🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > István Márton

István Márton

Organization: Wordfence

All Time Ranking

935

All Time Discoveries

90 Day Published Submissions

16 Oct '24

Last Published Submission

About

I'm an experienced WordPress developer, with a focus on plugin development at Lana Solutions. I have spent years focusing on perfecting my skills as a developer, and have recently redirected efforts towards WordPress testing, audits, and vulnerability research. Currently, I'm a vulnerability research contractor for Wordfence and continue to defy the norms by maintaining status as the #1 Researcher in WordPress due to the volume of vulnerabilities I'm able to discover and responsibly disclose.

7 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 841-860 of 935 Vulnerabilities

The Post Grid <= 7.2.7 - Cross-Site Request Forgery

4.3

CVE-2023-39923

Aug 7, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

ACF Photo Gallery Field <= 1.9 - Authenticated (Subscriber+) Arbitrary Usermeta Update

4.3

CVE-2023-3957

Jul 26, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exit Popups & Onsite Retargeting by OptiMonk <= 2.0.4 - Cross-Site Request Forgery

4.3

CVE-2023-37891

Jul 11, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Classified Listing <= 2.4.5 - Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete

4.3

CVE-2023-37387

Jul 5, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Media Library Helper by Codexin <= 1.2.0 - Cross-Site Request Forgery via rate_the_plugin_action

4.3

CVE-2023-37386

Jul 5, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

myCred <= 2.5 - Cross-Site Request Forgery

4.3

CVE-2023-35096

Jun 14, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

WPC Smart Wishlist for WooCommerce <= 4.7.1 - Cross-Site Request Forgery via wishlist_add and wishlist_remove

4.3

CVE-2023-34386

Jun 3, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Kebo Twitter Feed <= 1.5.12 - Cross-Site Request Forgery via kebo_twitter_menu_render

4.3

CVE-2023-34384

Jun 3, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

WP Hide Post <= 2.0.10 - Cross-Site Request Forgery via save_bulk_edit_data

4.3

CVE-2023-34378

Jun 3, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Constant Contact Forms <= 1.14.0 - Missing Authorization via constant_contact_optin_ajax_handler

4.3

CVE-2023-34387

Jun 3, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Social Media & Share Icons <= 2.8.1 - Missing Authorization via handle_installation

4.3

CVE-2023-34009

Jun 2, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Download Plugin <= 2.0.4 - Cross-Site Request Forgery

4.3

CVE-2022-36345

May 24, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Groundhogg <= 2.7.9.8 - Missing Authorization to Admin Account and Ticket Creation

4.3

CVE-2023-2715

May 19, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Groundhogg <= 2.7.9.8 - Missing Authorization to Update License

4.3

CVE-2023-2714

May 19, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

WP Reactions Lite <= 1.3.8 - Cross-Site Request Forgery via AJAX action

4.3

CVE-2023-32587

May 12, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Forget About Shortcode Buttons <= 2.1.2 - Missing Authorization via fasc_buttons

4.3

CVE-2023-32579

May 11, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Soundcloud Is Gold <= 2.5.1 - Missing Authorization to Soundcloud User Add

4.3

CVE-2023-32586

May 11, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

WP Job Portal <= 2.0.1 - Cross-Site Request Forgery to Settings Modification

4.3

CVE-2022-41786

May 5, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Newsletter Popup <= 1.2 - Cross-Site Request Forgery to Record Deletion

4.3

CVE-2023-0766

May 2, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

WooCommerce Multivendor Marketplace – REST API <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API

4.3

CVE-2023-2275

Apr 26, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Title	CVE ID	CVSS	Vector	Date
The Post Grid <= 7.2.7 - Cross-Site Request Forgery	CVE-2023-39923	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	August 7, 2023
ACF Photo Gallery Field <= 1.9 - Authenticated (Subscriber+) Arbitrary Usermeta Update	CVE-2023-3957	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	July 26, 2023
Exit Popups & Onsite Retargeting by OptiMonk <= 2.0.4 - Cross-Site Request Forgery	CVE-2023-37891	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	July 11, 2023
Classified Listing <= 2.4.5 - Cross-Site Request Forgery via rtcl_ajax_thumbnail_delete	CVE-2023-37387	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	July 5, 2023
Media Library Helper by Codexin <= 1.2.0 - Cross-Site Request Forgery via rate_the_plugin_action	CVE-2023-37386	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	July 5, 2023
myCred <= 2.5 - Cross-Site Request Forgery	CVE-2023-35096	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	June 14, 2023
WPC Smart Wishlist for WooCommerce <= 4.7.1 - Cross-Site Request Forgery via wishlist_add and wishlist_remove	CVE-2023-34386	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	June 3, 2023
Kebo Twitter Feed <= 1.5.12 - Cross-Site Request Forgery via kebo_twitter_menu_render	CVE-2023-34384	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	June 3, 2023
WP Hide Post <= 2.0.10 - Cross-Site Request Forgery via save_bulk_edit_data	CVE-2023-34378	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	June 3, 2023
Constant Contact Forms <= 1.14.0 - Missing Authorization via constant_contact_optin_ajax_handler	CVE-2023-34387	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	June 3, 2023
Social Media & Share Icons <= 2.8.1 - Missing Authorization via handle_installation	CVE-2023-34009	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	June 2, 2023
Download Plugin <= 2.0.4 - Cross-Site Request Forgery	CVE-2022-36345	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	May 24, 2023
Groundhogg <= 2.7.9.8 - Missing Authorization to Admin Account and Ticket Creation	CVE-2023-2715	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 19, 2023
Groundhogg <= 2.7.9.8 - Missing Authorization to Update License	CVE-2023-2714	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 19, 2023
WP Reactions Lite <= 1.3.8 - Cross-Site Request Forgery via AJAX action	CVE-2023-32587	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	May 12, 2023
Forget About Shortcode Buttons <= 2.1.2 - Missing Authorization via fasc_buttons	CVE-2023-32579	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 11, 2023
Soundcloud Is Gold <= 2.5.1 - Missing Authorization to Soundcloud User Add	CVE-2023-32586	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 11, 2023
WP Job Portal <= 2.0.1 - Cross-Site Request Forgery to Settings Modification	CVE-2022-41786	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	May 5, 2023
Newsletter Popup <= 1.2 - Cross-Site Request Forgery to Record Deletion	CVE-2023-0766	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	May 2, 2023
WooCommerce Multivendor Marketplace – REST API <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API	CVE-2023-2275	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L	April 26, 2023

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation