In the modern WordPress ecosystem, the principle of least privilege is critical for maintaining site security. It ensures that users can only perform actions strictly necessary for their roles. However, when plugins break this fundamental principle, even seemingly harmless user roles such as “Contributor” can exploit the system and execute powerful administrative actions. This is precisely the case with CVE-2025-3471—a Broken Access Control vulnerability discovered in the SureForms plugin.
CVE-2025-3514 – SureForms – Stored XSS to JS Backdoor Creation – POC

SureForms is a powerful and widely adopted WordPress plugin used for creating customizable forms. With over 200,000 active installations, it is trusted by site administrators for building contact, feedback, and survey forms with ease. However, during a recent plugin assessment, a critical vulnerability was uncovered — a Stored Cross-Site Scripting (XSS) flaw — which allows malicious JavaScript injection through form field attributes. This vulnerability can be exploited by an editor to trigger a JavaScript backdoor, potentially leading to full administrative compromise.
CVE-2025-3513 – SureForms – Stored XSS to JS Backdoor Creation – POC

SureForms is a widely used WordPress plugin for creating custom forms with a drag-and-drop interface. With over 200,000 active installations, it powers contact forms, feedback tools, and opt-in flows on thousands of websites. During a recent security audit, a critical vulnerability — Stored Cross-Site Scripting (XSS) — was identified. This flaw enables a user with editor-level privileges to inject persistent JavaScript into the form confirmation message. When exploited, this vulnerability can lead to JavaScript backdoor creation and full admin account takeover.
CVE-2025-3504 – WP Maps – Stored XSS to JS Backdoor Creation – POC

The WP Maps plugin is a popular solution for adding interactive maps to WordPress sites, boasting over 80,000 installations. However, during a security assessment, a severe vulnerability was discovered — a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker with editor privileges to inject persistent JavaScript code. This code is later executed in the context of an administrator, potentially resulting in full site takeover.
Plugin Security Certification (PSC-2024-64574): “Solid Security – Password, Two Factor Authentication, and Brute Force Protection” – Version 9.3.8: Use Security Plugin with Enhanced Security

Solid Security – Password, Two Factor Authentication, and Brute Force Protection is a comprehensive WordPress security plugin designed to protect websites from the most common and dangerous cyber threats. With a proactive security strategy, this plugin guards against brute force attacks, malware infections, session hijacking, and unauthorized logins. Built to adapt to various types of websites – from eCommerce to blogs – Solid Security provides real-time monitoring, intelligent user-level protection, and automated vulnerability patching. The plugin has undergone a detailed security audit and successfully received the Plugin Security Certification (PSC) from CleanTalk, guaranteeing robust code integrity and secure implementation practices for WordPress environments.
CVE-2025-3503 – WP Maps – Stored XSS to JS Backdoor Creation – POC

The WP Maps plugin for WordPress, with over 80,000 active installations, provides an easy interface for users to create interactive maps on their websites. However, in the course of a routine security assessment, a serious vulnerability was identified — CVE-2025-3503. This vulnerability allows users with editor-level access or higher to inject persistent JavaScript code (Stored XSS) into map content, opening the door to the creation of a backdoor and full account compromise.
CVE-2025-3502 – WP Maps – Stored XSS to JS Backdoor Creation – POC

The WordPress ecosystem, with its massive collection of third-party plugins, remains a fertile ground for both innovation and security concerns. One such concern has emerged in the popular WP Maps plugin, which boasts over 80,000 active installations. This plugin, designed to help users create interactive maps on their websites, contains a critical vulnerability identified as CVE-2025-3502. The vulnerability allows for the execution of stored cross-site scripting (XSS) payloads, ultimately enabling the creation of JavaScript-based backdoors. This vulnerability is particularly concerning due to its low exploitation threshold and the fact that it can be triggered even by users with limited privileges, such as editors.
Plugin Security Certification (PSC-2025-64573): “WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin” – Version 14.14: Use Statistics with Enhanced Security

WP Statistics is the leading privacy-focused analytics plugin for WordPress, offering site owners complete data control without relying on third-party services like Google Analytics. With full GDPR, CCPA, and PECR compliance out of the box, this plugin ensures users can collect vital website insights without compromising visitor privacy or ownership of their data.
All analytical data is stored locally in your own WordPress database, eliminating the need for external accounts or cookies. As a result, WP Statistics offers cookie-less tracking, no personally identifiable information (PII) by default, and respects “Do Not Track” (DNT) signals — making it the perfect choice for data-responsible site owners.
To validate its commitment to secure coding and data protection, WP Statistics has undergone an independent security audit and successfully received the Plugin Security Certification (PSC-2025-64573) from CleanTalk, guaranteeing it meets strict WordPress security standards.
Plugin Security Certification (PSC-2025-64572): “Hostinger Tools” – Version 3.0.37: Use Tools with Enhanced Security

Hostinger Tools is a powerful all-in-one plugin developed to simplify and secure key administrative tasks on WordPress websites. Designed with both functionality and safety in mind, it allows users to efficiently manage essential settings such as maintenance mode, PHP/WordPress version visibility, HTTPS/WWW redirects, and core security toggles — all from a centralized, intuitive interface.
Built by one of the most reputable hosting providers, Hostinger Tools not only optimizes site control for administrators but also integrates strong security mechanisms to safeguard WordPress environments. This plugin has successfully undergone in-depth security evaluation and received the Plugin Security Certification (PSC) from CleanTalk, validating its compliance with modern secure coding standards.
CVE-2024-12273 – Calculated Fields Form – Stored XSS to JS Backdoor Creation – POC

The Calculated Fields Form plugin is a widely adopted WordPress tool used for creating forms with dynamically calculated fields based on user input. With over 50,000 active installations, it powers various contact forms, booking interfaces, quote generators, and more. Despite its powerful features, a significant security vulnerability has been discovered: CVE-2024-12273, a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker to inject persistent JavaScript code and deploy a full JavaScript-based backdoor. This allows account takeover and, in worst-case scenarios, full administrative compromise.