CVE-2024-10144 – Photo Gallery, Images, Slider in Rbs Image Gallery – Stored XSS to Admin Creation (Contributor+) – POC

CVE-2024-10144 – Photo Gallery, Images, Slider in Rbs Image Gallery – Stored XSS to Admin Creation (Contributor+) – POC

The Photo Gallery, Images, Slider in Rbs Image Gallery plugin is a widely used tool for managing and displaying galleries, sliders, and images within WordPress websites. This plugin offers a variety of features to enhance the visual experience of WordPress sites, with over 50,000 active installations. However, a critical security vulnerability—CVE-2024-10144—has been discovered, allowing attackers to inject malicious JavaScript (JS) code. This vulnerability enables attackers to escalate their privileges, resulting in the potential creation of an admin account through a stored XSS attack. This vulnerability exposes sites to a range of malicious activities, including unauthorized access and potential data breaches.

CVE-2024-10107 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10107 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC

The Giveaways and Contests by RafflePress plugin is a popular tool used by WordPress site owners to manage and run contests, sweepstakes, and giveaways. With over 30,000 active installations, it allows users to boost engagement and traffic by offering incentives to participants. However, a critical vulnerability—CVE-2024-100107—was discovered during testing, which exposes the plugin to a Stored Cross-Site Scripting (XSS) attack. This vulnerability allows malicious actors to inject and execute JavaScript code, enabling them to potentially gain unauthorized access to the site and create backdoors that could compromise the entire platform.

CVE-2024-13207 – Widget for Social Page Feeds < 6.4.2 – Stored XSS to Backdoor Creation – POC

CVE-2024-13207 – Widget for Social Page Feeds < 6.4.2 – Stored XSS to Backdoor Creation – POC

In April 2024, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the popular WordPress plugin Widget for Social Page Feeds (formerly known as “Facebook Page Like Widget”). This plugin is installed on over 80,000 WordPress sites and is widely used to display Facebook page feeds in sidebars and other widget areas. The vulnerability, assigned CVE-2024-13207, affects all plugin versions below 6.4.2 and can allow attackers to inject malicious JavaScript, potentially leading to full site compromise.

CVE-2024-13610 – Simple Social Media Share Buttons < 6.0.0 – Stored XSS to Backdoor Creation – POC

CVE-2024-13610 – Simple Social Media Share Buttons < 6.0.0 – Stored XSS to Backdoor Creation – POC

In early 2024, a security flaw was identified in the popular WordPress plugin Simple Social Media Share Buttons, used on thousands of websites to enhance social media engagement. The vulnerability, now tracked as CVE-2024-13610, allows attackers to inject persistent JavaScript (Stored XSS) into the admin panel via the YouTube Channel ID field inside the widget settings. In the worst-case scenario, this could lead to the creation of backdoor admin accounts, full site compromise, or even malware distribution to site visitors.

CVE-2025-1203 – Meta Slider – Stored XSS to Backdoor Creation – POC

CVE-2025-1203 – Meta Slider – Stored XSS to Backdoor Creation – POC

Meta Slider is a widely used WordPress plugin that helps users create image sliders, carousels, and other content displays. With over 600,000 installations, the plugin is a popular choice among developers and website owners for its ease of use and flexibility. However, a serious security flaw—CVE-2025-1203—has been discovered in Meta Slider, which allows malicious users to inject and execute JavaScript through a Stored Cross-Site Scripting (XSS) attack. This vulnerability enables attackers to potentially create backdoors on WordPress sites, leading to full administrative control of the site.

CVE-2025-1762 – Event Tickets with Ticket Scanner <= 2.5.4 – Arbitrary Tickets Deletion via CSRF – POC

CVE-2025-1762 – Event Tickets with Ticket Scanner <= 2.5.4 – Arbitrary Tickets Deletion via CSRF – POC

Cross-Site Request Forgery (CSRF) is a type of web security vulnerability that allows an attacker to execute unauthorized actions on behalf of an authenticated user. In the case of the Event Tickets with Ticket Scanner plugin (version <= 2.5.4), a CSRF vulnerability has been discovered, allowing attackers to delete all tickets without proper authorization.

CVE-2024-13313 – AWeber < 7.3.21 – Stored XSS to Backdoor Creation – POC

CVE-2024-13313 – AWeber < 7.3.21 – Stored XSS to Backdoor Creation – POC

The Weber – Free Sign Up Form and Landing Page Builder plugin for WordPress is designed to facilitate email marketing, lead generation, and newsletter management. It allows users to create and embed sign-up forms, automate email campaigns, and integrate various marketing tools seamlessly. However, a critical security vulnerability, CVE-2024-13313, was identified in versions below 7.3.21, allowing Stored Cross-Site Scripting (XSS) attacks. This article explores the discovery, exploitation, and mitigation of this vulnerability.

CVE-2025-1062 – Meta Slider – Stored XSS to Backdoor Creation – POC

CVE-2025-1062 – Meta Slider – Stored XSS to Backdoor Creation – POC

Meta Slider is one of the most popular WordPress plugins used to create responsive image sliders. It offers flexibility and customization options to enhance the visual appeal of websites. However, a critical Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-1062) has been discovered in the plugin. This vulnerability allows attackers with editor privileges to inject malicious JavaScript into the plugin’s slider settings. By exploiting this flaw, an attacker can gain unauthorized access to a WordPress site, potentially compromising it completely. The vulnerability affects versions with over 600k installs, making it a widespread security risk for many WordPress-powered websites.

CVE-2025-1446 – Pods – Custom Content Types and Fields – SQL Injection – POC

CVE-2025-1446 – Pods – Custom Content Types and Fields – SQL Injection – POC

Pods is a powerful plugin for WordPress that allows users to create and manage custom post types, fields, and taxonomies. This plugin is widely used for extending WordPress’s native functionality and creating custom content types to suit different needs. However, a severe SQL Injection vulnerability (CVE-2025-1446) has been discovered in the Pods plugin. This vulnerability allows an attacker to inject malicious SQL queries via user input, potentially leading to unauthorized access to the WordPress database. If exploited, this flaw could result in data leakage, manipulation, or even full administrative control over the site.