🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > Sean Murphy

Sean Murphy

134

All Time Ranking

All Time Discoveries

90 Day Published Submissions

15 Nov '24

Last Published Submission

5 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 1-20 of 21 Vulnerabilities

GutenKit <= 2.1.0 - Unauthenticated Arbitrary File Upload

9.8

CVE-2024-9234

Oct 10, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Hunk Companion <= 1.8.4 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation

9.8

CVE-2024-9707

Oct 10, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EWWW Image Optimizer <= 2.8.4 - Remote Code Execution

9.6

CVE-2016-20010

Jun 8, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Custom Searchable Data Entry System <= 1.7.1 - Unauthenticated Database Wiping

9.1

CVE ID Unknown

Mar 6, 2020

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

WP Maintenance Mode <= 2.0.6 - Remote Code Execution

9.1

CVE-2018-20156

Dec 14, 2018

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

PostX <= 4.1.16 - Missing Authorization to Arbitrary Plugin Installation/Activation

8.8

CVE-2024-10728

Nov 15, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Th Shop Mania <= 1.4.9 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

8.8

CVE-2024-10674

Nov 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Top Store <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

8.8

CVE-2024-10673

Nov 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Mapster WP Maps <= 1.5.0 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update

8.8

CVE-2024-9235

Oct 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Instant Images <= 6.1.0 - Authenticated (Author+) Arbitrary Options Update

8.8

CVE-2024-0869

Jan 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution

8.8

CVE-2019-15324

Jul 15, 2019

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Hustle <= 7.8.3 - Sensitive Information Exposure via Exposed Hubspot API Keys

8.6

CVE-2024-0368

Mar 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Email Log <= 2.4.8 - Unauthenticated Hook Injection

8.1

CVE-2024-0867

May 23, 2024

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Check & Log Email <= 1.0.9 - Unauthenticated Hook Injection

8.1

CVE-2024-0866

Mar 25, 2024

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Forminator <= 1.29.1 - HubSpot Developer API Key Sensitive Information Exposure

7.5

CVE-2024-7389

Aug 1, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Unauthenticated Stored Cross-Site Scripting via device

7.2

CVE-2023-7027

Jan 2, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

AMP for WP <= 1.0.93.1 - Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data

6.5

CVE-2024-1043

Feb 6, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

ColorMag <= 3.1.2 - Missing Authorization to Arbitrary Plugin Installation

6.5

CVE-2024-0679

Jan 19, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Modern Events Calendar Lite <= 5.1.6 - Missing Authorization to Stored Cross-Site Scripting and Settings Update

5.4

CVE-2020-9459

Feb 27, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

WP Maintenance Mode <= 2.0.6 - Missing Authorization

5.4

CVE-2018-20155

Jul 6, 2016

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Title	CVE ID	CVSS	Vector	Date
GutenKit <= 2.1.0 - Unauthenticated Arbitrary File Upload	CVE-2024-9234	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 10, 2024
Hunk Companion <= 1.8.4 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation	CVE-2024-9707	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 10, 2024
EWWW Image Optimizer <= 2.8.4 - Remote Code Execution	CVE-2016-20010	9.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	June 8, 2016
Custom Searchable Data Entry System <= 1.7.1 - Unauthenticated Database Wiping		9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H	March 6, 2020
WP Maintenance Mode <= 2.0.6 - Remote Code Execution	CVE-2018-20156	9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	December 14, 2018
PostX <= 4.1.16 - Missing Authorization to Arbitrary Plugin Installation/Activation	CVE-2024-10728	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 15, 2024
Th Shop Mania <= 1.4.9 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation	CVE-2024-10674	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 8, 2024
Top Store <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation	CVE-2024-10673	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	November 8, 2024
Mapster WP Maps <= 1.5.0 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update	CVE-2024-9235	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 24, 2024
Instant Images <= 6.1.0 - Authenticated (Author+) Arbitrary Options Update	CVE-2024-0869	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	January 29, 2024
Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution	CVE-2019-15324	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	July 15, 2019
Hustle <= 7.8.3 - Sensitive Information Exposure via Exposed Hubspot API Keys	CVE-2024-0368	8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N	March 12, 2024
Email Log <= 2.4.8 - Unauthenticated Hook Injection	CVE-2024-0867	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	May 23, 2024
Check & Log Email <= 1.0.9 - Unauthenticated Hook Injection	CVE-2024-0866	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	March 25, 2024
Forminator <= 1.29.1 - HubSpot Developer API Key Sensitive Information Exposure	CVE-2024-7389	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	August 1, 2024
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 - Unauthenticated Stored Cross-Site Scripting via device	CVE-2023-7027	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	January 2, 2024
AMP for WP <= 1.0.93.1 - Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data	CVE-2024-1043	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H	February 6, 2024
ColorMag <= 3.1.2 - Missing Authorization to Arbitrary Plugin Installation	CVE-2024-0679	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	January 19, 2024
Modern Events Calendar Lite <= 5.1.6 - Missing Authorization to Stored Cross-Site Scripting and Settings Update	CVE-2020-9459	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	February 27, 2020
WP Maintenance Mode <= 2.0.6 - Missing Authorization	CVE-2018-20155	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	July 6, 2016

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation