🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Researchers > Francesco Carlucci

Francesco Carlucci

All Time Ranking

254

All Time Discoveries

About

Hacker and Digital Nomad, the worst combination ever :)

9 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 41-60 of 254 Vulnerabilities

Bulgarisation for WooCommerce <= 3.0.14 - Missing Authorization

7.3

CVE-2024-0683

Mar 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.1 - Missing Authorization

7.3

CVE-2024-0702

Feb 19, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EleForms – All In One Form Integration including DB for Elementor <= 2.9.9.7 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-2082

Apr 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Customily Product Personalizer <= 1.23.3 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2024-1774

Apr 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Contact Form Entries <= 1.2.9 - CSV Injection

7.2

CVE-2022-3604

Oct 21, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

WPForms Pro <= 1.7.6 - CSV Injection

7.2

CVE-2022-3574

Oct 19, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Index Now <= 2.6.3 - Cross-Site Request Forgery via reset_form

7.1

CVE-2024-0428

Jan 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Post to CSV by BestWebSoft <= 1.3.8 - Authenticated (Author+) CSV Injection

6.8

CVE-2022-3393

Oct 3, 2022

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H

Classified Listing – Classified ads & Business Directory Plugin <= 3.0.4 - Missing Authorization

6.5

CVE-2024-1352

Apr 4, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Beaver Themer <= 1.4.9 - Authenticated (Contributor+) Sensitive Information Exposure via shortcode

6.5

CVE-2023-6695

Apr 3, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Redirects <= 1.2.1 - Missing Authorization via save

6.5

CVE-2024-1566

Feb 27, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Plugin Groups <= 2.0.6 - Missing Authorization to Unauthenticated Denial of Service

6.5

CVE-2024-1108

Feb 20, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) - Cross-Site Request Forgery via save_virtual_event_settings

6.5

CVE-2023-6244

Jan 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EventON - WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 - Cross-Site Request Forgery via evo_eventpost_update_meta

6.5

CVE-2023-6242

Jan 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EventON - WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 - Missing Authorization to Arbitrary Post Meta Update via evo_eventpost_update_meta

6.5

CVE-2023-6158

Jan 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

WP-Members Membership Plugin <= 3.4.8 - Missing Authorization to Sensitive Information Exposure

6.5

CVE-2023-6733

Jan 3, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Get Custom Field Values < 4.0 - Arbitrary Post Metadata Access

6.5

CVE-2021-24872

Nov 9, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Themify Shortcodes <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via themify_button Shortcode

6.4

CVE-2024-4567

May 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Breakdance <= 1.7.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via custom postmeta

6.4

CVE-2023-6854

May 3, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Fancy Elementor Flipbox <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Elementor Flipbox Widget

6.4

CVE-2024-2349

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
Bulgarisation for WooCommerce <= 3.0.14 - Missing Authorization	CVE-2024-0683	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	March 12, 2024
Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.1 - Missing Authorization	CVE-2024-0702	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	February 19, 2024
EleForms – All In One Form Integration including DB for Elementor <= 2.9.9.7 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-2082	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 16, 2024
Customily Product Personalizer <= 1.23.3 - Unauthenticated Stored Cross-Site Scripting	CVE-2024-1774	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 9, 2024
Contact Form Entries <= 1.2.9 - CSV Injection	CVE-2022-3604	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	October 21, 2022
WPForms Pro <= 1.7.6 - CSV Injection	CVE-2022-3574	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	October 19, 2022
Index Now <= 2.6.3 - Cross-Site Request Forgery via reset_form	CVE-2024-0428	7.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H	January 12, 2024
Post to CSV by BestWebSoft <= 1.3.8 - Authenticated (Author+) CSV Injection	CVE-2022-3393	6.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H	October 3, 2022
Classified Listing – Classified ads & Business Directory Plugin <= 3.0.4 - Missing Authorization	CVE-2024-1352	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	April 4, 2024
Beaver Themer <= 1.4.9 - Authenticated (Contributor+) Sensitive Information Exposure via shortcode	CVE-2023-6695	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	April 3, 2024
Redirects <= 1.2.1 - Missing Authorization via save	CVE-2024-1566	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L	February 27, 2024
Plugin Groups <= 2.0.6 - Missing Authorization to Unauthenticated Denial of Service	CVE-2024-1108	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L	February 20, 2024
EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.8 (Free) - Cross-Site Request Forgery via save_virtual_event_settings	CVE-2023-6244	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	January 9, 2024
EventON - WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 - Cross-Site Request Forgery via evo_eventpost_update_meta	CVE-2023-6242	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	January 9, 2024
EventON - WordPress Virtual Event Calendar Plugin Pro <= 4.5.4 & Free <= 2.2.7 - Missing Authorization to Arbitrary Post Meta Update via evo_eventpost_update_meta	CVE-2023-6158	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L	January 9, 2024
WP-Members Membership Plugin <= 3.4.8 - Missing Authorization to Sensitive Information Exposure	CVE-2023-6733	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	January 3, 2024
Get Custom Field Values < 4.0 - Arbitrary Post Metadata Access	CVE-2021-24872	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	November 9, 2021
Themify Shortcodes <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via themify_button Shortcode	CVE-2024-4567	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 8, 2024
Breakdance <= 1.7.0 - Authenticated(Contributor+) Stored Cross-Site Scripting via custom postmeta	CVE-2023-6854	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 3, 2024
Fancy Elementor Flipbox <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Elementor Flipbox Widget	CVE-2024-2349	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 29, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation