CVE-2025-0717 – Social Slider Feed < 2.2.9 – Stored XSS to JS Backdoor Creation – POC

CVE-2024-13384 – Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.24 – Stored XSS to JS Backdoor Creation – POC

The security of WordPress plugins is crucial for website integrity, as vulnerabilities can expose sites to attacks that compromise data and user trust. One such critical issue has been identified in the Photo Gallery, Images, Slider in Rbs Image Gallery plugin, affecting versions below 3.2.24. This vulnerability, CVE-2024-13384, allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability, leading to JavaScript backdoor creation. This article provides an in-depth analysis of the discovery, exploitation, and potential risks, along with recommendations to mitigate this issue.

CVE-2024-10558 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

Form Maker by 10Web is a popular WordPress plugin used to create forms and widgets for various purposes, such as contact forms, surveys, and user registration. The plugin is widely used by website administrators for its ease of use and flexibility. However, a critical vulnerability, CVE-2024-10558, has been discovered in the plugin, which allows attackers to inject malicious JavaScript into the “Title” field of a widget. This Stored Cross-Site Scripting (XSS) vulnerability can result in the execution of arbitrary JavaScript on the website, potentially leading to account takeover and the creation of backdoor access. The vulnerability can be exploited by any user with editor privileges or higher, posing a significant risk to WordPress websites using the plugin.

CVE-2024-13729 – Podlove Podcast Publisher < 4.1.24 – Stored XSS to Admin Creation – POC

Podlove Podcast Publisher is a powerful WordPress plugin designed to streamline podcast publishing. It offers features like multi-format publishing, enhanced RSS feeds, an optimized web player, and metadata management. However, a critical stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-13729) has been identified in versions prior to 4.1.24, allowing attackers to inject malicious scripts that could lead to unauthorized administrative actions.

CVE-2024-12716 – Simple Basic Contact Form – Stored XSS to Admin Creation – POC

The Simple Basic Contact Form (SBCF) plugin is widely used in WordPress for implementing lightweight and efficient contact forms. Despite its focus on security and minimalism, a Stored Cross-Site Scripting (XSS) vulnerability has been identified, allowing an attacker to inject malicious scripts that execute in the browser of an administrator. This article explores the discovery, exploitation, and security implications of this vulnerability while providing recommendations for mitigation.

CVE-2025-1232 – Site Reviews – Unauthenticated Stored XSS to Admin Creation – POC

Site Reviews is a popular WordPress plugin designed to collect and display customer reviews on websites. It offers an easy-to-use interface for both site owners and customers to submit and view reviews. However, a critical vulnerability, CVE-2025-1232, has been discovered in the plugin. This flaw allows unauthenticated users to inject malicious JavaScript into the review form, which can lead to Stored Cross-Site Scripting (XSS) attacks. These attacks could result in unauthorized account creation with admin privileges, ultimately compromising the security of the affected website. With over 100,000 active installations, this vulnerability poses a significant threat to WordPress sites using the Site Reviews plugin.

CVE-2024-12679 – Prisna GWT for WordPress – Stored XSS to JS Backdoor Creation – POC

WordPress is one of the most popular content management systems, powering millions of websites worldwide. Plugins enhance its functionality but can also introduce security vulnerabilities. One such case is the Prisna GWT plugin, which allows automatic translation using Google’s services. A stored cross-site scripting (XSS) vulnerability (CVE-2024-12679) has been identified in this plugin, posing a risk to website security. This article explores the discovery, exploitation, and mitigation of this vulnerability.

Plugin Security Certification (PSC-2025-64561): “Fluent Forms PRO” – Version 6.0.0: Use Forms with Enhanced Security

Fluent Forms PRO, like Fluent Forms, has passed a thorough security assessment and received the Plugin Security Certification (PSC) from CleanTalk, which guarantees users a secure environment for managing forms.
Fluent Forms PRO is a comprehensive and secure contact form builder with advanced features developed for WordPress. With an intuitive, drag-and-drop interface, Fluent Forms provides a wide range of features that are suitable for both beginners and advanced users. Recognized for its performance, Fluent Forms loads quickly without overloading your website and offers a wide range of powerful form functionality. The plugin’s security features protect user data, and advanced customization options make it a universal choice for any WordPress website.

And now, thanks to the security certification of the plugin (PSC-2024-64561) from CleanTalk, you can use Fluent Forms with a guarantee of increased security. This certification confirms that Fluent Forms has passed a thorough security check, making it a reliable means of managing the contact form builder without introducing vulnerabilities to your WordPress site.

CVE-2025-1623 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin is a widely used tool for WordPress sites, enabling them to display cookie consent banners and helping website owners comply with the European Union’s General Data Protection Regulation (GDPR). However, a serious vulnerability (CVE-2025-1623) has been discovered that allows attackers to inject malicious JavaScript code into the “Tracking ID” field under the plugin’s integrations settings. This vulnerability can lead to the execution of stored XSS (Cross-Site Scripting) scripts, allowing for the creation of a backdoor account and other malicious activities. With over 300,000 active installations, this vulnerability poses a significant security risk to websites using this plugin.

CVE-2025-13616 – Vik Booking for WordPress – Stored XSS to JS Backdoor Creation – POC

WordPress remains one of the most popular content management systems (CMS) worldwide, offering thousands of plugins to enhance its functionality. However, the security of these plugins is a significant concern, as vulnerabilities can expose websites to attacks. One such vulnerability, CVE-2024-13616, was discovered in the Vik Booking plugin, a popular hotel booking engine for WordPress. This article explores the discovery, exploitation, and potential risks of this stored XSS vulnerability, along with recommendations for mitigation.