🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > Krzysztof Zając

Krzysztof Zając

Organization: CERT PL

All Time Ranking

415

All Time Discoveries

90 Day Published Submissions

18 Sep '24

Last Published Submission

About

Finding WordPress vulnerabilities using https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 261-280 of 415 Vulnerabilities

Ad Invalid Click Protector (AICP) <= 1.2.5.2 - Cross-Site Request Forgery to Arbitrary Ban Deletion

4.3

CVE-2022-0191

Apr 13, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

ThirstyAffiliates Affiliate Link Manager <= 3.10.4 - Subscriber+ Arbitrary Affiliate Links Creation

5.4

CVE-2022-0398

Apr 10, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

English WordPress Admin <= 1.5.1.1 - Unauthenticated Open Redirect

7.2

CVE-2021-25111

Apr 8, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Nimble Page Builder <= 3.2.1 - Reflected Cross-Site Scripting

6.1

CVE-2022-0314

Apr 8, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Advanced Page Visit Counter <= 6.1.5 - Subscriber+ Blind SQL injection

8.8

CVE-2021-24957

Apr 8, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Content Egg <= 5.3.0 - Reflected Cross-Site Scripting

6.1

CVE-2022-0428

Apr 6, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Advanced Page Visit Counter <= 5.0.8 - Unauthenticated Cross-Site Scripting

7.2

CVE-2021-25086

Apr 5, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.4.3 - Missing Authorization

4.3

CVE-2022-0287

Apr 4, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.4.3 - Missing Authorization

6.5

CVE-2022-0363

Mar 29, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Caldera Forms <= 1.9.6 - Reflected Cross-Site Scripting via cf-api

6.1

CVE-2022-0879

Mar 28, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Favicon by RealFaviconGenerator <= 1.3.22 - Reflected Cross-Site Scripting

6.1

CVE-2022-0471

Mar 21, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Migration, Backup, Staging – WPvivid <= 0.9.69 - Reflected Cross-Site Scripting via sub_page Parameter

6.1

CVE-2022-0531

Mar 21, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

LearnPress <= 4.1.5 - Reflected Cross-Site Scripting

6.1

CVE-2022-0271

Mar 16, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

GridKit Portfolio <= 2.0.0 - Subscriber+ Stored Cross-Site Scripting

5.4

CVE-2021-25090

Mar 15, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Social Share, Social Login and Social Comments < 7.13.30 - Reflected Cross-Site Scripting

6.1

CVE-2021-24987

Mar 15, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Post Grid < 2.1.16 - Reflected Cross-Site Scripting

6.1

CVE-2022-0447

Mar 15, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Dropdown Menu Widget <= 1.9.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting

6.4

CVE-2021-25113

Mar 14, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Page Builder KingComposer <= 2.9.6 - Authenticated Arbitrary Profile Creation and Stored Cross-Site Scripting

8.5

CVE-2021-25048

Mar 14, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Material Design for Contact Form 7 <= 2.6.4 - Missing Authorization to Arbitrary Settings Update

6.5

CVE-2022-0404

Mar 11, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

WP Block and Stop Bad Bots <= 6.88 - SQL Injection

9.8

CVE-2021-25070

Mar 8, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Ad Invalid Click Protector (AICP) <= 1.2.5.2 - Cross-Site Request Forgery to Arbitrary Ban Deletion	CVE-2022-0191	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 13, 2022
ThirstyAffiliates Affiliate Link Manager <= 3.10.4 - Subscriber+ Arbitrary Affiliate Links Creation	CVE-2022-0398	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	April 10, 2022
English WordPress Admin <= 1.5.1.1 - Unauthenticated Open Redirect	CVE-2021-25111	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 8, 2022
Nimble Page Builder <= 3.2.1 - Reflected Cross-Site Scripting	CVE-2022-0314	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	April 8, 2022
Advanced Page Visit Counter <= 6.1.5 - Subscriber+ Blind SQL injection	CVE-2021-24957	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 8, 2022
Content Egg <= 5.3.0 - Reflected Cross-Site Scripting	CVE-2022-0428	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	April 6, 2022
Advanced Page Visit Counter <= 5.0.8 - Unauthenticated Cross-Site Scripting	CVE-2021-25086	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 5, 2022
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.4.3 - Missing Authorization	CVE-2022-0287	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	April 4, 2022
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.4.3 - Missing Authorization	CVE-2022-0363	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	March 29, 2022
Caldera Forms <= 1.9.6 - Reflected Cross-Site Scripting via cf-api	CVE-2022-0879	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 28, 2022
Favicon by RealFaviconGenerator <= 1.3.22 - Reflected Cross-Site Scripting	CVE-2022-0471	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 21, 2022
Migration, Backup, Staging – WPvivid <= 0.9.69 - Reflected Cross-Site Scripting via sub_page Parameter	CVE-2022-0531	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 21, 2022
LearnPress <= 4.1.5 - Reflected Cross-Site Scripting	CVE-2022-0271	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 16, 2022
GridKit Portfolio <= 2.0.0 - Subscriber+ Stored Cross-Site Scripting	CVE-2021-25090	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	March 15, 2022
Social Share, Social Login and Social Comments < 7.13.30 - Reflected Cross-Site Scripting	CVE-2021-24987	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 15, 2022
Post Grid < 2.1.16 - Reflected Cross-Site Scripting	CVE-2022-0447	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 15, 2022
Dropdown Menu Widget <= 1.9.7 - Cross-Site Request Forgery to Stored Cross-Site Scripting	CVE-2021-25113	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	March 14, 2022
Page Builder KingComposer <= 2.9.6 - Authenticated Arbitrary Profile Creation and Stored Cross-Site Scripting	CVE-2021-25048	8.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N	March 14, 2022
Material Design for Contact Form 7 <= 2.6.4 - Missing Authorization to Arbitrary Settings Update	CVE-2022-0404	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	March 11, 2022
WP Block and Stop Bad Bots <= 6.88 - SQL Injection	CVE-2021-25070	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 8, 2022

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation