CVE-2024-7132 – CoBlocks – Stored XSS to Admin Account Creation – POC

CVE-2024-7132 – CoBlocks – Stored XSS to Admin Account Creation – POC

CVE-2024-7132 exposes a critical flaw in the CoBlocks plugin, a widely used WordPress extension with over 400,000 installations. This Stored XSS vulnerability can be exploited by contributors to embed malicious JavaScript code within posts, leading to unauthorized actions, including the creation of admin accounts. The vulnerability highlights the significant security risks associated with improper input validation in WordPress plugins, particularly in environments where user roles and permissions are not tightly controlled.

CVE-2024-5417 – Gutentor – Stored XSS to Admin Account Creation – POC

CVE-2024-5417 – Gutentor – Stored XSS to Admin Account Creation – POC

CVE-2024-5417 reveals a critical security flaw in the Gutentor plugin, a popular WordPress page builder with over 50,000 installations. This Stored Cross-Site Scripting (XSS) vulnerability enables attackers to inject malicious JavaScript code by exploiting the block embedding process in new posts. The severity of the issue lies in the fact that this vulnerability can be leveraged by a contributor to escalate privileges and create an unauthorized admin account, resulting in full control of the website.

CVE-2024-3282 – WP Table Builder – Stored XSS to backdoor creation – POC

CVE-2024-3282 – WP Table Builder – Stored XSS to backdoor creation – POC

The recently discovered vulnerability in WP Table Builder, tracked as CVE-2024-3282, exposes over 60,000 websites to serious risks. This Stored Cross-Site Scripting (XSS) flaw allows attackers to inject malicious JavaScript through the plugin’s table block creation process, potentially resulting in the takeover of administrator accounts and the installation of backdoors. Due to inadequate input sanitization, an attacker can exploit this vulnerability to execute arbitrary code, compromising both website security and user data.

CVE-2024-7082 – Easy Table of Contents – Stored XSS to backdoor creation – POC

CVE-2024-7082 – Easy Table of Contents – Stored XSS to backdoor creation – POC

A newly discovered vulnerability in the Easy Table of Contents WordPress plugin, designated as CVE-2024-7082, puts more than 500,000 sites at risk. This flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability, which could lead to account takeovers and the installation of backdoors within a WordPress environment. The vulnerability primarily occurs due to the plugin’s failure to properly sanitize user inputs, enabling malicious JavaScript (JS) code to be injected into the site’s widget settings. Once exploited, this flaw can result in the execution of malicious scripts by unsuspecting administrators, giving attackers the opportunity to manipulate or control the website.

CVE-2024-6335 – Tracking Code Manager – Stored XSS to backdoor creation – POC

CVE-2024-6335 – Tracking Code Manager – Stored XSS to backdoor creation – POC

A significant vulnerability has been discovered in the widely-used Tracking Code Manager WordPress plugin, identified as CVE-2024-6335. With over 100,000 installations, this plugin has become a valuable tool for managing tracking scripts, but a serious security flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw enables attackers to embed malicious JavaScript (JS) code within the plugin, leading to account takeovers and potential backdoor creation. Improper sanitization of inputs is the primary cause of this vulnerability, putting numerous WordPress sites at risk of exploitation.

CVE-2024-6158 – Category Posts Widget (Free and PRO) – Stored XSS to backdoor creation – POC

CVE-2024-6158 – Category Posts Widget (Free and PRO) – Stored XSS to backdoor creation – POC

CVE-2024-6884 highlights a critical vulnerability in the popular Category Posts Widget plugin, which is available in both Free and PRO versions. With over 50,000 active installations, this plugin is widely used to enhance content display in WordPress sites by allowing the customization of category-based posts through widgets. However, during a routine security audit, researchers discovered a severe stored XSS vulnerability that could lead to account takeovers and even the creation of backdoors, especially when exploited by users with certain privileges.

CVE-2024-6884 – Gutenberg Blocks with AI by Kadence WP – Stored XSS to Admin Account Creation (Contributor+) – POC

CVE-2024-6884 – Gutenberg Blocks with AI by Kadence WP – Stored XSS to Admin Account Creation (Contributor+) – POC

In an era where digital content creation via platforms like WordPress is ubiquitous, the importance of cybersecurity cannot be overstated. A recent discovery has brought to light a critical vulnerability in the “Gutenberg Blocks with AI by Kadence WP” plugin, a popular tool used by over 400,000 installations worldwide. (CVE-2024-6884)

CVE-2024-6766 – Shortcodes Ultimate Pro – Stored XSS to Admin Account Creation (Contributor+) – POC

CVE-2024-6766 – Shortcodes Ultimate Pro – Stored XSS to Admin Account Creation (Contributor+) – POC

The digital world is rife with threats, and the latest discovery in the WordPress plugin landscape underscores this reality. “Shortcodes Ultimate Pro,” a popular plugin with over 500,000 installations, has been found vulnerable to a severe security flaw, CVE-2024-6766. This vulnerability exposes websites to significant risks, impacting both their integrity and the safety of user data.

CVE-2024-6390 – Quiz and Survey Master (QSM) – Stored XSS to Admin Account Creation – POC

CVE-2024-6390 – Quiz and Survey Master (QSM) – Stored XSS to Admin Account Creation – POC

In today’s digital age, the security of web plugins is more critical than ever. The popular Quiz and Survey Master (QSM) plugin, trusted by over 40,000 installations, has recently been spotlighted for a severe security flaw. This article explores the nuances of this vulnerability, its implications, and provides a roadmap towards mitigation.