🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > Krzysztof Zając

Krzysztof Zając

Organization: CERT PL

All Time Ranking

415

All Time Discoveries

90 Day Published Submissions

18 Sep '24

Last Published Submission

About

Finding WordPress vulnerabilities using https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 121-140 of 415 Vulnerabilities

easy.jobs <= 2.4.6 - Missing Authorization to Settings Update

6.5

CVE-2023-6843

Jan 21, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

10Web Booster <= 2.24.14 - Unauthenticated Arbitrary Option Deletion

6.5

CVE-2023-5559

Oct 29, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Templately <= 2.2.5 - Improper Authorization to Arbitrary Post Deletion

6.5

CVE-2023-5454

Oct 16, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Royal Elementor Addons <=1.3.55 - Missing Authorization to Subscriber+ Arbitrary Post Creation

6.5

CVE-2022-4103

Dec 15, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.4.3 - Missing Authorization

6.5

CVE-2022-0363

Mar 29, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Material Design for Contact Form 7 <= 2.6.4 - Missing Authorization to Arbitrary Settings Update

6.5

CVE-2022-0404

Mar 11, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Smart Forms < 2.6.71 - Missing Authorization to Sensitive Information Disclosure

6.5

CVE-2022-0163

Feb 14, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent < 2.14.2 - Cross-Site Request Forgery

6.5

CVE-2022-0445

Feb 7, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Easy Pricing Tables <= 3.1.2 - Arbitrary Post Removal via Cross-Site Request Forgery

6.5

CVE-2021-25098

Feb 1, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

WP Google Map <= 1.8.3 - Arbitrary Post Deletion and Plugin Settings Update via Cross-Site Request Forgery

6.5

CVE-2021-25081

Jan 27, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Ultimate Product Catalog – WordPress Catalog Plugin <= 5.0.25 - Cross-Site Request Forgery

6.5

CVE-2021-24993

Jan 6, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Rearrange Woocommerce Products <= 3.0.7 - Subscriber+ SQL Injection

6.5

CVE-2021-24928

Jan 5, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

NextScripts: Social Networks Auto-Poster <= 4.3.24 - Arbitrary Post Deletion via Cross-Site Request Forgery

6.5

CVE-2021-25072

Jan 3, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Accept Donations with PayPal <= 1.3.3 - Arbitrary Post Deletion via Cross-Site Request Forgery

6.5

CVE-2021-24989

Dec 9, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Like Button Rating <= 2.6.37 - Unauthorised Vote Export to Email & IP Addresses Disclosure

6.5

CVE-2021-24945

Nov 11, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

WP Custom Fields Search <= 1.2.35 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpcfs-preset Shortcode

6.4

CVE-2024-8364

Sep 18, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Slider comparison image before and after <= 0.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-8543

Sep 9, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Share This Image <= 2.02 - Authenticated (Contributor+) Stored Cross-Site Scripting via STI Buttons Shortcode

6.4

CVE-2024-8363

Sep 4, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Easy Testimonials <= 3.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-2337

Jul 19, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce <= 3.1.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events' Shortcode

6.4

CVE-2024-2691

Jul 15, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
easy.jobs <= 2.4.6 - Missing Authorization to Settings Update	CVE-2023-6843	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	January 21, 2024
10Web Booster <= 2.24.14 - Unauthenticated Arbitrary Option Deletion	CVE-2023-5559	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L	October 29, 2023
Templately <= 2.2.5 - Improper Authorization to Arbitrary Post Deletion	CVE-2023-5454	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	October 16, 2023
Royal Elementor Addons <=1.3.55 - Missing Authorization to Subscriber+ Arbitrary Post Creation	CVE-2022-4103	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	December 15, 2022
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin <= 2.4.3 - Missing Authorization	CVE-2022-0363	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	March 29, 2022
Material Design for Contact Form 7 <= 2.6.4 - Missing Authorization to Arbitrary Settings Update	CVE-2022-0404	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	March 11, 2022
Smart Forms < 2.6.71 - Missing Authorization to Sensitive Information Disclosure	CVE-2022-0163	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	February 14, 2022
WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent < 2.14.2 - Cross-Site Request Forgery	CVE-2022-0445	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	February 7, 2022
Easy Pricing Tables <= 3.1.2 - Arbitrary Post Removal via Cross-Site Request Forgery	CVE-2021-25098	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	February 1, 2022
WP Google Map <= 1.8.3 - Arbitrary Post Deletion and Plugin Settings Update via Cross-Site Request Forgery	CVE-2021-25081	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	January 27, 2022
Ultimate Product Catalog – WordPress Catalog Plugin <= 5.0.25 - Cross-Site Request Forgery	CVE-2021-24993	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	January 6, 2022
Rearrange Woocommerce Products <= 3.0.7 - Subscriber+ SQL Injection	CVE-2021-24928	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	January 5, 2022
NextScripts: Social Networks Auto-Poster <= 4.3.24 - Arbitrary Post Deletion via Cross-Site Request Forgery	CVE-2021-25072	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	January 3, 2022
Accept Donations with PayPal <= 1.3.3 - Arbitrary Post Deletion via Cross-Site Request Forgery	CVE-2021-24989	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	December 9, 2021
Like Button Rating <= 2.6.37 - Unauthorised Vote Export to Email & IP Addresses Disclosure	CVE-2021-24945	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	November 11, 2021
WP Custom Fields Search <= 1.2.35 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpcfs-preset Shortcode	CVE-2024-8364	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 18, 2024
Slider comparison image before and after <= 0.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-8543	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 9, 2024
Share This Image <= 2.02 - Authenticated (Contributor+) Stored Cross-Site Scripting via STI Buttons Shortcode	CVE-2024-8363	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 4, 2024
Easy Testimonials <= 3.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-2337	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	July 19, 2024
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce <= 3.1.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events' Shortcode	CVE-2024-2691	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	July 15, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation