CVE

CVE-2024-7762 highlights a critical security flaw in the Simple Job Board plugin, a popular WordPress plugin with over 30,000 installations. This vulnerability allows unauthorized users to access and download confidential resumes and other files uploaded by job applicants. The flaw lies within the plugin’s directory listings system, which fails to implement proper access controls. If exploited, this vulnerability can expose sensitive data, leading to severe privacy breaches and security risks.

The Team Members Showcase plugin for WordPress has discovered a vulnerability CVE-2024-9236, which allows an attacker to execute saved cross-site scripts (XSS) and potentially intercept administrative accounts.It offers website administrators a universal tool for displaying team members on their site using various layouts such as grids and sliders. This plugin is highly customizable, adaptive, and compatible with Elementor, allowing users to easily create professional-looking team storefronts.

CVE-2024-9182 in the Maspik – Advanced Spam Protection plugin allows an attacker to embed saved cross-site scripts (XSS). This vulnerability can lead to serious consequences, such as creating an administrator account without authorization, which can compromise the security of WordPress websites.

CVE-2024-8239 uncovers a serious Stored Cross-Site Scripting (XSS) vulnerability in the Starbox – The Author Box for Humans plugin, used by over 40,000 WordPress sites to display author profiles and bios. This vulnerability allows contributors to inject malicious JavaScript (JS) into their profile settings, specifically through the “Twitter URL” field, which can lead to admin account creation and backdoor access. If exploited, attackers can hijack the WordPress site’s admin functionality and maintain persistent control.

CVE-2024-8283 exposes a serious vulnerability in the Slider by 10Web plugin, a widely used WordPress plugin with over 30,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers, particularly users with contributor-level access, to inject malicious JavaScript (JS) code through the plugin’s slider settings. When exploited, this vulnerability enables attackers to take over admin accounts and create backdoors, allowing them to maintain long-term access to the site.

CVE-2024-3635 represents a critical Stored Cross-Site Scripting (XSS) vulnerability in The Post Grid plugin, a popular tool for creating custom grid layouts in WordPress. With over 100,000 installations, this vulnerability poses a serious threat as it allows attackers with editor-level permissions to inject malicious JavaScript (JS) code into grid settings. Once exploited, the vulnerability can lead to account takeover, enabling attackers to create persistent backdoors and take control of the WordPress site.

CVE-2024-8536 presents a serious security risk in the Ultimate Blocks plugin, used by over 70,000 WordPress sites to enhance post content with custom blocks. This vulnerability allows attackers, specifically users with contributor-level access, to inject malicious JavaScript (JS) into a new post using the plugin’s “Expand” block feature. If exploited, this can lead to admin account creation and full site takeover, putting the entire WordPress installation at risk.

CVE-2024-9021 An XSS vulnerability found recently in the Relevanssi plugin, which is one of the most popular WordPress plugins, extends the standard WordPress search feature by adding powerful customization options and increasing search relevance. However, the recent discovery of a stored XSS vulnerability in Relevanssi version 4.23.1 and below has raised concerns about the security of the website. This vulnerability may allow developers to inject malicious scripts, which will lead to serious consequences for site administrators

CVE-2024-7133 reveals a critical vulnerability in the My Sticky Bar (myStickymenu) WordPress plugin, which has over 100,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious JavaScript (JS) code through the plugin’s settings. Once exploited, the attacker can take over administrator accounts, create persistent backdoors, and control the entire WordPress site. The issue arises due to improper sanitization of user input, specifically in the “Font size” field when creating a sticky bar.

During a recent security test, a vulnerability identified as CVE-2024-8983 was discovered in Custom Twitter Feeds, a popular plugin. This vulnerability allows you to embed saved cross-site scripts (XSS) on the site, which can potentially lead to the creation of a backdoor and account hijacking.