CVE List
The Beginning
I started my journey in CVE hunting in late 2022. My friend Rafshanzani Suhada introduced me to how to report a WordPress plugin vulnerability to WPScan. And then, CVE-2022-3074 became my first-ever CVE.
After my first CVE was published, I conducted some research on open-source projects on GitHub and discovered a Host Header Injection vulnerability in Feehi CMS, which was assigned CVE-2022-38796.
Massive Hunt in 2023
In 2023, I conducted a massive hunt on WordPress plugins, creating a bot to detect vulnerabilities in them, and then reported the issues through Patchstack. During that year, I obtained more than 100 CVEs.
These are some of the CVEs I found in 2023.
WordPress Plugins
| CVE ID | Title |
|---|---|
| CVE-2022-3074 | Slider Hero < 8.4.4 - Admin+ Stored Cross-Site Scripting |
| CVE-2023-22714 | Coming Soon by Supsystic <= 1.7.10 - Cross-Site Request Forgery |
| CVE-2023-23718 | Page Loading Effects <= 2.0.0 - Admin+ Stored Cross-Site Scripting |
| CVE-2023-23864 | Very Simple Google Maps <= 2.8.4 - Contributor+ Cross-Site Scripting |
| CVE-2023-23728 | WP Flipclock <= 1.7.4 - Contributor+ Cross-Site Scripting |
| CVE-2023-23989 | RegistrationMagic <= 5.1.9.2 - Unauthenticated HTML Injection |
| CVE-2023-23722 | WP eBay Product Feeds <= 3.3.1 - Admin+ Stored Cross-Site Scripting |
| CVE-2023-23895 | WP Time Slots Booking Form <= 1.1.82 - Broken Access Control |
| CVE-2023-23976 | RegistrationMagic <= 5.1.9.2 - Improper Authorization to Price Change |
| CVE-2023-23979 | Quick Event Manager <= 9.7.4 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2023-24379 | WordPress Landing Page Builder <= 3.1.9.8 - Editor+ Local File Inclusion |
More published CVEs are listed on my Wordfence profile.
Other Open Source Projects
| CVE ID | Title |
|---|---|
| CVE-2022-38796 | Feehi CMS 2.1.1 - Host Header Injection |
| CVE-2022-46074 | Helmet Store Showroom v1.0 - Login Page SQL Injection |
| CVE-2022-46443 | Bang Resto v1.0 - Authenticated SQL Injection |
| CVE-2023-24320 | Axcora POS #0~gitf77ec09 - Broken Authentication |
And many more.
What's Next?
Well, this year, I decided to prioritize quality over quantity. I am focusing on hunting CVEs in popular projects or searching specifically for critical or high-severity vulnerabilities only.