Author: Artyom Krugov

Fluent Forms, a widely used WordPress plugin that has been installed more than 500,000 times, is known for its advanced and lightweight contact form builder. With features such as drag-and-drop customization, conditional logic, and anti-spam, it has become a staple for both businesses and developers. However, such popularity also makes it an object for exploitation. The vulnerability associated with the persistence of cross-site scripting (XSS) CVE-2024-9651 in older versions of Fluent Forms pages poses a significant risk, potentially allowing attackers to introduce backdoors and compromise entire websites.

Version 5.2.5 of Fluent Forms has received a plugin Security Certificate (PSC), which guarantees users that this version is verified as secure.

It was recently discovered that the “Simple Slide Tab” plugin, designed to help WordPress site owners increase conversion by adding customizable call-to-action tabs, contains a security flaw. The simplicity and convenience of the plugin, combined with its flexibility in customizing tab behavior and appearance, have made it practical among WordPress users. However, this popularity now poses a security threat due to a vulnerability related to the saved cross-site scripts (XSS) CVE-2024-11183. This flaw can be used to create backdoors that provide attackers with unauthorized access to vulnerable sites.

It was recently discovered that the “Sticky Social Icons” plugin, used to integrate customizable social media buttons, contains a vulnerability CVE-2024-10551. This flaw allows attackers to carry out attacks using stored cross-site scripting (XSS), which can potentially lead to the creation of a backdoor and further compromise of vulnerable websites. Since the plugin is currently closed for download and update, understanding this vulnerability is crucial for both prevention and elimination.

CVE-2024-10362 exposes a Stored Cross-Site Scripting (XSS) vulnerability in the Ultimate Social Media Icons WordPress plugin. This popular plugin allows WordPress site administrators to display customizable social media icons, enabling visitors to share content across platforms like Facebook, Twitter, LinkedIn, and more. Unfortunately, a flaw in its handling of user inputs can permit attackers to inject malicious JavaScript code, paving the way for serious security risks. This article explores how the vulnerability was discovered, the potential impact on WordPress sites, and practical steps to protect against such attacks.

CVE-2024-9768 reveals a Stored Cross-Site Scripting (XSS) vulnerability in the Formidable Forms WordPress plugin, a leading tool for creating forms, surveys, and other interactive content on websites. Known for its advanced drag-and-drop interface and extensive customization options, Formidable Forms is widely used by WordPress sites for generating user-friendly forms. However, this vulnerability can allow malicious actors to inject JavaScript payloads that can ultimately create backdoors, compromising site security and exposing user data. This article delves into the nature of this vulnerability, how it can be exploited, and the potential impact on affected websites.

CVE-2024-9599 brings to light a critical Stored Cross-Site Scripting (XSS) vulnerability within the WordPress Popup Box plugin, a popular tool used to create a variety of popups for websites. This plugin allows users to add visually appealing and engaging popups, ranging from promotional notifications to subscription forms, without requiring extensive technical knowledge. However, an identified flaw in the way the plugin handles input parameters allows malicious users to inject JavaScript code, leading to the potential creation of backdoors within the WordPress environment. The implications of this vulnerability could lead to unauthorized access and control over affected websites.

CVE-2024-4091 highlights a significant Stored Cross-Site Scripting (XSS) vulnerability within the Responsive Gallery Grid (RGG) plugin for WordPress, a tool installed on numerous WordPress sites to transform the native WordPress gallery into a responsive layout. The plugin, which integrates well with other third-party lightbox plugins, offers WordPress users an enhanced way to showcase their images while keeping responsive image proportions. However, a flaw in the settings configuration allows contributors or editors with access to plugin settings to inject malicious JavaScript (JS) code into the Margin parameter of the gallery settings. If exploited, this vulnerability can provide attackers with persistent control over the site via a JavaScript backdoor.