CVE-2025-1623 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin is a widely used tool for WordPress sites, enabling them to display cookie consent banners and helping website owners comply with the European Union’s General Data Protection Regulation (GDPR). However, a serious vulnerability (CVE-2025-1623) has been discovered that allows attackers to inject malicious JavaScript code into the “Tracking ID” field under the plugin’s integrations settings. This vulnerability can lead to the execution of stored XSS (Cross-Site Scripting) scripts, allowing for the creation of a backdoor account and other malicious activities. With over 300,000 active installations, this vulnerability poses a significant security risk to websites using this plugin.

CVE-2025-13616 – Vik Booking for WordPress – Stored XSS to JS Backdoor Creation – POC

WordPress remains one of the most popular content management systems (CMS) worldwide, offering thousands of plugins to enhance its functionality. However, the security of these plugins is a significant concern, as vulnerabilities can expose websites to attacks. One such vulnerability, CVE-2024-13616, was discovered in the Vik Booking plugin, a popular hotel booking engine for WordPress. This article explores the discovery, exploitation, and potential risks of this stored XSS vulnerability, along with recommendations for mitigation.

CVE-2025-1624 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin is a widely used tool for WordPress websites to ensure compliance with the European Union’s General Data Protection Regulation (GDPR). The plugin enables site owners to manage cookie consent banners, which are essential for informing users about the use of cookies and obtaining their consent. However, a critical vulnerability (CVE-2025-1624) has been discovered in the plugin, which allows attackers with editor-level access to inject malicious JavaScript into the “Tab Content” field within the plugin’s settings. This malicious JavaScript is then executed when the user interacts with the consent banner. This vulnerability can result in the creation of backdoor accounts, account takeover, and session hijacking. With over 300,000 active installations, the exploitation of this vulnerability poses a significant threat to websites using the GDPR Cookie Compliance plugin.

CVE-2024-13383 – HD Quiz < 2.0.0 – Stored XSS to JS Backdoor Creation – POC

In modern web development, security vulnerabilities remain a critical concern, particularly when user-generated content is involved. One such vulnerability, CVE-2024-13383, was identified in the HD Quiz plugin (versions prior to 2.0.0) for WordPress. This vulnerability allows an attacker to inject stored cross-site scripting (XSS) payloads into quizzes, leading to potential exploitation and compromise of user data.

CVE-2024-12739 – Mobile Contact Bar < 3.0.5 – Stored XSS to JS Backdoor Creation – POC

The Mobile Contact Bar plugin for WordPress provides website owners with an intuitive way to create customizable contact options for their visitors. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been identified in versions below 3.0.5, which can lead to JavaScript backdoor creation and potential full site compromise. This article explores the discovery, exploitation, risks, and mitigation strategies for this vulnerability.

CVE-2025-1619 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin is an essential tool for WordPress websites aiming to comply with the General Data Protection Regulation (GDPR) by providing cookie consent banners and settings. However, a critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-1619) has been identified in the plugin. This vulnerability allows an attacker with editor-level privileges to inject malicious JavaScript into the plugin’s “Checkbox Labels” field. Once the injected JavaScript is saved, it is stored in the WordPress database and executed when users interact with the cookie consent banner on the site. This can lead to account takeover, session hijacking, and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability represents a major security risk for websites using the GDPR Cookie Compliance plugin.

CVE-2024-11503 – WP Tabs < 2.2.7 – Stored XSS to JS Backdoor Creation – POC

WP Tabs is a widely used WordPress plugin designed to help users create and manage tabbed navigation on their websites. With its user-friendly interface and extensive customization options, WP Tabs has gained popularity among WordPress site owners. However, a security vulnerability (CVE-2024-11503) was discovered in versions below 2.2.7, exposing websites to a Stored Cross-Site Scripting (XSS) attack. This article delves into the discovery, exploitation, risks, and remediation of this vulnerability.

CVE-2024-10475 – Lead Form Builder – Stored XSS to JS Backdoor Creation – POC

Lead Form Builder is a popular WordPress plugin designed to create and manage contact forms. It offers an easy-to-use drag-and-drop interface and integration with page builders like Elementor, Brizy, SiteOrigin, and Gutenberg. However, a security vulnerability (CVE-2024-10475) was discovered in versions prior to 1.9.8, which allows attackers to inject and execute malicious JavaScript code through Stored Cross-Site Scripting (XSS). This article explores the vulnerability, its risks, exploitation, and best practices to mitigate the issue.

CVE-2025-1621 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC

The GDPR Cookie Compliance plugin is a popular solution for WordPress websites to help them comply with the European Union’s General Data Protection Regulation (GDPR). It is primarily used to display cookie consent banners that inform users about the use of cookies on the website and collect their consent. However, a critical vulnerability, CVE-2025-1621, has been discovered in the plugin that allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability enables attackers to inject malicious JavaScript into the “Accept – Button Label” field in the plugin’s settings. The injected script can later be executed when a user interacts with the consent banner, leading to potential account takeover and the creation of backdoor admin accounts. With over 300,000 active installations, this vulnerability presents a significant security risk.