🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > theviper17y

theviper17y

105

All Time Ranking

All Time Discoveries

90 Day Published Submissions

30 Oct '24

Last Published Submission

4 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 1-20 of 28 Vulnerabilities

Linear <= 2.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-52426

Nov 13, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Web Stories Widgets For Elementor <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-52354

Nov 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Elo Rating Shortcode <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-51678

Nov 1, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Themedy Toolbox <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-50547

Oct 31, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Awesome Progress Bar <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-50548

Oct 31, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Simple Anchors Links <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpanchor Shortcode

6.4

CVE-2024-9446

Oct 30, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Widget or Sidebar Shortcode <= 0.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-9885

Oct 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Baidu Map <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-9886

Oct 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

T(-) Countdown <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2024-9884

Oct 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WPC Smart Messages for WooCommerce <= 4.2.1 - Authenticated (Subscriber+) Local File Inclusion

8.8

CVE-2024-10436

Oct 28, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Kodex Posts likes <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-50464

Oct 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CodePen Embedded Pens Shortcode <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-50440

Oct 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Compact WP Audio Player <= 1.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_embed_player Shortcode

6.4

CVE-2024-10176

Oct 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Flow Plus <= 5.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-49695

Oct 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

AI Image Generator for Your Content & Featured Images – AI Postpix <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVE-2024-49671

Oct 21, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Advanced Category and Custom Taxonomy Image <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via ad_tax_image Shortcode

6.4

CVE-2024-9425

Oct 17, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Point Maker <= 0.1.4 - Authenticated (Contributor+) Local File Inclusion

8.8

CVE-2024-49317

Oct 15, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

My Favorites <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-49263

Oct 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

IdeaPush <= 8.69 - Cross-Site Request Forgery

4.3

CVE-2024-49275

Oct 14, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Tito <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-49241

Oct 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
Linear <= 2.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-52426	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	November 13, 2024
Web Stories Widgets For Elementor <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-52354	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	November 8, 2024
Elo Rating Shortcode <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-51678	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	November 1, 2024
Themedy Toolbox <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-50547	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 31, 2024
Awesome Progress Bar <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-50548	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 31, 2024
WP Simple Anchors Links <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpanchor Shortcode	CVE-2024-9446	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 30, 2024
Widget or Sidebar Shortcode <= 0.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-9885	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 29, 2024
WP Baidu Map <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-9886	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 29, 2024
T(-) Countdown <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2024-9884	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 29, 2024
WPC Smart Messages for WooCommerce <= 4.2.1 - Authenticated (Subscriber+) Local File Inclusion	CVE-2024-10436	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 28, 2024
Kodex Posts likes <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-50464	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 24, 2024
CodePen Embedded Pens Shortcode <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-50440	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 24, 2024
Compact WP Audio Player <= 1.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_embed_player Shortcode	CVE-2024-10176	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 23, 2024
WP Flow Plus <= 5.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-49695	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 21, 2024
AI Image Generator for Your Content & Featured Images – AI Postpix <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2024-49671	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 21, 2024
Advanced Category and Custom Taxonomy Image <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via ad_tax_image Shortcode	CVE-2024-9425	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 17, 2024
Point Maker <= 0.1.4 - Authenticated (Contributor+) Local File Inclusion	CVE-2024-49317	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 15, 2024
My Favorites <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-49263	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 14, 2024
IdeaPush <= 8.69 - Cross-Site Request Forgery	CVE-2024-49275	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	October 14, 2024
Tito <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-49241	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 14, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation