CVE-2024-9645 – Post Grid Gutenberg Blocks (Combo Blocks) – Stored XSS to Admin Creation – POC

The Post Grid Gutenberg Blocks (Combo Blocks) plugin for WordPress allows users to display posts in a grid format with various customizations, making it a popular choice among WordPress users. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the plugin, identified as CVE-2024-9645. This flaw allows an attacker with contributor-level access to inject malicious JavaScript into the plugin’s shortcode, which can be executed when the post is viewed. The attacker can exploit this vulnerability to create a backdoor admin account, potentially giving them full control of the website. With over 50,000 active installations, this vulnerability presents a significant security risk to sites using this plugin.

CVE-2024-9020 – List Category Posts – Stored XSS to JS Admin Creation – POC

List Category Posts is a widely used WordPress plugin that allows site owners to display posts from specific categories in a list format. However, CVE-2024-9020 has been identified as a critical Stored Cross-Site Scripting (XSS) vulnerability within the plugin. This vulnerability enables attackers with contributor-level privileges to inject malicious JavaScript into post excerpts, which can lead to the creation of a backdoor admin account. With over 100,000 active installations, this flaw presents a significant security risk for websites using the List Category Posts plugin.

CVE-2024-13314 – Carousel, Slider, Gallery by WP Carousel – Stored XSS to JS Backdoor Creation – POC

The WP Carousel plugin is a popular WordPress plugin that allows users to create beautiful image, post, and WooCommerce product carousels effortlessly. With its user-friendly interface and extensive features, it has become a preferred choice for many WordPress site owners. However, a vulnerability (CVE-2024-13314) has been discovered in versions below 2.7.4, allowing attackers to exploit Stored Cross-Site Scripting (XSS), posing a significant security risk.

CVE-2024-13208 – WP Google Map – Stored XSS to JS Backdoor Creation – POC

Google Maps is an essential feature for many websites, enabling businesses and organizations to display interactive maps for better user engagement. WP Google Map is a WordPress plugin designed to simplify the integration of Google Maps into websites. This user-friendly tool provides extensive customization options, making it a favorite among WordPress users. However, recent security research uncovered a critical stored Cross-Site Scripting (XSS) vulnerability in the plugin, identified as CVE-2024-13208. This vulnerability has the potential to compromise the security of websites using the plugin, highlighting the importance of robust security measures.

CVE-2024-12568 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC

Email Subscribers by Icegram Express is a popular WordPress plugin designed to help website administrators manage email subscriptions and send automated notifications, such as confirmation emails and newsletters. However, CVE-2024-12568 has been identified as a critical vulnerability in the plugin that allows attackers to inject malicious JavaScript into the email content field of a new workflow. The injected script can lead to a backdoor creation, allowing attackers to hijack admin sessions or escalate their privileges to take full control of the WordPress site. With over 100,000 active installations, this vulnerability poses a significant risk to WordPress websites that rely on Email Subscribers for their subscription management.

CVE-2024-12566 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC

Email Subscribers by Icegram Express is a popular WordPress plugin that enables website owners to collect email subscribers and send newsletters, notifications, and updates. However, CVE-2024-12566 has been identified as a serious Stored Cross-Site Scripting (XSS) vulnerability within the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript code into a form’s “Show message” field. Once the malicious script is embedded, it can lead to session hijacking or the creation of a backdoor admin account. With over 100,000 active installations, this vulnerability poses a significant risk for WordPress websites using Email Subscribers by Icegram Express.

CVE-2024-11636 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC

Email Subscribers by Icegram Express is a widely used WordPress plugin designed to help website administrators collect and manage email subscribers, as well as send newsletters and email notifications. However, a critical vulnerability has been found in the plugin, CVE-2024-11636, which allows attackers with editor-level access to inject malicious JavaScript into form fields. This stored Cross-Site Scripting (XSS) vulnerability can lead to account takeover by creating a backdoor that allows unauthorized users to gain full control of the site. With over 100,000 active installations, this flaw represents a serious security risk for WordPress sites using the plugin.

CVE-2024-10102 – Robo Gallery (Photo Gallery, Images, Slider in Rbs Image Gallery) – Stored XSS to JS Backdoor Creation – POC

Robo Gallery, a popular WordPress plugin used for displaying photo galleries and sliders, contains a critical vulnerability, CVE-2024-10102. This flaw allows attackers to inject malicious JavaScript code into the plugin’s settings via a simple stored Cross-Site Scripting (XSS) attack. The vulnerability can be exploited by users with contributor privileges, enabling them to create a backdoor in the WordPress admin area. This backdoor can then be used to hijack admin accounts, potentially gaining full control of the website. With over 50,000 active installations, this vulnerability poses a significant risk to sites using Robo Gallery.

CVE-2024-10562 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

Form Maker by 10Web is a widely used plugin for creating and managing forms in WordPress. However, a critical vulnerability, CVE-2024-10562, has been discovered in the plugin that allows for Stored Cross-Site Scripting (XSS) attacks. This flaw enables attackers with editor-level privileges to inject malicious JavaScript code into form settings, which is stored and executed when the form is rendered. The injected script can create a backdoor, allowing attackers to escalate their privileges and potentially gain full control over the site. With over 50,000 active installations, this vulnerability poses a significant security risk for WordPress websites using Form Maker by 10Web.

CVE-2024-10309 – Tracking Code Manager – Stored XSS to JS Backdoor Creation – POC

Tracking Code Manager, a widely used WordPress plugin by Data443, allows users to manage and customize third-party tracking codes and scripts on their WordPress sites. The plugin is known for its simplicity and compliance with privacy laws, offering features like tracking pixel placement, regional blocking, and seamless integration with e-commerce platforms. However, a critical stored Cross-Site Scripting (XSS) vulnerability has been identified in versions below 2.4.0, potentially exposing websites to serious security risks.

This vulnerability enables users with Contributor or higher roles to inject malicious scripts into the site, which can compromise the security and integrity of the affected WordPress installation. In this article, we’ll explore the discovery, exploitation, potential risks, and recommendations for mitigating this issue.