CVE-2024-11503 – WP Tabs < 2.2.7 – Stored XSS to JS Backdoor Creation – POC

CVE-2024-11503 – WP Tabs < 2.2.7 – Stored XSS to JS Backdoor Creation – POC

WP Tabs is a widely used WordPress plugin designed to help users create and manage tabbed navigation on their websites. With its user-friendly interface and extensive customization options, WP Tabs has gained popularity among WordPress site owners. However, a security vulnerability (CVE-2024-111503) was discovered in versions below 2.2.7, exposing websites to a Stored Cross-Site Scripting (XSS) attack. This article delves into the discovery, exploitation, risks, and remediation of this vulnerability.

Plugin Security Certification (PSC-2025-64560): “Disable Comments – Remove Comments & Stop Spam” – Version 2.4.7: Use Comments plugin with Enhanced Security

Plugin Security Certification (PSC-2025-64560): “Disable Comments – Remove Comments & Stop Spam” – Version 2.4.7: Use Comments plugin with Enhanced Security

Disable Comments – Remove Comments & Stop Spam [Multi-Site Support] is a powerful plugin designed to give WordPress site owners complete control over comment functionality. By allowing users to globally enable or disable comments on posts, pages, and media, this plugin is an effective tool to prevent spam and unwanted discussions. It provides seamless integration with WP-CLI, XML-RPC, and REST-API, ensuring a streamlined approach to managing comments.

This plugin enhances website security by eliminating potential spam injection points and preventing unauthorized comment-based interactions. It has successfully undergone rigorous security testing and has received the prestigious Plugin Security Certification (PSC-2025-64560) from CleanTalk, ensuring robust protection against spam-related vulnerabilities.

CVE-2024-10475 – Lead Form Builder – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10475 – Lead Form Builder – Stored XSS to JS Backdoor Creation – POC

Lead Form Builder is a popular WordPress plugin designed to create and manage contact forms. It offers an easy-to-use drag-and-drop interface and integration with page builders like Elementor, Brizy, SiteOrigin, and Gutenberg. However, a security vulnerability (CVE-2024-10475) was discovered in versions prior to 1.9.8, which allows attackers to inject and execute malicious JavaScript code through Stored Cross-Site Scripting (XSS). This article explores the vulnerability, its risks, exploitation, and best practices to mitigate the issue.

CVE-2025-1621 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

CVE-2025-1621 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin is a popular solution for WordPress websites to help them comply with the European Union’s General Data Protection Regulation (GDPR). It is primarily used to display cookie consent banners that inform users about the use of cookies on the website and collect their consent. However, a critical vulnerability, CVE-2025-1621, has been discovered in the plugin that allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability enables attackers to inject malicious JavaScript into the “Accept – Button Label” field in the plugin’s settings. The injected script can later be executed when a user interacts with the consent banner, leading to potential account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability presents a significant security risk.

Plugin Security Certification (PSC-2025-64559): “W3 Total Cache” – Version 2.8.6: Use Cache plugin with Enhanced Security

Plugin Security Certification (PSC-2025-64559): “W3 Total Cache” – Version 2.8.6: Use Cache plugin with Enhanced Security

W3 Total Cache (W3TC) is a powerful performance optimization plugin designed to enhance website speed, SEO rankings, and user experience. It achieves this by leveraging caching mechanisms, content delivery network (CDN) integration, and advanced web performance optimization (WPO) techniques. Trusted by over a million users, W3TC significantly reduces page load times, ensuring seamless website performance. The plugin has undergone rigorous security testing and has successfully obtained the Plugin Security Certification (PSC-2025-64559) from CleanTalk, guaranteeing a secure environment for WordPress websites.

CVE-2024-10703 – Registrations for Events Calendar – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10703 – Registrations for Events Calendar – Stored XSS to JS Backdoor Creation – POC

Stored Cross-Site Scripting (Stored XSS) is a critical web security vulnerability that allows attackers to inject malicious scripts into a website, which are then executed in the browsers of unsuspecting users. This article focuses on CVE-2024-10703, a Stored XSS vulnerability found in versions below 2.13.4 of the “Registrations for The Events Calendar” plugin for WordPress. This vulnerability can be exploited by an attacker with administrator privileges to inject harmful scripts that execute when users interact with certain elements of the website.

CVE-2025-1622 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

CVE-2025-1622 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin for WordPress is widely used to help websites comply with the European Union’s General Data Protection Regulation (GDPR). One of the core features of the plugin is its cookie consent banner, which informs users about the use of cookies and requests their consent. However, a critical vulnerability, CVE-2025-1622, has been identified in the plugin. This Stored Cross-Site Scripting (XSS) vulnerability allows an attacker with editor-level access to inject malicious JavaScript into the “Cookie Banner Content” field. Once saved, the injected script is stored and executed when the banner is displayed on the site’s frontend, potentially leading to account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability poses a significant security risk for WordPress websites using the GDPR Cookie Compliance plugin.

CVE-2024-10472 – Stylish Price List < 7.1.12 – Stored XSS to Admin Creation – POC

CVE-2024-10472 – Stylish Price List < 7.1.12 – Stored XSS to Admin Creation – POC

WordPress plugins play a crucial role in extending the functionality of websites. However, vulnerabilities in these plugins can introduce significant security risks. One such vulnerability has been discovered in the Stylish Price List plugin (versions below 7.1.12), which enables users to create visually appealing price lists and pricing tables. The vulnerability allows a malicious actor to inject and store JavaScript code, leading to a Stored Cross-Site Scripting (XSS) attack that can compromise an administrator’s session.

CVE-2024-10149 – Social Slider Feed – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10149 – Social Slider Feed – Stored XSS to JS Backdoor Creation – POC

The Social Slider Feed plugin for WordPress is used to display social media feeds, such as YouTube videos, Instagram posts, and Twitter feeds, directly on websites. It allows users to create widgets that can be customized with various settings, including titles and content descriptions. However, a critical vulnerability, CVE-2024-10149, has been discovered in this plugin. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers with editor-level access to inject malicious JavaScript code into the widget settings, which is later executed when the widget is viewed on the frontend. This vulnerability could lead to account takeover and the creation of backdoor admin accounts. With over 50,000 active installations, this issue represents a significant security risk to WordPress sites using the Social Slider Feed plugin.