Plugin Security Certification: “WordPress Popular Posts” – Version 6.4.0: Enhancing Content Visibility with Secure Integration

Plugin Security Certification: “WordPress Popular Posts” – Version 6.4.0: Enhancing Content Visibility with Secure Integration

WordPress Popular Posts is a versatile widget that enables website owners to showcase their most popular posts in a highly customizable manner. With an array of features and customization options, this plugin offers an effective way to increase content visibility and engage site visitors. In this article, we delve into the significance of WordPress Popular Posts, highlighting its security features and its recognition through the “Plugin Security Certification” (PSC) from CleanTalk.

CVE-2024-0719 – Tabs Shortcode and Widget – Contributor+ Stored XSS via shortcode – POC

CVE-2024-0719 – Tabs Shortcode and Widget – Contributor+ Stored XSS via shortcode – POC

During testing of the Tabs Shortcode and Widget plugin for WordPress, a security vulnerability was discovered that allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability arises from the plugin’s failure to properly validate and escape some of its shortcode attributes before outputting them back in a page or post where the shortcode is embedded. As a result, users with the contributor role and above can exploit this flaw to execute malicious scripts, potentially leading to account takeover and compromise of the website.

CVE-2024-0561 – Ultimate Posts Widget – Stored XSS – POC

CVE-2024-0561 – Ultimate Posts Widget – Stored XSS – POC

During testing of the Ultimate Posts Widget plugin for WordPress, a security vulnerability was identified that allows for Stored Cross-Site Scripting (XSS) attacks. The vulnerability arises from the plugin’s failure to properly validate and escape certain widget options before outputting them back in attributes. As a result, high privilege users such as administrators can exploit this flaw to execute malicious scripts, potentially leading to account takeover.

Plugin Security Certification: “AddToAny Share Buttons” – Version 1.8.9: Enhancing Social Sharing with Secure Integration

Plugin Security Certification: “AddToAny Share Buttons” – Version 1.8.9: Enhancing Social Sharing with Secure Integration

The AddToAny Share Buttons plugin for WordPress empowers website owners to boost traffic and engagement by facilitating seamless sharing of posts and pages across various social media platforms and services. With support for a wide range of sharing options, including Facebook, Pinterest, WhatsApp, LinkedIn, and more, this plugin has been a cornerstone of social sharing since 2006. In this article, we explore the significance of the AddToAny Share Buttons plugin, emphasizing its security features and its recognition through the “Plugin Security Certification” (PSC) from CleanTalk.

CVE-2024-0559 – Enhanced Text Widget – Stored XSS – POC

CVE-2024-0559 – Enhanced Text Widget – Stored XSS – POC

During testing of the Enhanced Text Widget plugin for WordPress, a security vulnerability was identified that allows for Stored Cross-Site Scripting (XSS) attacks. The vulnerability arises from the plugin’s failure to properly validate and escape certain widget options before outputting them back in attributes. As a result, high privilege users such as administrators or editors can exploit this flaw to execute malicious scripts, potentially leading to account takeover (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).

Plugin Security Certification: “Backuply” – Version 1.2.7: Protecting Your WordPress Assets with Secure Backups

Plugin Security Certification: “Backuply” – Version 1.2.7: Protecting Your WordPress Assets with Secure Backups

In the ever-evolving landscape of WordPress, safeguarding your website against data loss is paramount. The “Backuply” plugin, now at version 1.2.7, offers a robust backup solution designed to protect your WordPress assets from server crashes, hacks, faulty updates, or plugin malfunctions. In this article, we explore the significance of this plugin, focusing on its security features and its recognition through the “Plugin Security Certification” (PSC) from CleanTalk.

CVE-2023-5711 – System Dashboard – Broken Logical Control to PHP info disclosure – POC

CVE-2023-5711 – System Dashboard – Broken Logical Control to PHP info disclosure – POC

During the examination of the System Dashboard plugin for WordPress, a security vulnerability was identified that allows unauthorized access to sensitive data. This flaw stems from a lack of capability check on the sd_php_info() function, which is hooked via an AJAX action in all versions of the plugin up to, and including, 2.8.7. As a result, authenticated attackers with subscriber-level access and above can exploit this vulnerability to retrieve sensitive information provided by PHP info.

Plugin Security Certification: “Simple History” – Version 4.10.0: Enhancing WordPress Security with Action Logs

Plugin Security Certification: “Simple History” – Version 4.10.0: Enhancing WordPress Security with Action Logs

In the dynamic environment of WordPress, keeping track of changes made to your website is essential for maintaining security and accountability. The “Simple History” plugin, now at version 4.10.0, offers a comprehensive solution by providing a detailed log of recent activities directly on your dashboard or a separate page. In this article, we delve into the significance of this plugin, highlighting its security features and its recognition through the “Plugin Security Certification” (PSC) from CleanTalk.

CVE-2023-4783 – Magee Shortcodes – Stored XSS via shortcode – POC

CVE-2023-4783 – Magee Shortcodes – Stored XSS via shortcode – POC

During the evaluation of the Magee Shortcodes plugin, security researchers identified a critical vulnerability enabling Stored Cross-Site Scripting (XSS) attacks. This vulnerability permits malicious actors to execute arbitrary JavaScript code within the context of a victim’s browser when interacting with a compromised post containing specially crafted shortcodes.