CVE-2024-9236 is a stored cross-site scripting (XSS) vulnerability in the Team Members Showcase plugin for WordPress; it allows an attacker to get stored JavaScript executed in other users' browsers and potentially take over administrator accounts. The plugin gives site administrators a general-purpose tool for displaying team members in various layouts such as grids and sliders. It is highly customizable, responsive, and compatible with Elementor, letting users easily build professional-looking team pages.
CVE-2024-9182 – Maspik – Advanced Spam Protection – Stored XSS to Admin Creation – POC
CVE-2024-9182 in the Maspik – Advanced Spam Protection plugin allows an attacker to inject a stored cross-site scripting (XSS) payload. The consequences can be serious: the injected script can create an administrator account without authorization, compromising the security of the WordPress site.
CVE-2024-8239 – Starbox – the Author Box for Humans – Stored XSS to Admin Creation – POC
CVE-2024-8239 is a serious stored Cross-Site Scripting (XSS) vulnerability in the Starbox – The Author Box for Humans plugin, used by over 40,000 WordPress sites to display author profiles and bios. It allows contributors to inject malicious JavaScript (JS) into their profile settings, specifically through the “Twitter URL” field, which can lead to admin account creation and backdoor access. If exploited, attackers can hijack the WordPress site’s admin functionality and maintain persistent control.
CVE-2024-8283 – Slider by 10Web – Stored XSS to Backdoor Creation – POC
CVE-2024-8283 exposes a serious vulnerability in the Slider by 10Web plugin, a widely used WordPress plugin with over 30,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers, particularly users with contributor-level access, to inject malicious JavaScript (JS) code through the plugin’s slider settings. When exploited, this vulnerability enables attackers to take over admin accounts and create backdoors, allowing them to maintain long-term access to the site.
CVE-2024-3635 – The Post Grid – Stored XSS to Backdoor Creation – POC
CVE-2024-3635 represents a critical Stored Cross-Site Scripting (XSS) vulnerability in The Post Grid plugin, a popular tool for creating custom grid layouts in WordPress. With over 100,000 installations, this vulnerability poses a serious threat as it allows attackers with editor-level permissions to inject malicious JavaScript (JS) code into grid settings. Once exploited, the vulnerability can lead to account takeover, enabling attackers to create persistent backdoors and take control of the WordPress site.
Plugin Security Certification (PSC-2024-64530): “Tracking Code Manager” – Version 2.3.0: Use Code manager with Enhanced Security
Tracking Code Manager is a powerful WordPress plugin designed to give website owners full control over third-party tracking codes and scripts. Whether you need to implement Google Analytics, Facebook retargeting, or other platforms to improve user experience, this plugin provides a centralized interface to effectively manage all your codes. Developed by Data443, a leader in data protection and privacy, Tracking Code Manager allows you to easily place tracking codes on different pages or in different locations, while respecting global privacy laws such as GDPR. This plugin has also been thoroughly tested for security and has successfully received the Plugin Security Certification (PSC) from CleanTalk, which guarantees its compliance with strict security protocols.
CVE-2024-8536 – Ultimate Blocks – Stored XSS to Admin Account Creation – POC
CVE-2024-8536 presents a serious security risk in the Ultimate Blocks plugin, used by over 70,000 WordPress sites to enhance post content with custom blocks. This vulnerability allows attackers, specifically users with contributor-level access, to inject malicious JavaScript (JS) into a new post using the plugin’s “Expand” block feature. If exploited, this can lead to admin account creation and full site takeover, putting the entire WordPress installation at risk.
CVE-2024-9021 – Relevanssi – Stored XSS to Admin Account Creation (Contributor+) – POC
CVE-2024-9021 is a stored XSS vulnerability recently found in Relevanssi, one of the most popular WordPress plugins; it extends the standard WordPress search feature with powerful customization options and improves search relevance. The vulnerability affects Relevanssi version 4.23.1 and below and raises concerns about the security of sites running it: it may allow users with contributor-level access or higher to inject malicious scripts, with serious consequences for site administrators.
CVE-2024-7133 – My Sticky Bar (myStickymenu) – Stored XSS to JS Backdoor Creation – POC
CVE-2024-7133 reveals a critical vulnerability in the My Sticky Bar (myStickymenu) WordPress plugin, which has over 100,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious JavaScript (JS) code through the plugin’s settings. Once exploited, the attacker can take over administrator accounts, create persistent backdoors, and control the entire WordPress site. The issue arises due to improper sanitization of user input, specifically in the “Font size” field when creating a sticky bar.
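As an added illustration (not code from any plugin named on this page, nor from CleanTalk), the following JavaScript shows the kind of check that the “Font size” field above and the “Twitter URL” field in the Starbox entry lacked: an allow-list validator for each field type plus attribute escaping on output, with the unsafe string concatenation shown beside the hardened form. The allowed hosts, the font-size pattern and the sample payloads are assumptions made for this example; a WordPress plugin would implement the same idea in PHP with esc_url()/esc_attr() and a numeric check before saving.

```javascript
// Added example: allow-list validation and output escaping for a profile
// URL field and a CSS font-size field. Not code from any plugin on this
// page; hosts, pattern and payloads below are assumptions for illustration.

// Hosts a "Twitter URL" field is allowed to point at (assumption).
const ALLOWED_PROFILE_HOSTS = new Set([
  "twitter.com", "www.twitter.com", "x.com", "www.x.com",
]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Validate a profile URL: must parse, must be https, host must be on the
// allow-list, no embedded credentials. Returns the normalised URL or null.
function validateProfileUrl(input) {
  let url;
  try {
    url = new URL(String(input).trim());
  } catch {
    return null; // not an absolute URL at all (e.g. '" onmouseover="...')
  }
  if (url.protocol !== "https:") return null; // rejects javascript:, data:, http:
  if (!ALLOWED_PROFILE_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null;
  return url.href;
}

// Validate a font size: a number with an explicit unit, nothing else.
// Returns the canonical value or null.
function validateFontSize(input) {
  const m = /^(\d{1,3}(?:\.\d{1,2})?)(px|em|rem|%)$/.exec(String(input).trim());
  return m ? m[1] + m[2] : null;
}

// Vulnerable pattern: the saved value is concatenated straight into markup,
// so a payload can close the style attribute and add an event handler.
function renderBarVulnerable(fontSize) {
  return `<div class="sticky-bar" style="font-size: ${fontSize}">`;
}

// Hardened pattern: validate against the allow-list, fall back to a safe
// default, and still escape on output (defence in depth).
function renderBarHardened(fontSize) {
  const size = validateFontSize(fontSize) ?? "16px";
  return `<div class="sticky-bar" style="font-size: ${escapeAttr(size)}">`;
}

// Hardened profile link: drop the link entirely rather than emit an unsafe href.
function renderProfileLink(rawUrl) {
  const url = validateProfileUrl(rawUrl);
  if (url === null) return "";
  return `<a href="${escapeAttr(url)}" rel="noopener">Twitter</a>`;
}

// Constructed sample inputs, the shape an attacker would save in the fields.
const CONSTRUCTED_PAYLOADS = {
  fontSize: '16px" onmouseover="alert(document.cookie)',
  url: "javascript:alert(1)",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:", renderBarVulnerable(CONSTRUCTED_PAYLOADS.fontSize));
  console.log("hardened:  ", renderBarHardened(CONSTRUCTED_PAYLOADS.fontSize));
  console.log("link:      ", JSON.stringify(renderProfileLink(CONSTRUCTED_PAYLOADS.url)));
  console.log("good link: ", renderProfileLink("https://twitter.com/example"));
}
```

The design point is that escaping alone is not enough for a style or href attribute: `escapeAttr` stops the attacker breaking out of the attribute, but only the allow-list stops `javascript:` URLs and CSS that is not a length, which is why both run and the value is rejected (not merely encoded) when it fails validation.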
Plugin Security Certification (PSC-2024-64529): “Matomo Analytics” – Version 5.1.3: Use Ethical stats with Enhanced Security
Matomo Analytics is a powerful, secure, and privacy-focused alternative to Google Analytics, offering website owners full control over their data. Unlike many third-party analytics tools, Matomo is hosted on your own servers, ensuring 100% data ownership and privacy compliance. It empowers businesses to make data-driven decisions while protecting user privacy, without sacrificing any advanced analytics features. With an intuitive interface, Matomo makes it easy to gain valuable insights into customer behavior, website performance, and marketing effectiveness, all while adhering to the highest ethical standards. This plugin has also undergone rigorous security testing and has successfully obtained the Plugin Security Certification (PSC) from CleanTalk, ensuring it meets stringent security protocols.