🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > Francesco Carlucci

Francesco Carlucci

All Time Ranking

481

All Time Discoveries

158

90 Day Published Submissions

22 Nov '24

Last Published Submission

About

Hacker and Digital Nomad, the worst combination ever :)

12 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 361-380 of 481 Vulnerabilities

Anonymous Restricted Content <= 1.6.2 - Protection Mechanism Bypass

5.3

CVE-2024-0909

Feb 2, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

ThemeIsle SDK <= Various Versions - Missing Authorization

5.3

CVE-2024-1047

Feb 1, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

ARMember <= 4.0.24 - Improper Access Control to Sensitive Information Exposure via REST API

5.3

CVE-2024-0969

Feb 1, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via restore_records()

5.3

CVE-2024-0907

Jan 31, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via set_starred()

5.3

CVE-2024-1129

Jan 31, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via set_read()

5.3

CVE-2024-1130

Jan 31, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

SALESmanago <= 3.2.4 - Log Injection via Weak Authentication Token

5.3

CVE-2023-4939

Oct 20, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Stripe Payment Plugin for WooCommerce <= 3.7.9 - Missing Authorization to Arbitrary Order Status Modification

5.3

CVE-2023-4040

Aug 17, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_list_callback

5.0

CVE-2024-0451

May 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_upload_callback

5.0

CVE-2024-0452

May 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_delete_callback

5.0

CVE-2024-0453

May 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

ArtiBot Free Chat Bot for WordPress WebSites <= 1.1.6 - Missing Authorization to Settings Update

5.0

CVE-2024-0447

Feb 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Export customers list csv for WooCommerce <= 2.0.67 - CSV Injection

4.8

CVE-2022-3603

Nov 3, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

ArtiBot Free Chat Bot for WordPress WebSites <= 1.1.6 - Authenticated (Admin+) Cross-Site Scripting

4.4

CVE-2024-0449

Feb 27, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

WPDash Notes <= 1.3.5 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

4.3

CVE-2024-9223

Nov 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Enter Addons – Ultimate Template Builder for Elementor <= 2.1.9 - Authenticated (Contributor+) Post Disclosure

4.3

CVE-2024-10868

Nov 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Easy Twitter Feed – Twitter feeds plugin for WP <= 1.2.6 - Authenticated (Contributor+) Post Exposure

4.3

CVE-2024-10666

Nov 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) <= 1.1.8 - Insecure Direct Object Reference to Sensitive Information Exposure via UA_Template Shortcode

4.3

CVE-2024-10696

Nov 20, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

If-So Dynamic Content Personalization <= 1.9.2.1 - Authenticated (Contributor+) Post Disclosure

4.3

CVE-2024-10796

Nov 20, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Button Block – Get fully customizable & multi-functional buttons <= 1.1.4 - Authenticated (Contributor+) Post Disclosure

4.3

CVE-2024-10671

Nov 20, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Title	CVE ID	CVSS	Vector	Date
Anonymous Restricted Content <= 1.6.2 - Protection Mechanism Bypass	CVE-2024-0909	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	February 2, 2024
ThemeIsle SDK <= Various Versions - Missing Authorization	CVE-2024-1047	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	February 1, 2024
ARMember <= 4.0.24 - Improper Access Control to Sensitive Information Exposure via REST API	CVE-2024-0969	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	February 1, 2024
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via restore_records()	CVE-2024-0907	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	January 31, 2024
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via set_starred()	CVE-2024-1129	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	January 31, 2024
NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.5.6 - Missing Authorization via set_read()	CVE-2024-1130	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	January 31, 2024
SALESmanago <= 3.2.4 - Log Injection via Weak Authentication Token	CVE-2023-4939	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	October 20, 2023
Stripe Payment Plugin for WooCommerce <= 3.7.9 - Missing Authorization to Arbitrary Order Status Modification	CVE-2023-4040	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	August 17, 2023
AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_list_callback	CVE-2024-0451	5.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N	May 21, 2024
AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_upload_callback	CVE-2024-0452	5.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N	May 21, 2024
AI ChatBot <= 5.3.4 - Missing Authorization via openai_file_delete_callback	CVE-2024-0453	5.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N	May 21, 2024
ArtiBot Free Chat Bot for WordPress WebSites <= 1.1.6 - Missing Authorization to Settings Update	CVE-2024-0447	5.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N	February 26, 2024
Export customers list csv for WooCommerce <= 2.0.67 - CSV Injection	CVE-2022-3603	4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	November 3, 2022
ArtiBot Free Chat Bot for WordPress WebSites <= 1.1.6 - Authenticated (Admin+) Cross-Site Scripting	CVE-2024-0449	4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N	February 27, 2024
WPDash Notes <= 1.3.5 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure	CVE-2024-9223	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	November 22, 2024
Enter Addons – Ultimate Template Builder for Elementor <= 2.1.9 - Authenticated (Contributor+) Post Disclosure	CVE-2024-10868	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	November 22, 2024
Easy Twitter Feed – Twitter feeds plugin for WP <= 1.2.6 - Authenticated (Contributor+) Post Exposure	CVE-2024-10666	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	November 21, 2024
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) <= 1.1.8 - Insecure Direct Object Reference to Sensitive Information Exposure via UA_Template Shortcode	CVE-2024-10696	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	November 20, 2024
If-So Dynamic Content Personalization <= 1.9.2.1 - Authenticated (Contributor+) Post Disclosure	CVE-2024-10796	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	November 20, 2024
Button Block – Get fully customizable & multi-functional buttons <= 1.1.4 - Authenticated (Contributor+) Post Disclosure	CVE-2024-10671	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	November 20, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation