Hacked.be
About Me
Hello world! I'm Rein Daelman, a passionate cybersecurity researcher and bug bounty hunter. I specialize in web application security and love white/graybox security testing. My hacker alias is "trein"; you can find me on most bug bounty platforms.
My CVEs (10)
CVE ID | Description | Severity |
---|---|---|
CVE-2024-13887 | Business Directory Plugin - Easy Listing Directories for WordPress <= 6.4.14 - Insecure Direct Object Reference to Listing Arbitrary Image Addition | Medium |
CVE-2024-13736 | Pure Chat – Live Chat & More! <= 2.4 - Reflected Cross-Site Scripting via purechatWidgetName Parameter | Medium |
CVE-2024-9504 | Booking calendar, Appointment Booking System <= 3.2.15 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload | High |
CVE-2024-8856 | Backup and Staging by WP Time Capsule <= 1.22.21 - Unauthenticated Arbitrary File Upload | Critical |
CVE-2024-9417 | Hash Form - Drag & Drop Form Builder <= 1.1.9 - Unauthenticated Limited File Upload | Medium |
CVE-2024-8657 | Garden Gnome Package <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting | Medium |
CVE-2024-45793 | XSS on Confidant API endpoints | Medium |
CVE-2023-6987 | String Locator <= 2.6.5 - Reflected Cross-Site Scripting | Medium |
CVE-2023-6882 | Simple Membership <= 4.3.8 - Reflected Cross-Site Scripting Vulnerability via environment_mode | Medium |
CVE-2023-46154 | E2Pdf <= 1.20.18 - Authenticated (Administrator+) PHP Object Injection | High |
“trein has submitted a number of very well written and valuable reports which helped us better secure Mozilla VPN. The communication is also clear and professional, thank you for all your contributions.” - Mozilla
Write-ups
CVE-2024-9504 - Stored XSS via SVG File Upload

CVE-2024-9504 is a security flaw in the 'Booking calendar, Appointment Booking System' WordPress plugin. The vulnerability allows attackers to upload SVG files, resulting in stored XSS.
Nov 30, 2024 - Rein Daelman
CVE-2024-8856 - Unauthenticated RCE via Arbitrary File Upload

Today, I wanted to talk about CVE-2024-8856, a critical vulnerability I found and reported through Wordfence. The issue was found in the WP Time Capsule plugin, which has over 20,000 active installations.
Nov 20, 2024 - Rein Daelman