CVE-2024-5578 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Table of Contents Plus plugin, widely used in WordPress for creating table of contents sections within posts and pages. With over 300,000 installations, this plugin is a valuable tool for content-heavy websites. However, the vulnerability allows attackers to embed malicious JavaScript code within the plugin’s settings, specifically in the “Hide text” field. If exploited, it can lead to backdoor creation, admin account takeover, and long-term control of the WordPress site.
CVE-2024-9883 – Pods – Custom Content Types and Fields – Stored XSS to Backdoor Creation – POC
CVE-2024-9883 uncovers a critical vulnerability in the Pods – Custom Content Types and Fields plugin, a popular WordPress plugin with over 100,000 active installations. This vulnerability enables attackers with editor-level permissions to inject malicious JavaScript (JS) into the plugin’s settings, allowing them to create backdoors and perform admin account takeovers. The vulnerability is due to insufficient sanitization within the “Heading HTML tag” setting of custom content fields.
CVE-2024-10362 – Social Media Share Buttons – Stored XSS to Backdoor Creation – POC
CVE-2024-10362 exposes a Stored Cross-Site Scripting (XSS) vulnerability in the Ultimate Social Media Icons WordPress plugin. This popular plugin allows WordPress site administrators to display customizable social media icons, enabling visitors to share content across platforms like Facebook, Twitter, LinkedIn, and more. Unfortunately, a flaw in its handling of user inputs can permit attackers to inject malicious JavaScript code, paving the way for serious security risks. This article explores how the vulnerability was discovered, the potential impact on WordPress sites, and practical steps to protect against such attacks.
CVE-2024-9768 – Formidable Forms – Stored XSS to Backdoor Creation – POC
CVE-2024-9768 reveals a Stored Cross-Site Scripting (XSS) vulnerability in the Formidable Forms WordPress plugin, a leading tool for creating forms, surveys, and other interactive content on websites. Known for its advanced drag-and-drop interface and extensive customization options, Formidable Forms is widely used by WordPress sites for generating user-friendly forms. However, this vulnerability can allow malicious actors to inject JavaScript payloads that can ultimately create backdoors, compromising site security and exposing user data. This article delves into the nature of this vulnerability, how it can be exploited, and the potential impact on affected websites.
CVE-2024-9233 – GS Logo Slider – Unauth Settings Update via Cross-Site Request Forgery (CSRF) – POC
CVE-2024-9233 is a newly discovered vulnerability in the GS Logo Slider plugin, which is installed on over 50,000 WordPress sites. This vulnerability exposes the plugin to Cross-Site Request Forgery (CSRF) attacks, enabling unauthorized users to manipulate plugin settings on behalf of an authenticated user without their consent. Exploiting this vulnerability can result in unwanted changes to the plugin’s configuration, potentially impacting site functionality and security.
CVE-2024-9599 – Popup Box – Stored XSS to Backdoor Creation – POC
CVE-2024-9599 brings to light a critical Stored Cross-Site Scripting (XSS) vulnerability within the WordPress Popup Box plugin, a popular tool used to create a variety of popups for websites. This plugin allows users to add visually appealing and engaging popups, ranging from promotional notifications to subscription forms, without requiring extensive technical knowledge. However, an identified flaw in the way the plugin handles input parameters allows malicious users to inject JavaScript code, leading to the potential creation of backdoors within the WordPress environment. Exploiting this vulnerability could lead to unauthorized access and control over affected websites.
CVE-2024-4091 – Responsive Gallery Grid – Stored XSS to JS backdoor – POC
CVE-2024-4091 highlights a significant Stored Cross-Site Scripting (XSS) vulnerability within the Responsive Gallery Grid (RGG) plugin for WordPress, a tool installed on numerous WordPress sites to transform the native WordPress gallery into a responsive layout. The plugin, which integrates well with other third-party lightbox plugins, offers WordPress users an enhanced way to showcase their images while keeping responsive image proportions. However, a flaw in the settings configuration allows contributors or editors with access to plugin settings to inject malicious JavaScript (JS) code into the Margin parameter of the gallery settings. If exploited, this vulnerability can provide attackers with persistent control over the site via a JavaScript backdoor.
CVE-2024-4004 – Advanced Cron Manager – Stored XSS to JS backdoor – POC
CVE-2024-4004 is a newly discovered Stored Cross-Site Scripting (XSS) vulnerability in the widely used WordPress plugin Advanced Cron Manager. This plugin, essential for managing WP Cron events and schedules, offers extensive functionality to WordPress site administrators. It allows them to view, search, execute, add, pause, and delete scheduled tasks, as well as customize PHP cron events. With over 30,000 installations, Advanced Cron Manager provides a streamlined approach to scheduling but, unfortunately, also introduces a vulnerability exploitable by users with access to the admin panel. This vulnerability allows attackers to inject malicious JavaScript code into the Cron Manager’s settings, potentially leading to a backdoor on the site.
CVE-2024-8670 – Photo Gallery by 10Web – Stored XSS to Backdoor Creation – POC
CVE-2024-8670 reveals a critical Stored Cross-Site Scripting (XSS) vulnerability in the Photo Gallery by 10Web plugin, a popular WordPress plugin with over 200,000 installations. This vulnerability allows contributors or editors to inject malicious JavaScript (JS) into the gallery settings, specifically in the “Title” field. Exploiting this vulnerability can lead to admin account hijacking, persistent backdoor creation, and potential long-term control of the WordPress site.
CVE-2024-10104 – Jobs for WordPress – Stored XSS to Backdoor Creation – POC
CVE-2024-10104 is a critical Stored Cross-Site Scripting (XSS) vulnerability affecting the Jobs for WordPress plugin, widely used to manage and display job postings on WordPress sites. This vulnerability allows users with Contributor or higher permissions to inject malicious JavaScript (JS) code into the job posting settings, specifically in the “Working Hours” field. Once exploited, the vulnerability can lead to admin account takeovers, unauthorized backdoor installations, and long-term control over the WordPress site.