🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > Rafshanzani Suhada

Rafshanzani Suhada

All Time Ranking

All Time Discoveries

90 Day Published Submissions

11 Jul '24

Last Published Submission

5 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 1-20 of 99 Vulnerabilities

Simple File List <= 6.1.9 - Unauthenticated Arbitrary File Deletion

9.1

CVE-2023-44227

Sep 28, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Form Builder <= 1.9.9.0 - Unauthenticated CSV Injection

8.3

CVE-2023-23796

Jun 28, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

GiveWP <= 2.25.1 - Unauthenticated CSV Injection

8.3

CVE-2023-22719

Mar 8, 2023

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Backup Migration <= 1.3.6 - Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure

7.5

CVE-2023-6266

Nov 30, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

YaySMTP – Simple WP SMTP Mail <= 2.2 - Sensitive Information Disclosure

7.5

CVE-2022-2369

Jul 11, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Master Addons for Elementor <= 2.0.5.3 - Missing Authorization

7.3

CVE-2023-40679

Aug 22, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Groundhogg <= 2.7.11 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2023-34179

May 30, 2023

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Arigato Autoresponder and Newsletter <= 2.7.1 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2023-25020

Feb 6, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Simple Payment Donations <= 4.2.0 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2022-2565

Aug 10, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Fluent Support <= 1.5.7 - Authenticated (Administrator+) SQL Injection

7.2

CVE-2022-2559

Aug 2, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Formidable Form Builder <= 5.5.6 - Cross-Site Request Forgery

7.1

CVE-2023-24419

Feb 1, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Pods <= 2.9.10.2 - Cross-Site Request Forgery

7.1

CVE-2023-23790

Jan 20, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Booking Calendar <= 9.4.2 - Authenticated (Admin+) SQL Injection

6.6

CVE-2023-23991

Jan 20, 2023

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Contact Form builder with drag & drop - Kali Forms <= 2.3.28 - Missing Authorization via get_log

6.5

CVE-2023-45275

Oct 6, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Email download link <= 3.7 - Unauthenticated Sensitive Information Exposure

6.5

CVE-2023-36523

Jun 27, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Form Builder <= 1.9.9.0 - Cross-Site Request Forgery

6.5

CVE-2023-23795

Jun 19, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

oik <= 4.10.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via bw_button Shortcode

6.4

CVE-2024-6391

Jul 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Ultimate Blocks – WordPress Blocks Plugin <= 3.0.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via metabox

6.4

CVE-2023-6692

Jun 18, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Master Slider - Responsive Touch Slider <= 3.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-6382

May 31, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Shariff Wrapper <= 4.6.9 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-6500

Mar 12, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
Simple File List <= 6.1.9 - Unauthenticated Arbitrary File Deletion	CVE-2023-44227	9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	September 28, 2023
Form Builder <= 1.9.9.0 - Unauthenticated CSV Injection	CVE-2023-23796	8.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L	June 28, 2023
GiveWP <= 2.25.1 - Unauthenticated CSV Injection	CVE-2023-22719	8.3	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H	March 8, 2023
Backup Migration <= 1.3.6 - Unauthenticated Arbitrary Backup Download to Sensitive Information Exposure	CVE-2023-6266	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	November 30, 2023
YaySMTP – Simple WP SMTP Mail <= 2.2 - Sensitive Information Disclosure	CVE-2022-2369	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	July 11, 2022
Master Addons for Elementor <= 2.0.5.3 - Missing Authorization	CVE-2023-40679	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	August 22, 2023
Groundhogg <= 2.7.11 - Authenticated (Administrator+) SQL Injection	CVE-2023-34179	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	May 30, 2023
Arigato Autoresponder and Newsletter <= 2.7.1 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-25020	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	February 6, 2023
Simple Payment Donations <= 4.2.0 - Unauthenticated Stored Cross-Site Scripting	CVE-2022-2565	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	August 10, 2022
Fluent Support <= 1.5.7 - Authenticated (Administrator+) SQL Injection	CVE-2022-2559	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	August 2, 2022
Formidable Form Builder <= 5.5.6 - Cross-Site Request Forgery	CVE-2023-24419	7.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L	February 1, 2023
Pods <= 2.9.10.2 - Cross-Site Request Forgery	CVE-2023-23790	7.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L	January 20, 2023
Booking Calendar <= 9.4.2 - Authenticated (Admin+) SQL Injection	CVE-2023-23991	6.6	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H	January 20, 2023
Contact Form builder with drag & drop - Kali Forms <= 2.3.28 - Missing Authorization via get_log	CVE-2023-45275	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	October 6, 2023
Email download link <= 3.7 - Unauthenticated Sensitive Information Exposure	CVE-2023-36523	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	June 27, 2023
Form Builder <= 1.9.9.0 - Cross-Site Request Forgery	CVE-2023-23795	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	June 19, 2023
oik <= 4.10.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via bw_button Shortcode	CVE-2024-6391	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	July 8, 2024
Ultimate Blocks – WordPress Blocks Plugin <= 3.0.8 - Authenticated(Contributor+) Stored Cross-Site Scripting via metabox	CVE-2023-6692	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	June 18, 2024
Master Slider - Responsive Touch Slider <= 3.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-6382	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 31, 2024
Shariff Wrapper <= 4.6.9 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-6500	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	March 12, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation