In the ever-evolving landscape of web security, vulnerabilities in popular plugins can have widespread and severe consequences. A recent vulnerability, identified as CVE-2024-4057, has been discovered in the Gutenberg Blocks by Kadence Blocks plugin, a widely used tool with over 400,000 active installations. This critical-high vulnerability allows attackers to execute Stored Cross-Site Scripting (XSS) attacks, leading to admin account creation and potentially compromising the entire website.
CVE-2024-2220 – Button contact VR – Stored XSS to JS backdoor creation – POC
In today’s digital age, security vulnerabilities in web applications can lead to severe consequences, including unauthorized access, data breaches, and loss of trust. One such critical vulnerability class is the Stored Cross-Site Scripting (XSS) attack. This article explores a newly discovered Stored XSS vulnerability in the “Button Contact VR” WordPress plugin, identified as CVE-2024-2220. This flaw can allow attackers to embed malicious scripts, creating backdoors for account takeover and posing significant risks to website integrity and user data. (If an attacker has previously hijacked an administrator or editor account, they can plant a backdoor to regain access later.)
Plugin Security Certification: “Statify” – Version 1.8.4: Check Visitor Statistics with Enhanced Security
Version 1.8.4 of the Statify plugin offers a secure and efficient solution for tracking visitor statistics on your WordPress site. With a focus on privacy compliance and transparent data handling, Statify provides valuable insights without compromising user privacy or security.
CVE-2024-4372 – Carousel Slider – Stored XSS to JS backdoor creation – POC
In a recent security assessment, a critical vulnerability, CVE-2024-4372, was discovered within the Carousel Slider WordPress plugin. This flaw exposes sites to an alarming risk of Stored Cross-Site Scripting (XSS), paving the way for unauthorized access and potential website compromise. (If an attacker has previously hijacked an administrator or editor account, they can plant a backdoor to regain access later.)
CVE-2024-2189 – Social Icons Widget & Block – Stored XSS to JS backdoor creation – POC
A critical security vulnerability, CVE-2024-2189, has been identified in the Social Icons Widget & Block WordPress plugin, which has over 100k installations. This vulnerability exposes websites to the risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to account takeover and compromising website integrity. (If an attacker has previously hijacked an administrator or editor account, they can plant a backdoor to regain access later.)
CVE-2024-2744 – NextGEN Gallery – Stored XSS to JS backdoor creation – POC
A critical vulnerability, CVE-2024-2744, has been discovered in NextGEN Gallery, a popular WordPress plugin with over 500,000 installations. This flaw exposes websites to the risk of Stored XSS attacks, potentially leading to account takeover and compromising website integrity. (If an attacker has previously hijacked an administrator or editor account, they can plant a backdoor to regain access later.)
CVE-2024-3548 – Shortcodes Ultimate – Stored XSS to Admin Account Creation (Contributor+) Critical-High – POC
A critical vulnerability has emerged in Shortcodes Ultimate: CVE-2024-3548. With over 600k installations, this flaw poses a significant threat to WordPress sites. Let’s delve into the details of this Stored XSS vulnerability and its potential repercussions.
CVE-2024-3241 – Ultimate Blocks – Stored XSS to Admin Account Creation (Contributor+) – POC
WordPress users beware! CVE-2024-3241 looms over Ultimate Blocks, exposing a Stored XSS vulnerability that enables admin account creation. This threat, originating from a seemingly harmless plugin, demands immediate attention to safeguard your website’s integrity.
CVE-2024-3368 – All in One SEO – Stored XSS to Admin Account Creation (Contributor+) Critical-High – POC
A critical security flaw, tracked as CVE-2024-3368, has been discovered in the widely used WordPress plugin All in One SEO, which has more than 3 million installations. This vulnerability poses a significant threat, allowing attackers to execute malicious code through Stored Cross-Site Scripting (XSS) attacks, potentially enabling a contributor-level user to create admin accounts.
Plugin Security Certification: “Smash Balloon Social Post Feed” – Version 4.2.4: Display Facebook posts with Enhanced Security
Enhance your WordPress site with a robust Facebook post display plugin that’s not only feature-rich but also prioritizes security. Smash Balloon Social Post Feed, now certified with the Plugin Security Certification (PSC) from CleanTalk, offers unparalleled customization options while maintaining top-notch security standards.