🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > Francesco Carlucci

Francesco Carlucci

All Time Ranking

341

All Time Discoveries

90 Day Published Submissions

13 Sep '24

Last Published Submission

About

Hacker and Digital Nomad, the worst combination ever :)

11 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 261-280 of 341 Vulnerabilities

Oxygen Builder <= 4.8.3 - Missing Authorization to Authenticated (Subscriber+) Stylesheet Update

4.3

CVE-2024-6688

Aug 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Custom Field For WP Job Manager <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode

4.3

CVE-2023-7049

Aug 15, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Breakdance <= 1.7.2 - Missing Authorization

4.3

CVE-2024-5331

Jul 31, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Tutor LMS – Migration Tool <= 2.2.2 - Missing Authorization in tutor_import_from_xml

4.3

CVE-2024-1804

Jul 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Event post <= 5.9.6 - Cross-Site Request Forgery

4.3

CVE-2024-1375

Jul 11, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Just Custom Fields <= 3.3.2 - Cross-Site Request Forgery via AJAX actions

4.3

CVE-2024-6168

Jul 8, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Just Custom Fields <= 3.3.2 - Missing Authorization via AJAX actions

4.3

CVE-2024-6167

Jul 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Bricks Builder <= 1.9.8 - Insecure Direct Object Reference

4.3

CVE-2024-4874

Jun 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Hide Dashboard Notifications <= 1.3 - Missing Authorization to Authenticated(Contributor+) Plugin Settings Modification

4.3

CVE-2024-1955

Jun 20, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Schema App Structured Data <= 2.2.0 - Cross-Site Request Forgery

4.3

CVE-2024-0892

Jun 13, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Custom Field Template <= 2.6.1 - Authenticated(Contributor+) Information Exposure

4.3

CVE-2023-6748

Jun 10, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Advanced Custom Fields <= 6.2.10 - Authenticated (Contributor+) Arbitrary Custom Field Access

4.3

CVE-2024-4565

May 30, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Schema App Structured Data <= 2.2.0 - Missing Authorization

4.3

CVE-2024-0893

May 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Event post <= 5.9.4 - Missing Authorization

4.3

CVE-2024-1376

May 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease <= 2.6.6 - Missing Authorization to Sensitive Information Exposure

4.3

CVE-2024-0437

May 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

ClickCease Click Fraud Protection <= 3.2.4 - Improper Authorization to sensitive information exposure via get_settings

4.3

CVE-2023-6810

May 6, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Import and export users and customers <= 1.26.5 - Missing Authorization

4.3

CVE-2024-1050

May 3, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

SimpleShop <= 2.10.0 - Cross-Site Request Forgery

4.3

CVE-2024-1230

May 3, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

ACF Front End Editor <= 2.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update

4.3

CVE-2024-3072

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

ACF On-The-Go <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update

4.3

CVE-2024-3071

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
Oxygen Builder <= 4.8.3 - Missing Authorization to Authenticated (Subscriber+) Stylesheet Update	CVE-2024-6688	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	August 26, 2024
Custom Field For WP Job Manager <= 1.2 - Insecure Direct Object Reference to Sensitive Information Exposure via Shortcode	CVE-2023-7049	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	August 15, 2024
Breakdance <= 1.7.2 - Missing Authorization	CVE-2024-5331	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	July 31, 2024
Tutor LMS – Migration Tool <= 2.2.2 - Missing Authorization in tutor_import_from_xml	CVE-2024-1804	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	July 26, 2024
Event post <= 5.9.6 - Cross-Site Request Forgery	CVE-2024-1375	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	July 11, 2024
Just Custom Fields <= 3.3.2 - Cross-Site Request Forgery via AJAX actions	CVE-2024-6168	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	July 8, 2024
Just Custom Fields <= 3.3.2 - Missing Authorization via AJAX actions	CVE-2024-6167	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	July 8, 2024
Bricks Builder <= 1.9.8 - Insecure Direct Object Reference	CVE-2024-4874	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	June 21, 2024
Hide Dashboard Notifications <= 1.3 - Missing Authorization to Authenticated(Contributor+) Plugin Settings Modification	CVE-2024-1955	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	June 20, 2024
Schema App Structured Data <= 2.2.0 - Cross-Site Request Forgery	CVE-2024-0892	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	June 13, 2024
Custom Field Template <= 2.6.1 - Authenticated(Contributor+) Information Exposure	CVE-2023-6748	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	June 10, 2024
Advanced Custom Fields <= 6.2.10 - Authenticated (Contributor+) Arbitrary Custom Field Access	CVE-2024-4565	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	May 30, 2024
Schema App Structured Data <= 2.2.0 - Missing Authorization	CVE-2024-0893	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 23, 2024
Event post <= 5.9.4 - Missing Authorization	CVE-2024-1376	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 23, 2024
Password Protected – Ultimate Plugin to Password Protect Your WordPress Content with Ease <= 2.6.6 - Missing Authorization to Sensitive Information Exposure	CVE-2024-0437	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	May 14, 2024
ClickCease Click Fraud Protection <= 3.2.4 - Improper Authorization to sensitive information exposure via get_settings	CVE-2023-6810	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	May 6, 2024
Import and export users and customers <= 1.26.5 - Missing Authorization	CVE-2024-1050	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 3, 2024
SimpleShop <= 2.10.0 - Cross-Site Request Forgery	CVE-2024-1230	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	May 3, 2024
ACF Front End Editor <= 2.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update	CVE-2024-3072	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	April 29, 2024
ACF On-The-Go <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Update	CVE-2024-3071	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	April 29, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation