Author: Dmitrii I

Calculated Fields Form is a versatile WordPress plugin that lets users design dynamic forms with live calculations, sliders, and conditional logic. With more than 60,000 active installations, it powers everything from loan calculators to interactive quizzes. However, a severe security flaw—CVE-2024-13381—has been discovered in the plugin’s Slider block configuration. This vulnerability allows an editor to inject persistent JavaScript into form captions, which executes whenever the form is previewed, creating an avenue for backdoor creation and full administrative takeover.

Sure Forms is a popular WordPress plugin with over 200,000 active installations, enabling site owners to create custom contact forms, surveys, and interactive interfaces. While robust in features and ease of use, a critical vulnerability—CVE-2025-5921—has been discovered that permits unauthenticated visitors to execute Cross‑Site Scripting (XSS). By crafting a special URL parameter, attackers can embed JavaScript into a public form field, triggering scripts in an administrator’s browser and forging a path to a persistent backdoor or account takeover.

Form Maker by 10Web is a popular WordPress plugin that enables site owners to build custom forms with drag-and-drop ease. Boasting over 50,000 active installations, it powers everything from simple contact forms to complex multi-step surveys. Despite its robust feature set, including advanced validation and styling options, the plugin contains a critical security flaw—CVE-2024-6130—that allows an editor to inject malicious JavaScript via the form field “classname” attribute. Once stored, this payload executes whenever the form is rendered, enabling account takeover, backdoor installation, and broader site compromise.

The Newsletter plugin is a cornerstone of email marketing for WordPress, with over 300,000 active installations. It allows site owners to embed subscription forms via shortcodes and widgets, manage subscriber lists, and send targeted campaigns. Yet, a critical security flaw—CVE-2025-3581—has been discovered within its widget configuration. This vulnerability permits a user with Editor privileges to inject malicious JavaScript into the widget’s Title field. As a result, any visitor or administrator viewing the widget on the frontend will execute the stored script, potentially establishing a persistent backdoor and complete site compromise.

The Newsletter plugin remains one of the most installed WordPress subscription solutions, with over 300,000 installations powering email campaigns and subscription forms worldwide. Despite its robust feature set—such as drag-and-drop form creation and subscriber management—a severe security flaw has been identified: CVE-2025-3582. This vulnerability allows a user with Editor-level privileges to inject persistent JavaScript into the form configuration itself. Once embedded, the malicious code will execute in any administrator’s or visitor’s browser when they view the affected form, providing attackers with a potent avenue to create backdoors and take over accounts.

The Newsletter plugin for WordPress, with over 300,000 active installations, is widely adopted for managing subscriptions, creating automated campaigns, and personalizing subscriber experiences. However, a severe security flaw—CVE-2025-3584—has been discovered in the plugin’s subscription settings, specifically in its “Welcome page content” feature. This vulnerability allows users with Editor privileges to inject malicious JavaScript into the global “Welcome page” template. When unsuspecting visitors or administrators land on any post or page displaying the Welcome content, the injected script executes, opening the door to full account takeover via a persistent backdoor.

Ninja Forms is a leading WordPress plugin enabling site owners to build advanced forms without coding, with over 700,000 active installations. Despite its popularity and feature richness, a critical vulnerability—CVE-2025-2560—was discovered, allowing users with Editor-level privileges to inject persistent JavaScript into form configurations. This stored XSS can escalate to a full account takeover backdoor, jeopardizing the security of any site using Ninja Forms.

Ninja Forms is one of the most widely used WordPress plugins for creating contact forms with over 700,000 active installations. Its user-friendly drag-and-drop interface makes it a favorite among both developers and non-technical users. However, in the process of a routine plugin security audit, we discovered a critical vulnerability that permits Stored Cross-Site Scripting (XSS), allowing a contributor or editor to inject malicious JavaScript and potentially establish a persistent backdoor, leading to complete account takeover.

WordPress plugins play a vital role in extending the platform’s capabilities, yet they are frequently a weak point in site security. One such case is the Kali Forms plugin, a drag-and-drop form builder currently active on over 30,000 installations. A critical vulnerability, now assigned CVE-2025-3201, was discovered in the plugin that permits users with only Contributor-level privileges to inject and store malicious JavaScript. This XSS payload can be used to hijack administrator sessions, ultimately leading to the creation of rogue admin accounts and full site compromise.

The WordPress ecosystem is vast, with thousands of plugins extending its core functionality. However, the flexibility of these plugins can come at the cost of security if developers don’t adhere to strict input sanitization and output escaping practices. One such vulnerability was discovered in the popular Newsletter plugin, which is installed on over 300,000 websites. The issue, now identified as CVE-2025-3583, allows for Stored Cross-Site Scripting (XSS) that can be weaponized into a JavaScript backdoor, enabling attackers to hijack administrator accounts and compromise the entire site.