🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers, top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > Lucio Sá

Lucio Sá

All Time Ranking

237

All Time Discoveries

90 Day Published Submissions

7 Oct '24

Last Published Submission

10 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 1-20 of 237 Vulnerabilities

Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVE-2024-8433

Oct 7, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Spice Starter Sites <= 1.2.5 - Missing Authorization to Unauthenticated Demo Content Import

5.3

CVE-2024-8430

Sep 30, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table. <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update

6.3

CVE-2024-6590

Sep 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Settings Updates

4.3

CVE-2024-8434

Sep 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Authenticated (Subscriber+) SQL Injection

9.9

CVE-2024-8436

Sep 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Appointment & Event Booking Calendar Plugin – Webba Booking <= 5.0.48 - Missing Authorization to Authenticated (Subscriber+) CSS Settings Update

4.3

CVE-2024-8432

Sep 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation

4.3

CVE-2024-8437

Sep 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Classified Listing – Classified ads & Business Directory Plugin <= 3.1.7 - Missing Authorization

6.3

CVE-2024-7888

Sep 12, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update

4.3

CVE-2024-7721

Sep 10, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler

5.3

CVE-2024-7727

Sep 10, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Frontend Dashboard <= 2.2.4 - Authenticated (Subscriber+) Arbitrary Function Call

8.8

CVE-2024-8268

Sep 9, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Revision Manager TMC <= 2.8.19 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending

4.3

CVE-2024-7622

Sep 6, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVE-2024-8427

Sep 5, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Geo Controller <= 8.7.3 - Missing Authorization to Authenticated (Subscriber+) Menu Creation/Deletion

4.3

CVE-2024-7380

Sep 4, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Geo Controller <= 8.6.9 - Missing Authorization to Unauthenticated Shortcode Execution

5.3

CVE-2024-7381

Sep 4, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Media Library Folders <= 8.2.3 - Missing Authorization on Various Functions

6.3

CVE-2024-7858

Aug 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Premium Portfolio Features for Phlox theme <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-1384

Aug 28, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP Accessibility Helper <= 0.6.2.8 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

5.4

CVE-2024-5987

Aug 28, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free <= 3.7.3.2 - Missing Authorization to Unauthenticated Arbitrary Media Deletion

5.3

CVE-2024-5857

Aug 28, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Media Library Folders <= 8.2.2 - Authenticated (Subscriber+) Second-Order SQL Injection

9.8

CVE-2024-7857

Aug 28, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting	CVE-2024-8433	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	October 7, 2024
Spice Starter Sites <= 1.2.5 - Missing Authorization to Unauthenticated Demo Content Import	CVE-2024-8430	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	September 30, 2024
Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. Also, Display Google sheet as a Table. <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update	CVE-2024-6590	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	September 24, 2024
Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Settings Updates	CVE-2024-8434	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	September 24, 2024
WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Authenticated (Subscriber+) SQL Injection	CVE-2024-8436	9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	September 23, 2024
Appointment & Event Booking Calendar Plugin – Webba Booking <= 5.0.48 - Missing Authorization to Authenticated (Subscriber+) CSS Settings Update	CVE-2024-8432	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	September 23, 2024
WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation	CVE-2024-8437	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	September 23, 2024
Classified Listing – Classified ads & Business Directory Plugin <= 3.1.7 - Missing Authorization	CVE-2024-7888	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	September 12, 2024
HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update	CVE-2024-7721	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	September 10, 2024
HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler	CVE-2024-7727	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	September 10, 2024
Frontend Dashboard <= 2.2.4 - Authenticated (Subscriber+) Arbitrary Function Call	CVE-2024-8268	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	September 9, 2024
Revision Manager TMC <= 2.8.19 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending	CVE-2024-7622	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	September 6, 2024
Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update	CVE-2024-8427	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	September 5, 2024
Geo Controller <= 8.7.3 - Missing Authorization to Authenticated (Subscriber+) Menu Creation/Deletion	CVE-2024-7380	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	September 4, 2024
Geo Controller <= 8.6.9 - Missing Authorization to Unauthenticated Shortcode Execution	CVE-2024-7381	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	September 4, 2024
Media Library Folders <= 8.2.3 - Missing Authorization on Various Functions	CVE-2024-7858	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	August 29, 2024
Premium Portfolio Features for Phlox theme <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-1384	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	August 28, 2024
WP Accessibility Helper <= 0.6.2.8 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update	CVE-2024-5987	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	August 28, 2024
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free <= 3.7.3.2 - Missing Authorization to Unauthenticated Arbitrary Media Deletion	CVE-2024-5857	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	August 28, 2024
Media Library Folders <= 8.2.2 - Authenticated (Subscriber+) Second-Order SQL Injection	CVE-2024-7857	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	August 28, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation