Cross-Site Request Forgery (CSRF) is a type of web security vulnerability that allows an attacker to execute unauthorized actions on behalf of an authenticated user. In the case of the Event Tickets with Ticket Scanner plugin (version <= 2.5.4), a CSRF vulnerability has been discovered, allowing attackers to delete all tickets without proper authorization.
CVE-2024-13313 – AWeber < 7.3.21 – Stored XSS to Backdoor Creation – POC

The AWeber – Free Sign Up Form and Landing Page Builder plugin for WordPress is designed to facilitate email marketing, lead generation, and newsletter management. It allows users to create and embed sign-up forms, automate email campaigns, and integrate various marketing tools seamlessly. However, a critical security vulnerability, CVE-2024-13313, was identified in versions below 7.3.21, allowing Stored Cross-Site Scripting (XSS) attacks. This article explores the discovery, exploitation, and mitigation of this vulnerability.
CVE-2025-1062 – Meta Slider – Stored XSS to Backdoor Creation – POC

Meta Slider is one of the most popular WordPress plugins used to create responsive image sliders. It offers flexibility and customization options to enhance the visual appeal of websites. However, a critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-1062) has been discovered in the plugin. This vulnerability allows attackers with editor privileges to inject malicious JavaScript into the plugin’s slider settings. By exploiting this flaw, an attacker can gain unauthorized access to a WordPress site, potentially compromising it completely. The plugin has over 600k installs, making this a widespread security risk for many WordPress-powered websites.
CVE-2025-1446 – Pods – Custom Content Types and Fields – SQL Injection – POC

Pods is a powerful plugin for WordPress that allows users to create and manage custom post types, fields, and taxonomies. This plugin is widely used for extending WordPress’s native functionality and creating custom content types to suit different needs. However, a severe SQL Injection vulnerability (CVE-2025-1446) has been discovered in the Pods plugin. This vulnerability allows an attacker to inject malicious SQL queries via user input, potentially leading to unauthorized access to the WordPress database. If exploited, this flaw could result in data leakage, manipulation, or even full administrative control over the site.
CVE-2025-0718 – Nested Pages – Stored XSS to Admin Creation – POC
CVE-2024-13382 – Calculated Fields Form – Stored XSS to JS Backdoor Creation – POC

Calculated Fields Form is a WordPress plugin that enables users to create custom forms with calculated fields, ideal for forms that require mathematical calculations such as price estimators, financial forms, and surveys. While the plugin offers a lot of flexibility and customization options, it also contains a critical vulnerability (CVE-2024-13382). This vulnerability allows attackers to inject malicious JavaScript into form fields, which can then be executed by users interacting with the form. Exploiting this vulnerability can result in backdoor access, allowing attackers to perform actions such as account takeover and unauthorized administrative control of the website. The plugin has 50k+ installations, so this issue poses a serious security risk to many WordPress sites.
CVE-2024-13124 – Photo Gallery by 10Web – Stored XSS to JS Backdoor Creation – POC

The Photo Gallery by 10Web plugin is a widely used WordPress plugin designed to help users create beautiful and organized image galleries on their websites. This plugin allows website owners to display their images in various formats, enhancing the visual appeal of their site. However, a severe vulnerability (CVE-2024-13124) has been discovered in the plugin, which allows an attacker to inject malicious JavaScript into the gallery’s title field. This Stored Cross-Site Scripting (XSS) vulnerability can lead to the execution of arbitrary scripts, enabling attackers to potentially create backdoor admin accounts and gain unauthorized access to the site. With over 200,000 installations, this flaw poses a significant threat to websites relying on this plugin.
CVE-2025-0717 – Social Slider Feed < 2.2.9 – Stored XSS to JS Backdoor Creation – POC

CVE-2024-13384 – Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.24 – Stored XSS to JS Backdoor Creation – POC

The security of WordPress plugins is crucial for website integrity, as vulnerabilities can expose sites to attacks that compromise data and user trust. One such critical issue has been identified in the Photo Gallery, Images, Slider in Rbs Image Gallery plugin, affecting versions below 3.2.24. This vulnerability, CVE-2024-13384, is a Stored Cross-Site Scripting (XSS) flaw that can lead to JavaScript backdoor creation. This article provides an in-depth analysis of the discovery, exploitation, and potential risks, along with recommendations to mitigate this issue.
CVE-2024-10558 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

Form Maker by 10Web is a popular WordPress plugin used to create forms and widgets for various purposes, such as contact forms, surveys, and user registration. The plugin is widely used by website administrators for its ease of use and flexibility. However, a critical vulnerability, CVE-2024-10558, has been discovered in the plugin, which allows attackers to inject malicious JavaScript into the “Title” field of a widget. This Stored Cross-Site Scripting (XSS) vulnerability can result in the execution of arbitrary JavaScript on the website, potentially leading to account takeover and the creation of backdoor access. The vulnerability can be exploited by any user with editor privileges or higher, posing a significant risk to WordPress websites using the plugin.