CVE-2024-9651 – Fluent Forms – Stored XSS to Backdoor Creation – POC

Fluent Forms, a widely used WordPress plugin that has been installed more than 500,000 times, is known for its advanced and lightweight contact form builder. With features such as drag-and-drop customization, conditional logic, and anti-spam, it has become a staple for both businesses and developers. However, such popularity also makes it a target for exploitation. The stored cross-site scripting (XSS) vulnerability CVE-2024-9651 in older versions of Fluent Forms poses a significant risk, potentially allowing attackers to introduce backdoors and compromise entire websites.

Version 5.2.5 of Fluent Forms has received a Plugin Security Certificate (PSC), which guarantees users that this version is verified as secure.

CVE-2024-11183 – Simple Side Tab – Stored XSS to Backdoor Creation – POC

It was recently discovered that the “Simple Side Tab” plugin, designed to help WordPress site owners increase conversion by adding customizable call-to-action tabs, contains a security flaw. The simplicity and convenience of the plugin, combined with its flexibility in customizing tab behavior and appearance, have made it popular among WordPress users. However, this popularity now poses a security threat due to a stored cross-site scripting (XSS) vulnerability, CVE-2024-11183. This flaw can be used to create backdoors that provide attackers with unauthorized access to vulnerable sites.

CVE-2024-10551 – Sticky Social Icons – Stored XSS to Backdoor Creation – POC

It was recently discovered that the “Sticky Social Icons” plugin, used to integrate customizable social media buttons, contains a vulnerability, CVE-2024-10551. This flaw allows attackers to carry out stored cross-site scripting (XSS) attacks, which can potentially lead to the creation of a backdoor and further compromise of vulnerable websites. Since the plugin is currently closed for download and update, understanding this vulnerability is crucial for both prevention and remediation.

CVE-2024-7056 – WPForms – Stored XSS to Backdoor Creation – POC

WPForms, one of the most popular WordPress plugins for creating forms, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-7056. This flaw allows attackers with editor privileges to inject malicious JavaScript code into the plugin’s settings, which could then be executed when interacting with the form. The vulnerability can lead to account takeover and backdoor creation, posing significant risks to WordPress websites using WPForms. With over 6 million active installations, this vulnerability affects a vast number of websites, making it a serious concern.

CVE-2024-6393 – Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery – Stored XSS to Backdoor Creation – POC

The NextGEN Gallery plugin, a widely used WordPress plugin for managing and displaying image galleries, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-6393. This flaw allows attackers with editor privileges to inject malicious JavaScript code into gallery settings. This malicious code can be executed when the gallery is viewed, resulting in potential account takeover and backdoor creation. With over 500,000 installations, this vulnerability poses a serious security risk to WordPress sites utilizing NextGEN Gallery.

CVE-2024-9882 – Salon Booking System – Stored XSS to Backdoor Creation – POC

The Salon Booking System plugin for WordPress is a widely used tool that allows businesses to manage appointments and bookings online. However, a serious Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-9882, has been discovered in it. This flaw allows attackers to inject malicious JavaScript code into the plugin’s service settings, leading to potential account takeover and the creation of a backdoor.

Effective Prevention Methods for XSS

Cross-site scripting (XSS) vulnerabilities are among the most frequently found vulnerabilities in WordPress plugins. They occur when user-supplied data is not sufficiently sanitized before being displayed on site pages, which allows attackers to inject malicious code such as JavaScript and execute it in visitors’ browsers. XSS attacks can lead to theft of user data, hijacking of sessions, modification of page content, and other types of malicious activity.

CVE-2024-9600 – Ditty – Stored XSS to Admin Account Creation – POC

The Ditty plugin, designed for displaying custom feeds and lists of posts in WordPress, has been found to contain a critical vulnerability that allows an attacker to exploit a Stored Cross-Site Scripting (XSS) flaw. This vulnerability, identified as CVE-2024-9600, can be used by contributors to inject malicious JavaScript code into new posts, which upon interaction can lead to the creation of an admin account. With approximately 50,000 active installations, this vulnerability poses a serious risk to WordPress sites utilizing the Ditty plugin.

CVE-2024-10515 – Squirrly SEO (Newton) – Stored XSS to Backdoor Creation – POC

The Squirrly SEO plugin, a popular tool for search engine optimization in WordPress, has been found to harbor a critical vulnerability, CVE-2024-10515. This flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability through the plugin’s SEO settings. By embedding malicious JavaScript code into the “Meta Keywords” field in the SEO Snippet settings, attackers can execute arbitrary scripts, leading to account takeover and backdoor creation. With over 100,000 active installations, this vulnerability poses a serious risk to WordPress sites using the plugin.