CVE-2024-10518 – ProfilePress – Stored XSS to JS Backdoor Creation – POC

ProfilePress, a popular WordPress plugin used for user registration, login forms, and membership management, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10518. This flaw allows an attacker to inject malicious JavaScript into the plugin’s settings, particularly in the “Name” field of the Membership Plan configuration. When executed, the injected JavaScript can create a backdoor, allowing the attacker to take control of the WordPress site. With over 200,000 active installations, this vulnerability poses a significant security threat to a large number of WordPress sites.

CVE-2024-10637 – Kadence Blocks – Stored XSS to JS Backdoor Creation – POC

Kadence Blocks, a popular WordPress plugin used to extend the functionality of the Kadence theme by adding custom blocks, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10637. This flaw allows attackers with contributor-level access to inject malicious JavaScript code into a new post, which is then stored and executed. The vulnerability can lead to the creation of a JavaScript backdoor, which can escalate privileges to admin level, allowing attackers to take control of the site. With over 400,000 active installations, this vulnerability presents a significant security risk to WordPress sites using Kadence Blocks.

CVE-2024-10893 – WP Booking Calendar – Stored XSS to JS Backdoor Creation – POC

WP Booking Calendar is a widely used WordPress plugin that enables users to manage and book appointments directly from their WordPress site. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the plugin, identified as CVE-2024-10893. This vulnerability allows attackers to inject malicious JavaScript code into the plugin’s “Message title” field. The flaw can be exploited by users with any role, including editors, and can lead to the creation of a backdoor through which attackers can hijack accounts and take control of the site. With over 50,000 active installations, this vulnerability represents a significant security risk.

CVE-2024-10980 – Element Pack Elementor Addons – Stored XSS to Admin Account Creation – POC

Element Pack, a popular addon for the Elementor page builder, adds various widgets and elements to enhance the functionality of WordPress sites. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10980, has been discovered in the plugin. This flaw allows attackers with contributor privileges to inject malicious JavaScript into a post’s “Message” field within the “Cookie Consent” block, which is then executed when the content is viewed. This vulnerability can lead to admin account creation and full control of the affected WordPress site, posing a serious security risk to the over 100,000 active installations of Element Pack.

CVE-2024-10896 – Logo Slider – Stored XSS to Admin Account Creation – POC

The Logo Slider plugin for WordPress, which enables users to display brand logos and images in a slider format, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10896. This flaw allows attackers with contributor-level access to inject malicious JavaScript into the plugin’s settings, which is then executed when the slider block is interacted with on the front-end. This vulnerability can lead to serious consequences, including the creation of an admin account and full site compromise. With over 30,000 active installations, the potential impact of this vulnerability is significant for WordPress sites using the Logo Slider plugin.

CVE-2024-10473 – Logo Slider – Stored XSS to Admin Account Creation – POC

The Logo Slider plugin for WordPress, a popular tool for displaying logos and brand images on websites, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10473. This vulnerability allows attackers with contributor-level access to inject malicious JavaScript into the “Brand Name” field of a new logo slider. The injected code can then be executed when the slider is rendered on the front-end of the site, potentially leading to the creation of an admin account and complete site compromise. With over 30,000 active installations, this flaw poses a significant security risk to WordPress sites using the Logo Slider plugin.

CVE-2024-10493 – Element Pack Lite – Addons for Elementor – Stored XSS to Admin Account Creation – POC

Element Pack Lite, a popular add-on for the Elementor page builder in WordPress, provides users with advanced widgets and design tools. However, a critical vulnerability, CVE-2024-10493, has been identified in the plugin. This flaw allows attackers with contributor-level access to inject malicious JavaScript code into the “Content Caption” field of a new post, which can result in an admin account being created. With over 100,000 installations, this vulnerability poses a significant risk to WordPress sites that use Element Pack Lite to extend their Elementor functionality.

CVE-2024-10471 – Everest Forms – Stored XSS to Backdoor Creation – POC

Everest Forms, a popular plugin for creating forms in WordPress, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10471. This vulnerability allows attackers with editor-level privileges to inject malicious JavaScript code into the plugin’s form settings, which could lead to account takeover and the creation of backdoors. Given the large user base of Everest Forms, with over 6 million active installations, this vulnerability poses a significant threat to the security of many WordPress websites.

CVE-2024-9651 – Fluent Forms – Stored XSS to Backdoor Creation – POC

Fluent Forms, a widely used WordPress plugin that has been installed more than 500,000 times, is known for its advanced and lightweight contact form builder. With features such as drag-and-drop customization, conditional logic, and anti-spam, it has become a staple for both businesses and developers. However, such popularity also makes it a target for exploitation. The stored (persistent) cross-site scripting (XSS) vulnerability CVE-2024-9651 in older versions of Fluent Forms poses a significant risk, potentially allowing attackers to introduce backdoors and compromise entire websites.

Version 5.2.5 of Fluent Forms has received a Plugin Security Certificate (PSC), which guarantees users that this version is verified as secure.