Krzysztof Zając

Organization: CERT PL

All Time Ranking: 7
All Time Discoveries: 461
90 Day Published Submissions: 37
Last Published Submission: 1 Apr '25

About

Finding WordPress vulnerabilities using https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html

Submitted 200 Vulnerabilities (February 19, 2025)
Submitted XSS Vulnerability (September 4, 2024)
Submitted 100 Vulnerabilities (April 22, 2024)
Submitted 75 Vulnerabilities (April 4, 2024)
Submitted 50 Vulnerabilities (March 19, 2024)
Submitted 25 Vulnerabilities (February 27, 2024)
Submitted 10 Vulnerabilities (February 9, 2024)
Submitted 5 Vulnerabilities (January 23, 2024)
1337 Vulnerability Researcher (January 2, 2024)
Submitted 1 Vulnerability (January 2, 2024)

Showing 1-20 of 461 Vulnerabilities

| Title | CVE ID | CVSS | Vector | Date |
|---|---|---|---|---|
| Demo Awesome <= 1.0.3 - Missing Authorization to Authenticated (Subscriber+) Plugin Activation | CVE-2024-13637 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | April 1, 2025 |
| Smart Maintenance Mode <= 1.5.2 - Reflected Cross-Site Scripting via setstatus Parameter | CVE-2025-1490 | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | March 25, 2025 |
| teachPress <= 9.0.9 - Cross-Site Request Forgery to Import Delete | CVE-2025-1320 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | March 24, 2025 |
| WP Crowdfunding <= 2.1.13 - Missing Authorization to Authenticated (Subscriber+) Post Content Download | CVE-2025-1508 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | March 11, 2025 |
| WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Unauthenticated SQL Injection | CVE-2025-1323 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | March 7, 2025 |
| WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution | CVE-2025-1325 | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | March 7, 2025 |
| Shortcode Cleaner Lite <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Export | CVE-2025-1481 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | March 7, 2025 |
| WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Authenticated (Contributor+) Protected Post Disclosure | CVE-2025-1322 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | March 7, 2025 |
| WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | CVE-2025-1324 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | March 7, 2025 |
| Post Lockdown <= 4.0.2 - Missing Authorization to Authenticated (Subscriber+) Post Disclosure | CVE-2025-1504 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | March 7, 2025 |
| Spreadsheet Integration <= 3.8.2 - Cross-Site Request Forgery to Arbitrary Post Publish | CVE-2025-1463 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | March 4, 2025 |
| Master Slider – Responsive Touch Slider <= 3.10.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode | CVE-2024-13757 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | March 4, 2025 |
| teachPress <= 9.0.7 - Authenticated (Contributor+) SQL Injection | CVE-2025-1321 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | March 3, 2025 |
| WP Posts Carousel <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play_timeout Parameter | CVE-2025-1491 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | March 1, 2025 |
| Secure Copy Content Protection and Content Locking <= 4.4.7 - Missing Authorization to Unauthenticated User Email Retrieval via ays_sccp_reports_user_search Function | CVE-2025-1404 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | February 28, 2025 |
| TemplatesNext ToolKit <= 3.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | CVE-2024-13559 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | February 28, 2025 |
| IP2Location Redirection <= 1.33.3 - Missing Authorization to Unauthenticated Settings Export | CVE-2025-1502 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | February 28, 2025 |
| Product Catalog Simple <= 1.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via show_products Shortcode | CVE-2025-1405 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | February 27, 2025 |
| Subscriptions & Memberships for PayPal <= 1.1.6 - Cross-Site Request Forgery to Arbitrary Post Deletion | CVE-2024-13560 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | February 25, 2025 |
| WPO365 \| MICROSOFT 365 GRAPH MAILER <= 3.2 - Open Redirect via 'redirect_to' Parameter | CVE-2025-1488 | 4.7 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | February 23, 2025 |
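Three vulnerability classes recur in the list above: Missing Authorization reachable by any logged-in user (Subscriber+), Cross-Site Request Forgery against an administrator's session, and Contributor+ Stored Cross-Site Scripting through shortcode attributes. The block below is an added illustrative example written for this page; it is not code from any plugin listed above or from the researcher. The plugin prefix `demo_`, the option name `demo_plugin_settings`, and the AJAX, query and shortcode names are hypothetical; each vulnerable handler is shown beside its hardened form using only core WordPress functions.

```php
<?php
/*
 * Added illustrative example, not code from any plugin listed on this page.
 * The "demo_" prefix, option name, action names and shortcode names are
 * hypothetical. Each pattern shows the weak handler beside the hardened one.
 */

// --- 1. Missing Authorization to Authenticated (Subscriber+) ---
// Vulnerable: every logged-in user, including Subscribers, can trigger any
// wp_ajax_* action. With no capability check the plugin's options leak.
// (A wp_ajax_nopriv_* registration would make the same handler
// "Unauthenticated", as in the Settings Export entries above.)
add_action( 'wp_ajax_demo_export_options', 'demo_export_options_vulnerable' );
function demo_export_options_vulnerable() {
    wp_send_json_success( get_option( 'demo_plugin_settings' ) );
}

// Hardened: require a capability AND a nonce bound to this specific action.
add_action( 'wp_ajax_demo_export_options_safe', 'demo_export_options_safe' );
function demo_export_options_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_export_options', 'nonce' ); // dies on failure
    wp_send_json_success( get_option( 'demo_plugin_settings' ) );
}

// --- 2. Cross-Site Request Forgery to Arbitrary Post Deletion ---
// Vulnerable: a capability check alone does not stop CSRF. An administrator
// who opens an attacker's page sends this request with their own cookies.
add_action( 'admin_init', 'demo_delete_post_vulnerable' );
function demo_delete_post_vulnerable() {
    if ( isset( $_GET['demo_delete'] ) && current_user_can( 'delete_posts' ) ) {
        wp_delete_post( absint( $_GET['demo_delete'] ), true );
    }
}

// Hardened: verify a nonce the attacker cannot know, and check the
// per-post meta capability rather than the blanket 'delete_posts'.
add_action( 'admin_init', 'demo_delete_post_safe' );
function demo_delete_post_safe() {
    if ( ! isset( $_GET['demo_delete_safe'] ) ) {
        return;
    }
    $post_id = absint( $_GET['demo_delete_safe'] );
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_delete_' . $post_id ) ) {
        wp_die( 'bad nonce', '', array( 'response' => 403 ) );
    }
    wp_delete_post( $post_id, true );
}

// --- 3. Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode ---
// Vulnerable: Contributors lack unfiltered_html, so KSES strips their raw
// script tags, but shortcode attributes are plain strings that KSES never
// sees as markup. Echoing them unescaped turns a pending post into stored XSS
// that fires for whoever previews or publishes it.
add_shortcode( 'demo_box_vulnerable', 'demo_box_vulnerable' );
function demo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'color' => 'red', 'text' => '' ), $atts );
    // [demo_box_vulnerable color='red" onmouseover="alert(1)'] is emitted verbatim.
    return '<div style="color:' . $atts['color'] . '">' . $atts['text'] . '</div>';
}

// Hardened: validate the value against what it must be, then escape for the
// exact context it is printed in (attribute vs. element body).
add_shortcode( 'demo_box_safe', 'demo_box_safe' );
function demo_box_safe( $atts ) {
    $atts  = shortcode_atts( array( 'color' => 'red', 'text' => '' ), $atts );
    $color = sanitize_hex_color( $atts['color'] ); // '' or null unless "#rrggbb"
    if ( empty( $color ) ) {
        $color = 'red';
    }
    return '<div style="color:' . esc_attr( $color ) . '">' . esc_html( $atts['text'] ) . '</div>';
}
```

The two checks in the hardened AJAX handler guard against different things and are not interchangeable: `current_user_can()` answers "may this user do this at all" (the Missing Authorization entries), while the nonce answers "did this user actually intend this request" (the CSRF entries). The shortcode case is the one most often missed in review because the input path runs through the post editor, which reviewers assume is already filtered.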
