🦸 Calling all superheroes! Introducing the WordPress Superhero Challenge for the Wordfence Bug Bounty Program: Earn up to $31,200 for High Impact Vulnerabilities! Through October 14th, 2024, all vulnerabilities reported in plugins or themes with >= 5,000,000 active installs will be 3x our highest bounty rewards making our top reward $31,200. Check out the updated bounties here!

Wordfence Intelligence > Vulnerability Researchers > Webbernaut

Webbernaut

All Time Ranking

123

All Time Discoveries

90 Day Published Submissions

10 Sep '24

Last Published Submission

About

WordPress developer and security enthusiast.

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 1-20 of 123 Vulnerabilities

Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 -Authenticated (Contributor+) Remote Code Execution

9.9

CVE-2024-3105

Jun 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

WPZOOM Addons for Elementor (Templates, Widgets) <= 1.1.37 - Unauthenticated Local File Inclusion

9.8

CVE-2024-5147

May 21, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

HT Mega – Absolute Addons For Elementor <= 2.4.5 - Authenticated (Contributor+) Directory Traversal

8.8

CVE-2024-1974

May 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets

8.8

CVE-2024-3500

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ElementsKit Elementor addons <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Onepage Scroll Module

8.8

CVE-2024-3499

Apr 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Hubbub Lite – Fast, Reliable Social Network Sharing Buttons <= 1.33.1 - PHP Object Injection

7.5

CVE-2024-2501

Mar 27, 2024

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Brizy – Page Builder <= 2.4.43 - Authenticated (Contributor+) Store Cross-Site Scripting via Widget Link To URL

7.4

CVE-2024-3667

Jun 4, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Event Calendar

7.4

CVE-2024-1536

Mar 11, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget

7.2

CVE-2024-5542

Jun 6, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WP-Members Membership Plugin <= 3.4.9.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-1852

Apr 1, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2 - Authenticated (Contributor+) Arbitrary File Read

6.5

CVE-2024-4359

Aug 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to MA Template Creation or Modification

6.5

CVE-2024-5382

Jun 6, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.4 - Authenticated (Contributor+) Stored Cross-Site Scritping

6.5

CVE-2024-0586

Jan 17, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Advanced WordPress Backgrounds <= 1.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via imageTag Parameter

6.4

CVE-2024-8045

Sep 10, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

RD Station <= 5.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-6894

Sep 4, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Elementor Addon Elements <= 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVE-2024-7122

Aug 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Piotnet Addons For Elementor <= 2.4.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVE-2024-5502

Aug 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Last Modified Info <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode

6.4

CVE-2024-6864

Aug 19, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

ElementsKit Pro <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-7064

Aug 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Gallery and Countdown Widgets

6.4

CVE-2024-7247

Aug 12, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 -Authenticated (Contributor+) Remote Code Execution	CVE-2024-3105	9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	June 14, 2024
WPZOOM Addons for Elementor (Templates, Widgets) <= 1.1.37 - Unauthenticated Local File Inclusion	CVE-2024-5147	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	May 21, 2024
HT Mega – Absolute Addons For Elementor <= 2.4.5 - Authenticated (Contributor+) Directory Traversal	CVE-2024-1974	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	May 23, 2024
ElementsKit Pro <= 3.6.0 - Authenticated (Contributor+) Local File Inclusion via Price Menu, Hotspot, and Advanced Toggle Widgets	CVE-2024-3500	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 25, 2024
ElementsKit Elementor addons <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Onepage Scroll Module	CVE-2024-3499	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 22, 2024
Hubbub Lite – Fast, Reliable Social Network Sharing Buttons <= 1.33.1 - PHP Object Injection	CVE-2024-2501	7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	March 27, 2024
Brizy – Page Builder <= 2.4.43 - Authenticated (Contributor+) Store Cross-Site Scripting via Widget Link To URL	CVE-2024-3667	7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L	June 4, 2024
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Event Calendar	CVE-2024-1536	7.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L	March 11, 2024
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget	CVE-2024-5542	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	June 6, 2024
WP-Members Membership Plugin <= 3.4.9.2 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-1852	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 1, 2024
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2 - Authenticated (Contributor+) Arbitrary File Read	CVE-2024-4359	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	August 8, 2024
Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor <= 2.0.6.1 - Missing Authorization to MA Template Creation or Modification	CVE-2024-5382	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L	June 6, 2024
Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.4 - Authenticated (Contributor+) Stored Cross-Site Scritping	CVE-2024-0586	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	January 17, 2024
Advanced WordPress Backgrounds <= 1.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via imageTag Parameter	CVE-2024-8045	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 10, 2024
RD Station <= 5.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-6894	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 4, 2024
Elementor Addon Elements <= 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets	CVE-2024-7122	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	August 29, 2024
Piotnet Addons For Elementor <= 2.4.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets	CVE-2024-5502	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	August 22, 2024
WP Last Modified Info <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via lmt-post-modified-info Shortcode	CVE-2024-6864	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	August 19, 2024
ElementsKit Pro <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-7064	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	August 14, 2024
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Gallery and Countdown Widgets	CVE-2024-7247	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	August 12, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation