🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Researchers > Emili Castells

Emili Castells

All Time Ranking

All Time Discoveries

Showing 21-38 of 38 Vulnerabilities

Direct Checkout – Quick View – Buy Now For WooCommerce <= 1.5.8 - Authenticated (Shop manager+) Stored Cross-Site Scripting via Custom CSS Code

5.5

CVE-2023-47657

Nov 7, 2023

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Recently viewed and most viewed products <= 1.1.1 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

5.5

CVE-2023-47646

Nov 7, 2023

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Extra Product Options for WooCommerce <= 3.0.3 - Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings

5.5

CVE-2023-47658

Nov 7, 2023

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Live Gold Price & Silver Price Charts Widgets <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings

5.5

CVE-2023-47662

Nov 7, 2023

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Quick/Bulk Order Form for WooCommerce <= 3.5.7 - Authenticated (Shop manager+) Stored Cross-Site Scripting

5.5

CVE-2023-34170

May 31, 2023

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Simple User Listing <= 1.9.2 - Reflected Cross-Site Scripting via as

6.1

CVE-2023-32298

Oct 25, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Lava Directory Manager <= 1.1.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

6.4

CVE-2023-47659

Nov 7, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Rolo Slider <= 1.0.9 - Missing Authorization to Authenticated(Subscriber+) Settings Change

6.5

CVE-2024-1438

Feb 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Easy Newsletter Signups <= 1.0.4 - Missing Authorization

6.5

CVE-2023-41664

Sep 1, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Zippy <= 1.6.2 - Missing Authorization via adminInit

6.5

CVE-2023-34381

Jul 12, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Lava Directory Manager <= 1.1.34 - Unauthenticated Stored Cross-Site Scripting via New Listing

7.2

CVE-2023-46081

Oct 16, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Booking Ultra Pro <= 1.1.12 - Authenticated (Contributor+) Privilege Escalation

8.8

CVE-2024-32960

Apr 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8

CVE-2024-32507

Apr 15, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Contact Form Generator <= 2.7.1 - Authenticated (Contributor+) SQL Injection

8.8

CVE-2023-35911

Oct 9, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Export Import Menus <= 1.8.0 - Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVE-2023-34385

Sep 4, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Quasar form <= 6.1 - Authenticated (Subscriber+) SQL Injection via 'id'

8.8

CVE-2023-35910

Jul 24, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Sirv <= 7.2.2 - Missing Authorization to Arbitrary Options Update

9.8

CVE-2024-32959

Apr 23, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Photos and Files Contest Gallery <= 21.3.4 - Authenticated (Contributor+) SQL Injection

9.9

CVE-2024-30236

Mar 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Direct Checkout – Quick View – Buy Now For WooCommerce <= 1.5.8 - Authenticated (Shop manager+) Stored Cross-Site Scripting via Custom CSS Code	CVE-2023-47657	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	November 7, 2023
Recently viewed and most viewed products <= 1.1.1 - Authenticated (Shop Manager+) Stored Cross-Site Scripting	CVE-2023-47646	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	November 7, 2023
Extra Product Options for WooCommerce <= 3.0.3 - Authenticated (Shop manager+) Stored Cross-Site Scripting via plugin settings	CVE-2023-47658	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	November 7, 2023
Live Gold Price & Silver Price Charts Widgets <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings	CVE-2023-47662	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	November 7, 2023
Quick/Bulk Order Form for WooCommerce <= 3.5.7 - Authenticated (Shop manager+) Stored Cross-Site Scripting	CVE-2023-34170	5.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N	May 31, 2023
Simple User Listing <= 1.9.2 - Reflected Cross-Site Scripting via as	CVE-2023-32298	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	October 25, 2023
Lava Directory Manager <= 1.1.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode	CVE-2023-47659	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	November 7, 2023
Rolo Slider <= 1.0.9 - Missing Authorization to Authenticated(Subscriber+) Settings Change	CVE-2024-1438	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	February 26, 2024
Easy Newsletter Signups <= 1.0.4 - Missing Authorization	CVE-2023-41664	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	September 1, 2023
Zippy <= 1.6.2 - Missing Authorization via adminInit	CVE-2023-34381	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L	July 12, 2023
Lava Directory Manager <= 1.1.34 - Unauthenticated Stored Cross-Site Scripting via New Listing	CVE-2023-46081	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	October 16, 2023
Booking Ultra Pro <= 1.1.12 - Authenticated (Contributor+) Privilege Escalation	CVE-2024-32960	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 23, 2024
Login with phone number <= 1.7.16 - Unauthorized Account Password Change to Privilege Escalation	CVE-2024-32507	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 15, 2024
Contact Form Generator <= 2.7.1 - Authenticated (Contributor+) SQL Injection	CVE-2023-35911	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 9, 2023
Export Import Menus <= 1.8.0 - Authenticated (Subscriber+) Arbitrary File Upload	CVE-2023-34385	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	September 4, 2023
Quasar form <= 6.1 - Authenticated (Subscriber+) SQL Injection via 'id'	CVE-2023-35910	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	July 24, 2023
Sirv <= 7.2.2 - Missing Authorization to Arbitrary Options Update	CVE-2024-32959	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	April 23, 2024
Photos and Files Contest Gallery <= 21.3.4 - Authenticated (Contributor+) SQL Injection	CVE-2024-30236	9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	March 26, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation