🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > Krzysztof Zając

Krzysztof Zając

Organization: CERT PL

All Time Ranking

415

All Time Discoveries

90 Day Published Submissions

18 Sep '24

Last Published Submission

About

Finding WordPress vulnerabilities using https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 201-220 of 415 Vulnerabilities

Essential Real Estate <= 4.3.5 - Missing Authorization to Stored Cross-Site Scripting

6.4

CVE-2023-6141

Dec 18, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Getwid – Gutenberg Blocks <= 2.0.2 - Improper Input Validation to Arbitrary Email Sending to Admin

5.3

CVE-2023-6042

Dec 15, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

WP VR <= 8.3.14 - Missing Authorization to Plugin Version Downgrade

5.3

CVE-2023-6529

Dec 14, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Html5 Video Player <= 2.5.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVE-2023-6485

Dec 8, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Simple Social Media Share Buttons <= 5.1.0 - Unauthenticated Password Protected Post Disclosure

5.3

CVE-2023-5845

Dec 6, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Royal Elementor Addons and Templates <= 1.3.80 - Missing Authorization to Private/Password Protected Post Read

5.3

CVE-2023-5922

Dec 6, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Get Use APIs – JSON Content Importer <= 1.5.3 - Reflected Cross-Site Scripting

6.1

CVE-2023-6268

Dec 4, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Hotel Booking Lite <= 4.8.4 - Insufficient Path Validation to Unauthenticated Arbitrary File Deletion and Download

9.8

CVE-2023-5991

Dec 1, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Quiz Maker <= 6.4.9.4 - Missing Authorization to Email Disclosure

5.3

CVE-2023-6155

Nov 30, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.15 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVE-2023-5931

Nov 29, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

BestWebSoft's Like & Share <= 2.73 - Unauthenticated Password Protected Post Disclosure

5.3

CVE-2023-6250

Nov 29, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Swift Performance Lite <= 2.3.6.14 - Missing Authorization to Unauthenticated Settings Export

5.3

CVE-2023-6289

Nov 27, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Simple Social Media Share Buttons <= 3.8.2 - Unauthenticated Password Protected Post Disclosure

5.3

CVE-2023-5949

Nov 23, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Product Catalog Mode For WooCommerce <= 5.0.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-5348

Nov 21, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

The Events Calendar <= 6.2.8 - Information Disclosure

5.3

CVE-2023-6203

Nov 20, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting

6.1

CVE-2023-5749

Nov 17, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Ultimate Responsive Image Slider <= 3.5.11 - Missing Authorization via AJAX action

4.3

CVE-2023-6077

Nov 16, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

eCommerce Product Catalog for WordPress <= 3.3.25 - Cross-Site Request Forgery

5.4

CVE-2023-5979

Nov 13, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Word Balloon <= 4.20.2 - Cross-Site Request Forgery

4.3

CVE-2023-5884

Nov 13, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Welcart e-Commerce <= 2.9.4 - Unauthenticated PHP Object Injection

9.8

CVE-2023-5952

Nov 10, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Essential Real Estate <= 4.3.5 - Missing Authorization to Stored Cross-Site Scripting	CVE-2023-6141	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	December 18, 2023
Getwid – Gutenberg Blocks <= 2.0.2 - Improper Input Validation to Arbitrary Email Sending to Admin	CVE-2023-6042	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	December 15, 2023
WP VR <= 8.3.14 - Missing Authorization to Plugin Version Downgrade	CVE-2023-6529	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	December 14, 2023
Html5 Video Player <= 2.5.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting	CVE-2023-6485	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	December 8, 2023
Simple Social Media Share Buttons <= 5.1.0 - Unauthenticated Password Protected Post Disclosure	CVE-2023-5845	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	December 6, 2023
Royal Elementor Addons and Templates <= 1.3.80 - Missing Authorization to Private/Password Protected Post Read	CVE-2023-5922	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	December 6, 2023
Get Use APIs – JSON Content Importer <= 1.5.3 - Reflected Cross-Site Scripting	CVE-2023-6268	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 4, 2023
Hotel Booking Lite <= 4.8.4 - Insufficient Path Validation to Unauthenticated Arbitrary File Deletion and Download	CVE-2023-5991	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	December 1, 2023
Quiz Maker <= 6.4.9.4 - Missing Authorization to Email Disclosure	CVE-2023-6155	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	November 30, 2023
rtMedia for WordPress, BuddyPress and bbPress <= 4.6.15 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2023-5931	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 29, 2023
BestWebSoft's Like & Share <= 2.73 - Unauthenticated Password Protected Post Disclosure	CVE-2023-6250	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	November 29, 2023
Swift Performance Lite <= 2.3.6.14 - Missing Authorization to Unauthenticated Settings Export	CVE-2023-6289	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	November 27, 2023
Simple Social Media Share Buttons <= 3.8.2 - Unauthenticated Password Protected Post Disclosure	CVE-2023-5949	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	November 23, 2023
Product Catalog Mode For WooCommerce <= 5.0.2 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-5348	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	November 21, 2023
The Events Calendar <= 6.2.8 - Information Disclosure	CVE-2023-6203	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	November 20, 2023
EmbedPress <= 3.9.1 - Reflected Cross-Site Scripting	CVE-2023-5749	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	November 17, 2023
Ultimate Responsive Image Slider <= 3.5.11 - Missing Authorization via AJAX action	CVE-2023-6077	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	November 16, 2023
eCommerce Product Catalog for WordPress <= 3.3.25 - Cross-Site Request Forgery	CVE-2023-5979	5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L	November 13, 2023
Word Balloon <= 4.20.2 - Cross-Site Request Forgery	CVE-2023-5884	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	November 13, 2023
Welcart e-Commerce <= 2.9.4 - Unauthenticated PHP Object Injection	CVE-2023-5952	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	November 10, 2023

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation