🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Researchers > Lucio Sá

Lucio Sá

All Time Ranking

126

All Time Discoveries

8 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 1-20 of 126 Vulnerabilities

ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.27 - Missing Authorization

4.3

CVE-2024-3609

May 16, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Alt Text AI – Automatically generate image alt text for SEO and accessibility <= 1.4.9 - Authenticated (Subscriber+) SQL Injection

8.8

CVE-2024-4847

May 14, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

WP Compress – Image Optimizer [All-In-One] <= 6.20.01 - Missing Authorization

6.5

CVE-2024-4445

May 13, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Starter Templates — Elementor, WordPress & Beaver Builder Templates <= 4.1.6 - Authenticated (Contributor+) Server-Side Request Forgery

4.3

CVE-2024-1467

May 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Pure Chat – Live Chat Plugin & More! <= 2.22 - Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVE-2024-3595

May 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Swift Performance Lite <= 2.3.6.18 - Incorrect Authorization to Authenticated (Subscriber+) Settings Modification

5.4

CVE-2024-3722

May 8, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Stop Spammers Security | Block Spam Users, Comments, Forms <= 2024.4 - Cross-Site Request Forgery (CSRF) via sfs_process

5.4

CVE-2023-7065

May 3, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Follow Us Badges <= 3.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpsite_follow_us_badges Shortcode

6.4

CVE-2024-3280

May 1, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.3.8 - Missing Authorization

6.3

CVE-2024-3942

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Woo Total Sales <= 3.1.4 - Missing Authorization to Unauthenticated Sales Report Retrieval

5.3

CVE-2024-1688

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce <= 3.4.7 - Authenticated(Subscriber+) Stored Cross-Site Scripting via Templates

6.4

CVE-2024-1679

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce <= 3.4.7 - Improper Authorization

6.3

CVE-2024-1677

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Different Menu in Different Pages – Control Menu Visibility (All in One) <= 2.3.2 - Missing Authorization to Menu Duplication

4.3

CVE-2024-3206

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) <= 5.2.3 - Missing Authorization

5.4

CVE-2024-1809

Apr 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Admin Bar Remover <= 1.0.2.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVE-2024-1716

Apr 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion

7.1

CVE-2024-1945

Apr 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

PropertyHive <= 2.0.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

4.3

CVE-2024-3607

Apr 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Classified Listing – Classified ads & Business Directory Plugin <= 3.0.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion

5.3

CVE-2024-3893

Apr 24, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

WP Datepicker <= 2.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVE-2024-3895

Apr 23, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! <= 2.1.2 - Missing Authorization to Subscriber+ Arbitrary Post Creation

4.3

CVE-2024-0900

Apr 22, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
ReviewX – Multi-criteria Rating & Reviews for WooCommerce <= 1.6.27 - Missing Authorization	CVE-2024-3609	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 16, 2024
Alt Text AI – Automatically generate image alt text for SEO and accessibility <= 1.4.9 - Authenticated (Subscriber+) SQL Injection	CVE-2024-4847	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	May 14, 2024
WP Compress – Image Optimizer [All-In-One] <= 6.20.01 - Missing Authorization	CVE-2024-4445	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N	May 13, 2024
Starter Templates — Elementor, WordPress & Beaver Builder Templates <= 4.1.6 - Authenticated (Contributor+) Server-Side Request Forgery	CVE-2024-1467	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 8, 2024
Pure Chat – Live Chat Plugin & More! <= 2.22 - Authenticated (Subscriber+) Stored Cross-Site Scripting	CVE-2024-3595	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 8, 2024
Swift Performance Lite <= 2.3.6.18 - Incorrect Authorization to Authenticated (Subscriber+) Settings Modification	CVE-2024-3722	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	May 8, 2024
Stop Spammers Security \| Block Spam Users, Comments, Forms <= 2024.4 - Cross-Site Request Forgery (CSRF) via sfs_process	CVE-2023-7065	5.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L	May 3, 2024
Follow Us Badges <= 3.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpsite_follow_us_badges Shortcode	CVE-2024-3280	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 1, 2024
MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.3.8 - Missing Authorization	CVE-2024-3942	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	April 29, 2024
Woo Total Sales <= 3.1.4 - Missing Authorization to Unauthenticated Sales Report Retrieval	CVE-2024-1688	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	April 29, 2024
Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce <= 3.4.7 - Authenticated(Subscriber+) Stored Cross-Site Scripting via Templates	CVE-2024-1679	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 29, 2024
Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce <= 3.4.7 - Improper Authorization	CVE-2024-1677	6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	April 29, 2024
Different Menu in Different Pages – Control Menu Visibility (All in One) <= 2.3.2 - Missing Authorization to Menu Duplication	CVE-2024-3206	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	April 29, 2024
Analytify – Google Analytics Dashboard For WordPress (GA4 analytics made easy) <= 5.2.3 - Missing Authorization	CVE-2024-1809	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	April 29, 2024
Admin Bar Remover <= 1.0.2.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update	CVE-2024-1716	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	April 26, 2024
ARForms Form Builder <= 1.6.4 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Option Deletion	CVE-2024-1945	7.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H	April 25, 2024
PropertyHive <= 2.0.12 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion	CVE-2024-3607	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L	April 24, 2024
Classified Listing – Classified ads & Business Directory Plugin <= 3.0.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Deletion	CVE-2024-3893	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	April 24, 2024
WP Datepicker <= 2.1.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update	CVE-2024-3895	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 23, 2024
Elespare – Build Your Blog, News & Magazine Websites with Expert-Designed Template Kits. One Click Import: No Coding Skills Required! <= 2.1.2 - Missing Authorization to Subscriber+ Arbitrary Post Creation	CVE-2024-0900	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	April 22, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation