CVE-2024-8758 – Quiz and Survey Master (QSM) – Stored XSS to Admin Account Creation – POC

CVE-2024-8758 is a Stored Cross-Site Scripting (XSS) vulnerability in Quiz and Survey Master (QSM), a WordPress plugin for building quizzes and surveys with over 50,000 installations. Users with contributor-level access can inject JavaScript (JS) into the plugin's settings; the stored payload then runs in the browser of an administrator who opens the affected page. From there the attack escalates to admin account takeover or the creation of persistent backdoors, giving the attacker long-term control over the WordPress site.

CVE-2024-8493 – The Events Calendar – Stored XSS to backdoor creation – POC

CVE-2024-8493 is a critical vulnerability in The Events Calendar, a widely used WordPress plugin with over 700,000 installations. Users with editor-level access can inject malicious JavaScript (JS) into the plugin's settings, leading to account takeover and backdoor creation. Improper input sanitization, specifically in the "Date time separator" field, makes the site vulnerable to this Stored XSS attack and can compromise the entire website.

CVE-2024-8619 – Ajax Search Lite – Stored XSS to backdoor creation – POC

CVE-2024-8619 is a Stored Cross-Site Scripting (XSS) vulnerability in Ajax Search Lite, a widely used search enhancement plugin with over 100,000 installations. Authenticated users with editor-level permissions can inject malicious JavaScript (JS) into the plugin's settings. Once exploited, the attacker can create backdoors and take over admin accounts, gaining full control of the WordPress site. The root cause is improper input sanitization of the plugin's "image width" field, which can be manipulated to execute scripts.

CVE-2024-8492 – Hustle – Stored XSS to backdoor creation – POC

CVE-2024-8492 is a critical Stored Cross-Site Scripting (XSS) vulnerability in Hustle, a plugin used on over 100,000 WordPress installations to create popups, email opt-ins, and other marketing tools. Attackers can inject malicious JavaScript (JS) through the plugin's settings, specifically the "Error Message" field of the Email Field settings. If exploited, the vulnerability leads to admin account takeover and the creation of persistent backdoors, giving attackers long-term control over the site.

CVE-2024-8187 – Smart Post Show – Stored XSS to backdoor creation – POC

CVE-2024-8187 is a critical Stored Cross-Site Scripting (XSS) vulnerability in Smart Post Show, a popular WordPress plugin with over 30,000 installations. Users with editor-level access can inject malicious JavaScript (JS) into the plugin's settings. If exploited, the vulnerability enables account takeover, backdoor creation, and long-term control over the WordPress site. The issue stems from improper input validation, specifically in the post grid settings.

Plugin Security Certification (PSC-2024-64529): “One User Avatar” – Version 2.4.0: Use Avatars with Enhanced Security

The One User Avatar plugin offers a highly flexible way to manage custom user avatars on your WordPress site. Unlike WordPress’s default behavior, which limits custom avatars to those uploaded through Gravatar, One User Avatar allows you to use any image from your Media Library as a custom avatar. The simplicity and efficiency of this plugin have made it a go-to solution for users seeking more control over their avatar management.

And now, with the Plugin Security Certification (PSC-2024-64529) from CleanTalk, you can use One User Avatar with the assurance of enhanced security. This certification confirms that One User Avatar has passed rigorous security checks, making it a trusted option for managing user avatars without introducing vulnerabilities to your WordPress site.

CVE-2024-7762 – Simple Job Board – Unauthenticated Resumes Download – POC

CVE-2024-7762 is a critical security flaw in Simple Job Board, a popular WordPress plugin with over 30,000 installations. Unauthenticated users can browse and download confidential resumes and other files uploaded by job applicants, because the plugin's upload directory allows directory listing and enforces no access controls. Exploitation exposes applicants' personal data and constitutes a serious privacy breach.
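The root cause in the entry above is that applicant uploads sit in a web-served directory that the web server is allowed to list and serve to anyone. As an added example (not Simple Job Board's code, and not CleanTalk's), here is how a job-board plugin can close both doors: deny direct web access to the upload directory at activation, and serve resumes only through an authenticated, capability-checked endpoint that rejects path traversal. The directory name demo-resumes, the edit_others_posts capability, the hook and action names, and the assumption that this code lives in the plugin's main file are all illustrative.

```php
<?php
// Added example; not the plugin's own code. Names below are assumptions.

// 1. At activation, make the resume directory non-listable and non-servable
//    by Apache, and add an index.php so a listing shows nothing even where
//    .htaccess is ignored. nginx users need an equivalent `location` deny.
function demo_protect_resume_dir() {
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'demo-resumes';
    wp_mkdir_p( $dir );
    $htaccess = "Options -Indexes\n"
              . "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
              . "<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n</IfModule>\n";
    file_put_contents( $dir . '/.htaccess', $htaccess );
    file_put_contents( $dir . '/index.php', "<?php // Silence is golden.\n" );
}
register_activation_hook( __FILE__, 'demo_protect_resume_dir' ); // assumes main plugin file

// 2. The only way to fetch a resume: an admin-ajax action that requires a
//    logged-in user with a hiring-staff capability (assumed: edit_others_posts)
//    and a valid nonce, and that confines the requested file to the directory.
//    Link example: wp_nonce_url( admin_url( 'admin-ajax.php?action=demo_resume&file=cv.pdf' ),
//                                'demo_resume_download' )
function demo_download_resume() {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    check_ajax_referer( 'demo_resume_download' ); // accepts _ajax_nonce or _wpnonce

    $name   = isset( $_GET['file'] ) ? sanitize_file_name( wp_unslash( $_GET['file'] ) ) : '';
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'demo-resumes' );
    $path   = realpath( $base . '/' . $name );

    // realpath() resolves ../ and symlinks; the result must stay inside $base.
    if ( '' === $name || false === $base || false === $path
         || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        wp_die( 'Not found', 404 );
    }

    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
add_action( 'wp_ajax_demo_resume', 'demo_download_resume' );
// Deliberately no wp_ajax_nopriv_demo_resume hook: unauthenticated requests never reach the handler.
```

The .htaccess only helps on Apache with AllowOverride enabled, so the capability-checked endpoint is the control that must hold everywhere; the directory hardening is defence in depth against a misconfigured or changed web server.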

CVE-2024-9236 – Team Members Showcase – Stored XSS to Admin Creation – POC

CVE-2024-9236 is a Stored Cross-Site Scripting (XSS) vulnerability in the Team Members Showcase plugin for WordPress that allows an attacker to execute stored scripts and potentially take over administrative accounts. The plugin gives site administrators a flexible tool for displaying team members in layouts such as grids and sliders; it is highly customizable, responsive, and compatible with Elementor, making it easy to build professional-looking team pages.
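Every stored-XSS entry on this page (QSM, The Events Calendar, Ajax Search Lite, Hustle, Smart Post Show, Team Members Showcase) has the same shape: a settings field that an editor or contributor is allowed to write, stored without sanitization and echoed without escaping into a page an administrator views. As an added example (not code from any of these plugins or from CleanTalk), here is that pattern in a minimal WordPress option handler, vulnerable and hardened side by side. The option name demo_separator, the POST field name, the nonce action and the manage_options capability are assumptions for illustration.

```php
<?php
// Added example; not the code of any plugin named on this page.
// Option name, field name, nonce action and capability are assumptions.

/* ---- Vulnerable pattern: the shape behind the stored-XSS entries above ---- */

// No capability check and no nonce: any user who can reach the handler writes
// the option, and the raw value is stored.
function demo_save_separator_vulnerable() {
    if ( isset( $_POST['demo_separator'] ) ) {
        update_option( 'demo_separator', wp_unslash( $_POST['demo_separator'] ) );
    }
}

// The raw value is echoed into an attribute on the admin settings page. A stored
// value such as   " autofocus onfocus=alert(document.cookie) x="   closes the
// attribute, and the handler runs in the session of the administrator who opens
// the page; from there the script can act with that admin's privileges.
function demo_render_separator_vulnerable() {
    $value = get_option( 'demo_separator', '@' );
    echo '<input type="text" name="demo_separator" value="' . $value . '">';
}

/* ---- Hardened pattern ---- */

function demo_save_separator_hardened() {
    if ( ! isset( $_POST['demo_separator'] ) ) {
        return;
    }
    // 1. Only administrators change plugin settings; editors and contributors are refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF protection: the form must carry the nonce emitted by wp_nonce_field() below.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );

    // 3. Sanitize on input. sanitize_text_field() strips tags and control characters
    //    but leaves quotes in place, so on its own it does NOT stop attribute injection.
    $clean = sanitize_text_field( wp_unslash( $_POST['demo_separator'] ) );
    // 4. Constrain the value to what the setting can legitimately be (a short separator).
    $clean = mb_substr( $clean, 0, 5 );
    update_option( 'demo_separator', $clean );
}
add_action( 'admin_init', 'demo_save_separator_hardened' );

function demo_render_separator_hardened() {
    $value = get_option( 'demo_separator', '@' );
    // 5. Escape on output for the context. esc_attr() encodes quotes, so the payload
    //    above renders as inert text inside the attribute.
    printf( '<input type="text" name="demo_separator" value="%s">', esc_attr( $value ) );
    wp_nonce_field( 'demo_save_settings', 'demo_nonce' );
}

// The same value printed on the front end (shortcode, widget, grid) is escaped for
// that context instead: esc_html() in text nodes, esc_url() in href/src,
// wp_json_encode() when it is embedded in inline JavaScript.
```

The idiomatic route for settings pages is register_setting() with a sanitize_callback, which applies step 3 automatically and lets options.php enforce the capability and nonce checks; the explicit handler above spells out what that machinery does so the missing pieces in a vulnerable plugin are recognisable. Escaping at output (step 5) is the control that actually prevents the attribute breakout, and the capability check (step 1) is what makes editor- and contributor-level injection impossible in the first place.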