🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Researchers > Marc-Alexandre Montpas

Marc-Alexandre Montpas

All Time Ranking

All Time Discoveries

Showing 1-20 of 49 Vulnerabilities

All in One SEO <= 2.2.4.1 - Privilege Escalation to Arbitrary Post Modification

4.3

CVE ID Unknown

May 31, 2014

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Pagelayer <= 1.7.9 - Authenticated(Administrator+) Stored Cross-Site Scripting via Header/Footer code

4.4

CVE-2023-5124

Jan 31, 2024

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

WordPress Core 4.7.0 - 6.3.1 - Sensitive Information Exposure via User Search REST Endpoint

5.3

CVE-2023-5561

Oct 12, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Smash Balloon Social Post Feed <= 4.0 - Arbitrary Plugin Settings Update to Stored Cross-Site Scripting

5.4

CVE-2021-24918

Oct 29, 2021

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

WP Google Maps <= 9.0.27 - Unauthenticated Stored Cross-Site Scripting via REST API

6.1

CVE-2023-6627

Dec 18, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Popup Builder <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting

6.1

CVE-2023-6000

Dec 11, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

WordPress Core < 5.5.2 - Reflected Cross-Site Scripting via Global Variables

6.1

CVE-2020-28034

Oct 29, 2020

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Media from FTP <= 11.15 - Improper Privilege Management

6.3

CVE ID Unknown

Jul 31, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

All in One SEO <= 2.1.5 - Missing Authorization

6.3

CVE ID Unknown

May 31, 2014

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Page Builder: Pagelayer <= 1.7.7 - Authenticated (Author+) Stored Cross-Site Scripting via Header/Footer

6.4

CVE-2023-5087

Sep 25, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Limit Login Attempts <= 1.7.1 - Authenticated(Subscriber+) Stored Cross-Site Scripting

6.4

CVE-2023-1861

Apr 10, 2023

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Elementor Website Builder <= 2.7.5 - Stored Cross-Site Scripting

6.4

CVE ID Unknown

Jan 29, 2020

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WordPress Core < 4.7.3 - Authenticated Cross-Site Scripting in Youtube URL Embeds

6.4

CVE-2017-6817

Mar 6, 2017

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

All in One SEO <= 2.1.5 - Cross-Site Scripting

6.4

CVE ID Unknown

May 31, 2014

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

UpdraftPlus WordPress Backup Plugin < 1.22.3 - Sensitive Information Disclosure

6.5

CVE-2022-0633

Feb 17, 2022

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Page Builder: Pagelayer – Drag and Drop website builder <= 1.7.6 - Missing Authorization to Stored Cross-Site Scripting

7.2

CVE-2023-4687

Sep 25, 2023

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

bbPress < 2.5.9 - Stored Cross-Site Scripting

7.2

CVE ID Unknown

May 3, 2016

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Jetpack <= 3.7.1 - Stored Cross-Site Scripting

7.2

CVE ID Unknown

Oct 1, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WP Super Cache < 1.4.3 - Cross Site Scripting

7.2

CVE ID Unknown

Apr 7, 2015

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

WP Statistics < 8.3.1 - Multiple Cross-Site Scripting

7.2

CVE ID Unknown

Nov 20, 2014

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
All in One SEO <= 2.2.4.1 - Privilege Escalation to Arbitrary Post Modification		4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	May 31, 2014
Pagelayer <= 1.7.9 - Authenticated(Administrator+) Stored Cross-Site Scripting via Header/Footer code	CVE-2023-5124	4.4	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N	January 31, 2024
WordPress Core 4.7.0 - 6.3.1 - Sensitive Information Exposure via User Search REST Endpoint	CVE-2023-5561	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	October 12, 2023
Smash Balloon Social Post Feed <= 4.0 - Arbitrary Plugin Settings Update to Stored Cross-Site Scripting	CVE-2021-24918	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	October 29, 2021
WP Google Maps <= 9.0.27 - Unauthenticated Stored Cross-Site Scripting via REST API	CVE-2023-6627	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 18, 2023
Popup Builder <= 4.2.2 - Unauthenticated Stored Cross-Site Scripting	CVE-2023-6000	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	December 11, 2023
WordPress Core < 5.5.2 - Reflected Cross-Site Scripting via Global Variables	CVE-2020-28034	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	October 29, 2020
Media from FTP <= 11.15 - Improper Privilege Management		6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	July 31, 2023
All in One SEO <= 2.1.5 - Missing Authorization		6.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	May 31, 2014
Page Builder: Pagelayer <= 1.7.7 - Authenticated (Author+) Stored Cross-Site Scripting via Header/Footer	CVE-2023-5087	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 25, 2023
Limit Login Attempts <= 1.7.1 - Authenticated(Subscriber+) Stored Cross-Site Scripting	CVE-2023-1861	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	April 10, 2023
Elementor Website Builder <= 2.7.5 - Stored Cross-Site Scripting		6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	January 29, 2020
WordPress Core < 4.7.3 - Authenticated Cross-Site Scripting in Youtube URL Embeds	CVE-2017-6817	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	March 6, 2017
All in One SEO <= 2.1.5 - Cross-Site Scripting		6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	May 31, 2014
UpdraftPlus WordPress Backup Plugin < 1.22.3 - Sensitive Information Disclosure	CVE-2022-0633	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	February 17, 2022
Page Builder: Pagelayer – Drag and Drop website builder <= 1.7.6 - Missing Authorization to Stored Cross-Site Scripting	CVE-2023-4687	7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	September 25, 2023
bbPress < 2.5.9 - Stored Cross-Site Scripting		7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	May 3, 2016
Jetpack <= 3.7.1 - Stored Cross-Site Scripting		7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	October 1, 2015
WP Super Cache < 1.4.3 - Cross Site Scripting		7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	April 7, 2015
WP Statistics < 8.3.1 - Multiple Cross-Site Scripting		7.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N	November 20, 2014

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation