Author: Dmitrii I

The Photo Gallery by 10Web plugin is a widely used WordPress plugin designed to help users create beautiful and organized image galleries on their websites. This plugin allows website owners to display their images in various formats, enhancing the visual appeal of their site. However, a severe vulnerability (CVE-2024-13124) has been discovered in the plugin, which allows an attacker to inject malicious JavaScript into the gallery’s title field. This Stored Cross-Site Scripting (XSS) vulnerability can lead to the execution of arbitrary scripts, enabling attackers to potentially create backdoor admin accounts and gain unauthorized access to the site. With over 200,000 installations, this flaw poses a significant threat to websites relying on this plugin.

Form Maker by 10Web is a popular WordPress plugin used to create forms and widgets for various purposes, such as contact forms, surveys, and user registration. The plugin is widely used by website administrators for its ease of use and flexibility. However, a critical vulnerability, CVE-2024-10558, has been discovered in the plugin, which allows attackers to inject malicious JavaScript into the “Title” field of a widget. This Stored Cross-Site Scripting (XSS) vulnerability can result in the execution of arbitrary JavaScript on the website, potentially leading to account takeover and the creation of backdoor access. The vulnerability can be exploited by any user with editor privileges or higher, posing a significant risk to WordPress websites using the plugin.

Site Reviews is a popular WordPress plugin designed to collect and display customer reviews on websites. It offers an easy-to-use interface for both site owners and customers to submit and view reviews. However, a critical vulnerability, CVE-2025-1232, has been discovered in the plugin. This flaw allows unauthenticated users to inject malicious JavaScript into the review form, which can lead to Stored Cross-Site Scripting (XSS) attacks. These attacks could result in unauthorized account creation with admin privileges, ultimately compromising the security of the affected website. With over 100,000 active installations, this vulnerability poses a significant threat to WordPress sites using the Site Reviews plugin.

The GDPR Cookie Compliance plugin is a widely used tool for WordPress sites, enabling them to display cookie consent banners and helping website owners comply with the European Union’s General Data Protection Regulation (GDPR). However, a serious vulnerability (CVE-2025-1623) has been discovered that allows attackers to inject malicious JavaScript code into the “Tracking ID” field under the plugin’s integrations settings. This vulnerability can lead to the execution of stored XSS (Cross-Site Scripting) scripts, allowing for the creation of a backdoor account and other malicious activities. With over 300,000 active installations, this vulnerability poses a significant security risk to websites using this plugin.

The GDPR Cookie Compliance plugin is a widely used tool for WordPress websites to ensure compliance with the European Union’s General Data Protection Regulation (GDPR). The plugin enables site owners to manage cookie consent banners, which are essential for informing users about the use of cookies and obtaining their consent. However, a critical vulnerability (CVE-2025-1624) has been discovered in the plugin, which allows attackers with editor-level access to inject malicious JavaScript into the “Tab Content” field within the plugin’s settings. This malicious JavaScript is then executed when the user interacts with the consent banner. This vulnerability can result in the creation of backdoor accounts, account takeover, and session hijacking. With over 300,000 active installations, the exploitation of this vulnerability poses a significant threat to websites using the GDPR Cookie Compliance plugin.

The GDPR Cookie Compliance plugin is an essential tool for WordPress websites aiming to comply with the General Data Protection Regulation (GDPR) by providing cookie consent banners and settings. However, a critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-1619) has been identified in the plugin. This vulnerability allows an attacker with editor-level privileges to inject malicious JavaScript into the plugin’s “Checkbox Labels” field. Once the injected JavaScript is saved, it is stored in the WordPress database and executed when users interact with the cookie consent banner on the site. This can lead to account takeover, session hijacking, and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability represents a major security risk for websites using the GDPR Cookie Compliance plugin.

The GDPR Cookie Compliance plugin is a popular WordPress tool designed to help websites comply with the European Union’s General Data Protection Regulation (GDPR). It enables website owners to display cookie consent banners and floating buttons to obtain user consent

The GDPR Cookie Compliance plugin is a popular solution for WordPress websites to help them comply with the European Union’s General Data Protection Regulation (GDPR). It is primarily used to display cookie consent banners that inform users about the use of cookies on the website and collect their consent. However, a critical vulnerability, CVE-2025-1621, has been discovered in the plugin that allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability enables attackers to inject malicious JavaScript into the “Accept – Button Label” field in the plugin’s settings. The injected script can later be executed when a user interacts with the consent banner, leading to potential account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability presents a significant security risk.

The GDPR Cookie Compliance plugin for WordPress is widely used to help websites comply with the European Union’s General Data Protection Regulation (GDPR). One of the core features of the plugin is its cookie consent banner, which informs users about the use of cookies and requests their consent. However, a critical vulnerability, CVE-2025-1622, has been identified in the plugin. This Stored Cross-Site Scripting (XSS) vulnerability allows an attacker with editor-level access to inject malicious JavaScript into the “Cookie Banner Content” field. Once saved, the injected script is stored and executed when the banner is displayed on the site’s frontend, potentially leading to account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability poses a significant security risk for WordPress websites using the GDPR Cookie Compliance plugin.

The Social Slider Feed plugin for WordPress is used to display social media feeds, such as YouTube videos, Instagram posts, and Twitter feeds, directly on websites. It allows users to create widgets that can be customized with various settings, including titles and content descriptions. However, a critical vulnerability, CVE-2024-10149, has been discovered in this plugin. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers with editor-level access to inject malicious JavaScript code into the widget settings, which is later executed when the widget is viewed on the frontend. This vulnerability could lead to account takeover and the creation of backdoor admin accounts. With over 50,000 active installations, this issue represents a significant security risk to WordPress sites using the Social Slider Feed plugin.