🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Wordfence Intelligence > Vulnerability Researchers > beluga

beluga

All Time Ranking

All Time Discoveries

Showing 21-40 of 60 Vulnerabilities

ARForms Form Builder <= 1.6.1 - Missing Authorization

4.3

CVE-2024-31270

Apr 5, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

ARForms Form Builder <= 1.6.1 - Cross-Site Request Forgery

4.3

CVE-2024-31272

Apr 5, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 4.10.1 - Unauthenticated Arbitrary File Download

5.3

CVE-2024-31343

Apr 5, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

WP Poll Maker <= 3.1 - Authenticated (Subscriber+) Arbitrary File Deletion

8.8

CVE-2024-31240

Apr 5, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

User Rights Access Manager <= 1.1.2 - Reflected Cross-Site Scripting

6.1

CVE-2024-31122

Mar 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

FG PrestaShop to WooCommerce <= 4.45.1 - Unauthenticated Sensitive Information Disclosure

5.3

CVE-2024-30511

Mar 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Kanban Boards for WordPress <= 2.5.21 - Reflected Cross-Site Scripting

6.1

CVE-2024-31103

Mar 29, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

New Order Notification for Woocommerce <= 2.0.2 - Missing Authorization

4.3

CVE-2024-31098

Mar 29, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

WP Hotel Booking <= 2.0.9.2 - Missing Authorization

5.3

CVE-2024-30508

Mar 28, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Finale Lite <= 2.18.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation

5.4

CVE-2024-30485

Mar 28, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

WP Travel Engine <= 5.7.9 - Authenticated (Administrator+) SQL Injection

9.1

CVE-2024-30504

Mar 28, 2024

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

WP Travel Engine <= 5.7.9 - Unauthenticated SQL Injection

10.0

CVE-2024-30502

Mar 28, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

WordPress Tooltips <= 9.4.3 - Authenticated (Contributor+) SQL Injection

9.9

CVE-2024-30243

Mar 26, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Premium Packages <= 5.8.2 - Reflected Cross-Site Scripting

6.1

CVE-2024-29924

Mar 25, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-29932

Mar 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

WP-Lister Lite for Amazon <= 2.6.8 - Reflected Cross-Site Scripting

6.1

CVE-2024-30199

Mar 25, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

PropertyHive <= 2.0.8 - Reflected Cross-Site Scripting

6.1

CVE-2024-29923

Mar 25, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Crypto Converter Widget <= 1.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

6.4

CVE-2024-29930

Mar 25, 2024

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Co-marquage service-public.fr <= 0.5.72 - Reflected Cross-Site Scripting via search_term

6.1

CVE-2024-29758

Mar 25, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Olive One Click Demo Import <= 1.1.1 - Missing Authorization

6.5

CVE-2024-2702

Mar 20, 2024

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Title	CVE ID	CVSS	Vector	Date
ARForms Form Builder <= 1.6.1 - Missing Authorization	CVE-2024-31270	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	April 5, 2024
ARForms Form Builder <= 1.6.1 - Cross-Site Request Forgery	CVE-2024-31272	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	April 5, 2024
MP3 Audio Player for Music, Radio & Podcast by Sonaar <= 4.10.1 - Unauthenticated Arbitrary File Download	CVE-2024-31343	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	April 5, 2024
WP Poll Maker <= 3.1 - Authenticated (Subscriber+) Arbitrary File Deletion	CVE-2024-31240	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	April 5, 2024
User Rights Access Manager <= 1.1.2 - Reflected Cross-Site Scripting	CVE-2024-31122	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 29, 2024
FG PrestaShop to WooCommerce <= 4.45.1 - Unauthenticated Sensitive Information Disclosure	CVE-2024-30511	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N	March 29, 2024
Kanban Boards for WordPress <= 2.5.21 - Reflected Cross-Site Scripting	CVE-2024-31103	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 29, 2024
New Order Notification for Woocommerce <= 2.0.2 - Missing Authorization	CVE-2024-31098	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	March 29, 2024
WP Hotel Booking <= 2.0.9.2 - Missing Authorization	CVE-2024-30508	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	March 28, 2024
Finale Lite <= 2.18.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation and Activation	CVE-2024-30485	5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N	March 28, 2024
WP Travel Engine <= 5.7.9 - Authenticated (Administrator+) SQL Injection	CVE-2024-30504	9.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	March 28, 2024
WP Travel Engine <= 5.7.9 - Unauthenticated SQL Injection	CVE-2024-30502	10.0	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H	March 28, 2024
WordPress Tooltips <= 9.4.3 - Authenticated (Contributor+) SQL Injection	CVE-2024-30243	9.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	March 26, 2024
Premium Packages <= 5.8.2 - Reflected Cross-Site Scripting	CVE-2024-29924	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 25, 2024
WordPress Meta Data and Taxonomies Filter (MDTF) <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2024-29932	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	March 25, 2024
WP-Lister Lite for Amazon <= 2.6.8 - Reflected Cross-Site Scripting	CVE-2024-30199	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 25, 2024
PropertyHive <= 2.0.8 - Reflected Cross-Site Scripting	CVE-2024-29923	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 25, 2024
Crypto Converter Widget <= 1.8.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode	CVE-2024-29930	6.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N	March 25, 2024
Co-marquage service-public.fr <= 0.5.72 - Reflected Cross-Site Scripting via search_term	CVE-2024-29758	6.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	March 25, 2024
Olive One Click Demo Import <= 1.1.1 - Missing Authorization	CVE-2024-2702	6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N	March 20, 2024

Share this researcher's vulnerability discoveries

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation