The “Easy Table of Contents” plugin, version 2.0.69.1, has earned the prestigious Plugin Security Certification (PSC) from CleanTalk. This certification affirms that the plugin meets stringent security standards, ensuring the safety of users while providing enhanced functionality for managing table of contents on WordPress sites. With its wide range of features and user-friendly interface, the plugin is trusted for creating a fully automatic table of contents (TOC) based on page content. Now, it also stands out for its secure code practices, safeguarding websites from potential vulnerabilities.
CVE-2024-7132 – CoBlocks – Stored XSS to Admin Account Creation – POC
CVE-2024-7132 exposes a critical flaw in the CoBlocks plugin, a widely used WordPress extension with over 400,000 installations. This Stored XSS vulnerability can be exploited by contributors to embed malicious JavaScript code within posts, leading to unauthorized actions, including the creation of admin accounts. The vulnerability highlights the significant security risks associated with improper input validation in WordPress plugins, particularly in environments where user roles and permissions are not tightly controlled.
CVE-2024-5417 – Gutentor – Stored XSS to Admin Account Creation – POC
CVE-2024-5417 reveals a critical security flaw in the Gutentor plugin, a popular WordPress page builder with over 50,000 installations. This Stored Cross-Site Scripting (XSS) vulnerability enables attackers to inject malicious JavaScript code by exploiting the block embedding process in new posts. The severity of the issue lies in the fact that this vulnerability can be leveraged by a contributor to escalate privileges and create an unauthorized admin account, resulting in full control of the website.
CVE-2024-3282 – WP Table Builder – Stored XSS to backdoor creation – POC
The recently discovered vulnerability in WP Table Builder, tracked as CVE-2024-3282, exposes over 60,000 websites to serious risks. This Stored Cross-Site Scripting (XSS) flaw allows attackers to inject malicious JavaScript through the plugin’s table block creation process, potentially resulting in the takeover of administrator accounts and the installation of backdoors. Due to inadequate input sanitization, an attacker can exploit this vulnerability to execute arbitrary code, compromising both website security and user data.
Plugin Security Certification (PSC-2024-64525): “Imagify – Optimize Images” – Version 2.2.2: Use Image Optimization with Enhanced Security
“Imagify – Optimize Images” version 2.2.2 has successfully achieved the Plugin Security Certification (PSC) from CleanTalk, marking it as a leader in secure image optimization for WordPress platforms.
CVE-2024-7082 – Easy Table of Contents – Stored XSS to backdoor creation – POC
A newly discovered vulnerability in the Easy Table of Contents WordPress plugin, designated as CVE-2024-7082, puts more than 500,000 sites at risk. This flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability, which could lead to account takeovers and the installation of backdoors within a WordPress environment. The vulnerability primarily occurs due to the plugin’s failure to properly sanitize user inputs, enabling malicious JavaScript (JS) code to be injected into the site’s widget settings. Once exploited, this flaw can result in the execution of malicious scripts by unsuspecting administrators, giving attackers the opportunity to manipulate or control the website.
CVE-2024-6335 – Tracking Code Manager – Stored XSS to backdoor creation – POC
A significant vulnerability has been discovered in the widely used Tracking Code Manager WordPress plugin, identified as CVE-2024-6335. With over 100,000 installations, this plugin has become a valuable tool for managing tracking scripts, but a serious security flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw enables attackers to embed malicious JavaScript (JS) code within the plugin, leading to account takeovers and potential backdoor creation. Improper sanitization of inputs is the primary cause of this vulnerability, putting numerous WordPress sites at risk of exploitation.
CVE-2024-6158 – Category Posts Widget (Free and PRO) – Stored XSS to backdoor creation – POC
CVE-2024-6884 highlights a critical vulnerability in the popular Category Posts Widget plugin, which is available in both Free and PRO versions. With over 50,000 active installations, this plugin is widely used to enhance content display in WordPress sites by allowing the customization of category-based posts through widgets. However, during a routine security audit, researchers discovered a severe stored XSS vulnerability that could lead to account takeovers and even the creation of backdoors, especially when exploited by users with certain privileges.
Major signs of Malware on an infected WordPress site
Hi guys, I’d like to share some significant signals that indicate an infection on a WordPress site. This data has been collected by our research team at CleanTalk. The team reviews up to 10k files weekly as well as we
Plugin Security Certification (PSC-2024-64524): “Events Manager” – Version 6.5.2: Use Events Functions with Enhanced Security
The plugin is meticulously engineered to deliver reliability, scalability, and secure handling of user data. Recently, Events Manager has successfully undergone a rigorous security audit, earning the prestigious Plugin Security Certification (PSC) from CleanTalk, further solidifying its reputation as a secure solution for managing events on WordPress.