A critical vulnerability has been unearthed in the “Responsive Pricing Table” WordPress plugin, designated as CVE-2024-1333. This flaw, exploitable via Stored Cross-Site Scripting (XSS), facilitates the illicit creation of admin accounts by injecting malicious scripts. Such vulnerabilities pose significant risks
A critical security vulnerability, CVE-2024-1331, has been uncovered in the Team Members plugin for WordPress. This flaw, a Stored Cross-Site Scripting (XSS) vulnerability, allows attackers to execute malicious scripts on behalf of contributors, potentially leading to account takeover and compromising the security of WordPress sites.
A critical vulnerability, CVE-2023-7232, has been uncovered in the Backup and Restore WordPress (BackITup) plugin, leaving websites susceptible to unauthenticated sensitive data exposure. This flaw poses a significant threat to the confidentiality of sensitive information stored on WordPress websites.
Beware WordPress users! A critical vulnerability has been unearthed in the Widget for Social Page Feeds plugin, tagged as CVE-2024-0973. This flaw poses a significant risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to admin account creation via XSS and compromising your website’s security. Stay informed and take necessary precautions to safeguard your WordPress installations. As a result, high privilege users such as administrators can exploit this flaw to execute malicious scripts, potentially leading to account takeover (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).
During rigorous testing of the Advanced Social Feeds Widget & Shortcode plugin, security researchers stumbled upon a dangerous flaw. It was revealed that the plugin’s design allows attackers to execute malicious scripts via Stored XSS, posing a serious threat to website security. As a result, high privilege users such as administrators can exploit this flaw to execute malicious scripts, potentially leading to account takeover (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).
Easy Updates Manager offers a comprehensive solution for managing WordPress updates with ease. Whether you have a single-site installation or a WordPress Multisite setup, this plugin equips you with the tools needed to take control of your website updates efficiently. In this article, we explore the features of Easy Updates Manager, emphasizing its security measures and recognition through the “Plugin Security Certification” (PSC) from CleanTalk.
During the assessment of the Buttons Shortcode and Widget plugin for WordPress, a critical vulnerability was uncovered. It was observed that the plugin allowed the execution of Stored Cross-Site Scripting (XSS) attacks via shortcode embedding. This flaw enables contributors and users with higher privileges to inject malicious scripts into new posts or pages using the plugin’s shortcode functionality.
During routine security assessment, a severe vulnerability was identified in the Backup Bolt plugin for WordPress. Upon inspection of the plugin’s files, it was found that the file path /wordpress/babo-background-error.log was left unprotected, exposing detailed information about the site’s configuration, directories, and files. This flaw poses a significant risk of unauthorized access to sensitive data.
During routine testing of the Error Log Viewer plugin, a vulnerability was discovered that enables unauthorized access to sensitive data. By exploiting this flaw, attackers can gain access to PHP log files without proper authorization.
During testing of the “Login as User or Customer” plugin, a critical vulnerability was identified, enabling a complete takeover of the administrator account and potentially compromising the entire server. By exploiting a flaw in the plugin’s functionality, an attacker could intercept and manipulate sensitive data, including authentication tokens and cookies, leading to unauthorized access and control over the administrator account.