🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > Krzysztof Zając

Krzysztof Zając

Organization: CERT PL

All Time Ranking

415

All Time Discoveries

90 Day Published Submissions

18 Sep '24

Last Published Submission

About

Finding WordPress vulnerabilities using https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 281-300 of 415 Vulnerabilities

Google Pagespeed Insights <= 4.0.3 - Reflected Cross-Site Scripting

6.1

CVE-2022-0431

Mar 8, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Menu Image, Icons made easy <= 3.0.7 - Authenticated Cross-Site Scripting

6.4

CVE-2022-0450

Mar 7, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Akismet Privacy Policies <= 2.0.1 - Reflected Cross-Site Scripting

6.1

CVE-2021-25071

Mar 7, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Popup Builder <= 4.1.0 - SQL Injection

9.8

CVE-2022-0479

Mar 7, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WPC Smart Wishlist for WooCommerce <= 2.9.3 - Reflected Cross-Site Scripting

6.1

CVE-2022-0397

Mar 1, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Pz-LinkCard <= 2.4.5.1 - Reflected Cross-Site Scripting

6.1

CVE-2021-25012

Mar 1, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

3D FlipBook <= 1.12.0 - Subscriber+ Stored Cross-Site Scripting

6.4

CVE-2022-0423

Feb 28, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

SEO Plugin by Squirrly SEO <= 11.1.11 - Reflected Cross-Site Scripting

6.1

CVE-2021-25019

Feb 28, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

miniOrange's Google Authenticator <= 5.4.52 - Unauthenticated Arbitrary Options Deletion

8.1

CVE-2022-0229

Feb 28, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Advanced Contact form 7 DB <= 1.8.6 - Authenticated Arbitrary File Deletion

8.8

CVE-2021-24905

Feb 22, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WooCommerce <= 6.2.0 - Incorrect Authorization Checks on REST API Endpoints

5.4

CVE-2022-0775

Feb 22, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

WPCargo <= 6.8.9 - Unauthenticated Remote Code Execution

9.8

CVE-2021-25003

Feb 21, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Cookie Information | Free GDPR Consent Solution <= 2.0.7 - Reflected Cross-Site Scripting

6.1

CVE-2022-0147

Feb 21, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Master Addons for Elementor <= 1.8.1 - Reflected Cross-Site Scripting

6.1

CVE-2022-0327

Feb 21, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ARI Fancy Lightbox <= 1.3.8 - Reflected Cross-Site Scripting

6.1

CVE-2022-0161

Feb 17, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Page Builder KingComposer <= 2.9.6 - Open Redirect

8.8

CVE-2022-0165

Feb 16, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Better WordPress Google XML Sitemaps <= 1.4.1 - Unauthenticated Stored Cross-Site Scripting

6.1

CVE-2022-0230

Feb 16, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Advanced Product Labels for WooCommerce <= 1.2.3.6 - Reflected Cross-Site Scripting

6.1

CVE-2022-0399

Feb 15, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Photo Gallery by 10Web <= 1.5.87 - Unauthenticated SQL Injection via bwg_tag_id_bwg_thumbnails_0 Parameter

9.8

CVE-2022-0169

Feb 15, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WP Cerber Security <= 8.9.5.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2022-0429

Feb 14, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
Google Pagespeed Insights <= 4.0.3 - Reflected Cross-Site Scripting	CVE-2022-0431	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 8, 2022
Menu Image, Icons made easy <= 3.0.7 - Authenticated Cross-Site Scripting	CVE-2022-0450	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	March 7, 2022
Akismet Privacy Policies <= 2.0.1 - Reflected Cross-Site Scripting	CVE-2021-25071	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 7, 2022
Popup Builder <= 4.1.0 - SQL Injection	CVE-2022-0479	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 7, 2022
WPC Smart Wishlist for WooCommerce <= 2.9.3 - Reflected Cross-Site Scripting	CVE-2022-0397	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 1, 2022
Pz-LinkCard <= 2.4.5.1 - Reflected Cross-Site Scripting	CVE-2021-25012	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 1, 2022
3D FlipBook <= 1.12.0 - Subscriber+ Stored Cross-Site Scripting	CVE-2022-0423	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	February 28, 2022
SEO Plugin by Squirrly SEO <= 11.1.11 - Reflected Cross-Site Scripting	CVE-2021-25019	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	February 28, 2022
miniOrange's Google Authenticator <= 5.4.52 - Unauthenticated Arbitrary Options Deletion	CVE-2022-0229	8.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H	February 28, 2022
Advanced Contact form 7 DB <= 1.8.6 - Authenticated Arbitrary File Deletion	CVE-2021-24905	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 22, 2022
WooCommerce <= 6.2.0 - Incorrect Authorization Checks on REST API Endpoints	CVE-2022-0775	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	February 22, 2022
WPCargo <= 6.8.9 - Unauthenticated Remote Code Execution	CVE-2021-25003	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 21, 2022
Cookie Information \| Free GDPR Consent Solution <= 2.0.7 - Reflected Cross-Site Scripting	CVE-2022-0147	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	February 21, 2022
Master Addons for Elementor <= 1.8.1 - Reflected Cross-Site Scripting	CVE-2022-0327	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	February 21, 2022
ARI Fancy Lightbox <= 1.3.8 - Reflected Cross-Site Scripting	CVE-2022-0161	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	February 17, 2022
Page Builder KingComposer <= 2.9.6 - Open Redirect	CVE-2022-0165	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	February 16, 2022
Better WordPress Google XML Sitemaps <= 1.4.1 - Unauthenticated Stored Cross-Site Scripting	CVE-2022-0230	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	February 16, 2022
Advanced Product Labels for WooCommerce <= 1.2.3.6 - Reflected Cross-Site Scripting	CVE-2022-0399	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	February 15, 2022
Photo Gallery by 10Web <= 1.5.87 - Unauthenticated SQL Injection via bwg_tag_id_bwg_thumbnails_0 Parameter	CVE-2022-0169	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 15, 2022
WP Cerber Security <= 8.9.5.2 - Unauthenticated Stored Cross-Site Scripting	CVE-2022-0429	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	February 14, 2022

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation