Quiz And Survey Master (QSM) is a powerful WordPress plugin used to design and deploy quizzes, surveys, and assessments, with over 50,000 active installations. Despite its extensive use for educational and marketing purposes, a critical vulnerability—CVE-2025-6790—has been identified that permits unauthenticated attackers to perform Cross-Site Request Forgery (CSRF) against its AJAX endpoint for quiz template creation. This flaw allows an attacker to inject arbitrary templates into the system, potentially enabling further administrative actions or content hijacking without requiring any valid credentials.
CVE-2025-8015 – Shortcodes Ultimate – Stored XSS (Author+) to Admin Account Creation – POC

Shortcodes Ultimate is a ubiquitous WordPress plugin used by over 500,000 websites to effortlessly embed rich content—galleries, tabs, sliders—through simple shortcode syntax. While its drag-and-drop gallery builder and extensive shortcode library enhance user experience, a serious security flaw—CVE-2025-8015—has been discovered. This vulnerability permits an Author+ user to inject persistent JavaScript into gallery items (via image links or titles), which executes when administrators or other privileged users interact with the gallery. Ultimately, attackers can escalate privileges, create admin backdoors, and fully compromise the site.
CVE-2025-7369 – Shortcodes Ultimate – Unauthenticated Stored XSS via CSRF to Admin Account Creation – POC

The Shortcodes Ultimate plugin is a widely used WordPress toolkit, enabling site owners to add rich content elements—buttons, tabs, sliders—via simple shortcodes. With over 500,000 active installations, it is a go-to plugin for visual enhancements. However, a critical vulnerability, CVE-2025-7369, allows unauthenticated attackers to exploit a lack of CSRF protection on the plugin’s AJAX preview endpoint. By submitting a specially crafted form, an attacker can store malicious JavaScript in the database that executes in the administrator’s browser, opening the door to a full account-takeover backdoor.
CVE-2025-3414 – Structured Content <= 1.6.4 Contributor+ – Stored XSS to JS Backdoor Creation – POC

The Structured Content plugin helps WordPress users enhance their pages with rich JSON-LD schema.org structured data elements. It allows for the insertion of components like FAQs, job postings, events, and more, with options to display the content as visible HTML or hidden machine-readable data.
However, in version 1.6.4 and below, a Stored Cross-Site Scripting (XSS) vulnerability was identified that allows users with Contributor privileges to inject malicious JavaScript via the “Additional CSS class(es)” field in FAQ blocks. This XSS payload is then persistently stored and can be executed when the HTML is rendered, leading to account compromise or further exploitation.
CVE-2025-6572 – OpenStreetMap – Stored XSS to JS Backdoor Creation – POC

The OpenStreetMap for Gutenberg and WPBakery Page Builder plugin is designed to help WordPress users easily embed customizable and interactive maps into their posts and pages. However, in version 1.2.0 and below, a Stored Cross-Site Scripting (XSS) vulnerability exists, which allows Contributor-level users to inject persistent JavaScript code into map marker popup text. This can lead to account compromise, content injection, and potentially full site takeover.
CVE-2024-13381 – Calculated Fields Form – Stored XSS to JS Backdoor Creation – POC

Calculated Fields Form is a versatile WordPress plugin that lets users design dynamic forms with live calculations, sliders, and conditional logic. With more than 60,000 active installations, it powers everything from loan calculators to interactive quizzes. However, a severe security flaw—CVE-2024-13381—has been discovered in the plugin’s Slider block configuration. This vulnerability allows an editor to inject persistent JavaScript into form captions, which executes whenever the form is previewed, creating an avenue for backdoor creation and full administrative takeover.
CVE-2025-5921 – Sure Forms – Unauthenticated XSS – POC

Sure Forms is a popular WordPress plugin with over 200,000 active installations, enabling site owners to create custom contact forms, surveys, and interactive interfaces. While robust in features and ease of use, a critical vulnerability—CVE-2025-5921—has been discovered that permits unauthenticated visitors to execute Cross‑Site Scripting (XSS). By crafting a special URL parameter, attackers can embed JavaScript into a public form field, triggering scripts in an administrator’s browser and forging a path to a persistent backdoor or account takeover.
CVE-2024-6130 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

Form Maker by 10Web is a popular WordPress plugin that enables site owners to build custom forms with drag-and-drop ease. Boasting over 50,000 active installations, it powers everything from simple contact forms to complex multi-step surveys. Despite its robust feature set, including advanced validation and styling options, the plugin contains a critical security flaw—CVE-2024-6130—that allows an editor to inject malicious JavaScript via the form field “classname” attribute. Once stored, this payload executes whenever the form is rendered, enabling account takeover, backdoor installation, and broader site compromise.
CVE-2025-3581 – Newsletter – Stored XSS to JS Backdoor Creation – POC

The Newsletter plugin is a cornerstone of email marketing for WordPress, with over 300,000 active installations. It allows site owners to embed subscription forms via shortcodes and widgets, manage subscriber lists, and send targeted campaigns. Yet, a critical security flaw—CVE-2025-3581—has been discovered within its widget configuration. This vulnerability permits a user with Editor privileges to inject malicious JavaScript into the widget’s Title field. As a result, any visitor or administrator viewing the widget on the frontend will execute the stored script, potentially establishing a persistent backdoor and complete site compromise.
CVE-2025-3582 – Newsletter – Stored XSS to JS Backdoor Creation – POC

The Newsletter plugin remains one of the most installed WordPress subscription solutions, with over 300,000 installations powering email campaigns and subscription forms worldwide. Despite its robust feature set—such as drag-and-drop form creation and subscriber management—a severe security flaw has been identified: CVE-2025-3582. This vulnerability allows a user with Editor-level privileges to inject persistent JavaScript into the form configuration itself. Once embedded, the malicious code will execute in any administrator’s or visitor’s browser when they view the affected form, providing attackers with a potent avenue to create backdoors and take over accounts.