oolongeya

•Experience

•Vulnerability Reports

• CVE-*

  *

  *******Github Certified

  * *+
  *

• *

  *Github Certified

  +
  *

• Incorrect Authorization

  Github Certified

  Medium+

• CVE-2026-3589

  Arbitrary Admin User Creation via CSRF

  WooCommerce200M+ downloads

  7.5 High+
  The plugin does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

• CVE-2026-5133

  Missing Authorization in Content AI Bulk Actions

  Rank Math SEO3M+ downloads

  8.1 High+
  A low-privileged user can submit arbitrary post IDs through Content AI bulk actions and trigger unauthorized processing of protected content.

• CVE-2026-5143

  Authorization Flaw in updateMetaBulk Endpoint

  Rank Math SEO3M+ downloads

  6.5 Medium+
  Insufficient authorization checks in the term path can allow unauthorized post title modification under ID-collision conditions.

• CVE-2026-5151

  Object-Level Authorization Mismatch in updateSchemas

  Rank Math SEO3M+ downloads

  7.7 High+
  A low-privileged user can pass permission checks with their own object ID and overwrite metadata rows of other users by targeting foreign meta IDs.

• CVE-2026-5427

  Contributor SSRF and Upload Restriction Bypass via Block URL Import

  KubioWordPress Plugin

  8.8 High+
  A low-privileged contributor can inject attacker-controlled URLs into Kubio block attributes to trigger server-side fetches and save responses into public uploads. This enables SSRF-like access to internal resources and unauthorized data exposure despite normal media upload restrictions.

• KVE-2026-0321

  Admin Privilege Escalation

  Report SolutionKISA Certified

  7.5 High₩3,300,000+
  By taking over admin privileges, restricted features can be controlled.

• KVE-2026-0318

  Admin Privilege Escalation

  Report SolutionKISA Certified

  7.5 High₩3,300,000+
  By taking over admin privileges, restricted features can be controlled.

•Bug Bounty

• Private Program

  Improper Access Control

  HackerOne Certified

  2026|8.7 High$?,???+
  bypassing authorization checks on an internal write endpoint.

• Private Program

  Improper Access Control

  HackerOne Certified

  2026|7.5 High$???+
  Unauthenticated access and large-scale data exposure are possible through API abuse.

• PayPal

  Open Redirect

  HackerOne Certified

  2026|3.4 Low$400+
  A malicious phishing link under a PayPal domain can be generated and redirect users to a malicious site when clicked.

• Automattic

  Improper Access Control

  HackerOne Certified

  2026|7.5 High$400+
  The plugin does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.

• Automattic

  Cross-Site Request Forgery CSRF

  HackerOne Certified

  2026|3.9 Low$100+
  CSRF is possible via a nonce-bypass request.

• Rank Math SEO

  Missing Authorization

  Wordfence Certified

  2026|8.1 High$20+
  A low-privileged user can queue unauthorized bulk processing on protected posts through Content AI bulk actions.

• Rank Math SEO

  Improper Access Control

  Wordfence Certified

  2026|6.5 Medium$20+
  Authorization weakness in updateMetaBulk can lead to unauthorized post title updates in specific ID-collision scenarios.

• Rank Math SEO

  Improper Access Control

  Wordfence Certified

  2026|7.7 High$20+
  An object-level authorization mismatch in updateSchemas allows unauthorized overwrite of foreign post metadata.