🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > Lucio Sá

Lucio Sá

All Time Ranking

240

All Time Discoveries

90 Day Published Submissions

20 Nov '24

Last Published Submission

10 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 221-240 of 240 Vulnerabilities

Yuki <= 1.3.14 - Cross-Site Request Forgery to Theme Setting Reset

4.3

CVE-2024-1943

Feb 27, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan <= 4.52 - Missing Authorization to Authenticated (Subscriber+) Table Truncation

4.3

CVE-2024-1861

Feb 27, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Data Export

4.3

CVE-2024-1686

Feb 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Colibri Page Builder <= 1.0.253 - Cross-Site Request Fogery via cp_shortcode_refresh

4.3

CVE-2024-1362

Feb 22, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Colibri Page Builder <= 1.0.253 - Cross-Site Request Fogery via extend_builder

4.3

CVE-2024-1361

Feb 22, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Colibri WP <= 1.0.94 - Cross-Site Request Forgery to Limited Plugin Installation

4.3

CVE-2024-1360

Feb 22, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization

4.3

CVE-2024-1218

Feb 19, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EventPrime – Events Calendar, Bookings and Tickets <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Event Export

4.3

CVE-2024-1127

Feb 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EventPrime – Events Calendar, Bookings and Tickets <= 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Attendee List Retrieval

4.3

CVE-2024-1126

Feb 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.11.1 - Missing Authorization via creating_pricing_table_page

4.3

CVE-2024-1390

Feb 13, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Quiz Maker <= 6.5.2.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification

4.3

CVE-2024-1078

Feb 6, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Getwid – Gutenberg Blocks <= 2.0.4 - Missing Authorization to Recaptcha API Key Modification

4.3

CVE-2023-6959

Jan 17, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

LightStart – Maintenance Mode, Coming Soon and Landing Page Builder <= 2.6.8 - Missing Authorization

4.3

CVE-2023-7019

Jan 5, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Easy Social Feed <= 6.5.2 - Missing Authorization to Settings Modification

4.3

CVE-2023-6883

Jan 2, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.3.0 - Missing Authorization to Order Export

4.3

CVE-2023-7068

Jan 2, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

SpeedyCache <= 1.1.3 - Missing Authorization to Plugin Options Update

4.3

CVE-2023-6598

Dec 16, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Stream <= 3.9.2 - Missing Authorization via load_alerts_settings

4.3

CVE-2022-43450

Apr 25, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Stream <= 3.9.2 - Cross-Site Request Forgery

4.3

CVE-2022-43490

Apr 18, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Essential Blocks for Gutenberg <= 3.8.5 - Cross-Site Request Forgery

4.3

CVE-2022-47594

Jan 20, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Minimal Coming Soon – Coming Soon Page <= 2.37 - Unauthenticated Maintenance Mode Bypass

3.7

CVE-2024-1075

Feb 5, 2024

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Title	CVE ID	CVSS	Vector	Date
Yuki <= 1.3.14 - Cross-Site Request Forgery to Theme Setting Reset	CVE-2024-1943	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	February 27, 2024
Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan <= 4.52 - Missing Authorization to Authenticated (Subscriber+) Table Truncation	CVE-2024-1861	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	February 27, 2024
Thank You Page Customizer for WooCommerce – Increase Your Sales <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Data Export	CVE-2024-1686	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	February 26, 2024
Colibri Page Builder <= 1.0.253 - Cross-Site Request Fogery via cp_shortcode_refresh	CVE-2024-1362	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	February 22, 2024
Colibri Page Builder <= 1.0.253 - Cross-Site Request Fogery via extend_builder	CVE-2024-1361	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	February 22, 2024
Colibri WP <= 1.0.94 - Cross-Site Request Forgery to Limited Plugin Installation	CVE-2024-1360	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	February 22, 2024
Contact Form builder with drag & drop for WordPress – Kali Forms <= 2.3.41 - Missing Authorization	CVE-2024-1218	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	February 19, 2024
EventPrime – Events Calendar, Bookings and Tickets <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Event Export	CVE-2024-1127	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	February 14, 2024
EventPrime – Events Calendar, Bookings and Tickets <= 3.4.2 - Missing Authorization to Authenticated (Subscriber+) Attendee List Retrieval	CVE-2024-1126	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	February 14, 2024
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.11.1 - Missing Authorization via creating_pricing_table_page	CVE-2024-1390	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	February 13, 2024
Quiz Maker <= 6.5.2.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Creation & Modification	CVE-2024-1078	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	February 6, 2024
Getwid – Gutenberg Blocks <= 2.0.4 - Missing Authorization to Recaptcha API Key Modification	CVE-2023-6959	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	January 17, 2024
LightStart – Maintenance Mode, Coming Soon and Landing Page Builder <= 2.6.8 - Missing Authorization	CVE-2023-7019	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	January 5, 2024
Easy Social Feed <= 6.5.2 - Missing Authorization to Settings Modification	CVE-2023-6883	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	January 2, 2024
WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.3.0 - Missing Authorization to Order Export	CVE-2023-7068	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	January 2, 2024
SpeedyCache <= 1.1.3 - Missing Authorization to Plugin Options Update	CVE-2023-6598	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	December 16, 2023
Stream <= 3.9.2 - Missing Authorization via load_alerts_settings	CVE-2022-43450	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	April 25, 2023
Stream <= 3.9.2 - Cross-Site Request Forgery	CVE-2022-43490	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 18, 2023
Essential Blocks for Gutenberg <= 3.8.5 - Cross-Site Request Forgery	CVE-2022-47594	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	January 20, 2023
Minimal Coming Soon – Coming Soon Page <= 2.37 - Unauthenticated Maintenance Mode Bypass	CVE-2024-1075	3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N	February 5, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation