CVE-2024-7315 – Migration, Backup, Staging – WPvivid – Unauth Sensitive Data Exposure and Database password leak – POC

CVE-2024-7315 – Migration, Backup, Staging – WPvivid – Unauth Sensitive Data Exposure and Database password leak – POC

A critical vulnerability, designated as CVE-2024-7315, has been discovered in the WPvivid plugin, widely used for migration, backup, and staging in WordPress with over 500,000 installations. This flaw exposes highly sensitive data, including database passwords and site configuration details, by exploiting a specific directory (./wp-content/wpvividbackups/wpvivid_log/). If left unpatched, the vulnerability can lead to complete site compromise through brute force attacks on password hashes or direct access to sensitive information.

Plugin Security Certification (PSC-2024-64527): “Security & Malware scan by CleanTalk” – Version 2.141: Enhanced Protection from ALL

Plugin Security Certification (PSC-2024-64527): “Security & Malware scan by CleanTalk” – Version 2.141: Enhanced Protection from ALL

The Security & Malware Scan by CleanTalk plugin (version 2.141) has received the prestigious Plugin Security Certification (PSC) from CleanTalk. This powerful plugin provides comprehensive protection to WordPress websites by scanning for malware, blocking brute-force attacks, filtering unwanted traffic, and protecting your site from online threats. CleanTalk ensures that your website remains secure, fast, and fully optimized by combining a robust set of features to stop malicious attacks before they happen.

CVE-2024-6889 – Secure Copy Content Protection and Content Locking – Stored XSS to Backdoor Creation – POC

CVE-2024-6889 – Secure Copy Content Protection and Content Locking – Stored XSS to Backdoor Creation – POC

CVE-2024-6889 exposes a serious vulnerability in the Secure Copy Content Protection and Content Locking plugin, a tool used to prevent unauthorized content copying and to add protection measures on WordPress websites. With this vulnerability, attackers can leverage Stored Cross-Site Scripting (XSS) to inject malicious scripts and create backdoors, leading to full account takeover. The flaw allows editors to inject harmful JavaScript (JS) code into the plugin’s settings, potentially compromising the entire WordPress site.

Plugin Security Certification (PSC-2024-64526): “Easy Table of Contents” – Version 2.0.69.1: Use TOC with Enhanced Security

Plugin Security Certification (PSC-2024-64526): “Easy Table of Contents” – Version 2.0.69.1: Use TOC with Enhanced Security

The “Easy Table of Contents” plugin, version 2.0.69.1, has earned the prestigious Plugin Security Certification (PSC) from CleanTalk. This certification affirms that the plugin meets stringent security standards, ensuring the safety of users while providing enhanced functionality for managing table of contents on WordPress sites. With its wide range of features and user-friendly interface, the plugin is trusted for creating a fully automatic table of contents (TOC) based on page content. Now, it also stands out for its secure code practices, safeguarding websites from potential vulnerabilities.

CVE-2024-7132 – CoBlocks – Stored XSS to Admin Account Creation – POC

CVE-2024-7132 – CoBlocks – Stored XSS to Admin Account Creation – POC

CVE-2024-7132 exposes a critical flaw in the CoBlocks plugin, a widely used WordPress extension with over 400,000 installations. This Stored XSS vulnerability can be exploited by contributors to embed malicious JavaScript code within posts, leading to unauthorized actions, including the creation of admin accounts. The vulnerability highlights the significant security risks associated with improper input validation in WordPress plugins, particularly in environments where user roles and permissions are not tightly controlled.

CVE-2024-5417 – Gutentor – Stored XSS to Admin Account Creation – POC

CVE-2024-5417 – Gutentor – Stored XSS to Admin Account Creation – POC

CVE-2024-5417 reveals a critical security flaw in the Gutentor plugin, a popular WordPress page builder with over 50,000 installations. This Stored Cross-Site Scripting (XSS) vulnerability enables attackers to inject malicious JavaScript code by exploiting the block embedding process in new posts. The severity of the issue lies in the fact that this vulnerability can be leveraged by a contributor to escalate privileges and create an unauthorized admin account, resulting in full control of the website.

CVE-2024-3282 – WP Table Builder – Stored XSS to backdoor creation – POC

CVE-2024-3282 – WP Table Builder – Stored XSS to backdoor creation – POC

The recently discovered vulnerability in WP Table Builder, tracked as CVE-2024-3282, exposes over 60,000 websites to serious risks. This Stored Cross-Site Scripting (XSS) flaw allows attackers to inject malicious JavaScript through the plugin’s table block creation process, potentially resulting in the takeover of administrator accounts and the installation of backdoors. Due to inadequate input sanitization, an attacker can exploit this vulnerability to execute arbitrary code, compromising both website security and user data.

CVE-2024-7082 – Easy Table of Contents – Stored XSS to backdoor creation – POC

CVE-2024-7082 – Easy Table of Contents – Stored XSS to backdoor creation – POC

A newly discovered vulnerability in the Easy Table of Contents WordPress plugin, designated as CVE-2024-7082, puts more than 500,000 sites at risk. This flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability, which could lead to account takeovers and the installation of backdoors within a WordPress environment. The vulnerability primarily occurs due to the plugin’s failure to properly sanitize user inputs, enabling malicious JavaScript (JS) code to be injected into the site’s widget settings. Once exploited, this flaw can result in the execution of malicious scripts by unsuspecting administrators, giving attackers the opportunity to manipulate or control the website.

CVE-2024-6335 – Tracking Code Manager – Stored XSS to backdoor creation – POC

CVE-2024-6335 – Tracking Code Manager – Stored XSS to backdoor creation – POC

A significant vulnerability has been discovered in the widely-used Tracking Code Manager WordPress plugin, identified as CVE-2024-6335. With over 100,000 installations, this plugin has become a valuable tool for managing tracking scripts, but a serious security flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw enables attackers to embed malicious JavaScript (JS) code within the plugin, leading to account takeovers and potential backdoor creation. Improper sanitization of inputs is the primary cause of this vulnerability, putting numerous WordPress sites at risk of exploitation.