🦸 👻 Calling all superheroes and haunters! Introducing the Cybersecurity Month Spooktacular Haunt and the WordPress Superhero Challenge for the Wordfence Bug Bounty Program! Through November 11th, 2024, all in-scope vulnerability types for WordPress plugins/themes with >= 1,000 active installations are in-scope for ALL researchers, top-tier researchers earn automatic bonuses of between 10% to 120% for valid submissions, pending report limits are increased for all, and it's possible to earn up to $31,200 for high impact vulnerabilities!

Review what's in scope for your tier and updated bounties with bonuses here!

Wordfence Intelligence > Vulnerability Researchers > wesley (wcraft)

wesley (wcraft)

All Time Ranking

248

All Time Discoveries

90 Day Published Submissions

16 Oct '24

Last Published Submission

10 Achievements

Learn more about Achievements

Learn more Learn more about Achievements

Showing 1-20 of 248 Vulnerabilities

WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover

9.8

CVE-2024-9263

Oct 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover

8.8

CVE-2024-9215

Oct 16, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Nextend Social Login Pro <= 3.1.14 - Authentication Bypass

9.8

CVE-2024-9893

Oct 15, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AppPresser – Mobile App Framework <= 4.4.4 - Privilege Escalation and Account Takeover via Weak OTP

8.1

CVE-2024-9305

Oct 15, 2024

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Slider Revolution <= 6.7.18 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVE-2024-8107

Sep 30, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Starter Templates <= 4.4.0 - Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVE-2024-47345

Sep 27, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.12 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation

8.8

CVE-2024-8290

Sep 24, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

REST API TO MiniProgram <= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover

9.8

CVE-2024-8485

Sep 24, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

REST API TO MiniProgram <= 4.7.1 - Unauthenticated SQL Injection

7.5

CVE-2024-8484

Sep 24, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Ninja Forms Contact Form <= 3.8.15 - Reflected Self-Based Cross-Site Scripting via Referer

4.7

CVE-2024-3866

Sep 24, 2024

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress <= 1.8.1.14 - Insecure Direct Object Reference to Account Takeover and Privilege Escalation

9.8

CVE-2024-8791

Sep 23, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

BA Book Everything <= 1.6.20 - Unauthenticated Arbitrary User Password Reset

5.3

CVE-2024-8794

Sep 23, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

BA Book Everything <= 1.6.20 - Cross-Site Request Forgery to Email Address Update/Account Takeover

8.8

CVE-2024-8795

Sep 23, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

PropertyHive <= 2.0.19 - Cross-Site Request Forgery via save_account_details

8.8

CVE-2024-8490

Sep 16, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.11 - Authenticated (Contributor+) Privilege Escalation

8.8

CVE-2024-8246

Sep 13, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Betheme | Responsive Multipurpose WordPress & WooCommerce Theme <= 27.5.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File

6.4

CVE-2024-5567

Sep 12, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Avada | Website Builder For WordPress & eCommerce <= 3.11.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via fusion_button Shortcode

6.4

CVE-2024-5628

Sep 12, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Unauthorized User Registration

7.3

CVE-2024-8269

Sep 12, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Elementor Website Builder – More than Just a Page Builder <= 3.23.4 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets

5.4

CVE-2024-5416

Sep 10, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Post Grid and Gutenberg Blocks 2.2.87 - 2.2.90 - Authenticated (Subscriber+) Privilege Escalation

8.8

CVE-2024-8253

Sep 10, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Title	CVE ID	CVSS	Vector	Date
WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover	CVE-2024-9263	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 16, 2024
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover	CVE-2024-9215	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	October 16, 2024
Nextend Social Login Pro <= 3.1.14 - Authentication Bypass	CVE-2024-9893	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	October 15, 2024
AppPresser – Mobile App Framework <= 4.4.4 - Privilege Escalation and Account Takeover via Weak OTP	CVE-2024-9305	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	October 15, 2024
Slider Revolution <= 6.7.18 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload	CVE-2024-8107	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 30, 2024
Starter Templates <= 4.4.0 - Authenticated (Author+) Stored Cross-Site Scripting	CVE-2024-47345	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 27, 2024
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.12 - Insecure Direct Object Reference to Account Takeover/Privilege Escalation	CVE-2024-8290	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	September 24, 2024
REST API TO MiniProgram <= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover	CVE-2024-8485	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	September 24, 2024
REST API TO MiniProgram <= 4.7.1 - Unauthenticated SQL Injection	CVE-2024-8484	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	September 24, 2024
Ninja Forms Contact Form <= 3.8.15 - Reflected Self-Based Cross-Site Scripting via Referer	CVE-2024-3866	4.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N	September 24, 2024
Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress <= 1.8.1.14 - Insecure Direct Object Reference to Account Takeover and Privilege Escalation	CVE-2024-8791	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	September 23, 2024
BA Book Everything <= 1.6.20 - Unauthenticated Arbitrary User Password Reset	CVE-2024-8794	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	September 23, 2024
BA Book Everything <= 1.6.20 - Cross-Site Request Forgery to Email Address Update/Account Takeover	CVE-2024-8795	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	September 23, 2024
PropertyHive <= 2.0.19 - Cross-Site Request Forgery via save_account_details	CVE-2024-8490	8.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	September 16, 2024
Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) <= 2.8.11 - Authenticated (Contributor+) Privilege Escalation	CVE-2024-8246	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	September 13, 2024
Betheme \| Responsive Multipurpose WordPress & WooCommerce Theme <= 27.5.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File	CVE-2024-5567	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 12, 2024
Avada \| Website Builder For WordPress & eCommerce <= 3.11.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via fusion_button Shortcode	CVE-2024-5628	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	September 12, 2024
MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Unauthorized User Registration	CVE-2024-8269	7.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L	September 12, 2024
Elementor Website Builder – More than Just a Page Builder <= 3.23.4 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets	CVE-2024-5416	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N	September 10, 2024
Post Grid and Gutenberg Blocks 2.2.87 - 2.2.90 - Authenticated (Subscriber+) Privilege Escalation	CVE-2024-8253	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	September 10, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation