🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers, top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > Peng Zhou

Peng Zhou

All Time Ranking

All Time Discoveries

90 Day Published Submissions

N/A

Last Published Submission

Showing 1-20 of 40 Vulnerabilities

DirectoryPress <= 3.6.10 - Authenticated (Contributor+) SQL Injection

9.9

CVE-2024-38755

Jul 11, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Podlove Podcast Publisher <= 4.0.12 - Authenticated (Contributor+) SQL Injection

9.9

CVE-2024-32139

Apr 12, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CubeWP – All-in-One Dynamic Content Framework <= 1.1.12 - Authenticated (Subscriber+) Arbitrary File Upload

9.9

CVE-2024-30500

Mar 28, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Realtyna Organic IDX plugin <= 4.14.13 - Authenticated (Admin+) Arbitrary File Upload

9.1

CVE-2024-38736

Jul 11, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Import Spreadsheets from Microsoft Excel <= 10.1.4 - Authenticated (Editor+) Arbitrary File Upload

9.1

CVE-2024-38734

Jul 11, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Newsletters <= 4.9.5 - Authenticated (Admin+) Arbitrary File Upload

9.1

CVE-2024-32954

Apr 22, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Shortcode Addons <= 3.2.5 - Authenticated (Admin+) Arbitrary File Upload

9.1

CVE-2024-31114

Mar 29, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Church Admin <= 4.4.6 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVE-2024-37418

Jul 4, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Church Admin <= 4.1.5 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVE-2024-31280

Apr 5, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tumult Hype Animations <= 1.9.12 - Authenticated (Author+) Arbitrary File Upload

8.8

CVE-2024-2890

Mar 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Quotes and Tips by BestWebSoft <= 1.44 - Authenticated (Admin+) Arbitrary File Upload

7.2

CVE-2024-3112

Jun 21, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Seraphinite Post .DOCX Source <= 2.16.9 - Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVE-2024-38728

Jul 11, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Tag Cloud Plugin – Tag Groups <= 2.0.3 - Missing Authorization to Information Exposure

5.3

CVE-2024-43237

Sep 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Masterstudy LMS Starter <= 1.1.8 - Unauthenticated Sensitive Information Exposure

5.3

CVE-2024-43990

Aug 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WP SMS <= 6.9.3 - Missing Authorization

5.3

CVE-2024-43331

Aug 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Create by Mediavine <= 1.9.8 - Unauthenticated Sensitive Information Exposure

5.3

CVE-2024-43264

Aug 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Store Locator Plus <= 2311.17.01 - Unauthenticated Sensitive Information Exposure

5.3

CVE-2024-43258

Aug 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Olive One Click Demo Import <= 1.1.2 - Unauthenticated Information Exposure

5.3

CVE-2024-38749

Jul 11, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

FileBird Document Library <= 2.0.6 - Unauthenticated Sensitive Information Exposure

5.3

CVE-2024-37504

Jul 4, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Table & Contact Form 7 Database – Tablesome <= 1.0.33 - Unauthenticated Sensitive Information Exposure

5.3

CVE-2024-37498

Jul 4, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Title	CVE ID	CVSS	Vector	Date
DirectoryPress <= 3.6.10 - Authenticated (Contributor+) SQL Injection	CVE-2024-38755	9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	July 11, 2024
Podlove Podcast Publisher <= 4.0.12 - Authenticated (Contributor+) SQL Injection	CVE-2024-32139	9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	April 12, 2024
CubeWP – All-in-One Dynamic Content Framework <= 1.1.12 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2024-30500	9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	March 28, 2024
Realtyna Organic IDX plugin <= 4.14.13 - Authenticated (Admin+) Arbitrary File Upload	CVE-2024-38736	9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	July 11, 2024
Import Spreadsheets from Microsoft Excel <= 10.1.4 - Authenticated (Editor+) Arbitrary File Upload	CVE-2024-38734	9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	July 11, 2024
Newsletters <= 4.9.5 - Authenticated (Admin+) Arbitrary File Upload	CVE-2024-32954	9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	April 22, 2024
Shortcode Addons <= 3.2.5 - Authenticated (Admin+) Arbitrary File Upload	CVE-2024-31114	9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	March 29, 2024
Church Admin <= 4.4.6 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2024-37418	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	July 4, 2024
Church Admin <= 4.1.5 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2024-31280	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 5, 2024
Tumult Hype Animations <= 1.9.12 - Authenticated (Author+) Arbitrary File Upload	CVE-2024-2890	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	March 26, 2024
Quotes and Tips by BestWebSoft <= 1.44 - Authenticated (Admin+) Arbitrary File Upload	CVE-2024-3112	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	June 21, 2024
Seraphinite Post .DOCX Source <= 2.16.9 - Authenticated (Subscriber+) Server-Side Request Forgery	CVE-2024-38728	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	July 11, 2024
WordPress Tag Cloud Plugin – Tag Groups <= 2.0.3 - Missing Authorization to Information Exposure	CVE-2024-43237	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	September 12, 2024
Masterstudy LMS Starter <= 1.1.8 - Unauthenticated Sensitive Information Exposure	CVE-2024-43990	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	August 29, 2024
WP SMS <= 6.9.3 - Missing Authorization	CVE-2024-43331	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	August 16, 2024
Create by Mediavine <= 1.9.8 - Unauthenticated Sensitive Information Exposure	CVE-2024-43264	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	August 12, 2024
Store Locator Plus <= 2311.17.01 - Unauthenticated Sensitive Information Exposure	CVE-2024-43258	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	August 12, 2024
Olive One Click Demo Import <= 1.1.2 - Unauthenticated Information Exposure	CVE-2024-38749	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	July 11, 2024
FileBird Document Library <= 2.0.6 - Unauthenticated Sensitive Information Exposure	CVE-2024-37504	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	July 4, 2024
Table & Contact Form 7 Database – Tablesome <= 1.0.33 - Unauthenticated Sensitive Information Exposure	CVE-2024-37498	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	July 4, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation