VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 12 known issues Latest disclosed Jan 06, 2026

BulletProof Security Vulnerabilities

Review known vulnerability records for the WordPress plugin BulletProof Security (`bulletproof-security`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-67931, CVE-2022-1265 and CVE-2022-0590, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
12
High or Critical
2
Patch Coverage
100%
Last Updated
Jan 14, 2026
Priority CVE Quick Links

Fast paths into BulletProof Security CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs
10
CVE-2014-7959 High .51.1
CVE-2014-7959 BulletProof Security SQL Injection

BulletProof Security < .51.1 - SQL Injection

CVE-2022-1265 Medium 6.1
CVE-2022-1265 BulletProof Security Stored Cross-Site Scripting

BulletProof Security <= 6.0 - Stored Cross-Site Scripting

CVE-2013-3487 Medium .49
CVE-2013-3487 BulletProof Security Cross-Site Scripting

BulletProof Security <= .48.9 - Cross-Site Scripting

CVE-2012-4268 Medium .47.1
CVE-2012-4268 BulletProof Security Cross-Site Scripting

BulletProof Security < .47.1 - Reflected Cross-Site Scripting

CVE-2022-0590 Medium 5.8
CVE-2022-0590 BulletProof Security Stored Cross-Site Scripting

BulletProof Security <= 5.7 - Admin+ Stored Cross-Site Scripting

CVE-2014-7958 Medium .51.1
CVE-2014-7958 BulletProof Security Cross-Site Scripting

BulletProof Security < .51.1 - Cross-Site Scripting

CVE-2025-67931 Medium 7.0
CVE-2025-67931 BulletProof Security Sensitive Information Exposure

BulletProof Security <= 6.9 - Unauthenticated Sensitive Information Exposure

CVE-2021-39327 Medium 5.2
CVE-2021-39327 BulletProof Security Vulnerability

BulletProof Security <= 5.1 - Sensitive Information Disclosure

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for BulletProof Security so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
12 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 2 high severity findings.
Recent CVEs
CVE-2025-67931, CVE-2022-1265 and CVE-2022-0590
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for BulletProof Security

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-67931
CVE-2025-67931: BulletProof Security <= 6.9 - Unauthenticated Sensitive Information Exposure

The BulletProof Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.9. This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.

Published
Jan 06, 2026
Patched Release
7.0
Affected Versions
Versions up to 6.9
Next Step
Update to 7.0 or newer if supported.
Open CVE-2025-67931 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-1265
CVE-2022-1265: BulletProof Security <= 6.0 - Stored Cross-Site Scripting

The BulletProof Security WordPress plugin before 6.1 does not sanitize and escape some of its CAPTCHA settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Published
Apr 19, 2022
Patched Release
6.1
Affected Versions
Versions before 6.1
Next Step
Update to 6.1 or newer if supported.
Open CVE-2022-1265 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2022-0590
CVE-2022-0590: BulletProof Security <= 5.7 - Admin+ Stored Cross-Site Scripting

The BulletProof Security WordPress plugin before 5.8 does not sanitise and escape some of its settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Published
Feb 22, 2022
Patched Release
5.8
Affected Versions
Versions before 5.8
Next Step
Update to 5.8 or newer if supported.
Open CVE-2022-0590 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2021-39327
CVE-2021-39327: BulletProof Security <= 5.1 - Sensitive Information Disclosure

The BulletProof Security WordPress plugin is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible ~/db_backup_log.txt file which grants attackers the full path of the site, in addition to the path of database backup files. This a...

Published
Sep 16, 2021
Patched Release
5.2
Affected Versions
Versions up to 5.1
Next Step
Update to 5.2 or newer if supported.
Open CVE-2021-39327 Report Open CVE Reference
Plugin Medium Patched: Yes
BulletProof Security <= .53.3 - Authenticated Cross-Site Scripting

The BulletProof Security plugin for WordPress is vulnerable to Cross-Site Scripting via the ‘user-agent-ignore’ parameter in versions up to, and including, .53.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inje...

Published
May 11, 2016
Patched Release
.53.4
Affected Versions
Versions before .53.4
Next Step
Update to .53.4 or newer if supported.
Open Full Report
Plugin High Patched: Yes
BulletProof Security <= .53.2 - Cross-Site Scripting

The BulletProof Security plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, .53.2 due to insufficient input sanitization and output escaping on the bulletproof_security_options_email[bps_send_email_cc] and bulletproof_security_options_ema...

Published
Mar 17, 2016
Patched Release
.53.3
Affected Versions
Versions up to .53.2
Next Step
Update to .53.3 or newer if supported.
Open Full Report
Plugin Medium Patched: Yes CVE-2014-7958
CVE-2014-7958: BulletProof Security < .51.1 - Cross-Site Scripting

CVE-2014-7958: Cross-site scripting (XSS) vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dbhost parameter.

Published
Nov 05, 2014
Patched Release
.51.1
Affected Versions
Versions before .51.1
Next Step
Update to .51.1 or newer if supported.
Open CVE-2014-7958 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2014-8749
CVE-2014-8749: BulletProof Security < .51.1 - Server-Side Request Forgery

Server-side request forgery (SSRF) vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote attackers to trigger outbound requests that authenticate to arbitrary databases via the dbhost parameter.

Published
Nov 05, 2014
Patched Release
.51.1
Affected Versions
Versions up to .51
Next Step
Update to .51.1 or newer if supported.
Open CVE-2014-8749 Report Open CVE Reference
Plugin High Patched: Yes CVE-2014-7959
CVE-2014-7959: BulletProof Security < .51.1 - SQL Injection

SQL injection vulnerability in admin/htaccess/bpsunlock.php in the BulletProof Security plugin before .51.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tableprefix parameter.

Published
Oct 07, 2014
Patched Release
.51.1
Affected Versions
Versions before .51.1
Next Step
Update to .51.1 or newer if supported.
Open CVE-2014-7959 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2015-9230
CVE-2015-9230: BulletProof Security < .52.5 - Cross-Site Scripting

In the admin/db-backup-security/db-backup-security.php page in the BulletProof Security plugin before .52.5 for WordPress, XSS is possible for remote authenticated administrators via the DBTablePrefix parameter.

Published
Sep 30, 2014
Patched Release
.52.5
Affected Versions
Versions before .52.5
Next Step
Update to .52.5 or newer if supported.
Open CVE-2015-9230 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2013-3487
CVE-2013-3487: BulletProof Security <= .48.9 - Cross-Site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in the security log in the BulletProof Security plugin before .49 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified HTML header fields to (1) 400.php, (2) 403.php, or (3) 403.php.

Published
Aug 01, 2014
Patched Release
.49
Affected Versions
Versions up to .48.9
Next Step
Update to .49 or newer if supported.
Open CVE-2013-3487 Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2012-4268
CVE-2012-4268: BulletProof Security < .47.1 - Reflected Cross-Site Scripting

Cross-site scripting (XSS) vulnerability in bulletproof-security/admin/options.php in the BulletProof Security plugin before .47.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the HTTP_ACCEPT_ENCODING header.

Published
May 11, 2012
Patched Release
.47.1
Affected Versions
Versions before .47.1
Next Step
Update to .47.1 or newer if supported.
Open CVE-2012-4268 Report Open CVE Reference