CVE-2024-8536 – Ultimate Blocks – Stored XSS to Admin Account Creation – POC

CVE-2024-8536 presents a serious security risk in the Ultimate Blocks plugin, used by over 70,000 WordPress sites to enhance post content with custom blocks. This vulnerability allows attackers, specifically users with contributor-level access, to inject malicious JavaScript (JS) into a new post using the plugin’s “Expand” block feature. If exploited, this can lead to admin account creation and full site takeover, putting the entire WordPress installation at risk.

CVE-2024-7133 – My Sticky Bar (myStickymenu) – Stored XSS to JS Backdoor Creation – POC

CVE-2024-7133 reveals a critical vulnerability in the My Sticky Bar (myStickymenu) WordPress plugin, which has over 100,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious JavaScript (JS) code through the plugin’s settings. Once exploited, the attacker can take over administrator accounts, create persistent backdoors, and control the entire WordPress site. The issue arises due to improper sanitization of user input, specifically in the “Font size” field when creating a sticky bar.

Plugin Security Certification (PSC-2024-64528): “SiteOrigin CSS” – Version 1.6.4: Use CSS with Enhanced Security

SiteOrigin CSS is an advanced, feature-rich CSS editor that empowers WordPress users to customize their website’s design in real time, without needing to master complex coding. Trusted by thousands of users, this powerful plugin simplifies the process of modifying the visual aspects of your WordPress site, offering ease of use for both beginners and advanced users. With Plugin Security Certification (PSC-2024-64528) by CleanTalk, you can now confidently use SiteOrigin CSS with the assurance of enhanced security and protection against vulnerabilities.

CVE-2024-6887 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC

CVE-2024-6887 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Giveaways and Contests by RafflePress plugin, used by over 30,000 WordPress installations to run giveaways and contests. This vulnerability allows attackers to inject malicious JavaScript (JS) through the plugin’s settings. The attack can be initiated by users with editor-level access, resulting in account takeover, backdoor creation, and potentially long-term control over the affected WordPress site. The flaw resides in the plugin’s failure to properly sanitize inputs, particularly in the “Button color” field.

CVE-2024-7761 – Simple Job Board – Stored XSS to JS Backdoor Creation – POC

CVE-2024-7761 exposes a critical flaw in the Simple Job Board plugin, which has over 40,000 installations and is widely used by WordPress sites to manage job listings and applications. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw that lets attackers inject malicious JavaScript code. When that code executes, it can lead to account takeover, backdoor creation, and potentially long-term control over the site. The vulnerability stems from insufficient input validation, particularly in the plugin’s widget settings, making it an appealing target for attackers.

CVE-2024-3899 – Envira Gallery – Stored XSS to Admin Account Creation (Contributor+) – POC

CVE-2024-3899 is a severe vulnerability found in the Envira Gallery plugin, a popular WordPress plugin used by over 100,000 websites to create image galleries. This vulnerability allows contributors (or users with higher privileges) to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript code in the “Title” field of image settings. When exploited, this flaw can lead to the creation of unauthorized admin accounts, giving attackers complete control over the website.

CVE-2024-5561 – Popup Maker – Stored XSS to backdoor creation – POC

CVE-2024-5561 highlights a critical flaw in the Popup Maker plugin, a popular WordPress plugin used by over 700,000 websites to create and manage popups. This vulnerability allows attackers to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript (JS) code. Exploited by someone with editor-level permissions, this flaw can result in complete account takeover and the creation of backdoors, leading to long-term control over the compromised WordPress site.

CVE-2024-7315 – Migration, Backup, Staging – WPvivid – Unauth Sensitive Data Exposure and Database password leak – POC

A critical vulnerability, designated as CVE-2024-7315, has been discovered in the WPvivid plugin, widely used for migration, backup, and staging in WordPress with over 500,000 installations. This flaw exposes highly sensitive data, including database passwords and site configuration details, through a specific directory (./wp-content/wpvividbackups/wpvivid_log/). If left unpatched, the vulnerability can lead to complete site compromise through brute force attacks on password hashes or direct access to sensitive information.

Plugin Security Certification (PSC-2024-64527): “Security & Malware scan by CleanTalk” – Version 2.164: Enhanced Protection from ALL

The Security & Malware Scan by CleanTalk plugin (version 2.164) has received the prestigious Plugin Security Certification (PSC) from CleanTalk. This powerful plugin provides comprehensive protection to WordPress websites by scanning for malware, blocking brute-force attacks, filtering unwanted traffic, and protecting your site from online threats. CleanTalk ensures that your website remains secure, fast, and fully optimized by combining a robust set of features to stop malicious attacks before they happen.

CVE-2024-6889 – Secure Copy Content Protection and Content Locking – Stored XSS to Backdoor Creation – POC

CVE-2024-6889 exposes a serious vulnerability in the Secure Copy Content Protection and Content Locking plugin, a tool used to prevent unauthorized content copying and to add protection measures on WordPress websites. With this vulnerability, attackers can leverage Stored Cross-Site Scripting (XSS) to inject malicious scripts and create backdoors, leading to full account takeover. The flaw allows editors to inject harmful JavaScript (JS) code into the plugin’s settings, potentially compromising the entire WordPress site.