🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > Krzysztof Zając

Krzysztof Zając

Organization: CERT PL

All Time Ranking

415

All Time Discoveries

90 Day Published Submissions

18 Sep '24

Last Published Submission

About

Finding WordPress vulnerabilities using https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 41-60 of 415 Vulnerabilities

Easy Property Listings <= 3.5.2 - Authenticated(Contributor+) SQL Injection via Shortcode

8.8

CVE-2024-1893

Mar 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.7.7 - Authenticated (Contributor+) SQL Injection via Shortcode

8.8

CVE-2024-2342

Mar 20, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.7.7 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2024-2341

Mar 20, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress <= 6.8.6 - Authenticated (Contributor+) SQL Injection via Shortcode

8.8

CVE-2024-1799

Mar 19, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 5.3.0.0 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVE-2024-1991

Mar 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

HUSKY – Products Filter for WooCommerce Professional <= 1.3.5.2 - Authenticated (Contributor+) SQL Injection

8.8

CVE-2024-1795

Mar 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce <= 7.0.7 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2024-1203

Feb 27, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2024-0594

Feb 9, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.15 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVE-2023-5931

Nov 29, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

iubenda <= 3.3.2 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVE-2022-3911

Dec 12, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Icegram Express <= 5.4.19 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2022-3981

Nov 21, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Easy Digital Downloads <= 2.11.7 - Cross-Site Request Forgery to Arbitrary Post Deletion

8.8

CVE-2022-2387

Oct 17, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

WP Coder <= 2.5.2 - Cross-Site Request Forgery

8.8

CVE-2022-2388

Jul 26, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Advanced Page Visit Counter <= 6.1.5 - Subscriber+ Blind SQL injection

8.8

CVE-2021-24957

Apr 8, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Advanced Contact form 7 DB <= 1.8.6 - Authenticated Arbitrary File Deletion

8.8

CVE-2021-24905

Feb 22, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Page Builder KingComposer <= 2.9.6 - Open Redirect

8.8

CVE-2022-0165

Feb 16, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

WP Visitor Statistics (Real Time Traffic) <= 5.5 - SQL Injection

8.8

CVE-2022-0410

Feb 14, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Email Subscribers & Newsletters <= 5.3.1 - Authenticated (or Cross-Site Request Forgery) Blind SQL Injection

8.8

CVE-2022-0439

Feb 11, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Asgaros Forum < 2.0.0 - SQL Injection

8.8

CVE-2022-0411

Jan 31, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WP Email Users <= 1.7.6 - SQL Injection

8.8

CVE-2021-24959

Jan 31, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Easy Property Listings <= 3.5.2 - Authenticated(Contributor+) SQL Injection via Shortcode	CVE-2024-1893	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 21, 2024
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.7.7 - Authenticated (Contributor+) SQL Injection via Shortcode	CVE-2024-2342	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 20, 2024
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.7.7 - Authenticated (Subscriber+) SQL Injection	CVE-2024-2341	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 20, 2024
GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress <= 6.8.6 - Authenticated (Contributor+) SQL Injection via Shortcode	CVE-2024-1799	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 19, 2024
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login <= 5.3.0.0 - Authenticated (Subscriber+) Privilege Escalation	CVE-2024-1991	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 14, 2024
HUSKY – Products Filter for WooCommerce Professional <= 1.3.5.2 - Authenticated (Contributor+) SQL Injection	CVE-2024-1795	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 14, 2024
Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce <= 7.0.7 - Authenticated (Subscriber+) SQL Injection	CVE-2024-1203	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 27, 2024
Awesome Support – WordPress HelpDesk & Support Plugin <= 6.1.7 - Authenticated (Subscriber+) SQL Injection	CVE-2024-0594	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 9, 2024
rtMedia for WordPress, BuddyPress and bbPress <= 4.6.15 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2023-5931	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 29, 2023
iubenda <= 3.3.2 - Authenticated (Subscriber+) Privilege Escalation	CVE-2022-3911	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	December 12, 2022
Icegram Express <= 5.4.19 - Authenticated (Subscriber+) SQL Injection	CVE-2022-3981	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 21, 2022
Easy Digital Downloads <= 2.11.7 - Cross-Site Request Forgery to Arbitrary Post Deletion	CVE-2022-2387	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	October 17, 2022
WP Coder <= 2.5.2 - Cross-Site Request Forgery	CVE-2022-2388	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	July 26, 2022
Advanced Page Visit Counter <= 6.1.5 - Subscriber+ Blind SQL injection	CVE-2021-24957	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 8, 2022
Advanced Contact form 7 DB <= 1.8.6 - Authenticated Arbitrary File Deletion	CVE-2021-24905	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 22, 2022
Page Builder KingComposer <= 2.9.6 - Open Redirect	CVE-2022-0165	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	February 16, 2022
WP Visitor Statistics (Real Time Traffic) <= 5.5 - SQL Injection	CVE-2022-0410	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 14, 2022
Email Subscribers & Newsletters <= 5.3.1 - Authenticated (or Cross-Site Request Forgery) Blind SQL Injection	CVE-2022-0439	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	February 11, 2022
Asgaros Forum < 2.0.0 - SQL Injection	CVE-2022-0411	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	January 31, 2022
WP Email Users <= 1.7.6 - SQL Injection	CVE-2021-24959	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	January 31, 2022

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation