CVE-2024-10560 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

Form Maker by 10Web is a popular WordPress plugin that allows users to create custom forms for their websites. With over 50,000 active installations, it’s used widely for collecting data, including user registrations, feedback, and other forms of submission. However, a critical vulnerability, CVE-2024-10560, has been discovered within the plugin. This stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject and execute malicious JavaScript in a form’s description field. Once this script is executed, it enables attackers to gain control over the site by creating backdoors, potentially escalating privileges to admin-level access.

CVE-2024-10565 – Slider by 10Web – Stored XSS to JS Backdoor Creation – POC

The Slider by 10Web plugin is a widely used WordPress tool designed to create visually engaging image sliders. With over 30,000 active installations, this plugin provides an easy way for users to display images, video, and content in a slideshow format. While the plugin offers many beneficial features, a critical vulnerability, CVE-2024-10565, has been discovered that allows attackers to exploit stored Cross-Site Scripting (XSS) within the plugin’s settings. This vulnerability enables attackers to inject malicious JavaScript into a website, which could result in the creation of a backdoor, allowing unauthorized access to the site’s admin functions.

CVE-2024-10144 – Photo Gallery, Images, Slider in Rbs Image Gallery – Stored XSS to Admin Creation (Contributor+) – POC

The Photo Gallery, Images, Slider in Rbs Image Gallery plugin is a widely used tool for managing and displaying galleries, sliders, and images within WordPress websites. This plugin offers a variety of features to enhance the visual experience of WordPress sites, with over 50,000 active installations. However, a critical security vulnerability—CVE-2024-10144—has been discovered, allowing attackers to inject malicious JavaScript (JS) code. This vulnerability enables attackers to escalate their privileges, resulting in the potential creation of an admin account through a stored XSS attack. This vulnerability exposes sites to a range of malicious activities, including unauthorized access and potential data breaches.

CVE-2024-10107 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC

The Giveaways and Contests by RafflePress plugin is a popular tool used by WordPress site owners to manage and run contests, sweepstakes, and giveaways. With over 30,000 active installations, it allows users to boost engagement and traffic by offering incentives to participants. However, a critical vulnerability, CVE-2024-10107, was discovered during testing, which exposes the plugin to a Stored Cross-Site Scripting (XSS) attack. This vulnerability allows malicious actors to inject and execute JavaScript code, enabling them to potentially gain unauthorized access to the site and create backdoors that could compromise the entire platform.

CVE-2025-1203 – Meta Slider – Stored XSS to Backdoor Creation – POC

Meta Slider is a widely used WordPress plugin that helps users create image sliders, carousels, and other content displays. With over 600,000 installations, the plugin is a popular choice among developers and website owners for its ease of use and flexibility. However, a serious security flaw—CVE-2025-1203—has been discovered in Meta Slider, which allows malicious users to inject and execute JavaScript through a Stored Cross-Site Scripting (XSS) attack. This vulnerability enables attackers to potentially create backdoors on WordPress sites, leading to full administrative control of the site.

CVE-2025-1062 – Meta Slider – Stored XSS to Backdoor Creation – POC

Meta Slider is one of the most popular WordPress plugins used to create responsive image sliders. It offers flexibility and customization options to enhance the visual appeal of websites. However, a critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-1062) has been discovered in the plugin. This vulnerability allows attackers with editor privileges to inject malicious JavaScript into the plugin’s slider settings. By exploiting this flaw, an attacker can gain unauthorized access to a WordPress site, potentially compromising it completely. The plugin has over 600k installs, making this a widespread security risk for many WordPress-powered websites.

CVE-2025-1446 – Pods – Custom Content Types and Fields – SQL Injection – POC

Pods is a powerful plugin for WordPress that allows users to create and manage custom post types, fields, and taxonomies. This plugin is widely used for extending WordPress’s native functionality and creating custom content types to suit different needs. However, a severe SQL Injection vulnerability (CVE-2025-1446) has been discovered in the Pods plugin. This vulnerability allows an attacker to inject malicious SQL queries via user input, potentially leading to unauthorized access to the WordPress database. If exploited, this flaw could result in data leakage, manipulation, or even full administrative control over the site.

CVE-2024-13382 – Calculated Fields Form – Stored XSS to JS Backdoor Creation – POC

Calculated Fields Form is a WordPress plugin that enables users to create custom forms with calculated fields, ideal for forms that require mathematical calculations such as price estimators, financial forms, and surveys. While the plugin offers a lot of flexibility and customization options, it also contains a critical vulnerability (CVE-2024-13382). This vulnerability allows attackers to inject malicious JavaScript into form fields, which can then be executed by users interacting with the form. Exploiting this vulnerability can give attackers backdoor access, allowing them to perform actions such as account takeover and unauthorized administrative control of the website. The plugin has 50k+ installations, so the issue poses a serious security risk to many WordPress sites.