CVE-2024-8239 – Starbox – the Author Box for Humans – Stored XSS to Admin Creation – POC

CVE-2024-8239 – Starbox – the Author Box for Humans – Stored XSS to Admin Creation – POC

CVE-2024-8239 uncovers a serious Stored Cross-Site Scripting (XSS) vulnerability in the Starbox – The Author Box for Humans plugin, used by over 40,000 WordPress sites to display author profiles and bios. This vulnerability allows contributors to inject malicious JavaScript (JS) into their profile settings, specifically through the “Twitter URL” field, which can lead to admin account creation and backdoor access. If exploited, attackers can hijack the WordPress site’s admin functionality and maintain persistent control.

CVE-2024-8283 – Slider by 10Web – Stored XSS to Backdoor Creation – POC

CVE-2024-8283 – Slider by 10Web – Stored XSS to Backdoor Creation – POC

CVE-2024-8283 exposes a serious vulnerability in the Slider by 10Web plugin, a widely used WordPress plugin with over 30,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers, particularly users with contributor-level access, to inject malicious JavaScript (JS) code through the plugin’s slider settings. When exploited, this vulnerability enables attackers to take over admin accounts and create backdoors, allowing them to maintain long-term access to the site.

CVE-2024-3635 – The Post Grid – Stored XSS to Backdoor Creation – POC

CVE-2024-3635 – The Post Grid – Stored XSS to Backdoor Creation – POC

CVE-2024-3635 represents a critical Stored Cross-Site Scripting (XSS) vulnerability in The Post Grid plugin, a popular tool for creating custom grid layouts in WordPress. With over 100,000 installations, this vulnerability poses a serious threat as it allows attackers with editor-level permissions to inject malicious JavaScript (JS) code into grid settings. Once exploited, the vulnerability can lead to account takeover, enabling attackers to create persistent backdoors and take control of the WordPress site.

CVE-2024-8536 – Ultimate Blocks – Stored XSS to Admin Account Creation – POC

CVE-2024-8536 – Ultimate Blocks – Stored XSS to Admin Account Creation – POC

CVE-2024-8536 presents a serious security risk in the Ultimate Blocks plugin, used by over 70,000 WordPress sites to enhance post content with custom blocks. This vulnerability allows attackers, specifically users with contributor-level access, to inject malicious JavaScript (JS) into a new post using the plugin’s “Expand” block feature. If exploited, this can lead to admin account creation and full site takeover, putting the entire WordPress installation at risk.

CVE-2024-7133 – My Sticky Bar (myStickymenu) – Stored XSS to JS Backdoor Creation – POC

CVE-2024-7133 – My Sticky Bar (myStickymenu) – Stored XSS to JS Backdoor Creation – POC

CVE-2024-7133 reveals a critical vulnerability in the My Sticky Bar (myStickymenu) WordPress plugin, which has over 100,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious JavaScript (JS) code through the plugin’s settings. Once exploited, the attacker can take over administrator accounts, create persistent backdoors, and control the entire WordPress site. The issue arises due to improper sanitization of user input, specifically in the “Font size” field when creating a sticky bar.

Plugin Security Certification (PSC-2024-64528): “SiteOrigin CSS” – Version 1.5.11: Use CSS with Enhanced Security

Plugin Security Certification (PSC-2024-64528): “SiteOrigin CSS” – Version 1.5.11: Use CSS with Enhanced Security

SiteOrigin CSS is an advanced, feature-rich CSS editor that empowers WordPress users to customize their website’s design in real time, without needing to master complex coding. Trusted by thousands of users, this powerful plugin simplifies the process of modifying the visual aspects of your WordPress site, offering ease of use for both beginners and advanced users. With Plugin Security Certification (PSC-2024-64528) by CleanTalk, you can now confidently use SiteOrigin CSS with the assurance of enhanced security and protection against vulnerabilities.

CVE-2024-6887 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC

CVE-2024-6887 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC

CVE-2024-6887 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Giveaways and Contests by RafflePress plugin, used by over 30,000 WordPress installations to run giveaways and contests. This vulnerability allows attackers to inject malicious JavaScript (JS) through the plugin’s settings. The attack can be initiated by users with editor-level access, resulting in account takeover, backdoor creation, and potentially long-term control over the affected WordPress site. The flaw resides in the plugin’s failure to properly sanitize inputs, particularly in the “Button color” field.

CVE-2024-7761 – Simple Job Board – Stored XSS to JS Backdoor Creation – POC

CVE-2024-7761 – Simple Job Board – Stored XSS to JS Backdoor Creation – POC

CVE-2024-7761 exposes a critical flaw in the Simple Job Board plugin, widely used by WordPress sites to manage job listings and applications. With over 40,000 installations, this vulnerability allows attackers to exploit a Stored Cross-Site Scripting (XSS) flaw, enabling them to inject malicious JavaScript code. When executed, this can lead to account takeover, backdoor creation, and potentially long-term control over the site. The vulnerability stems from insufficient input validation, particularly in the plugin’s widget settings, making it an appealing target for attackers.

CVE-2024-3899 – Envira Gallery – Stored XSS to Admin Account Creation (Contributor+) – POC

CVE-2024-3899 – Envira Gallery – Stored XSS to Admin Account Creation (Contributor+) – POC

CVE-2024-3899 is a severe vulnerability found in the Envira Gallery plugin, a popular WordPress plugin used by over 100,000 websites to create image galleries. This vulnerability allows contributors (or users with higher privileges) to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript code in the “Title” field of image settings. When exploited, this flaw can lead to the creation of unauthorized admin accounts, giving attackers complete control over the website.

CVE-2024-5561 – Popup Maker – Stored XSS to backdoor creation – POC

CVE-2024-5561 – Popup Maker – Stored XSS to backdoor creation – POC

CVE-2024-5561 highlights a critical flaw in the Popup Maker plugin, a popular WordPress plugin used by over 700,000 websites to create and manage popups. This vulnerability allows attackers to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript (JS) code. Exploited by someone with editor-level permissions, this flaw can result in complete account takeover and the creation of backdoors, leading to long-term control over the compromised WordPress site.