🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Researchers > Krzysztof Zając

Krzysztof Zając

Organization: CERT PL

All Time Ranking

361

All Time Discoveries

About

Finding WordPress vulnerabilities using https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html

8 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 341-360 of 361 Vulnerabilities

Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button - Chaty <= 2.8.2 Reflected Cross-Site Scripting

6.1

CVE-2021-25016

Dec 6, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

UpdraftPlus WordPress Backup Plugin <= 1.16.65 - Reflected Cross-Site Scripting

6.1

CVE-2021-25022

Dec 6, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

PowerPack Addons for Elementor <= 2.6.1 - Reflected Cross-Site Scripting

6.1

CVE-2021-25027

Dec 6, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Site Reviews <= 5.17.2 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2021-24973

Dec 6, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WooCommerce PDF Invoices & Packing Slips <= 2.10.4 - Reflected Cross-Site Scripting via tab and section parameter

4.8

CVE-2021-24991

Dec 6, 2021

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Booking Calendar <= 8.9.1 - Reflected Cross-Site Scripting

6.1

CVE-2021-25040

Dec 6, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Events Made Easy <= 2.2.35 - Subscriber+ SQL Injection

8.8

CVE-2021-25030

Dec 6, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WP Coder <= 2.5.1 - Remote File Inclusion leading to Remote Code Execution via Cross-Site Request Forgery

8.8

CVE-2021-25053

Dec 5, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Modal Window – create popup modal window <= 5.2.1 - Cross-Site Request Forgery to Remote Code Execution

8.8

CVE-2021-25051

Dec 5, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Button Generator – easily Button Builder <= 2.3.2 - Cross-Site Request Forgery

8.8

CVE-2021-25052

Dec 5, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Modern Events Calendar Lite <= 6.1.6 - Subscriber+ Category Add Leading to Stored Cross-Site Scripting

5.4

CVE-2021-25046

Dec 3, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

WP RSS Aggregator <= 4.19.2 - Subscriber+ Stored Cross-Site Scripting

5.4

CVE-2021-24988

Nov 29, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Contact Form & Lead Form Elementor Builder <= 1.6.3 - Unauthenticated Stored Cross-Site Scripting

7.2

CVE-2021-24967

Nov 29, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WordPress Download Manager <= 3.2.21 - Cross-Site Scripting

6.4

CVE-2021-24969

Nov 29, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Modern Events Calendar Lite <= 6.1.4 - Unauthenticated Blind SQL Injection via time Parameter

9.8

CVE-2021-24946

Nov 15, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Modern Events Calendar Lite <= 6.1.0 - Reflected Cross-Site Scripting via current_month_divider parameter

6.1

CVE-2021-24925

Nov 15, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Like Button Rating <= 2.6.37 - Unauthorised Vote Export to Email & IP Addresses Disclosure

6.5

CVE-2021-24945

Nov 11, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Meks Easy Photo Feed Widget < 1.2.4 - Authenticated Stored Cross-Site Scripting

5.4

CVE-2021-24958

Nov 10, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Secure Copy Content Protection and Content Locking <= 2.8.1 - Unauthenticated SQL Injection

9.8

CVE-2021-24931

Nov 8, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Registrations for the Events Calendar <= 2.7.5 - Unauthenticated SQL Injection

9.8

CVE-2021-24943

Nov 8, 2021

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Floating Chat Widget: Contact Icons, Messages, Telegram, Email, SMS, Call Button - Chaty <= 2.8.2 Reflected Cross-Site Scripting	CVE-2021-25016	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 6, 2021
UpdraftPlus WordPress Backup Plugin <= 1.16.65 - Reflected Cross-Site Scripting	CVE-2021-25022	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 6, 2021
PowerPack Addons for Elementor <= 2.6.1 - Reflected Cross-Site Scripting	CVE-2021-25027	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 6, 2021
Site Reviews <= 5.17.2 - Unauthenticated Stored Cross-Site Scripting	CVE-2021-24973	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	December 6, 2021
WooCommerce PDF Invoices & Packing Slips <= 2.10.4 - Reflected Cross-Site Scripting via tab and section parameter	CVE-2021-24991	4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	December 6, 2021
Booking Calendar <= 8.9.1 - Reflected Cross-Site Scripting	CVE-2021-25040	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 6, 2021
Events Made Easy <= 2.2.35 - Subscriber+ SQL Injection	CVE-2021-25030	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	December 6, 2021
WP Coder <= 2.5.1 - Remote File Inclusion leading to Remote Code Execution via Cross-Site Request Forgery	CVE-2021-25053	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	December 5, 2021
Modal Window – create popup modal window <= 5.2.1 - Cross-Site Request Forgery to Remote Code Execution	CVE-2021-25051	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	December 5, 2021
Button Generator – easily Button Builder <= 2.3.2 - Cross-Site Request Forgery	CVE-2021-25052	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	December 5, 2021
Modern Events Calendar Lite <= 6.1.6 - Subscriber+ Category Add Leading to Stored Cross-Site Scripting	CVE-2021-25046	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	December 3, 2021
WP RSS Aggregator <= 4.19.2 - Subscriber+ Stored Cross-Site Scripting	CVE-2021-24988	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	November 29, 2021
Contact Form & Lead Form Elementor Builder <= 1.6.3 - Unauthenticated Stored Cross-Site Scripting	CVE-2021-24967	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	November 29, 2021
WordPress Download Manager <= 3.2.21 - Cross-Site Scripting	CVE-2021-24969	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	November 29, 2021
Modern Events Calendar Lite <= 6.1.4 - Unauthenticated Blind SQL Injection via time Parameter	CVE-2021-24946	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	November 15, 2021
Modern Events Calendar Lite <= 6.1.0 - Reflected Cross-Site Scripting via current_month_divider parameter	CVE-2021-24925	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	November 15, 2021
Like Button Rating <= 2.6.37 - Unauthorised Vote Export to Email & IP Addresses Disclosure	CVE-2021-24945	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	November 11, 2021
Meks Easy Photo Feed Widget < 1.2.4 - Authenticated Stored Cross-Site Scripting	CVE-2021-24958	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	November 10, 2021
Secure Copy Content Protection and Content Locking <= 2.8.1 - Unauthenticated SQL Injection	CVE-2021-24931	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	November 8, 2021
Registrations for the Events Calendar <= 2.7.5 - Unauthenticated SQL Injection	CVE-2021-24943	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	November 8, 2021

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation