CVE

The Image Widget plugin for WordPress, used to add image widgets to pages or posts, has been found to have a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10939. This vulnerability allows attackers with editor-level privileges to inject malicious JavaScript into the “imgurl” field of an image widget. The injected script is stored and executed when the widget is rendered, potentially leading to account takeover and the creation of a backdoor. With over 100,000 active installations, this vulnerability poses a significant security risk for WordPress sites using the Image Widget plugin.

Ajax Search Lite, a popular WordPress plugin that enables live search and filtering functionality, has been found to have a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10568. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the plugin’s settings, which is stored in the WordPress database and executed when the settings are accessed. The injected JavaScript can create a backdoor, potentially leading to account takeover and site compromise. With over 100,000 active installations, this vulnerability poses a significant security risk for WordPress sites that use the Ajax Search Lite plugin.

LearnPress, a popular WordPress plugin for creating and managing online courses, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10010. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the plugin’s settings, which is then stored and executed when the settings are viewed. The injected script can create a backdoor, allowing the attacker to take control of the site and escalate privileges, leading to a full account takeover. With over 100,000 active installations, this vulnerability poses a significant security risk to WordPress sites that rely on LearnPress for managing educational content.

Popup Builder, a popular WordPress plugin used to create and manage popups on websites, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-9428. This flaw allows attackers to inject malicious JavaScript into the plugin’s settings, specifically within the “Alt Text” field of an image in the popup. The injected script can be executed when the popup is viewed, enabling attackers to escalate privileges and potentially create a backdoor for account takeover. This vulnerability affects over 200,000 installations of the Popup Builder plugin and presents a serious security risk for WordPress sites using this plugin.

ProfilePress is a popular WordPress plugin used for creating and managing user login, registration, and profile forms. It provides features to enhance user experience and website functionality. However, a critical vulnerability, CVE-2024-10517, has been discovered in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “User Login” field of a new form, which is then stored and executed on the site. The vulnerability can lead to account takeover and the creation of a backdoor for the attacker, compromising the integrity of the WordPress installation. With over 200,000 active installations, this vulnerability represents a significant security risk for websites using ProfilePress.

ProfilePress, a popular WordPress plugin used for user registration, login forms, and membership management, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10518. This flaw allows an attacker to inject malicious JavaScript into the plugin’s settings, particularly in the “Name” field of the Membership Plan configuration. When executed, the injected JavaScript can create a backdoor, allowing the attacker to take control of the WordPress site. With over 200,000 active installations, this vulnerability poses a significant security threat to a large number of WordPress sites.

Kadence Blocks, a popular WordPress plugin used to extend the functionality of the Kadence theme by adding custom blocks, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10637. This flaw allows attackers with contributor-level access to inject malicious JavaScript code into a new post, which is then stored and executed. The vulnerability can lead to the creation of a JavaScript backdoor, which can escalate privileges to admin level, allowing attackers to take control of the site. With over 400,000 active installations, this vulnerability presents a significant security risk to WordPress sites using Kadence Blocks.

WP Booking Calendar is a widely-used WordPress plugin that enables users to manage and book appointments directly from their WordPress site. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the plugin, identified as CVE-2024-10893. This vulnerability allows attackers to inject malicious JavaScript code into the plugin’s “Message title” field. The flaw can be exploited by users with any role, including editors, and can lead to the creation of a backdoor through which attackers can hijack accounts and take control of the site. With over 50,000 active installations, this vulnerability represents a significant security risk.

The Photo Gallery by 10Web plugin, widely used for managing and displaying image galleries in WordPress, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10704. This flaw allows attackers with editor-level access to inject

Element Pack, a popular addon for the Elementor page builder, adds various widgets and elements to enhance the functionality of WordPress sites. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10980, has been discovered in the plugin. This flaw allows attackers with contributor privileges to inject malicious JavaScript into a post’s “Message” field within the “Cookie Consent” block, which is then executed when the content is viewed. This vulnerability can lead to admin account creation and full control of the affected WordPress site, posing a serious security risk to the over 100,000 active installations of Element Pack.