🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Researchers > Joshua Chan

Joshua Chan

All Time Ranking

All Time Discoveries

About

Penetration Tester, Security Researcher

Showing 1-20 of 97 Vulnerabilities

WooCommerce Shipping Label <= 2.3.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

3.3

CVE-2024-32834

Apr 22, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

WP Discourse <= 2.5.1 - Missing Authorization

4.3

CVE-2024-35168

May 10, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.0 - Cross-Site Request Forgery

4.3

CVE-2024-34817

May 9, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress <= 3.1.3 - Cross-Site Request Forgery

4.3

CVE-2024-32947

Apr 22, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

SEO Booster <= 3.8.9 - Cross-Site Request Forgery

4.3

CVE-2024-32438

Apr 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Wallet System for WooCommerce <= 2.5.9 - Cross-Site Request Forgery

4.3

CVE-2024-32446

Apr 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

WP Client Reports <= 1.0.22 - Cross-Site Request Forgery

4.3

CVE-2024-32439

Apr 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Ads.txt Admin <= 1.3 - Cross-Site Request Forgery

4.3

CVE-2024-32448

Apr 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Sync Post With Other Site <= 1.5.1 - Cross-Site Request Forgery

4.3

CVE-2024-32082

Apr 11, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

ReDi Restaurant Reservation <= 24.0128 - Cross-Site Request Forgery via redi_restaurant_admin_options_page()

4.3

CVE-2024-31385

Apr 10, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Benchmark Email Lite <= 4.1 - Cross-Site Request Forgery via page_settings()

4.3

CVE-2024-31360

Apr 8, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

RegistrationMagic <= 5.3.0.0 - Cross-Site Request Forgery

4.3

CVE-2024-2951

Mar 26, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

DSGVO All in one for WP <= 4.3 - Cross-Site Request Forgery

4.3

CVE-2024-27967

Mar 13, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Debug Log Manager <= 2.2.1 - Missing Authorization

4.3

CVE-2023-6136

Nov 23, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Archives Calendar Widget <= 1.0.15 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-33950

Apr 30, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Meks Smart Social Widget <= 1.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-33693

Apr 26, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

CF7 File Download – File Download for CF7 <= 2.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-33697

Apr 26, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Fan Page Widget by ThemeNcode <= 2.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-33695

Apr 26, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Smart Recent Posts Widget <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-33692

Apr 26, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Ad Widget <= 2.20.0 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-33696

Apr 26, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
WooCommerce Shipping Label <= 2.3.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting	CVE-2024-32834	3.3	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N	April 22, 2024
WP Discourse <= 2.5.1 - Missing Authorization	CVE-2024-35168	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 10, 2024
Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.0 - Cross-Site Request Forgery	CVE-2024-34817	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	May 9, 2024
WP ADA Compliance Check Basic – Most Comprehensive Web Accessibility Solution for WordPress <= 3.1.3 - Cross-Site Request Forgery	CVE-2024-32947	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 22, 2024
SEO Booster <= 3.8.9 - Cross-Site Request Forgery	CVE-2024-32438	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 12, 2024
Wallet System for WooCommerce <= 2.5.9 - Cross-Site Request Forgery	CVE-2024-32446	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 12, 2024
WP Client Reports <= 1.0.22 - Cross-Site Request Forgery	CVE-2024-32439	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 12, 2024
Ads.txt Admin <= 1.3 - Cross-Site Request Forgery	CVE-2024-32448	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 12, 2024
Sync Post With Other Site <= 1.5.1 - Cross-Site Request Forgery	CVE-2024-32082	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 11, 2024
ReDi Restaurant Reservation <= 24.0128 - Cross-Site Request Forgery via redi_restaurant_admin_options_page()	CVE-2024-31385	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 10, 2024
Benchmark Email Lite <= 4.1 - Cross-Site Request Forgery via page_settings()	CVE-2024-31360	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 8, 2024
RegistrationMagic <= 5.3.0.0 - Cross-Site Request Forgery	CVE-2024-2951	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	March 26, 2024
DSGVO All in one for WP <= 4.3 - Cross-Site Request Forgery	CVE-2024-27967	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	March 13, 2024
Debug Log Manager <= 2.2.1 - Missing Authorization	CVE-2023-6136	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L	November 23, 2023
Archives Calendar Widget <= 1.0.15 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-33950	4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N	April 30, 2024
Meks Smart Social Widget <= 1.6.4 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-33693	4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N	April 26, 2024
CF7 File Download – File Download for CF7 <= 2.0 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-33697	4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N	April 26, 2024
Fan Page Widget by ThemeNcode <= 2.0 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-33695	4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N	April 26, 2024
Smart Recent Posts Widget <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-33692	4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N	April 26, 2024
WordPress Ad Widget <= 2.20.0 - Authenticated (Admin+) Stored Cross-Site Scripting	CVE-2024-33696	4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N	April 26, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation