🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Researchers > Francesco Carlucci

Francesco Carlucci

All Time Ranking

242

All Time Discoveries

About

Hacker and Digital Nomad, the worst combination ever :)

8 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 21-40 of 242 Vulnerabilities

Easy Digital Downloads <= 3.1.0.1.1 - Unauthenticated CSV Injection

8.8

CVE-2022-3600

Sep 28, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Post to CSV by BestWebSoft <= 1.3.8 - Authenticated (Author+) CSV Injection

6.8

CVE-2022-3393

Oct 3, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Contact Form Plugin by FluentForm <= 4.3.12 - CSV Injection

8.3

CVE-2022-3463

Oct 17, 2022

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

WPForms Pro <= 1.7.6 - CSV Injection

7.2

CVE-2022-3574

Oct 19, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Contact Form Entries <= 1.2.9 - CSV Injection

7.2

CVE-2022-3604

Oct 21, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Export customers list csv for WooCommerce <= 2.0.67 - CSV Injection

4.8

CVE-2022-3603

Nov 3, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Clerk <= 3.8.2 - Authorization Bypass via Insufficient Validation

5.6

CVE-2022-3907

Nov 10, 2022

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

WP CSV Exporter <= 1.3.6 - CSV Injection

7.7

CVE-2022-3605

Nov 29, 2022

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Display post meta, term meta, comment meta, and user meta <= 0.4.1 - Authenticated(Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-1661

May 30, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Stripe Payment Plugin for WooCommerce <= 3.7.9 - Missing Authorization to Arbitrary Order Status Modification

5.3

CVE-2023-4040

Aug 17, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Delete Usermetas <= 1.1.2 - Cross-Site Request Forgery

4.3

CVE-2023-5537

Oct 19, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

SALESmanago <= 3.2.4 - Log Injection via Weak Authentication Token

5.3

CVE-2023-4939

Oct 20, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Add Custom Body Class <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-5205

Oct 20, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure

7.5

CVE-2023-5132

Oct 20, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Post Meta Data Manager <=1.2.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

8.8

CVE-2023-5425

Oct 27, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Post Meta Data Manager <=1.2.0 - Missing Authorization to User, Term, and Post Meta Deletion

7.5

CVE-2023-5426

Oct 27, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Post Meta Data Manager <= 1.2.1 - Cross-Site Request Forgery to Post, Term, and User Meta Deletion

4.3

CVE-2023-5776

Nov 20, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-6225

Nov 27, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Insecure Direct Object Reference to Information Disclosure

4.3

CVE-2023-6226

Nov 27, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Divi <= 4.23.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-6744

Dec 22, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
Easy Digital Downloads <= 3.1.0.1.1 - Unauthenticated CSV Injection	CVE-2022-3600	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	September 28, 2022
Post to CSV by BestWebSoft <= 1.3.8 - Authenticated (Author+) CSV Injection	CVE-2022-3393	6.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H	October 3, 2022
Contact Form Plugin by FluentForm <= 4.3.12 - CSV Injection	CVE-2022-3463	8.3	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H	October 17, 2022
WPForms Pro <= 1.7.6 - CSV Injection	CVE-2022-3574	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	October 19, 2022
Contact Form Entries <= 1.2.9 - CSV Injection	CVE-2022-3604	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	October 21, 2022
Export customers list csv for WooCommerce <= 2.0.67 - CSV Injection	CVE-2022-3603	4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	November 3, 2022
Clerk <= 3.8.2 - Authorization Bypass via Insufficient Validation	CVE-2022-3907	5.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L	November 10, 2022
WP CSV Exporter <= 1.3.6 - CSV Injection	CVE-2022-3605	7.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H	November 29, 2022
Display post meta, term meta, comment meta, and user meta <= 0.4.1 - Authenticated(Contributor+) Stored Cross-Site Scripting	CVE-2023-1661	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 30, 2023
Stripe Payment Plugin for WooCommerce <= 3.7.9 - Missing Authorization to Arbitrary Order Status Modification	CVE-2023-4040	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	August 17, 2023
Delete Usermetas <= 1.1.2 - Cross-Site Request Forgery	CVE-2023-5537	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	October 19, 2023
SALESmanago <= 3.2.4 - Log Injection via Weak Authentication Token	CVE-2023-4939	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	October 20, 2023
Add Custom Body Class <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-5205	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 20, 2023
Soisy Pagamento Rateale <= 6.0.1 - Missing Authorization to Sensitive Information Exposure	CVE-2023-5132	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	October 20, 2023
Post Meta Data Manager <=1.2.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation	CVE-2023-5425	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 27, 2023
Post Meta Data Manager <=1.2.0 - Missing Authorization to User, Term, and Post Meta Deletion	CVE-2023-5426	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	October 27, 2023
Post Meta Data Manager <= 1.2.1 - Cross-Site Request Forgery to Post, Term, and User Meta Deletion	CVE-2023-5776	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	November 20, 2023
WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2023-6225	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	November 27, 2023
WP Shortcodes Plugin — Shortcodes Ultimate <= 5.13.3 - Insecure Direct Object Reference to Information Disclosure	CVE-2023-6226	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	November 27, 2023
Divi <= 4.23.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2023-6744	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	December 22, 2023

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation