🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > Krzysztof Zając

Krzysztof Zając

Organization: CERT PL

All Time Ranking

415

All Time Discoveries

90 Day Published Submissions

18 Sep '24

Last Published Submission

About

Finding WordPress vulnerabilities using https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 81-100 of 415 Vulnerabilities

WP Compress – Image Optimizer <= 6.11.08 - Missing Authorization to Unauthenticated CDN Modification

7.5

CVE-2024-1934

Mar 21, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

WP Popup Builder <= 1.2.9 - Missing Authorization and Cross-Site Request Forgery

7.5

CVE-2022-2405

Sep 5, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Directorist <= 7.3.0 - Sensitive Information Disclosure

7.5

CVE-2022-2376

Aug 10, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Protect WP Admin <= 3.6 - Unauthenticated Plugin Deactivation

7.5

CVE-2021-24906

Dec 23, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Share This Image <= 2.03 - Open Redirect via link Parameter

7.2

CVE-2024-8761

Sep 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header

7.2

CVE-2024-4869

Jun 25, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

YITH WooCommerce Ajax Search <= 2.4.0 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-4455

May 23, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Poll Maker – Best WordPress Poll Plugin <= 5.1.8 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-3600

Apr 18, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WP Meta SEO <= 4.5.12 - Unauthenticated Stored Cross-Site Scripting via Referer header

7.2

CVE-2023-6961

Apr 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WooCommerce Google Feed Manager <= 2.4.2 - Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting

7.2

CVE-2024-3067

Apr 15, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Language Translate Widget for WordPress – ConveyThis <= 223 - Unauthenticated Stored Cross-Site Scripting via api_key

7.2

CVE-2023-6811

Apr 10, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Favorites <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

7.2

CVE-2024-2948

Mar 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting <= 1.12.9 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-0609

Mar 28, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Giveaways and Contests by RafflePress <= 1.12.5 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-1935

Feb 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Product Catalog Mode For WooCommerce <= 5.0.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-5348

Nov 21, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WP-UserOnline <= 2.88.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-5560

Nov 6, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WassUp Real Time Analytics <= 1.9.4.5 - Unauthenticated Stored Cross-Site Scripting via IP

7.2

CVE-2023-5653

Nov 6, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Webpushr <= 4.34.0 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-5620

Nov 6, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Five Star Restaurant Reservations <= 2.4.11 - Missing Authorization to Stored Cross-Site Scripting

7.2

CVE-2022-0421

Oct 31, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

English WordPress Admin <= 1.5.1.1 - Unauthenticated Open Redirect

7.2

CVE-2021-25111

Apr 8, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
WP Compress – Image Optimizer <= 6.11.08 - Missing Authorization to Unauthenticated CDN Modification	CVE-2024-1934	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	March 21, 2024
WP Popup Builder <= 1.2.9 - Missing Authorization and Cross-Site Request Forgery	CVE-2022-2405	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	September 5, 2022
Directorist <= 7.3.0 - Sensitive Information Disclosure	CVE-2022-2376	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	August 10, 2022
Protect WP Admin <= 3.6 - Unauthenticated Plugin Deactivation	CVE-2021-24906	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	December 23, 2021
Share This Image <= 2.03 - Open Redirect via link Parameter	CVE-2024-8761	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	September 16, 2024
WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) <= 3.2.0 - Unauthenticated Stored Cross-Site Scripting via Client-IP header	CVE-2024-4869	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	June 25, 2024
YITH WooCommerce Ajax Search <= 2.4.0 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-4455	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	May 23, 2024
Poll Maker – Best WordPress Poll Plugin <= 5.1.8 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting	CVE-2024-3600	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 18, 2024
WP Meta SEO <= 4.5.12 - Unauthenticated Stored Cross-Site Scripting via Referer header	CVE-2023-6961	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 16, 2024
WooCommerce Google Feed Manager <= 2.4.2 - Authenticated (Admin+) SQL Injection to Reflected Cross-Site Scripting	CVE-2024-3067	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	April 15, 2024
Language Translate Widget for WordPress – ConveyThis <= 223 - Unauthenticated Stored Cross-Site Scripting via api_key	CVE-2023-6811	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 10, 2024
Favorites <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-2948	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	March 29, 2024
WP ERP \| Complete HR solution with recruitment & job listings \| WooCommerce CRM & Accounting <= 1.12.9 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-0609	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	March 28, 2024
Giveaways and Contests by RafflePress <= 1.12.5 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-1935	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	February 29, 2024
Product Catalog Mode For WooCommerce <= 5.0.2 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-5348	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	November 21, 2023
WP-UserOnline <= 2.88.2 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-5560	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	November 6, 2023
WassUp Real Time Analytics <= 1.9.4.5 - Unauthenticated Stored Cross-Site Scripting via IP	CVE-2023-5653	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	November 6, 2023
Webpushr <= 4.34.0 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting	CVE-2023-5620	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	November 6, 2023
Five Star Restaurant Reservations <= 2.4.11 - Missing Authorization to Stored Cross-Site Scripting	CVE-2022-0421	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	October 31, 2022
English WordPress Admin <= 1.5.1.1 - Unauthenticated Open Redirect	CVE-2021-25111	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 8, 2022

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation