CVE

CVE-2024-9021 An XSS vulnerability found recently in the Relevanssi plugin, which is one of the most popular WordPress plugins, extends the standard WordPress search feature by adding powerful customization options and increasing search relevance. However, the recent discovery of a stored XSS vulnerability in Relevanssi version 4.23.1 and below has raised concerns about the security of the website. This vulnerability may allow developers to inject malicious scripts, which will lead to serious consequences for site administrators

CVE-2024-7133 reveals a critical vulnerability in the My Sticky Bar (myStickymenu) WordPress plugin, which has over 100,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious JavaScript (JS) code through the plugin’s settings. Once exploited, the attacker can take over administrator accounts, create persistent backdoors, and control the entire WordPress site. The issue arises due to improper sanitization of user input, specifically in the “Font size” field when creating a sticky bar.

During a recent security test, a vulnerability identified as CVE-2024-8983 was discovered in Custom Twitter Feeds, a popular plugin. This vulnerability allows you to embed saved cross-site scripts (XSS) on the site, which can potentially lead to the creation of a backdoor and account hijacking.

CVE-2024-6887 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Giveaways and Contests by RafflePress plugin, used by over 30,000 WordPress installations to run giveaways and contests. This vulnerability allows attackers to inject malicious JavaScript (JS) through the plugin’s settings. The attack can be initiated by users with editor-level access, resulting in account takeover, backdoor creation, and potentially long-term control over the affected WordPress site. The flaw resides in the plugin’s failure to properly sanitize inputs, particularly in the “Button color” field.

CVE-2024-7761 exposes a critical flaw in the Simple Job Board plugin, widely used by WordPress sites to manage job listings and applications. With over 40,000 installations, this vulnerability allows attackers to exploit a Stored Cross-Site Scripting (XSS) flaw, enabling them to inject malicious JavaScript code. When executed, this can lead to account takeover, backdoor creation, and potentially long-term control over the site. The vulnerability stems from insufficient input validation, particularly in the plugin’s widget settings, making it an appealing target for attackers.

CVE-2024-3899 is a severe vulnerability found in the Envira Gallery plugin, a popular WordPress plugin used by over 100,000 websites to create image galleries. This vulnerability allows contributors (or users with higher privileges) to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript code in the “Title” field of image settings. When exploited, this flaw can lead to the creation of unauthorized admin accounts, giving attackers complete control over the website.

CVE-2024-5561 highlights a critical flaw in the Popup Maker plugin, a popular WordPress plugin used by over 700,000 websites to create and manage popups. This vulnerability allows attackers to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript (JS) code. Exploited by someone with editor-level permissions, this flaw can result in complete account takeover and the creation of backdoors, leading to long-term control over the compromised WordPress site.

A critical vulnerability, designated as CVE-2024-7315, has been discovered in the WPvivid plugin, widely used for migration, backup, and staging in WordPress with over 500,000 installations. This flaw exposes highly sensitive data, including database passwords and site configuration details, by exploiting a specific directory (./wp-content/wpvividbackups/wpvivid_log/). If left unpatched, the vulnerability can lead to complete site compromise through brute force attacks on password hashes or direct access to sensitive information.

CVE-2024-8617 detects a stored XSS vulnerability in the popular QuizMaker plugin for WordPress, which allows users to create various quizzes with different types of questions. Although it offers extensive functionality for creating quizzes, it also contains a critical security flaw

Vulnerability CVE-2024-7758 affects the Stylish Price List plugin, which is used in companies such as beauty salons, spas, restaurants, etc. This plugin allows users to create elegant price lists, helping to convert visitors into customers. However, this vulnerability opens up the possibility for attackers to inject malicious code into a website, leading to potential account hijacking or other serious security breaches.