All Time Ranking: 9
All Time Discoveries: 597
90 Day Published Submissions: 2
Last Published Submission: 26 May '26

About

As one of the top WordPress bug hunters, I specialize in providing professional, in-depth secure code reviews to help developers and organizations fortify their software. Please feel free to reach out for inquiries regarding contract work.

Resourceful Researcher (April 18, 2026)
Submitted LFI Vulnerability (September 30, 2025)
Submitted SQLi Vulnerability (July 30, 2025)
Refer a Researcher (March 21, 2025)
Submitted 200 Vulnerabilities (October 16, 2024)
Submitted XSS Vulnerability (September 4, 2024)
Submitted 100 Vulnerabilities (June 5, 2024)
Submitted 75 Vulnerabilities (May 21, 2024)
Submitted 50 Vulnerabilities (May 9, 2024)
Submitted 25 Vulnerabilities (April 19, 2024)
Submitted 10 Vulnerabilities (March 8, 2024)
Submitted 5 Vulnerabilities (February 20, 2024)
Submitted 1 Vulnerability (January 22, 2024)

Showing 1-20 of 597 Vulnerabilities

| Title | CVE ID | CVSS | Vector | Date |
| --- | --- | --- | --- | --- |
| CleanTalk Anti-Spam. Spam Firewall & Bot protection < 6.79 - Unauthenticated Stored Cross-Site Scripting | CVE-2026-8071 | 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | June 11, 2026 |
| Email Encoder – Protect Email Addresses and Phone Numbers < 2.4.7 - Unauthenticated Stored Cross-Site Scripting | CVE-2026-5776 | 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | June 11, 2026 |
| FV Flowplayer Video Player <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting via Comment Text | CVE-2026-7556 | 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | June 8, 2026 |
| Email Encoder < 0.3.12 (premium) < 1.0.25 (free) - Unauthenticated Stored Cross-Site Scripting | CVE-2026-5305 | 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | June 4, 2026 |
| Xpro Elementor Addons - Pro <= 1.4.7 - Authenticated (Contributor+) Arbitrary File Read via Draw SVG | CVE-2025-0898 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | May 26, 2026 |
| Widget Options <= 4.2.2 - Authenticated (Contributor+) Remote Code Execution via Display Logic | CVE-2026-2052 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | May 1, 2026 |
| Check & Log Email – Easy Email Testing & Mail logging < 2.0.13 - Unauthenticated Stored Cross-Site Scripting | CVE-2026-5306 | 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | April 28, 2026 |
| Autoptimize <= 3.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lazy-loaded Image Attributes | CVE-2026-2430 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | March 20, 2026 |
| JetEngine <= 3.7.2 - Authenticated (Contributor+) Remote Code Execution | CVE-2026-28134 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | February 26, 2026 |
| Responsive Lightbox & Gallery < 2.6.1 - Unauthenticated Stored Cross-Site Scripting | CVE-2025-15386 | 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N | February 3, 2026 |
| CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 - Unauthenticated Post Disclosure in class-cubewp-search-ajax-hooks.php | CVE-2025-6461 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | January 24, 2026 |
| MapSVG <= 8.7.3 - Authenticated (Contributor+) Arbitrary File Upload | CVE-2025-68562 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | December 24, 2025 |
| Brizy – Page Builder <= 2.7.16 - Authenticated (Contributor+) Sensitive Information Exposure via get_users Function | CVE-2025-0969 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | December 12, 2025 |
| a3 Lazy Load <= 2.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-9873 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | December 12, 2025 |
| Royal Elementor Addons and Templates <= 1.7.1036 - Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-6251 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | November 18, 2025 |
| Include fussball.de Widgets <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'api' and 'type' | CVE-2025-11129 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | November 10, 2025 |
| Delicious Recipes <= 1.9.0 - Authenticated (Contributor+) Arbitrary File Upload | CVE-2025-11755 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | October 31, 2025 |
| Kallyas <= 4.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | CVE-2025-6988 | 6.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | October 31, 2025 |
| Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution | CVE-2025-6990 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | October 31, 2025 |
| User Toolkit <= 1.2.3 - Unauthenticated Privilege Escalation | CVE-2024-50503 | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | October 28, 2025 |
