Wordfence Intelligence   >   Vulnerability Researchers   >   Miguel Santareno

Miguel Santareno

304
All Time Ranking
14
All Time Discoveries
0
90 Day Published Submissions
17 Feb '26
Last Published Submission

About

OSINT, Darknet, Bug Bounty :)

3 Achievements

Learn more about Achievements
Submitted 5 Vulnerabilities
Submitted 5 Vulnerabilities
February 17, 2026
Submitted XSS Vulnerability
Submitted XSS Vulnerability
September 9, 2025
Submitted 1 Vulnerability
Submitted 1 Vulnerability
September 9, 2024
Learn more Learn more about Achievements

14 Vulnerabilities

Membership Plugin – Restrict Content <= 3.2.18 - Authenticated (Administrator+) Stored Cross-Site Scripting via Invoice Settings
4.4
CVE-2026-1304
Feb 17, 2026
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Welcart e-Commerce <= 2.11.22 - Authenticated (Editor+) Stored Cross-Site Scripting via order_mail
5.5
CVE-2025-10651
Oct 21, 2025
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
The Events Calendar <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure
5.3
CVE-2025-9808
Sep 15, 2025
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Welcart e-Commerce <= 2.11.20 - Authenticated (Editor+) Stored Cross-Site Scripting
5.5
CVE-2025-9367
Sep 9, 2025
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
EventPrime <= 4.0.4.3 - Missing Authorization to Unauthenticated Private or Password-Protected Events Disclosure
5.3
CVE-2024-8369
Sep 9, 2024
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.7 (Free) - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVE-2023-6005
Jan 10, 2024
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
EventPrime <= 3.3.5 - Missing Authorization to Private Event Disclosure
5.3
CVE-2023-6447
Dec 29, 2023
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EventON <= 2.1.7 - Authenticated (Admin+) HTML Injection
3.0
CVE-2023-6046
Nov 9, 2023
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N
EventPrime < 3.2.0 - Reflected Cross-Site Scripting via keyword and ep_filter_date
6.1
CVE-2023-4250
Oct 9, 2023
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EventPrime < 3.2.0 - Reflected HTML Content Injection
4.3
CVE-2023-5238
Oct 9, 2023
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EventON <= 2.1.7 - Authenticated (Admin+) Stored Cross-Site Scripting
4.4
CVE-2023-4388
Sep 21, 2023
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Elementor <= 3.5.4 - DOM-Based iFrame Injection
6.1
CVE-2022-4953
Jul 19, 2023
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EventON <= 2.1 - Insecure Direct Object Reference to Unauthorized Post Access
7.5
CVE-2023-3219
Jun 19, 2023
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EventON <= 2.1 - Missing Authorization to Event Access
5.3
CVE-2023-2796
Jun 19, 2023
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Title CVE ID CVSS Vector Date
Membership Plugin – Restrict Content <= 3.2.18 - Authenticated (Administrator+) Stored Cross-Site Scripting via Invoice Settings CVE-2026-1304 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N February 17, 2026
Welcart e-Commerce <= 2.11.22 - Authenticated (Editor+) Stored Cross-Site Scripting via order_mail CVE-2025-10651 5.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N October 21, 2025
The Events Calendar <= 6.15.2 - Missing Authorization to Unauthenticated Password-Protected Information Disclosure CVE-2025-9808 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N September 15, 2025
Welcart e-Commerce <= 2.11.20 - Authenticated (Editor+) Stored Cross-Site Scripting CVE-2025-9367 5.5 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N September 9, 2025
EventPrime <= 4.0.4.3 - Missing Authorization to Unauthenticated Private or Password-Protected Events Disclosure CVE-2024-8369 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N September 9, 2024
EventON - WordPress Virtual Event Calendar Plugin <= 4.5.4 (Pro) & <= 2.2.7 (Free) - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2023-6005 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N January 10, 2024
EventPrime <= 3.3.5 - Missing Authorization to Private Event Disclosure CVE-2023-6447 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N December 29, 2023
EventON <= 2.1.7 - Authenticated (Admin+) HTML Injection CVE-2023-6046 3.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N November 9, 2023
EventPrime < 3.2.0 - Reflected Cross-Site Scripting via keyword and ep_filter_date CVE-2023-4250 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N October 9, 2023
EventPrime < 3.2.0 - Reflected HTML Content Injection CVE-2023-5238 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N October 9, 2023
EventON <= 2.1.7 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2023-4388 4.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N September 21, 2023
Elementor <= 3.5.4 - DOM-Based iFrame Injection CVE-2022-4953 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N July 19, 2023
EventON <= 2.1 - Insecure Direct Object Reference to Unauthorized Post Access CVE-2023-3219 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N June 19, 2023
EventON <= 2.1 - Missing Authorization to Event Access CVE-2023-2796 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N June 19, 2023

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation