Author: Dmitrii I

The GDPR Cookie Compliance plugin is a popular solution for WordPress websites to help them comply with the European Union’s General Data Protection Regulation (GDPR). It is primarily used to display cookie consent banners that inform users about the use of cookies on the website and collect their consent. However, a critical vulnerability, CVE-2025-1621, has been discovered in the plugin that allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability enables attackers to inject malicious JavaScript into the “Accept – Button Label” field in the plugin’s settings. The injected script can later be executed when a user interacts with the consent banner, leading to potential account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability presents a significant security risk.

The GDPR Cookie Compliance plugin for WordPress is widely used to help websites comply with the European Union’s General Data Protection Regulation (GDPR). One of the core features of the plugin is its cookie consent banner, which informs users about the use of cookies and requests their consent. However, a critical vulnerability, CVE-2025-1622, has been identified in the plugin. This Stored Cross-Site Scripting (XSS) vulnerability allows an attacker with editor-level access to inject malicious JavaScript into the “Cookie Banner Content” field. Once saved, the injected script is stored and executed when the banner is displayed on the site’s frontend, potentially leading to account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability poses a significant security risk for WordPress websites using the GDPR Cookie Compliance plugin.

The Social Slider Feed plugin for WordPress is used to display social media feeds, such as YouTube videos, Instagram posts, and Twitter feeds, directly on websites. It allows users to create widgets that can be customized with various settings, including titles and content descriptions. However, a critical vulnerability, CVE-2024-10149, has been discovered in this plugin. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers with editor-level access to inject malicious JavaScript code into the widget settings, which is later executed when the widget is viewed on the frontend. This vulnerability could lead to account takeover and the creation of backdoor admin accounts. With over 50,000 active installations, this issue represents a significant security risk to WordPress sites using the Social Slider Feed plugin.

The Download Manager plugin for WordPress is commonly used to manage and secure downloadable files, including documents, images, and other resources. It allows administrators to set up password-protected downloads to restrict access to certain files. However, a critical vulnerability, CVE-2024-13126, has been discovered that allows unauthenticated users to bypass password protection and download all files from the plugin’s directory, including those that are meant to be password-protected. This vulnerability, stemming from improper directory listing configurations, exposes the protected content to unauthorized users. With over 100,000 active installations, this issue poses a significant security risk to WordPress websites using the Download Manager plugin.

Form Maker by 10Web is a versatile WordPress plugin used to create and manage various forms, such as contact forms, surveys, and registration forms. However, a critical vulnerability, CVE-2024-13053, has been discovered in the plugin, which allows attackers to inject malicious JavaScript into the plugin’s settings. This vulnerability, a Stored Cross-Site Scripting (XSS) flaw, enables attackers with editor-level access to execute arbitrary JavaScript code. This could lead to session hijacking, privilege escalation, or the creation of backdoor admin accounts. With over 50,000 active installations, the vulnerability poses a significant risk to WordPress sites using Form Maker.

Logo Slider is a WordPress plugin used to create image carousels and sliders, often utilized by businesses and websites to showcase logos, brands, or featured partners. A critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12308, has been identified in the plugin, which allows a contributor-level user to inject malicious JavaScript into the “Logo Slider” settings. The vulnerability allows the injected script to execute when a user hovers over the carousel. This action can result in admin account creation, providing the attacker with full control over the site. With over 20,000 active installations, this vulnerability poses a serious risk to WordPress websites using the Logo Slider plugin.

Form Maker by 10Web is a widely used WordPress plugin that allows users to easily create and manage forms for a variety of purposes, such as contact forms, surveys, and registration forms. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13605, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Width” field in the theme settings. When this setting is saved, the malicious script is stored and executed in the browser of any user who hovers over the input field, potentially leading to account takeover and the creation of backdoor admin accounts. With over 50,000 active installations, this flaw poses a serious security risk to WordPress websites using Form Maker.

Ajax Search Lite is a popular WordPress plugin used to enhance the search experience by providing real-time AJAX search results. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13585, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Categories filter box header text” field within the “Frontend Filters” settings. The injected script is then executed when the search results are displayed, leading to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this flaw poses a serious security risk to WordPress websites using Ajax Search Lite.

LearnPress is a popular Learning Management System (LMS) plugin for WordPress, used by educators and organizations to create online courses, quizzes, and manage learning materials. A critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-13127, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Decimal separator” field in the plugin’s general settings. The injected script is then executed when the “Order Details” page is viewed, potentially allowing attackers to take over the accounts of admins or other users. With over 100,000 active installations, this vulnerability presents a serious security risk to WordPress websites using LearnPress.

Master Slider is a widely used WordPress plugin that enables users to create responsive sliders for showcasing images, videos, and other content. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12173, has been discovered in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “Slider custom styles” field within the plugin’s main settings. The injected script is then executed on the frontend when the slider is rendered, which can lead to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this vulnerability presents a significant security risk for WordPress sites using Master Slider.