🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > Daniel Ruf

Daniel Ruf

All Time Ranking

154

All Time Discoveries

90 Day Published Submissions

N/A

Last Published Submission

Showing 101-120 of 154 Vulnerabilities

Ultimate Noindex Nofollow Tool <= 1.1.2 - Cross-Site Request Forgery to Settings Update

6.1

CVE-2023-7196

Jan 23, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Marketing Twitter Bot <= 1.11 - Cross-Site Request Forgery to Settings Update and Cross-Site Scripting

6.1

CVE-2023-7197

Jan 23, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Voting Record <= 2.0 - Cross-Site Request Forgery to Settings Update and Cross-Site Scripting

6.1

CVE-2023-7083

Jan 10, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

WP Plugin Lister <= 2.1.0 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

6.1

CVE-2023-6503

Jan 3, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Autotitle for WordPress <= 1.0.3 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

6.1

CVE-2023-6946

Jan 2, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Progressive License <= 1.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVE-2022-2171

Jul 7, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

WP Post Styling <= 1.3.0 - Cross-Site Request Forgery

6.1

CVE-2022-1845

May 31, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

MailPress <= 7.2.1 - Cross-Site Request Forgery

6.1

CVE-2022-1843

May 31, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

WP-EMail <= 2.68.2 - Cross-Site Request Forgery to Log Deletion

6.1

CVE-2022-1630

May 30, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Wyzi - Social Directory WordPress Theme <= 2.4.2 - Reflected Cross-Site Scripting

6.1

CVE-2022-1164

Feb 6, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Careerfy < 3.9.0 - Cross-Site Scripting

6.1

CVE-2022-1169

Jun 3, 2020

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Noo JobMonster < 4.5.2.9 - Reflected Cross-Site Scripting

6.1

CVE-2022-1170

Oct 24, 2019

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

WP Total Hacks <= 4.7.2 - Authenticated (Subscriber+) Plugin Options Update to Cross-Site Scripting

5.5

CVE-2022-3096

Oct 10, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Flexi Quote Rotator <= 0.9.4 - Authenticated Stored Cross-Site Scripting

5.5

CVE ID Unknown

Jul 6, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Misiek Photo Album <= 1.4.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

5.4

CVE-2024-7818

Aug 22, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Auto-hyperlink URLs <= 5.4.1 - Tab Nabbing

5.4

CVE-2022-2600

Aug 1, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Shortcut Macros <= 1.3 - Missing Authorization to Settings Update

5.4

CVE-2022-1956

Jun 16, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Files Download Delay <= 1.0.6 - Missing Authorization to Settings Reset

5.4

CVE-2022-1570

May 15, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Change WP Admin Login <= 1.0.9 - Missing Authorization Checks

5.4

CVE-2022-1589

May 9, 2022

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N

User Access Manager <= 2.2.16 - IP Spoofing

5.3

CVE-2022-1601

Aug 4, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Title	CVE ID	CVSS	Vector	Date
Ultimate Noindex Nofollow Tool <= 1.1.2 - Cross-Site Request Forgery to Settings Update	CVE-2023-7196	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	January 23, 2024
Marketing Twitter Bot <= 1.11 - Cross-Site Request Forgery to Settings Update and Cross-Site Scripting	CVE-2023-7197	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	January 23, 2024
Voting Record <= 2.0 - Cross-Site Request Forgery to Settings Update and Cross-Site Scripting	CVE-2023-7083	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	January 10, 2024
WP Plugin Lister <= 2.1.0 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting	CVE-2023-6503	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	January 3, 2024
Autotitle for WordPress <= 1.0.3 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting	CVE-2023-6946	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	January 2, 2024
Progressive License <= 1.1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2022-2171	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	July 7, 2022
WP Post Styling <= 1.3.0 - Cross-Site Request Forgery	CVE-2022-1845	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	May 31, 2022
MailPress <= 7.2.1 - Cross-Site Request Forgery	CVE-2022-1843	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	May 31, 2022
WP-EMail <= 2.68.2 - Cross-Site Request Forgery to Log Deletion	CVE-2022-1630	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	May 30, 2022
Wyzi - Social Directory WordPress Theme <= 2.4.2 - Reflected Cross-Site Scripting	CVE-2022-1164	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	February 6, 2021
Careerfy < 3.9.0 - Cross-Site Scripting	CVE-2022-1169	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	June 3, 2020
Noo JobMonster < 4.5.2.9 - Reflected Cross-Site Scripting	CVE-2022-1170	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	October 24, 2019
WP Total Hacks <= 4.7.2 - Authenticated (Subscriber+) Plugin Options Update to Cross-Site Scripting	CVE-2022-3096	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	October 10, 2022
Flexi Quote Rotator <= 0.9.4 - Authenticated Stored Cross-Site Scripting		5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	July 6, 2022
Misiek Photo Album <= 1.4.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2024-7818	5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	August 22, 2024
Auto-hyperlink URLs <= 5.4.1 - Tab Nabbing	CVE-2022-2600	5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	August 1, 2022
Shortcut Macros <= 1.3 - Missing Authorization to Settings Update	CVE-2022-1956	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	June 16, 2022
Files Download Delay <= 1.0.6 - Missing Authorization to Settings Reset	CVE-2022-1570	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	May 15, 2022
Change WP Admin Login <= 1.0.9 - Missing Authorization Checks	CVE-2022-1589	5.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N	May 9, 2022
User Access Manager <= 2.2.16 - IP Spoofing	CVE-2022-1601	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	August 4, 2023

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation