CVE

CVE-2024-8542 is a critical Stored Cross-Site Scripting (XSS) vulnerability affecting the Everest Forms plugin, used by over 100,000 WordPress installations to create forms. This flaw allows contributors or editors to inject malicious JavaScript (JS) into the form’s settings, specifically in the “No field” section of the YES/NO block. Once exploited, the vulnerability can lead to admin account takeovers, the creation of backdoors, and long-term control of the WordPress site.

CVE-2024-8284 represents a critical Stored Cross-Site Scripting (XSS) vulnerability discovered in the Download Manager plugin, which is used by over 100,000 WordPress installations to manage and protect downloadable files. This flaw allows attackers with editor-level permissions to inject malicious JavaScript (JS) into the plugin’s settings, specifically in the “Login Required Message” field. Exploiting this vulnerability can result in the creation of backdoors, admin account takeover, and long-term control of the WordPress site.

CVE-2024-5968 is a critical vulnerability affecting the Photo Gallery by 10Web plugin, which has over 200,000 active installations. The flaw enables attackers to execute Stored Cross-Site Scripting (XSS) by injecting malicious JavaScript (JS) code into the plugin’s settings. When exploited, this vulnerability allows for admin account takeover, backdoor creation, and potentially long-term control over the WordPress site.

CVE-2024-5429 is a critical vulnerability identified in the Logo Slider Free plugin, which is used by over 30,000 WordPress installations to create logo sliders. The flaw allows an attacker with contributor-level access to inject malicious JavaScript (JS) into the plugin’s settings, specifically in the “Brand Name” field. If exploited, this Stored Cross-Site Scripting (XSS) vulnerability can lead to admin account takeover and the creation of persistent backdoors, compromising the entire WordPress site.

CVE-2024-8758 represents a serious vulnerability found in the Quiz and Survey Master (QSM) plugin, a popular WordPress plugin used to create quizzes and surveys, with over 50,000 installations. The flaw allows contributors to inject malicious JavaScript (JS) code into the plugin’s settings, leading to Stored Cross-Site Scripting (XSS) attacks. This can escalate into admin account takeover or the creation of persistent backdoors, enabling attackers to maintain long-term control over the WordPress site.

The CVE-2024-8759 vulnerability has been discovered in the Nested Pages plugin, which allows attackers to carry out an attack using stored cross-site scripts (XSS). This vulnerability can be exploited to create a backdoor or even hack into an administrator account, making it a serious security issue for websites using the plugin.

CVE-2024-8493 is a critical vulnerability identified in The Events Calendar plugin, a widely used WordPress plugin with over 700,000 installations. The vulnerability allows attackers with editor-level access to inject malicious JavaScript (JS) into the plugin’s settings, leading to account takeovers and backdoor creation. Improper input sanitization, particularly in the “Data time separator” field, exposes WordPress sites to this Stored XSS attack, potentially compromising the entire website.

CVE-2024-8619 exposes a serious Stored Cross-Site Scripting (XSS) vulnerability in the Ajax Search Lite plugin, a widely used search enhancement plugin with over 100,000 installations. This vulnerability allows attackers, specifically users with editor-level permissions, to inject malicious JavaScript (JS) into the plugin’s settings. Once exploited, the attacker can create backdoors and take over admin accounts, leading to full control of the WordPress site. The issue lies in improper input sanitization within the plugin’s “image width” field, which can be manipulated to execute malicious scripts.

CVE-2024-8492 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Hustle plugin, which is used by over 100,000 WordPress installations to create popups, email opt-ins, and other marketing tools. This vulnerability allows attackers to inject malicious JavaScript (JS) code through the plugin’s settings, particularly in the “Error Message” field of the Email Field settings. If exploited, this vulnerability can lead to admin account takeover and the creation of persistent backdoors, giving attackers long-term control over the site.

CVE-2024-8187 reveals a critical Stored Cross-Site Scripting (XSS) vulnerability in the Smart Post Show plugin, a popular WordPress plugin with over 30,000 installations. This vulnerability allows attackers with editor-level access to inject malicious JavaScript (JS) into the plugin’s settings. If exploited, the vulnerability enables account takeover, backdoor creation, and long-term control over the WordPress site. The issue stems from improper input validation, particularly in the post grid settings.