🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > Dave Jong

Dave Jong

Organization: Patchstack

All Time Ranking

260

All Time Discoveries

90 Day Published Submissions

N/A

Last Published Submission

Showing 41-60 of 260 Vulnerabilities

Api2Cart Bridge Connector <= 1.1.0 - Arbitrary File Upload

9.8

CVE-2022-42698

Oct 28, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zynith SEO <= 7.4.9 - Missing Authorization to Unauthenticated Arbitrary Option Deletion

9.1

CVE-2024-43939

Aug 26, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Droip <= 1.1.1 - Unauthenticated Arbitrary File Deletion

9.1

CVE-2024-43955

Aug 26, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

WooCommerce PDF Vouchers <= 4.9.4 - Unauthenticated Arbitrary File Deletion

9.1

CVE-2024-39651

Aug 1, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Woocommerce OpenPos <= 6.4.4 - Unauthenticated Arbitrary File Deletion

9.1

CVE-2024-37932

Jul 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Jobmonster <= 4.7.0 - Unauthenticated Arbitrary File Deletion

9.1

CVE-2024-37928

Jul 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

WatchTowerHQ <= 3.6.15 - Unauthenticated Arbitrary File Deletion

9.1

CVE-2022-44584

Nov 1, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVE-2024-43249

Aug 12, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Bit Form Pro <= 2.6.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update

8.8

CVE-2024-43250

Aug 12, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Book Your Travel <= 8.18.17 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVE-2024-37952

Jul 4, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WishList Member X <= 3.25.1 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVE-2024-37107

Jun 20, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

XforWooCommerce <= 2.0.2 - Authenticated (Subscriber+) Local File Inclusion

8.8

CVE-2024-33628

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ARforms <= 6.4 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2024-32706

Apr 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Hercules Core <= 6.4 - Authenticated (Subscriber+) PHP Object Injection

8.8

CVE-2024-30228

Mar 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WP Media folder <= 5.7.2 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVE-2024-25909

Feb 15, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Profile Builder Pro <= 3.10.0 - Cross-Site Request Forgery

8.8

CVE-2024-22140

Jan 10, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Houzez CRM <= 1.3.4 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2023-36529

Jun 27, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CM Pop-Up banners <= 1.5.10 - Authenticated (Subscriber+) SQL Injection via getStatistics

8.8

CVE-2023-30750

May 3, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Intrepidity <= 1.5.1 - Cross-Site Request Forgery via mytheme_add_admin

8.8

CVE-2023-27634

Mar 13, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Corsa Theme <= 1.5 - Authenticated Arbitrary File Upload

8.8

CVE-2023-23970

Jan 23, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Api2Cart Bridge Connector <= 1.1.0 - Arbitrary File Upload	CVE-2022-42698	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 28, 2022
Zynith SEO <= 7.4.9 - Missing Authorization to Unauthenticated Arbitrary Option Deletion	CVE-2024-43939	9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	August 26, 2024
Droip <= 1.1.1 - Unauthenticated Arbitrary File Deletion	CVE-2024-43955	9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	August 26, 2024
WooCommerce PDF Vouchers <= 4.9.4 - Unauthenticated Arbitrary File Deletion	CVE-2024-39651	9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	August 1, 2024
Woocommerce OpenPos <= 6.4.4 - Unauthenticated Arbitrary File Deletion	CVE-2024-37932	9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	July 9, 2024
Jobmonster <= 4.7.0 - Unauthenticated Arbitrary File Deletion	CVE-2024-37928	9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	July 9, 2024
WatchTowerHQ <= 3.6.15 - Unauthenticated Arbitrary File Deletion	CVE-2022-44584	9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	November 1, 2022
Bit Form Pro <= 2.6.4 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2024-43249	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	August 12, 2024
Bit Form Pro <= 2.6.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update	CVE-2024-43250	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	August 12, 2024
Book Your Travel <= 8.18.17 - Authenticated (Subscriber+) Privilege Escalation	CVE-2024-37952	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	July 4, 2024
WishList Member X <= 3.25.1 - Authenticated (Subscriber+) Privilege Escalation	CVE-2024-37107	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	June 20, 2024
XforWooCommerce <= 2.0.2 - Authenticated (Subscriber+) Local File Inclusion	CVE-2024-33628	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 25, 2024
ARforms <= 6.4 - Authenticated (Subscriber+) SQL Injection	CVE-2024-32706	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 22, 2024
Hercules Core <= 6.4 - Authenticated (Subscriber+) PHP Object Injection	CVE-2024-30228	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 26, 2024
WP Media folder <= 5.7.2 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2024-25909	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 15, 2024
Profile Builder Pro <= 3.10.0 - Cross-Site Request Forgery	CVE-2024-22140	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	January 10, 2024
Houzez CRM <= 1.3.4 - Authenticated (Subscriber+) SQL Injection	CVE-2023-36529	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	June 27, 2023
CM Pop-Up banners <= 1.5.10 - Authenticated (Subscriber+) SQL Injection via getStatistics	CVE-2023-30750	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	May 3, 2023
Intrepidity <= 1.5.1 - Cross-Site Request Forgery via mytheme_add_admin	CVE-2023-27634	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	March 13, 2023
Corsa Theme <= 1.5 - Authenticated Arbitrary File Upload	CVE-2023-23970	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	January 23, 2023

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation