CVE-2024-10703 – Registrations for Events Calendar – Stored XSS to JS Backdoor Creation – POC

Stored Cross-Site Scripting (Stored XSS) is a critical web security vulnerability that allows attackers to inject malicious scripts into a website, which are then executed in the browsers of unsuspecting users. This article focuses on CVE-2024-10703, a Stored XSS vulnerability found in versions below 2.13.4 of the “Registrations for The Events Calendar” plugin for WordPress. This vulnerability can be exploited by an attacker with administrator privileges to inject harmful scripts that execute when users interact with certain elements of the website.

CVE-2024-10472 – Stylish Price List < 7.1.12 – Stored XSS to Admin Creation – POC

WordPress plugins play a crucial role in extending the functionality of websites. However, vulnerabilities in these plugins can introduce significant security risks. One such vulnerability has been discovered in the Stylish Price List plugin (versions below 7.1.12), which enables users to create visually appealing price lists and pricing tables. The vulnerability allows a malicious actor to inject and store JavaScript code, leading to a Stored Cross-Site Scripting (XSS) attack that can compromise an administrator’s session.

CVE-2024-9390 – RegistrationMagic < 6.0.2.1 – Stored XSS to Admin Creation – POC

In the ever-evolving landscape of cybersecurity, vulnerabilities in WordPress plugins remain a persistent threat. One such recent discovery is CVE-2024-9390, a Stored Cross-Site Scripting (XSS) vulnerability affecting versions of the RegistrationMagic plugin prior to 6.0.2.1. This flaw allows attackers with certain privileges to inject malicious scripts, which can execute arbitrary JavaScript in the administrator’s session, potentially leading to account hijacking or further exploitation of the system.

CVE-2024-10143 – MB Custom Post Types & Custom Taxonomies – Stored XSS to Admin Creation – POC

WordPress plugins are essential tools that enhance the functionality of websites, allowing users to extend features without modifying core code. However, security vulnerabilities in plugins can expose websites to serious threats, including Cross-Site Scripting (XSS) attacks. One such vulnerability has been identified in the “MB Custom Post Types & Custom Taxonomies” plugin (CVE-2024-10143), allowing stored XSS exploitation that could lead to administrative account creation and malicious script execution.

CVE-2024-10145 – Hubbub Lite – Stored XSS to Admin Creation – POC

Hubbub Lite, a popular WordPress plugin for social sharing, allows users to integrate share buttons for major social networks such as Facebook, Twitter (X), Pinterest, and LinkedIn. However, a recently discovered vulnerability (CVE-2024-10145) exposes websites to stored cross-site scripting (XSS) attacks. This flaw could allow malicious actors to inject harmful scripts, leading to account hijacking and unauthorized actions within the site.

CVE-2024-9227 – PowerPress Podcasting < 11.9.18 – Author+ XSS – POC

PowerPress Podcasting, a widely used WordPress plugin developed by Blubrry Podcasting, facilitates podcast management and publishing directly from a WordPress website. It integrates with major platforms like Apple Podcasts, Spotify, and YouTube Music, making it an essential tool for podcasters. However, a vulnerability (CVE-2024-9227) has been discovered in versions below 11.9.18, allowing users with Author+ permissions to execute stored cross-site scripting (XSS) attacks. This article explores the discovery, impact, exploitation, and mitigation of this vulnerability.

Plugin Security Certification (PSC-2025-64558): “Maintenance” – Version 4.17: Use Maintenance plugin with Enhanced Security

Maintenance 4.17 is a powerful WordPress plugin designed to facilitate seamless maintenance mode activation. It allows website administrators to temporarily disable site access for visitors while displaying a custom maintenance page. The plugin supports the “503 Service Temporarily Unavailable” status, ensuring proper search engine handling during downtime.

With a highly customizable design, the plugin enables users to upload logos, set background images, customize colors, and add personalized text. It also integrates with Bunny Fonts to ensure GDPR compliance, making it a privacy-conscious choice.

Through rigorous security testing, Maintenance 4.17 has successfully obtained the Plugin Security Certification (PSC) from CleanTalk, confirming its adherence to best security practices and protection against potential threats.

Plugin Security Certification (PSC-2025-64557): “Sucuri Security” – Version 1.9.9: Use Anti-malware plugin with Enhanced Security

Sucuri Security is a powerful security plugin designed to protect WordPress websites from various cyber threats. Developed by Sucuri Inc., a globally recognized leader in website security, this plugin provides comprehensive protection through real-time monitoring, malware scanning, and security hardening.

Now owned by GoDaddy, Sucuri Security continues to offer robust security features for WordPress users, ensuring their websites remain protected against unauthorized access, malware infections, and other vulnerabilities. The plugin has successfully passed a rigorous security evaluation and has been awarded the Plugin Security Certification (PSC) from CleanTalk, guaranteeing compliance with the highest security standards.

CVE-2024-13602 – Poll Maker – Stored XSS to JS Backdoor Creation – POC

Cross-Site Scripting (XSS) vulnerabilities remain one of the most persistent security threats in web applications, including WordPress plugins. The vulnerability CVE-2024-13602 was discovered in the “Poll Maker” WordPress plugin, allowing an attacker to inject malicious JavaScript code into the plugin’s redirect settings. This stored XSS vulnerability can be leveraged to execute arbitrary JavaScript, potentially leading to full account takeovers or JavaScript-based backdoor creation.

CVE-2024-13615 – SocialSnap – Stored XSS to JS Backdoor Creation – POC

The Social Media Plugin by Social Snap is widely used to add social sharing functionalities to WordPress websites. This plugin allows website administrators to add social sharing buttons, follow icons, and “Click to Tweet” features. However, a critical vulnerability, Stored Cross-Site Scripting (Stored XSS), has been identified in versions <= 1.3.6 of the plugin. This vulnerability allows an attacker to inject malicious JavaScript payloads, which can be executed when an admin user views the vulnerable settings page.