CVE-2024-4091 highlights a significant Stored Cross-Site Scripting (XSS) vulnerability within the Responsive Gallery Grid (RGG) plugin for WordPress, a tool installed on numerous WordPress sites to transform the native WordPress gallery into a responsive layout. The plugin, which integrates well with other third-party lightbox plugins, offers WordPress users an enhanced way to showcase their images while keeping responsive image proportions. However, a flaw in the settings configuration allows contributors or editors with access to plugin settings to inject malicious JavaScript (JS) code into the Margin parameter of the gallery settings. If exploited, this vulnerability can provide attackers with persistent control over the site via a JavaScript backdoor.
CVE-2024-4004 – Advanced Cron Manager – Stored XSS to JS backdoor – POC

CVE-2024-4004 is a newly discovered Stored Cross-Site Scripting (XSS) vulnerability in the widely used WordPress plugin Advanced Cron Manager. This plugin, essential for managing WP Cron events and schedules, offers extensive functionality to WordPress site administrators. It allows them to view, search, execute, add, pause, and delete scheduled tasks, as well as customize PHP cron events. With over 30,000 installations, Advanced Cron Manager provides a streamlined approach to scheduling but, unfortunately, also introduces a vulnerability exploitable by users with access to the admin panel. This vulnerability allows attackers to inject malicious JavaScript code into the Cron Manager’s settings, potentially leading to a backdoor on the site.
CVE-2024-10104 – Jobs for WordPress – Stored XSS to Backdoor Creation – POC

CVE-2024-10104 is a critical Stored Cross-Site Scripting (XSS) vulnerability affecting the Jobs for WordPress plugin, widely used to manage and display job postings on WordPress sites. This vulnerability allows users with Contributor or higher permissions to inject malicious JavaScript (JS) code into the job posting settings, specifically in the “Working Hours” field. Once exploited, the vulnerability can lead to admin account takeovers, unauthorized backdoor installations, and long-term control over the WordPress site.
CVE-2024-8759 – Nested Pages – Stored XSS to backdoor creation – POC

The CVE-2024-8759 vulnerability has been discovered in the Nested Pages plugin, which allows attackers to carry out an attack using stored cross-site scripts (XSS). This vulnerability can be exploited to create a backdoor or even hack into an administrator account, making it a serious security issue for websites using the plugin.
CVE-2024-9236 – Team Members Showcase – Stored XSS to Admin Creation – POC

The Team Members Showcase plugin for WordPress has discovered a vulnerability CVE-2024-9236, which allows an attacker to execute saved cross-site scripts (XSS) and potentially intercept administrative accounts.It offers website administrators a universal tool for displaying team members on their site using various layouts such as grids and sliders. This plugin is highly customizable, adaptive, and compatible with Elementor, allowing users to easily create professional-looking team storefronts.
CVE-2024-9182 – Maspik – Advanced Spam Protection – Stored XSS to Admin Creation – POC
CVE-2024-9021 – Relevanssi – Stored XSS to Admin Account Creation (Contributor+) – POC

CVE-2024-9021 An XSS vulnerability found recently in the Relevanssi plugin, which is one of the most popular WordPress plugins, extends the standard WordPress search feature by adding powerful customization options and increasing search relevance. However, the recent discovery of a stored XSS vulnerability in Relevanssi version 4.23.1 and below has raised concerns about the security of the website. This vulnerability may allow developers to inject malicious scripts, which will lead to serious consequences for site administrators
Plugin Security Certification (PSC-2024-64544): “Matomo Analytics” – Version 5.2.0: Use Ethical stats with Enhanced Security

Matomo Analytics is a powerful, secure, and privacy-focused alternative to Google Analytics, offering website owners full control over their data. Unlike many third-party analytics tools, Matomo is hosted on your own servers, ensuring 100% data ownership and privacy compliance. It empowers businesses to make data-driven decisions while protecting user privacy, without sacrificing any advanced analytics features. With an intuitive interface, Matomo makes it easy to gain valuable insights into customer behavior, website performance, and marketing effectiveness, all while adhering to the highest ethical standards. This plugin has also undergone rigorous security testing and has successfully obtained the Plugin Security Certification (PSC) from CleanTalk, ensuring it meets stringent security protocols.