Author: Dmitrii I

Ditty is a WordPress plugin used to display custom content in various formats such as lists, sliders, and tickers. With over 50,000 active installations, Ditty has become a widely used tool for WordPress users who wish to showcase dynamic, rotating content on their websites. However, a critical vulnerability, CVE-2024-13357, has been discovered that allows attackers to exploit the plugin’s functionality to execute a Stored Cross-Site Scripting (XSS) attack, which can lead to account takeover and backdoor creation. This vulnerability specifically affects users with Author+ roles, allowing them to escalate their privileges and create an admin account.

MailPoet is a popular WordPress plugin that enables users to easily create and send newsletters, manage subscribers, and automate email campaigns. With over 600,000 active installations, it has become a trusted tool for WordPress users looking to enhance their email marketing capabilities. However, a critical vulnerability, CVE-2024-12743, has been discovered in the plugin that allows attackers to exploit Stored Cross-Site Scripting (XSS), leading to a potential account takeover and backdoor creation. This vulnerability affects users with editor-level privileges and can be triggered through the plugin’s form-building interface.

Icegram Engage is a widely-used WordPress plugin that enables website owners to create and manage popups, opt-in forms, and other interactive features to enhance user engagement. With over 30,000 active installations, the plugin is trusted by many to boost conversions and improve user experience. However, a critical vulnerability—CVE-2024-13482—has been discovered in the plugin. This stored Cross-Site Scripting (XSS) vulnerability allows an attacker to inject malicious JavaScript code into the plugin settings, which can lead to account takeover and the creation of a backdoor in the WordPress site.

Icegram Engage is a popular WordPress plugin designed to create popups, opt-in forms, and other interactive elements to engage visitors. With over 30,000 active installations, it is widely used to enhance user experience on WordPress sites. However, a critical vulnerability (CVE-2024-13486) has been identified within the plugin that allows an attacker to execute stored Cross-Site Scripting (XSS) attacks. This vulnerability can be exploited by attackers to inject malicious JavaScript code, potentially leading to backdoor creation and unauthorized account takeover.

The Contact Form & SMTP Plugin for WordPress by PirateForms is widely used to add customizable contact forms and SMTP email configurations to WordPress sites. With over 50,000 active installations, the plugin provides a convenient solution for website owners to manage user interactions. However, a critical vulnerability (CVE-2024-11272) has been discovered in the plugin that exposes WordPress sites to a serious security risk. The vulnerability allows attackers to inject malicious JavaScript into the plugin’s settings via the “Submit button” field. This can lead to account takeover, backdoor creation, and a wide range of other security risks.

The Contact Form & SMTP Plugin for WordPress by PirateForms is widely used to implement contact forms and handle email submissions through SMTP. With over 50,000 active installations, this plugin offers a simple and efficient way to manage user inquiries. However, a critical vulnerability—CVE-2024-11273—has been discovered in the plugin, which allows for Stored Cross-Site Scripting (XSS) attacks. This flaw enables attackers to inject malicious JavaScript code into the plugin’s settings, leading to the creation of backdoors and allowing attackers to take over admin accounts.

The Simple Banner plugin is a popular WordPress plugin used by website owners to display customizable banners at the top of their pages. With over 50,000 active installations, the plugin allows users to manage and configure banner content easily. While the plugin provides useful features, a critical vulnerability—CVE-2024-12769—was discovered during testing, which allows attackers to inject malicious JavaScript (JS) into the banner settings. This vulnerability enables attackers to execute stored XSS attacks, ultimately leading to the creation of a backdoor and account takeover by an attacker. This security flaw underscores the importance of input validation and sanitization, especially for plugins that manage dynamic content.

Quiz and Survey Master (QSM) is a popular WordPress plugin used by website owners and content creators to design and implement quizzes, surveys, and polls on their websites. With over 50,000 active installations, it provides a versatile platform for gathering feedback and engaging users. However, a critical vulnerability—CVE-2024-10679—has been identified in the plugin that exposes WordPress sites to a serious risk. The vulnerability allows attackers to execute a Stored Cross-Site Scripting (XSS) attack via the plugin’s settings, enabling attackers to escalate privileges and create an admin account. This vulnerability is particularly dangerous because it allows attackers to exploit low-level user roles, such as contributors, to gain full control over the WordPress site.