🦸 🧭 Calling all superheroes and explorers! Introducing the WordPress Superhero Challenge and WordPress XSSplorer Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities AND XSS vulnerabilities are in scope for all researchers in plugins/themes >= 1,000 Active Installs!

Through October 7th, 2024 all Cross-Site Scripting (XSS) vulnerabilities in plugins/themes with >= 1,000 Active Installs will be in scope for all researchers regardless of researcher tier. In addition, through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200.

Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > stealthcopter

stealthcopter

All Time Ranking

273

All Time Discoveries

90 Day Published Submissions

5 Sep '24

Last Published Submission

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 201-220 of 273 Vulnerabilities

WP Recipe Maker <= 9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wprm-recipe-roundup-item Shortcode

6.4

CVE-2024-3490

May 1, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Unique <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-33952

Apr 30, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Pliska <= 0.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Author Display Name

6.4

CVE-2024-33954

Apr 30, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Freesia Empire <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-33955

Apr 30, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Elementor Addon Elements <= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-3743

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-3550

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.5.9 - Contributor+ Stored Cross-Site Scripting

6.4

CVE-2024-4265

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Share This Image <= 1.98 - Open Redirect

5.4

CVE-2024-33930

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Adventure Journal <= 1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-33953

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Form Maker by 10Web <= 1.15.24 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting

4.4

CVE-2024-2258

Apr 26, 2024

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

WP ULike <= 4.6.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVE-2024-1759

Apr 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Virtue <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Author

6.4

CVE-2024-4034

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

ColorNews <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-33540

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Portfolio <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-33537

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

User Meta <= 3.0 - Unauthenticated Sensitive Information Exposure

5.3

CVE-2024-33575

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVE-2024-3734

Apr 24, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery & Interactive Circle

6.4

CVE-2024-3728

Apr 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery <= 2.7.7.21 - Authenticated (Author+) Cross-Site Scripting

6.4

CVE-2024-4035

Apr 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Premium Addons for Elementor <= 4.10.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'arrow_style'

6.4

CVE-2024-3647

Apr 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Exclusive Addons for Elementor <= 2.6.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action

6.4

CVE-2024-3985

Apr 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
WP Recipe Maker <= 9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wprm-recipe-roundup-item Shortcode	CVE-2024-3490	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 1, 2024
Unique <= 0.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-33952	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 30, 2024
Pliska <= 0.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Author Display Name	CVE-2024-33954	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 30, 2024
Freesia Empire <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-33955	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 30, 2024
Elementor Addon Elements <= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-3743	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 29, 2024
WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-3550	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 29, 2024
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.5.9 - Contributor+ Stored Cross-Site Scripting	CVE-2024-4265	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 29, 2024
Share This Image <= 1.98 - Open Redirect	CVE-2024-33930	5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N	April 29, 2024
Adventure Journal <= 1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-33953	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 29, 2024
Form Maker by 10Web <= 1.15.24 - Authenticated (Subscriber+) Stored Self-Based Cross-Site Scripting	CVE-2024-2258	4.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N	April 26, 2024
WP ULike <= 4.6.9 - Authenticated (Subscriber+) Stored Cross-Site Scripting	CVE-2024-1759	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 26, 2024
Virtue <= 3.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Author	CVE-2024-4034	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 25, 2024
ColorNews <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-33540	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 25, 2024
WP Portfolio <= 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-33537	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 25, 2024
User Meta <= 3.0 - Unauthenticated Sensitive Information Exposure	CVE-2024-33575	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	April 25, 2024
FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-3734	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L	April 24, 2024
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery & Interactive Circle	CVE-2024-3728	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 24, 2024
Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery <= 2.7.7.21 - Authenticated (Author+) Cross-Site Scripting	CVE-2024-4035	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 24, 2024
Premium Addons for Elementor <= 4.10.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'arrow_style'	CVE-2024-3647	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 24, 2024
Exclusive Addons for Elementor <= 2.6.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call to Action	CVE-2024-3985	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 22, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation