🦸 💥 Calling all superheroes and hunters! Introducing the End of Year Holiday Extravaganza and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program

Through December 9th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 Active Installations are in-scope for ALL researchers, all plugins and themes that are hosted in the WordPress.org repository with at least 50 active installs that have been updated in the last 2 years will be in-scope for ALL researchers, the minimum bounty awarded for all in-scope submissions will be $5, and ALL researchers earn automatic bonuses of 5%-180% for valid submissions in software with 1,000 - 4,999,999 active installs, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > RE-ALTER

RE-ALTER

All Time Ranking

280

All Time Discoveries

90 Day Published Submissions

N/A

Last Published Submission

About

𝕯𝖎𝖘𝖙𝖚𝖗𝖇 𝖙𝖍𝖊 𝕻𝖊𝖆𝖈𝖊 // Darkness lurking below the surface?

Showing 121-140 of 280 Vulnerabilities

JS Help Desk <= 2.7.1 - Missing Authorization

6.3

CVE-2022-46840

Jan 27, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Social Share Buttons by Supsystic <= 2.2.3 - Missing Authorization

6.3

CVE-2022-27235

Jun 9, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Spiffy Calendar <= 4.9.0 - Edit/Delete event via IDOR

6.3

CVE-2022-29434

Feb 10, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Contact Form & Lead Form Elementor Builder < 1.7.4 - Arbitrary Settings Change

6.3

CVE-2022-23180

Feb 1, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Goya <= 1.0.8.7 - Unauthenticated Reflected Cross-Site Scripting via Multiple Parameters

6.1

CVE-2023-4017

Jun 28, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Jobeleon Theme <= 1.9.1 - Reflected Cross-Site Scripting

6.1

CVE-2022-47153

Mar 28, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

New User Approve <= 2.5.1 - Cross-Site Request Forgery via admin_notices

6.1

CVE-2023-50902

Dec 26, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Multiple Plugins by KlbTheme <= (Various Versions) - Reflected Cross-Site Scripting

6.1

CVE-2023-49839

Dec 7, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Machic Core <= 1.2.6 - Reflected Cross-Site Scripting

6.1

CVE-2023-49186

Dec 7, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Ultimate Addons for Contact Form 7 <= 3.2.0 - Reflected Cross-Site Scripting

6.1

CVE-2023-49766

Dec 4, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Adifier (Premium Theme) < 3.1.4 - Reflected Cross-Site Scripting

6.1

CVE-2023-49187

Nov 29, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Form Maker by 10Web <= 1.15.18 - Reflected Cross-Site Scripting

6.1

CVE-2023-45070

Oct 3, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Social Media & Share Icons <= 2.8.3 - Reflected Cross-Site Scripting

6.1

CVE-2023-41238

Aug 29, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Multiple DeoThemes Themes <= (Various Versions) - Reflected Cross-Site Scripting

6.1

CVE-2023-3708

Jul 17, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Balkon <= 1.3.2 - Reflected Cross-Site Scripting

6.1

CVE-2023-36502

Jun 23, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

TheRoof <= 1.0.3 - Reflected Cross-Site Scripting

6.1

CVE-2023-29430

Apr 6, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Outdoor <= 3.9.6 - Reflected Cross-Site Scripting

6.1

CVE-2023-29236

Apr 4, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Real Estate 7 <= 3.3.4 - Reflected Cross-Site Scripting via ct_additional_features

6.1

CVE ID Unknown

Feb 28, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Event Calendar <= 1.4.6 - Reflected Cross-Site Scripting

6.1

CVE-2022-36390

Aug 25, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Quick Restaurant Reservations <= 1.4.1 - Reflected Cross-Site Scripting

6.1

CVE-2022-29923

May 12, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
JS Help Desk <= 2.7.1 - Missing Authorization	CVE-2022-46840	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	January 27, 2023
Social Share Buttons by Supsystic <= 2.2.3 - Missing Authorization	CVE-2022-27235	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	June 9, 2022
Spiffy Calendar <= 4.9.0 - Edit/Delete event via IDOR	CVE-2022-29434	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	February 10, 2022
Contact Form & Lead Form Elementor Builder < 1.7.4 - Arbitrary Settings Change	CVE-2022-23180	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	February 1, 2022
Goya <= 1.0.8.7 - Unauthenticated Reflected Cross-Site Scripting via Multiple Parameters	CVE-2023-4017	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	June 28, 2024
Jobeleon Theme <= 1.9.1 - Reflected Cross-Site Scripting	CVE-2022-47153	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 28, 2024
New User Approve <= 2.5.1 - Cross-Site Request Forgery via admin_notices	CVE-2023-50902	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 26, 2023
Multiple Plugins by KlbTheme <= (Various Versions) - Reflected Cross-Site Scripting	CVE-2023-49839	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 7, 2023
Machic Core <= 1.2.6 - Reflected Cross-Site Scripting	CVE-2023-49186	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 7, 2023
Ultimate Addons for Contact Form 7 <= 3.2.0 - Reflected Cross-Site Scripting	CVE-2023-49766	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 4, 2023
Adifier (Premium Theme) < 3.1.4 - Reflected Cross-Site Scripting	CVE-2023-49187	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	November 29, 2023
Form Maker by 10Web <= 1.15.18 - Reflected Cross-Site Scripting	CVE-2023-45070	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	October 3, 2023
Social Media & Share Icons <= 2.8.3 - Reflected Cross-Site Scripting	CVE-2023-41238	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	August 29, 2023
Multiple DeoThemes Themes <= (Various Versions) - Reflected Cross-Site Scripting	CVE-2023-3708	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	July 17, 2023
Balkon <= 1.3.2 - Reflected Cross-Site Scripting	CVE-2023-36502	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	June 23, 2023
TheRoof <= 1.0.3 - Reflected Cross-Site Scripting	CVE-2023-29430	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	April 6, 2023
Outdoor <= 3.9.6 - Reflected Cross-Site Scripting	CVE-2023-29236	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	April 4, 2023
Real Estate 7 <= 3.3.4 - Reflected Cross-Site Scripting via ct_additional_features		6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	February 28, 2023
Event Calendar <= 1.4.6 - Reflected Cross-Site Scripting	CVE-2022-36390	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	August 25, 2022
Quick Restaurant Reservations <= 1.4.1 - Reflected Cross-Site Scripting	CVE-2022-29923	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	May 12, 2022

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation