CVE-2025-4567 – Post Slider and Carousel with Widget < 3.2.10 – Stored XSS to JS Backdoor Creation – POC

A vulnerability was discovered in the widely used WordPress plugin Post Slider and Carousel with Widget, which allows site owners to display posts in sliders or carousels. This plugin is favored for its ease of use and flexibility, especially for non-technical users.

The vulnerability, now identified as CVE-2025-4567, affects plugin versions below 3.2.10 and allows an authenticated user (with access to widget settings) to inject stored JavaScript code into a field that is later rendered on the front-end — leading to persistent Cross-Site Scripting (XSS) and the potential creation of a JavaScript backdoor.

CVE-2024-11924 – Email Subscribers – Stored XSS to JS Backdoor Creation – POC

Email Subscribers is a WordPress plugin designed to simplify the process of managing email subscriptions, newsletters, and automated email campaigns. With over 80,000 active installations, it is widely used by website administrators for email marketing and user engagement. However, a critical vulnerability, CVE-2024-11924, has been identified within the plugin that allows stored Cross-Site Scripting (XSS). This vulnerability enables an attacker with editor-level access to inject malicious JavaScript, leading to a potential backdoor creation and full admin account takeover.

CVE-2025-1485 – Real Cookie Banner < 5.1.6 – Stored XSS to JS Backdoor Creation – POC

The Real Cookie Banner plugin is a powerful consent management tool for WordPress, widely used to help website administrators comply with the GDPR and ePrivacy directives. With features like customizable cookie banners, content blockers, and consent documentation, the plugin plays a key role in user privacy and legal compliance. However, in versions below 5.1.6, a Stored Cross-Site Scripting (XSS) vulnerability was discovered that can be exploited by authenticated users with access to the plugin’s customization features.

This article explores the vulnerability in detail, demonstrates how it can be exploited, and outlines practical recommendations for mitigating similar security risks in WordPress environments.

CVE-2025-2162 – MapPress Maps for WordPress – Stored XSS to JS Backdoor Creation – POC

MapPress Maps for WordPress is a widely used plugin for adding Google Maps to WordPress websites. It offers users the ability to create maps with custom markers, locations, and settings, providing an interactive experience for visitors. However, a critical vulnerability—CVE-2025-2162—has been discovered that allows attackers to inject malicious JavaScript into maps, leading to the creation of backdoors that can compromise admin accounts. This stored XSS vulnerability is particularly dangerous as it affects users with editor-level access, enabling attackers to escalate their privileges and potentially take over the site.

CVE-2024-10680 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

Form Maker by 10Web is a popular WordPress plugin designed to simplify the process of creating and managing forms. With over 50,000 active installations, it provides a versatile and user-friendly interface for adding various types of forms to WordPress websites. However, a critical vulnerability, CVE-2024-10680, has been discovered in the plugin that allows attackers to exploit stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious scripts, potentially giving them access to admin accounts and creating backdoors in the system.

CVE-2025-2055 – MapPress Maps for WordPress – Stored XSS to Admin Creation (Contributor+) – POC

MapPress Maps for WordPress is a popular plugin used to create and manage maps on WordPress sites. It allows users to easily embed maps and display locations using the Google Maps API. With over 50,000 active installations, it is a widely trusted tool for website owners looking to add interactive maps to their pages. However, a critical vulnerability—CVE-2025-2055—has been discovered in the plugin that allows an attacker to exploit stored Cross-Site Scripting (XSS), which could lead to account takeover and privilege escalation, potentially giving an attacker admin access. This issue is particularly concerning for websites that use MapPress to display sensitive location-based data.

CVE-2024-13357 – Ditty – Stored XSS to Admin Creation (Author+) – POC

Ditty is a WordPress plugin used to display custom content in various formats such as lists, sliders, and tickers. With over 50,000 active installations, Ditty has become a widely used tool for WordPress users who wish to showcase dynamic, rotating content on their websites. However, a critical vulnerability, CVE-2024-13357, has been discovered that allows attackers to exploit the plugin’s functionality to execute a Stored Cross-Site Scripting (XSS) attack, which can lead to account takeover and backdoor creation. This vulnerability specifically affects users with Author+ roles, allowing them to escalate their privileges and create an admin account.

Plugin Security Certification (PSC-2025-64569): “Widgets for Google Reviews” – Version 12.7.4: Use Widgets with Enhanced Security

Widgets for Google Reviews is a powerful WordPress plugin designed to help businesses build trust and increase conversions by seamlessly displaying up to 10 Google reviews in stylish, responsive widgets. With over 40 widget layouts and 25 pre-designed styles, this plugin ensures your customer feedback is not only visible but also visually aligned with your brand.

Whether you’re a small local business or a growing e-commerce brand, this plugin makes it effortless to integrate user-generated reviews directly into your site, boosting both credibility and SEO performance. Beyond the attractive visuals and functionality, Widgets for Google Reviews has undergone extensive code-level security analysis and proudly holds the Plugin Security Certification (PSC-2025-64569) issued by CleanTalk, validating its commitment to secure development practices.

CVE-2024-12743 – MailPoet – Stored XSS to JS Backdoor Creation – POC

MailPoet is a popular WordPress plugin that enables users to easily create and send newsletters, manage subscribers, and automate email campaigns. With over 600,000 active installations, it has become a trusted tool for WordPress users looking to enhance their email marketing capabilities. However, a critical vulnerability, CVE-2024-12743, has been discovered in the plugin that allows attackers to exploit Stored Cross-Site Scripting (XSS), leading to a potential account takeover and backdoor creation. This vulnerability affects users with editor-level privileges and can be triggered through the plugin’s form-building interface.

Plugin Security Certification (PSC-2025-64568): “JetBackup” – Version 3.1.7.9: Use Backups with Enhanced Security

In the realm of WordPress site management, backup integrity and security are non-negotiable. Whether you’re running a small blog or a full-fledged eCommerce platform, one of the most crucial components of your WordPress infrastructure is a reliable and secure backup solution. That’s where JetBackup shines — a powerful, comprehensive plugin designed to perform backups, restorations, migrations, and cloning with simplicity, efficiency, and now — certified security.

As of version 3.1.7.9, JetBackup has officially passed the Plugin Security Certification (PSC-2025-64568) issued by CleanTalk, confirming that its codebase adheres to strict security and coding standards. This certification provides peace of mind for site owners and administrators, verifying that JetBackup doesn’t just offer robust functionality — it does so safely and responsibly.

Whether you’re downloading a local copy, uploading backups to the cloud, or performing emergency restorations, JetBackup ensures every operation is executed with integrity, transparency, and security at its core.