🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > stealthcopter

stealthcopter

All Time Ranking

276

All Time Discoveries

90 Day Published Submissions

12 Sep '24

Last Published Submission

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 141-160 of 276 Vulnerabilities

Cowidgets – Elementor Addons <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via heading_tag Parameter

6.4

CVE-2024-4697

Jun 3, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Slider Revolution <= 6.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Elementor wrapperid and zindex

6.4

CVE-2024-4637

Jun 3, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Responsive <= 5.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-35654

Jun 3, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Royal Elementor Addons and Templates <= 1.3.975 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-4342

May 31, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Elements For Elementor <= 2.1 - Authenticated (Contributor+) Local File Inclusion via Multiple Widget Attributes

8.8

CVE-2024-5348

May 31, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Responsive Owl Carousel for Elementor <= 1.2.0 - Local File Inclusion

8.8

CVE-2024-5345

May 30, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Gum Elementor Addon <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Price Table and Post Slider Widgets

6.4

CVE-2024-4668

May 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Essential Addons for Elementor <= 5.9.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Feed

6.4

CVE-2024-5073

May 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Primary Addon for Elementor <= 1.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget

6.4

CVE-2024-5229

May 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Photo Album Plus <= 8.7.02.003 - Unauthenticated Arbitrary Shortcode Execution

6.5

CVE-2024-4037

May 23, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor <= 1.10.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-5060

May 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

The Plus Addons for Elementor <= 5.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar, Header Meta Content, Scroll Navigation, Pricing Table, & Flip Box

6.4

CVE-2024-3718

May 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Hash Elements <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter in Multiple Widgets

6.4

CVE-2024-5177

May 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

LA-Studio Element Kit for Elementor <= 1.3.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVE-2024-4431

May 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Awesome Contact Form7 for Elementor <= 2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via AEP Contact Form 7 Widget

6.4

CVE-2024-4486

May 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress + Microsoft Office 365 / Azure AD | LOGIN <= 27.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via pintra Shortcode

6.4

CVE-2024-4706

May 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Premium Addons for Elementor <= 4.10.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via Menu and Shape Divider

6.4

CVE-2024-4378

May 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WPB Elementor Addons <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter

6.4

CVE-2024-4896

May 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

MemberPress <= 1.11.29 - Authenticated (Contributor+) Blind Server-Side Request Forgery via mepr-user-file Shortcode

8.5

CVE-2024-5031

May 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

MemberPress <= 1.11.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via arglist Parameter

6.4

CVE-2024-5025

May 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
Cowidgets – Elementor Addons <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via heading_tag Parameter	CVE-2024-4697	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	June 3, 2024
Slider Revolution <= 6.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via Elementor wrapperid and zindex	CVE-2024-4637	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	June 3, 2024
Responsive <= 5.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-35654	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	June 3, 2024
Royal Elementor Addons and Templates <= 1.3.975 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-4342	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 31, 2024
Elements For Elementor <= 2.1 - Authenticated (Contributor+) Local File Inclusion via Multiple Widget Attributes	CVE-2024-5348	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	May 31, 2024
Responsive Owl Carousel for Elementor <= 1.2.0 - Local File Inclusion	CVE-2024-5345	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	May 30, 2024
Gum Elementor Addon <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Price Table and Post Slider Widgets	CVE-2024-4668	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 29, 2024
Essential Addons for Elementor <= 5.9.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Feed	CVE-2024-5073	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 29, 2024
Primary Addon for Elementor <= 1.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget	CVE-2024-5229	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 24, 2024
WP Photo Album Plus <= 8.7.02.003 - Unauthenticated Arbitrary Shortcode Execution	CVE-2024-4037	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	May 23, 2024
LottieFiles – JSON Based Animation Lottie & Bodymovin for Elementor <= 1.10.9 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-5060	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 23, 2024
The Plus Addons for Elementor <= 5.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Progress Bar, Header Meta Content, Scroll Navigation, Pricing Table, & Flip Box	CVE-2024-3718	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 23, 2024
Hash Elements <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter in Multiple Widgets	CVE-2024-5177	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 22, 2024
LA-Studio Element Kit for Elementor <= 1.3.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter	CVE-2024-4431	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 22, 2024
Awesome Contact Form7 for Elementor <= 2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via AEP Contact Form 7 Widget	CVE-2024-4486	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 22, 2024
WordPress + Microsoft Office 365 / Azure AD \| LOGIN <= 27.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via pintra Shortcode	CVE-2024-4706	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 22, 2024
Premium Addons for Elementor <= 4.10.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via Menu and Shape Divider	CVE-2024-4378	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 22, 2024
WPB Elementor Addons <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter	CVE-2024-4896	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 21, 2024
MemberPress <= 1.11.29 - Authenticated (Contributor+) Blind Server-Side Request Forgery via mepr-user-file Shortcode	CVE-2024-5031	8.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N	May 21, 2024
MemberPress <= 1.11.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via arglist Parameter	CVE-2024-5025	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 21, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation