🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > Ram

Ram

Organization: Wordfence

All Time Ranking

156

All Time Discoveries

90 Day Published Submissions

N/A

Last Published Submission

1 Achievement

Learn more about Achievements

Learn more Learn more about Achievements

Showing 121-140 of 156 Vulnerabilities

HT Mega - Absolute Addons for Elementor Page Builder <= 1.5.5 - Contributor+ Stored Cross-Site Scripting

5.4

CVE-2021-24261

Apr 13, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Sina Extension for Elementor <= 3.3.11 - Stored Cross-Site Scripting

5.4

CVE-2021-24269

Apr 13, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Essential Addons for Elementor Lite <= 4.5.3 - Cross-Site Scripting

5.4

CVE-2021-24255

Apr 13, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

WP Page Builder <= 1.2.3 - Insecure Default to Unauthorized Page Editing

5.4

CVE-2021-24207

Apr 8, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X <= 0.98 - Authenticated Stored Cross-Site Scripting

5.4

CVE-2020-11508

Apr 7, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

IMPress for IDX Broker <= 2.6.1 - Authenticated Stored Cross-Site Scripting

5.4

CVE-2020-11512

Mar 26, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Modern Events Calendar Lite <= 5.1.6 - Missing Authorization to Stored Cross-Site Scripting and Settings Update

5.4

CVE-2020-9459

Feb 27, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Gutenberg Template Library & Redux Framework <= 4.2.11 - Missing Authorization to Sensitive Information Disclosure

5.3

CVE-2021-38314

Sep 1, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode

4.9

CVE-2023-0710

Jun 8, 2023

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

Nested Pages <= 3.1.15 - Open Redirect

4.7

CVE-2021-38343

Aug 25, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Product Vendors <= 2.0.35 - Reflected Cross Site Scripting

4.7

CVE-2017-20193

Aug 22, 2017

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Custom Permalinks <= 2.6.0 - Authenticated(Editor+) Stored Cross-Site Scripting

4.4

CVE-2023-0926

Aug 23, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Tutor LMS <= 2.7.4 - Cross-Site Request Forgery via 'addon_enable_disable'

4.3

CVE-2023-2919

Sep 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Bricks <= 1.8.1 - Cross-Site Request Forgery via save_settings

4.3

CVE-2023-3408

Aug 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode

4.3

CVE-2023-0689

Aug 30, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

FULL - Customer <= 2.2.3 - Authenticated(Subscriber+) Information Disclosure via Health Check

4.3

CVE-2023-4242

Aug 8, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode

4.3

CVE-2023-0691

Jun 8, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode

4.3

CVE-2023-0692

Jun 8, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Getwid – Gutenberg Blocks <= 1.8.3 - Improper Authorization via get_remote_templates REST endpoint

4.3

CVE-2023-1910

Jun 6, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update

4.3

CVE-2023-0583

Jun 2, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
HT Mega - Absolute Addons for Elementor Page Builder <= 1.5.5 - Contributor+ Stored Cross-Site Scripting	CVE-2021-24261	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	April 13, 2021
Sina Extension for Elementor <= 3.3.11 - Stored Cross-Site Scripting	CVE-2021-24269	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	April 13, 2021
Essential Addons for Elementor Lite <= 4.5.3 - Cross-Site Scripting	CVE-2021-24255	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	April 13, 2021
WP Page Builder <= 1.2.3 - Insecure Default to Unauthorized Page Editing	CVE-2021-24207	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	April 8, 2021
WordPress Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X <= 0.98 - Authenticated Stored Cross-Site Scripting	CVE-2020-11508	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	April 7, 2020
IMPress for IDX Broker <= 2.6.1 - Authenticated Stored Cross-Site Scripting	CVE-2020-11512	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	March 26, 2020
Modern Events Calendar Lite <= 5.1.6 - Missing Authorization to Stored Cross-Site Scripting and Settings Update	CVE-2020-9459	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	February 27, 2020
Gutenberg Template Library & Redux Framework <= 4.2.11 - Missing Authorization to Sensitive Information Disclosure	CVE-2021-38314	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	September 1, 2021
Metform Elementor Contact Form Builder <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via mf_thankyou shortcode	CVE-2023-0710	4.9	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N	June 8, 2023
Nested Pages <= 3.1.15 - Open Redirect	CVE-2021-38343	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N	August 25, 2021
Product Vendors <= 2.0.35 - Reflected Cross Site Scripting	CVE-2017-20193	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N	August 22, 2017
Custom Permalinks <= 2.6.0 - Authenticated(Editor+) Stored Cross-Site Scripting	CVE-2023-0926	4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N	August 23, 2024
Tutor LMS <= 2.7.4 - Cross-Site Request Forgery via 'addon_enable_disable'	CVE-2023-2919	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	September 9, 2024
Bricks <= 1.8.1 - Cross-Site Request Forgery via save_settings	CVE-2023-3408	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	August 16, 2024
Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_first_name' shortcode	CVE-2023-0689	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	August 30, 2023
FULL - Customer <= 2.2.3 - Authenticated(Subscriber+) Information Disclosure via Health Check	CVE-2023-4242	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	August 8, 2023
Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via mf_last_name shortcode	CVE-2023-0691	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	June 8, 2023
Metform Elementor Contact Form Builder <= 3.3.1 - Authenticated (Subscriber+) Information Disclosure via 'mf_payment_status' shortcode	CVE-2023-0692	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	June 8, 2023
Getwid – Gutenberg Blocks <= 1.8.3 - Improper Authorization via get_remote_templates REST endpoint	CVE-2023-1910	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	June 6, 2023
VK Blocks <= 1.57.0.5 - Authenticated(Contributor+) Settings Update	CVE-2023-0583	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	June 2, 2023

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation