Wordfence Intelligence   >   Vulnerability Researchers   >   Majed Refaea

Majed Refaea

39
All Time Ranking
101
All Time Discoveries
0
90 Day Published Submissions
N/A
Last Published Submission

Showing 1-20 of 101 Vulnerabilities

Zita Elementor Site Library <= 1.6.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload
9.9
CVE-2024-37420
Jun 28, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Ali2Woo Lite <= 3.4.4 - Cross-Site Request Forgery to PHP Object Injection
9.6
CVE-2024-37212
Jun 20, 2024
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
OSS Aliyun <= 1.4.10 - Authenticated (Administrator+) SQL Injection
9.1
CVE-2024-30494
Mar 28, 2024
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
InstaWP Connect <= 0.1.0.8 - Authenticated (Subscriber+) Remote Code Execution
8.8
CVE-2024-25918
Feb 14, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
InstaWP Connect <= 0.1.0.9 - Authenticated (Subscriber+) SQL Injection
8.8
CVE-2024-23507
Jan 24, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
InstaWP Connect <= 0.1.0.8 - Missing Authorization to Arbitrary Options Update
8.8
CVE-2024-22145
Jan 17, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Debug Log Manager <= 2.3.1 - Unauthenticated Stored Cross-Site Scripting
7.2
CVE-2024-32582
Apr 16, 2024
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
RapidLoad Power-Up for Autoptimize <= 2.2.11 - Unauthenticated Server-Side Request Forgery
7.2
CVE-2024-31288
Apr 5, 2024
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Builderall Builder for WordPress <= 2.0.1 - Unauthenticated Server-Side Request Forgery
7.2
CVE-2024-30532
Mar 29, 2024
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Brave Popup Builder <= 0.6.5 - Unauthenticated Server-Side Request Forgery
7.2
CVE-2024-30453
Mar 28, 2024
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Multiple Page Generator Plugin – MPG <= 3.4.0 - Authenticated (Editor+) Remote Code Execution
7.2
CVE-2024-27951
Mar 13, 2024
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Ovic Importer <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Download
6.5
CVE-2024-35754
Jun 6, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Advanced Local Pickup for WooCommerce <= 1.6.2 - Missing Authorization
6.5
CVE-2024-31283
Apr 5, 2024
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
BeePress <= 6.9.8 - Cross-Site Request Forgery via beepress-pro.php
6.5
CVE-2024-27197
Feb 26, 2024
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Photo Engine <= 6.3.1 - Authenticated (Author+) Stored Cross-Site Scripting
6.4
CVE-2024-39660
Aug 1, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
WappPress <= 6.0.4 - Authenticated (Subscriber+) Server-Side Request Forgery
6.4
CVE-2024-38758
Jul 11, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Zoho Campaigns <= 2.0.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting
6.4
CVE-2024-38752
Jul 11, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Magical Addons For Elementor <= 1.1.41 - Authenticated (Subscriber+) Server-Side Request Forgery
6.4
CVE-2024-38730
Jul 11, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
WP GoToWebinar <= 15.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting
6.4
CVE-2024-38671
Jul 10, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Ali2Woo Lite <= 3.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting
6.4
CVE-2024-37214
Jun 20, 2024
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Title CVE ID CVSS Vector Date
Zita Elementor Site Library <= 1.6.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload CVE-2024-37420 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H June 28, 2024
Ali2Woo Lite <= 3.4.4 - Cross-Site Request Forgery to PHP Object Injection CVE-2024-37212 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H June 20, 2024
OSS Aliyun <= 1.4.10 - Authenticated (Administrator+) SQL Injection CVE-2024-30494 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H March 28, 2024
InstaWP Connect <= 0.1.0.8 - Authenticated (Subscriber+) Remote Code Execution CVE-2024-25918 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H February 14, 2024
InstaWP Connect <= 0.1.0.9 - Authenticated (Subscriber+) SQL Injection CVE-2024-23507 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H January 24, 2024
InstaWP Connect <= 0.1.0.8 - Missing Authorization to Arbitrary Options Update CVE-2024-22145 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H January 17, 2024
Debug Log Manager <= 2.3.1 - Unauthenticated Stored Cross-Site Scripting CVE-2024-32582 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N April 16, 2024
RapidLoad Power-Up for Autoptimize <= 2.2.11 - Unauthenticated Server-Side Request Forgery CVE-2024-31288 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N April 5, 2024
Builderall Builder for WordPress <= 2.0.1 - Unauthenticated Server-Side Request Forgery CVE-2024-30532 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N March 29, 2024
Brave Popup Builder <= 0.6.5 - Unauthenticated Server-Side Request Forgery CVE-2024-30453 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N March 28, 2024
Multiple Page Generator Plugin – MPG <= 3.4.0 - Authenticated (Editor+) Remote Code Execution CVE-2024-27951 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H March 13, 2024
Ovic Importer <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Download CVE-2024-35754 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N June 6, 2024
Advanced Local Pickup for WooCommerce <= 1.6.2 - Missing Authorization CVE-2024-31283 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N April 5, 2024
BeePress <= 6.9.8 - Cross-Site Request Forgery via beepress-pro.php CVE-2024-27197 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N February 26, 2024
Photo Engine <= 6.3.1 - Authenticated (Author+) Stored Cross-Site Scripting CVE-2024-39660 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N August 1, 2024
WappPress <= 6.0.4 - Authenticated (Subscriber+) Server-Side Request Forgery CVE-2024-38758 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N July 11, 2024
Zoho Campaigns <= 2.0.8 - Authenticated (Subscriber+) Stored Cross-Site Scripting CVE-2024-38752 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N July 11, 2024
Magical Addons For Elementor <= 1.1.41 - Authenticated (Subscriber+) Server-Side Request Forgery CVE-2024-38730 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N July 11, 2024
WP GoToWebinar <= 15.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting CVE-2024-38671 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N July 10, 2024
Ali2Woo Lite <= 3.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting CVE-2024-37214 6.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N June 20, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation