Author: Dmitrii I

The WordPress ecosystem, with its massive collection of third-party plugins, remains a fertile ground for both innovation and security concerns. One such concern has emerged in the popular WP Maps plugin, which boasts over 80,000 active installations. This plugin, designed to help users create interactive maps on their websites, contains a critical vulnerability identified as CVE-2025-3502. The vulnerability allows for the execution of stored cross-site scripting (XSS) payloads, ultimately enabling the creation of JavaScript-based backdoors. This vulnerability is particularly concerning due to its low exploitation threshold and the fact that it can be triggered even by users with limited privileges, such as editors.

The Calculated Fields Form plugin is a widely adopted WordPress tool used for creating forms with dynamically calculated fields based on user input. With over 50,000 active installations, it powers various contact forms, booking interfaces, quote generators, and more. Despite its powerful features, a significant security vulnerability has been discovered: CVE-2024-12273, a Stored Cross-Site Scripting (XSS) flaw that can be leveraged by an attacker to inject persistent JavaScript code and deploy a full JavaScript-based backdoor. This allows account takeover and, in worst-case scenarios, full administrative compromise.

AI Autotagger (Taxo Press) is a popular plugin used in WordPress for automatically tagging posts and improving the content classification process. It helps users to efficiently manage taxonomies and tags across their site, saving time and improving content visibility. However, a critical vulnerability, CVE-2025-0627, was discovered in the plugin, which allows attackers to inject malicious scripts, enabling a backdoor creation that can lead to account takeover. This vulnerability is a stored Cross-Site Scripting (XSS) flaw that can be exploited by users with editor privileges.

The Category Posts Widget is a popular WordPress plugin that allows users to display posts from specified categories in a widget format. It is often used to enhance the user experience by providing dynamic content related to specific categories. However, a critical vulnerability has been discovered—CVE-2025-1453—that allows attackers to exploit stored XSS within the widget’s settings. This vulnerability enables attackers with editor-level permissions to inject malicious JavaScript, leading to potential backdoor creation and full account takeover.

Email Subscribers is a widely used plugin in WordPress, allowing users to manage email subscriptions, newsletters, and automated email campaigns. It is a valuable tool for website administrators looking to engage with their users via email marketing. However, CVE-2025-0671, a stored Cross-Site Scripting (XSS) vulnerability, has been discovered in the plugin that enables an attacker to inject malicious JavaScript into the site. This stored XSS vulnerability could lead to the creation of backdoors for attackers, potentially resulting in full site compromise, including admin account takeover.

Email Subscribers is a WordPress plugin designed to simplify the process of managing email subscriptions, newsletters, and automated email campaigns. With over 80,000 active installations, it is widely used by website administrators for email marketing and user engagement. However, a critical vulnerability, CVE-2024-11924, has been identified within the plugin that allows for the implementation of stored Cross-Site Scripting (XSS). This vulnerability enables an attacker with editor-level access to inject malicious JavaScript, leading to a potential backdoor creation and full admin account takeover.

MapPress Maps for WordPress is a widely used plugin for adding Google Maps to WordPress websites. It offers users the ability to create maps with custom markers, locations, and settings, providing an interactive experience for visitors. However, a critical vulnerability—CVE-2025-2162—has been discovered that allows attackers to inject malicious JavaScript into maps, leading to the creation of backdoors that can compromise admin accounts. This stored XSS vulnerability is particularly dangerous as it affects users with editor-level access, enabling attackers to escalate their privileges and potentially take over the site.

Form Maker by 10Web is a popular WordPress plugin designed to simplify the process of creating and managing forms. With over 50,000 active installations, it provides a versatile and user-friendly interface for adding various types of forms to WordPress websites. However, a critical vulnerability, CVE-2024-10680, has been discovered in the plugin that allows attackers to exploit stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious scripts, potentially giving them access to admin accounts and creating backdoors in the system.

MapPress Maps for WordPress is a popular plugin used to create and manage maps on WordPress sites. It allows users to easily embed maps and display locations using the Google Maps API. With over 50,000 active installations, it is a widely trusted tool for website owners looking to add interactive maps to their pages. However, a critical vulnerability—CVE-2025-2055—has been discovered in the plugin that allows an attacker to exploit stored Cross-Site Scripting (XSS), which could lead to account takeover and privilege escalation, potentially giving an attacker admin access. This issue is particularly concerning for websites that use MapPress to display sensitive location-based data.

Ditty is a WordPress plugin used to display custom content in various formats such as lists, sliders, and tickers. With over 50,000 active installations, Ditty has become a widely used tool for WordPress users who wish to showcase dynamic, rotating content on their websites. However, a critical vulnerability, CVE-2024-13357, has been discovered that allows attackers to exploit the plugin’s functionality to execute a Stored Cross-Site Scripting (XSS) attack, which can lead to account takeover and backdoor creation. This vulnerability specifically affects users with Author+ roles, allowing them to escalate their privileges and create an admin account.