CVE-2024-10027 – WP Booking Calendar – Stored XSS to Backdoor Creation in Widget – POC

The WP Booking Calendar plugin, used on roughly 50,000 WordPress sites to manage appointments and bookings, contains a Stored Cross-Site Scripting (XSS) vulnerability in its widget feature. Script injected there is saved by the site and later executes in the browser of any privileged user who views the page that renders it; because it then runs with that user's session, a stored XSS of this kind escalates to administrator account takeover and the creation of backdoors. Site owners should understand this chain and take the necessary precautions.

CVE-2024-5578 – Table of Contents Plus – Stored XSS to Backdoor Creation – POC

CVE-2024-5578 is a Stored Cross-Site Scripting (XSS) vulnerability in the Table of Contents Plus plugin, which over 300,000 WordPress sites use to generate table-of-contents sections in posts and pages. Malicious JavaScript saved in the plugin's settings, specifically the "Hide text" field, is stored by the site and runs whenever a page that renders that field is viewed, including by an administrator. Since the script executes with the viewing user's session, exploitation can lead to backdoor creation, administrator account takeover, and long-term control of the WordPress site.

CVE-2024-9883 – Pods – Custom Content Types and Fields – Stored XSS to Backdoor Creation – POC

CVE-2024-9883 is a Stored Cross-Site Scripting (XSS) vulnerability in the Pods – Custom Content Types and Fields plugin, a WordPress plugin with over 100,000 active installations. The "Heading HTML tag" setting of custom content fields is not sufficiently sanitized, so a user with editor-level permissions can store malicious JavaScript in it. When an administrator later views the page that renders the setting, the script runs in the administrator's session, which allows backdoor creation and admin account takeover.

CVE-2024-9233 – GS Logo Slider – Unauth Settings Update via Cross-Site Request Forgery (CSRF) – POC

CVE-2024-9233 is a Cross-Site Request Forgery (CSRF) vulnerability in the GS Logo Slider plugin, which is installed on over 50,000 WordPress sites. The plugin's settings-update handler does not verify that the request originates from a form the user actually submitted (in WordPress this is normally done with a nonce check), so an attacker who lures an authenticated administrator to a crafted page can have the administrator's browser submit a forged settings update, without the attacker being authenticated and without the administrator's consent. Exploitation results in unwanted changes to the plugin's configuration, which can affect site functionality and security.
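As an added illustration, and not the GS Logo Slider plugin's own code, the following hypothetical WordPress settings handler shows the pattern that makes a settings update forgeable next to the hardened form that uses WordPress's capability and nonce checks. The option name `slider_settings`, the action `slider_save_settings`, the field names and the function names are assumptions for the example; the code only runs inside a WordPress plugin because it uses WordPress core functions.

```php
<?php
// Added example: a hypothetical WordPress plugin settings handler, not the
// GS Logo Slider plugin's code. Option name, action, fields and function
// names are assumed. Runs inside WordPress (the functions used are WP core).

// --- CSRF-prone handler: every POST reaching admin-post.php?action=... is
// trusted. If a logged-in administrator visits an attacker-controlled page
// that auto-submits a form to this endpoint, the browser attaches the
// admin's cookies and the settings change without the admin intending it.
function slider_save_settings_vulnerable() {
    $settings = array(
        'slides_per_view' => (int) $_POST['slides_per_view'],
        'slider_title'    => $_POST['slider_title'],
    );
    update_option( 'slider_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=slider-settings' ) );
    exit;
}

// --- Hardened handler: capability check plus a nonce bound to this action.
function slider_save_settings_hardened() {
    // 1. Only users allowed to change options may reach the write path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. The nonce proves the request came from a form this user rendered;
    //    a page on another origin cannot read it. check_admin_referer()
    //    stops execution with an "Are you sure?" page when it does not match.
    check_admin_referer( 'slider_save_settings', 'slider_nonce' );

    // 3. Sanitize each field to the type it is meant to hold before saving.
    $settings = array(
        'slides_per_view' => max( 1, absint( $_POST['slides_per_view'] ?? 1 ) ),
        'slider_title'    => sanitize_text_field( wp_unslash( $_POST['slider_title'] ?? '' ) ),
    );
    update_option( 'slider_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=slider-settings' ) );
    exit;
}
// Only the hardened handler is wired to admin-post.php.
add_action( 'admin_post_slider_save_settings', 'slider_save_settings_hardened' );

// --- The settings form must emit the nonce the handler expects. Stored
// values are escaped for their output context so they cannot inject markup.
function slider_render_settings_form() {
    $settings = get_option( 'slider_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="slider_save_settings">
        <?php wp_nonce_field( 'slider_save_settings', 'slider_nonce' ); ?>
        <label>Slides per view
            <input type="number" name="slides_per_view" min="1"
                   value="<?php echo esc_attr( $settings['slides_per_view'] ?? 1 ); ?>">
        </label>
        <label>Slider title
            <input type="text" name="slider_title"
                   value="<?php echo esc_attr( $settings['slider_title'] ?? '' ); ?>">
        </label>
        <?php submit_button( 'Save settings' ); ?>
    </form>
    <?php
}
```

The nonce is the control that distinguishes a request the administrator submitted from one a foreign page forged: the attacker's page cannot read the value `wp_nonce_field()` printed into the admin's form, so `check_admin_referer()` rejects the forged POST. The capability check is a separate control and does not stop CSRF on its own, because the forged request is made by an administrator's browser.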

CVE-2024-8670 – Photo Gallery by 10Web – Stored XSS to Backdoor Creation – POC

CVE-2024-8670 is a Stored Cross-Site Scripting (XSS) vulnerability in the Photo Gallery by 10Web plugin, a WordPress plugin with over 200,000 installations. A user with contributor or editor access can inject malicious JavaScript into the gallery settings, specifically the "Title" field. The payload is stored and executes in the browser of an administrator who views the affected gallery, which can lead to admin account hijacking, persistent backdoor creation, and long-term control of the WordPress site.

CVE-2024-8542 – Everest Forms – Stored XSS to Backdoor Creation – POC

CVE-2024-8542 is a Stored Cross-Site Scripting (XSS) vulnerability in the Everest Forms plugin, which over 100,000 WordPress sites use to build forms. A user with contributor or editor access can inject malicious JavaScript into a form's settings, specifically the "No field" of the YES/NO block. Once an administrator views the form where the payload is rendered, the script runs with the administrator's session and can lead to admin account takeover, the creation of backdoors, and long-term control of the WordPress site.

CVE-2024-8284 – Download Manager – Stored XSS to Backdoor Creation – POC

CVE-2024-8284 is a Stored Cross-Site Scripting (XSS) vulnerability in the Download Manager plugin, which over 100,000 WordPress sites use to manage and protect downloadable files. A user with editor-level permissions can inject malicious JavaScript into the plugin's settings, specifically the "Login Required Message" field. When an administrator views a page that renders the message, the stored script executes in the administrator's session and can result in backdoor creation, admin account takeover, and long-term control of the WordPress site.

CVE-2024-5968 – Photo Gallery by 10Web – Stored XSS to Backdoor Creation – POC

CVE-2024-5968 is a Stored Cross-Site Scripting (XSS) vulnerability in the Photo Gallery by 10Web plugin, which has over 200,000 active installations. An attacker can store malicious JavaScript in the plugin's settings; the payload later executes in the browser of an administrator who views the affected settings, allowing admin account takeover, backdoor creation, and potentially long-term control over the WordPress site.

CVE-2024-5429 – Logo Slider Free – Stored XSS to Admin Account Creation – POC

CVE-2024-5429 is a Stored Cross-Site Scripting (XSS) vulnerability in the Logo Slider Free plugin, which over 30,000 WordPress sites use to build logo sliders. A user with contributor-level access can inject malicious JavaScript into the plugin's settings, specifically the "Brand Name" field. The stored payload executes when an administrator views the page that renders it, which can lead to admin account takeover and the creation of persistent backdoors, compromising the entire WordPress site.
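The stored XSS entries on this page share one root cause: a value saved by a lower-privileged user is later written into an administrator-facing page without escaping for its output context. The following PHP is an added example, not code from any of the plugins listed above; it renders a hypothetical "brand name" setting first unsafely and then with output escaping, and shows the matching input-side sanitizer. The function names, the stored value and the constant `DEMO_STORED_BRAND` are constructed for the example. When the file is loaded outside WordPress it defines minimal stand-ins for `esc_html()`, `esc_attr()`, `sanitize_text_field()` and `wp_unslash()` (approximations of the WordPress functions, marked as such) so it can be run with `php` on the command line; inside WordPress the real core functions are used.

```php
<?php
// Added example: a hypothetical plugin setting rendered into an admin page.
// Not code from any plugin listed on this page; names and values are assumed.

// Minimal stand-ins so the file runs with plain `php` outside WordPress.
// Inside WordPress the real core functions already exist and are used instead.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return is_array( $value ) ? array_map( 'wp_unslash', $value ) : stripslashes( (string) $value );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Approximation of the WordPress behaviour: drop tags, collapse whitespace.
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        return trim( preg_replace( '/[\r\n\t ]+/', ' ', $str ) );
    }
}

// Constructed stored value: what lands in the database when the save path
// keeps raw input. The markup survives unchanged until something renders it.
const DEMO_STORED_BRAND = 'Acme <img src=x onerror="alert(document.cookie)">';

// Vulnerable rendering: the stored string is concatenated straight into HTML.
// The browser of every administrator who opens this page parses the <img>
// and runs its handler with the administrator's session, which is the step
// that turns a stored XSS into admin account takeover.
function brand_row_vulnerable( $brand ) {
    return '<tr><td>' . $brand . '</td>'
         . '<td><input type="text" name="brand" value="' . $brand . '"></td></tr>';
}

// Hardened rendering: escape for the exact output context. esc_html() for
// text nodes, esc_attr() for attribute values (esc_url() for href/src, not
// shown here). Output escaping keeps stored markup inert even when an input
// filter was bypassed or the value was written by a different code path.
function brand_row_hardened( $brand ) {
    return '<tr><td>' . esc_html( $brand ) . '</td>'
         . '<td><input type="text" name="brand" value="' . esc_attr( $brand ) . '"></td></tr>';
}

// Input side: keep the field to what it is supposed to hold. A brand name is
// plain text, so tags are stripped; a field that legitimately carries limited
// HTML should go through wp_kses() with an explicit allow-list instead.
function sanitize_brand_on_save( $raw ) {
    return sanitize_text_field( wp_unslash( $raw ) );
}

// Stand-alone demonstration (skipped when the file is loaded by WordPress).
if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    echo 'vulnerable: ' . brand_row_vulnerable( DEMO_STORED_BRAND ) . PHP_EOL;
    echo 'hardened:   ' . brand_row_hardened( DEMO_STORED_BRAND ) . PHP_EOL;
    echo 'sanitized:  ' . sanitize_brand_on_save( DEMO_STORED_BRAND ) . PHP_EOL;
    // Confirms the hardened output carries no raw '<img' tag, only escaped text.
    var_dump( strpos( brand_row_hardened( DEMO_STORED_BRAND ), '<img' ) === false );
}
```

Both controls matter, and output escaping is the one that cannot be skipped: input sanitization protects the specific save path it is attached to, while escaping at render time protects every reader of the stored value regardless of how it got into the database, which is why the hardened row stays inert even when fed the raw constructed payload.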