each domain; they don't provide the same information that we do.

No one does, not even Google!




However, we believe those services are overpriced.

Just look at what they want to charge you:

Service Smallest plan Premium plan
$99/month     $1,000/mo
$99/month     $1,000/mo
$99/month     $1,000/mo    





We have the biggest, best, largest, most complete
list of WordPress blogs on the internet!


We have no competition!

We could charge $99/mo also.

But, Our plans are simple and we think everyone
should be able to afford a Premium account!


Guest Account, no registration.
Everyone gets a free guest account with no registration.
25 rows per query.
10 queries per day.


Premium Membership (Beta Version) $29.95/month

Only: $9.95/month for the first 25 members! (5 spots remaining)
Up to 20,000 rows per query.
100 queries per day.


Why is the price so low?

  • Because we want to launch with a bang,

  • Because this is the Beta version,
  • (there will surely be a few glitches here and there),

  • Because we run without a fancy air conditioned office,

  • and because we run with a very small staff, me!




Search the WordPress Black Ops Database


Has your wife or girlfriend been disappointed by the size of your penis? Has she ever cried "more"? That's what happened to me for many years until I found this site: [url=""]Want A Bigger Penis?[/url]. I ordered a three months supply and my wife (and my girlfriend lol) are not praising my manliness. how to have a bigger penis how to have a bigger penis how to have a bigger penis how to have a bigger penis how to have a bigger penis how to have a bigger penis how to have a bigger penis how to have a bigger penis Do you suffer from premature ejaculation? It is very frustrating to end the sex so quickly and leave your woman just laying there wanting more. That was my life until I found this easy solution Right away I order a three month supply and now my girl is smiling all day long! Articles on WordPress

How Does WordPress Work?
Chances are that you have already heard of WordPress. But what is WordPress? Simply put, WordPress is web software that you can use to create your own website or blog. Since it was released in 2003, WordPress has become one of the most popular web publishing platforms, and today it powers more than 70 million websites. Because it is built on industry standard php and mySQL, the WordPress hosting platform can run on just about any modern server.
How to Make Money With WordPress
WordPress is probably the number one free blogging platform in today's society. Thus thousands of bloggers around the world use WordPress to power their blogs (including me). But how can WordPress, a FREE blogging platform, earn you some significant income? Here is a step-by-step guide showing how to make money with WordPress.



Web Analytics