🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Researchers > Krzysztof Zając

Krzysztof Zając

Organization: CERT PL

All Time Ranking

353

All Time Discoveries

About

Finding WordPress vulnerabilities using https://kazet.cc/2022/02/03/fuzzing-wordpress-plugins.html

8 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 1-20 of 353 Vulnerabilities

Integrate Google Drive <= 1.3.8 - Missing Authorization to Unauthenticated Settings Modification and Export

10.0

CVE-2024-2086

Mar 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Timetable and Event Schedule by MotoPress <= 2.4.11 - Authenticated (Contributor+) SQL Injection

9.9

CVE-2024-3342

Apr 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Create by Mediavine <= 1.9.4 - Unauthenticated SQL Injection via 'id'

9.8

CVE-2024-1711

Mar 19, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WP eCommerce <= 3.15.1 - Unauthenticated SQL Injection

9.8

CVE-2024-1514

Feb 27, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor <= 2.8.2 - Unauthenticated SQL Injection

9.8

CVE-2024-1698

Feb 26, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.2.5 - Unauthenticated SQL Injection

9.8

CVE-2024-1512

Feb 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Estatik Real Estate Plugin <= 4.1.0 - Unauthenticated PHP Object Injection

9.8

CVE-2023-6049

Dec 25, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Hotel Booking Lite <= 4.8.4 - Insufficient Path Validation to Unauthenticated Arbitrary File Deletion and Download

9.8

CVE-2023-5991

Dec 1, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Welcart e-Commerce <= 2.9.4 - Unauthenticated PHP Object Injection

9.8

CVE-2023-5952

Nov 10, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Five Star Restaurant Menu and Food Ordering <= 2.4.10 - Unauthenticated PHP Object Injection

9.8

CVE-2023-5340

Oct 27, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WP Hotel Booking <= 2.0.7 - Unauthenticated SQL Injection

9.8

CVE-2023-5652

Oct 26, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 4.2.16 - Unauthenticated Plugin Settings Reset

9.8

CVE-2022-0444

Jun 6, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WP Block and Stop Bad Bots <= 6.88 - SQL Injection

9.8

CVE-2021-25070

Mar 8, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Popup Builder <= 4.1.0 - SQL Injection

9.8

CVE-2022-0479

Mar 7, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

WPCargo <= 6.8.9 - Unauthenticated Remote Code Execution

9.8

CVE-2021-25003

Feb 21, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Photo Gallery by 10Web <= 1.5.87 - Unauthenticated SQL Injection via bwg_tag_id_bwg_thumbnails_0 Parameter

9.8

CVE-2022-0169

Feb 15, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

NotificationX <= 2.3.8 - Blind SQL Injection

9.8

CVE-2022-0349

Feb 2, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Page Views Count Plugin <= 2.4.14 - Unauthenticated SQL Injection

9.8

CVE-2022-0434

Feb 1, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

TI WooCommerce Wishlist / TI WooCommerce Wishlist Pro < 1.40.1 - Unauthenticated SQL Injection

9.8

CVE-2022-0412

Jan 31, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Paid Memberships Pro <= 2.6.6 - Unauthenticated SQL Injection

9.8

CVE-2021-25114

Jan 7, 2022

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Integrate Google Drive <= 1.3.8 - Missing Authorization to Unauthenticated Settings Modification and Export	CVE-2024-2086	10.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L	March 29, 2024
Timetable and Event Schedule by MotoPress <= 2.4.11 - Authenticated (Contributor+) SQL Injection	CVE-2024-3342	9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	April 26, 2024
Create by Mediavine <= 1.9.4 - Unauthenticated SQL Injection via 'id'	CVE-2024-1711	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 19, 2024
WP eCommerce <= 3.15.1 - Unauthenticated SQL Injection	CVE-2024-1514	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 27, 2024
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor <= 2.8.2 - Unauthenticated SQL Injection	CVE-2024-1698	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 26, 2024
MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.2.5 - Unauthenticated SQL Injection	CVE-2024-1512	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 16, 2024
Estatik Real Estate Plugin <= 4.1.0 - Unauthenticated PHP Object Injection	CVE-2023-6049	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	December 25, 2023
Hotel Booking Lite <= 4.8.4 - Insufficient Path Validation to Unauthenticated Arbitrary File Deletion and Download	CVE-2023-5991	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	December 1, 2023
Welcart e-Commerce <= 2.9.4 - Unauthenticated PHP Object Injection	CVE-2023-5952	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	November 10, 2023
Five Star Restaurant Menu and Food Ordering <= 2.4.10 - Unauthenticated PHP Object Injection	CVE-2023-5340	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 27, 2023
WP Hotel Booking <= 2.0.7 - Unauthenticated SQL Injection	CVE-2023-5652	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 26, 2023
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin <= 4.2.16 - Unauthenticated Plugin Settings Reset	CVE-2022-0444	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	June 6, 2022
WP Block and Stop Bad Bots <= 6.88 - SQL Injection	CVE-2021-25070	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 8, 2022
Popup Builder <= 4.1.0 - SQL Injection	CVE-2022-0479	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	March 7, 2022
WPCargo <= 6.8.9 - Unauthenticated Remote Code Execution	CVE-2021-25003	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 21, 2022
Photo Gallery by 10Web <= 1.5.87 - Unauthenticated SQL Injection via bwg_tag_id_bwg_thumbnails_0 Parameter	CVE-2022-0169	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 15, 2022
NotificationX <= 2.3.8 - Blind SQL Injection	CVE-2022-0349	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 2, 2022
Page Views Count Plugin <= 2.4.14 - Unauthenticated SQL Injection	CVE-2022-0434	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	February 1, 2022
TI WooCommerce Wishlist / TI WooCommerce Wishlist Pro < 1.40.1 - Unauthenticated SQL Injection	CVE-2022-0412	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	January 31, 2022
Paid Memberships Pro <= 2.6.6 - Unauthenticated SQL Injection	CVE-2021-25114	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	January 7, 2022

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation