🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > Francesco Carlucci

Francesco Carlucci

All Time Ranking

481

All Time Discoveries

158

90 Day Published Submissions

22 Nov '24

Last Published Submission

About

Hacker and Digital Nomad, the worst combination ever :)

12 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 61-80 of 481 Vulnerabilities

Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure

7.5

CVE-2023-5132

Oct 20, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

UX Flat <= 4.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

7.4

CVE-2024-2459

Mar 19, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Add Subtitle <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

7.4

CVE-2021-24897

Jan 26, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Uix Slideshow <= 1.6.5 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVE-2024-9839

Nov 15, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Enable Shortcodes inside Widgets,Comments and Experts <= 1.0.0 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVE-2024-9846

Oct 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Uix Shortcodes – Compatible with Gutenberg <= 1.9.9 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVE-2024-9772

Oct 25, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add

7.3

CVE-2024-9061

Oct 15, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

AADMY – Add Auto Date Month Year Into Posts <= 2.0.1 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVE-2024-9837

Oct 14, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Shortcodes AnyWhere <= 1.0.1 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVE-2024-9581

Oct 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Special Text Boxes <= 6.2.4 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVE-2024-8481

Sep 24, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Simple Spoiler 1.2 - 1.3 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVE-2024-8479

Sep 13, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Affiliate Super Assistent <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution

7.3

CVE-2024-8478

Sep 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling Plugin <= 1.0.21 - Missing Authorization to Limited Privilege Escalation

7.3

CVE-2024-1094

Jun 13, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Bulgarisation for WooCommerce <= 3.0.14 - Missing Authorization

7.3

CVE-2024-0683

Mar 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Bulgarisation for WooCommerce <= 3.0.14 - Cross-Site Request Forgery

7.3

CVE-2024-2395

Mar 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.1 - Missing Authorization

7.3

CVE-2024-0702

Feb 19, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Grid View Gallery <= 1.0 - Authenticated (Editor+) PHP Object Injection

7.2

CVE-2024-11409

Nov 20, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SendPulse Free Web Push <= 1.3.6 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-9184

Oct 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-8914

Sep 23, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Simple Job Board <= 2.12.3 - Authenticated (Editor+) PHP Object Injection

7.2

CVE-2024-7351

Aug 23, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure	CVE-2023-5132	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	October 20, 2023
UX Flat <= 4.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-2459	7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L	March 19, 2024
Add Subtitle <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2021-24897	7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L	January 26, 2022
Uix Slideshow <= 1.6.5 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-9839	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	November 15, 2024
Enable Shortcodes inside Widgets,Comments and Experts <= 1.0.0 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-9846	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	October 29, 2024
Uix Shortcodes – Compatible with Gutenberg <= 1.9.9 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-9772	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	October 25, 2024
WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add	CVE-2024-9061	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	October 15, 2024
AADMY – Add Auto Date Month Year Into Posts <= 2.0.1 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-9837	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	October 14, 2024
Shortcodes AnyWhere <= 1.0.1 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-9581	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	October 9, 2024
Special Text Boxes <= 6.2.4 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-8481	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	September 24, 2024
Simple Spoiler 1.2 - 1.3 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-8479	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	September 13, 2024
Affiliate Super Assistent <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-8478	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	September 9, 2024
Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling Plugin <= 1.0.21 - Missing Authorization to Limited Privilege Escalation	CVE-2024-1094	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	June 13, 2024
Bulgarisation for WooCommerce <= 3.0.14 - Missing Authorization	CVE-2024-0683	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	March 12, 2024
Bulgarisation for WooCommerce <= 3.0.14 - Cross-Site Request Forgery	CVE-2024-2395	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	March 12, 2024
Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.1 - Missing Authorization	CVE-2024-0702	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	February 19, 2024
Grid View Gallery <= 1.0 - Authenticated (Editor+) PHP Object Injection	CVE-2024-11409	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	November 20, 2024
SendPulse Free Web Push <= 1.3.6 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-9184	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	October 16, 2024
Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-8914	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	September 23, 2024
Simple Job Board <= 2.12.3 - Authenticated (Editor+) PHP Object Injection	CVE-2024-7351	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	August 23, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation