Author: Dmitrii I

The Salon Booking System plugin for WordPress is a widely-used tool that allows businesses to manage appointments and bookings online. However, a serious vulnerability, CVE-2024-9882, has been discovered that enables attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw allows attackers to inject malicious JavaScript code into the plugin’s service settings, leading to potential account takeover and the creation of a backdoor.

The Ditty plugin, designed for displaying custom feeds and lists of posts in WordPress, has been found to contain a critical vulnerability that allows an attacker to exploit a Stored Cross-Site Scripting (XSS) flaw. This vulnerability, identified as CVE-2024-9600, can be used by contributors to inject malicious JavaScript code into new posts, which upon interaction can lead to the creation of an admin account. With approximately 50,000 active installations, this vulnerability poses a serious risk to WordPress sites utilizing the Ditty plugin.

The Squirrly SEO plugin, a popular tool for search engine optimization in WordPress, has been found to harbor a critical vulnerability, CVE-2024-10515. This flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability through the plugin’s SEO settings. By embedding malicious JavaScript code into the “Meta Keywords” field in the SEO Snippet settings, attackers can execute arbitrary scripts, leading to account takeover and backdoor creation. With over 100,000 active installations, this vulnerability poses a serious risk to WordPress sites using the plugin.

The MailPoet plugin, widely used for newsletter management, email marketing, and automation in WordPress, has been found to contain a severe security vulnerability. This vulnerability, identified as CVE-2024-10103, allows an attacker to execute a Stored Cross-Site Scripting (XSS) attack through the “Custom HTML” block when creating a new form. The flaw grants the attacker the ability to embed malicious JavaScript code, leading to account takeover and backdoor creation. With over 700,000 active installations, this vulnerability poses a significant risk to WordPress sites that utilize the plugin.

The WP Booking Calendar plugin, widely utilized for managing appointments and bookings on WordPress sites, has been found to contain a critical security vulnerability. This flaw allows attackers to exploit the widget feature through a Stored Cross-Site Scripting (XSS) attack, ultimately leading to account takeover and the creation of backdoors. As the plugin boasts approximately 50,000 installations, it is vital for users to understand the implications of this vulnerability and take necessary precautions.

CVE-2024-7879 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the WP-ULike plugin, a popular WordPress plugin with over 100,000 active installations used for tracking user reactions. This flaw allows attackers with editor-level permissions to inject malicious JavaScript into the

CVE-2024-5578 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Table of Contents Plus plugin, widely used in WordPress for creating table of contents sections within posts and pages. With over 300,000 installations, this plugin is a valuable tool for content-heavy websites. However, this vulnerability allows attackers to embed malicious JavaScript code within the plugin’s settings, specifically in the “Hide text” field. If exploited, this vulnerability can lead to backdoor creation, admin account takeover, and long-term control of the WordPress site.

CVE-2024-9883 uncovers a critical vulnerability in the Pods – Custom Content Types and Fields plugin, a popular WordPress plugin with over 100,000 active installations. This vulnerability enables attackers with editor-level permissions to inject malicious JavaScript (JS) into the plugin’s settings, allowing them to create backdoors and perform admin account takeovers. The vulnerability is due to insufficient sanitization within the “Heading HTML tag” setting of custom content fields.

CVE-2024-9233 is a newly discovered vulnerability in the GS Logo Slider plugin, which is installed on over 50,000 WordPress sites. This vulnerability exposes the plugin to Cross-Site Request Forgery (CSRF) attacks, enabling unauthorized users to manipulate plugin settings on behalf of an authenticated user without their consent. Exploiting this vulnerability can result in unwanted changes to the plugin’s configuration, potentially impacting site functionality and security.

CVE-2024-8670 reveals a critical Stored Cross-Site Scripting (XSS) vulnerability in the Photo Gallery by 10Web plugin, a popular WordPress plugin with over 200,000 installations. This vulnerability allows contributors or editors to inject malicious JavaScript (JS) into the gallery settings, specifically in the “Title” field. Exploiting this vulnerability can lead to admin account hijacking, persistent backdoor creation, and potential long-term control of the WordPress site.