WPForms, a widely used WordPress plugin for creating forms, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-11223. This flaw allows an attacker with editor-level access to inject malicious JavaScript code into the settings of the “Number Slider” field in a form. When the form is viewed or submitted, the malicious script executes, potentially creating a backdoor and allowing the attacker to escalate their privileges. With over 6 million active installations, this vulnerability presents a significant security risk for WordPress sites using WPForms.
CVE-2024-10555 – Max Buttons – Stored XSS to Admin Account Creation – POC
Max Buttons, a popular WordPress plugin for creating customizable buttons, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10555. This flaw allows an attacker with editor-level access to inject malicious JavaScript into the plugin’s settings. The injected script is stored and executed when the plugin settings are accessed. This can lead to account takeover, where an attacker can escalate their privileges and potentially create a backdoor admin account, giving them full control of the site. With over 100,000 active installations, this vulnerability represents a significant security risk for WordPress users.
CVE-2024-8968 – Max Buttons – Stored XSS to Admin Account Creation – POC
Max Buttons is a widely used WordPress plugin that allows users to create customizable buttons for their website. However, a critical vulnerability, CVE-2024-8968, has been identified in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “Text color” field when creating a new button, which can be stored and executed when the settings are accessed. The injected script can lead to account takeover and the creation of a backdoor, allowing attackers to gain admin access to the site. With over 100,000 active installations, this vulnerability presents a serious security risk to WordPress websites using Max Buttons.
CVE-2024-10706 – Download Manager – Stored XSS to Admin Account Creation – POC
Download Manager is a widely used WordPress plugin for managing downloadable files and controlling access to them. However, it contains a critical vulnerability, CVE-2024-10706, which allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability enables attackers to inject malicious JavaScript code into the plugin’s settings, which is then executed when the settings are accessed. This could lead to account takeover, with attackers gaining unauthorized admin access. With over 100,000 active installations, this flaw presents a significant security risk for WordPress websites using Download Manager.
CVE-2024-10678 – Ultimate Blocks – Stored XSS to Admin Account Creation – POC
Ultimate Blocks is a popular WordPress plugin that provides a variety of content blocks for Gutenberg. However, a critical vulnerability, CVE-2024-10678, has been discovered in the plugin, which allows for a Stored Cross-Site Scripting (XSS) attack. This vulnerability enables an attacker with contributor privileges to inject malicious JavaScript code into the “Countdown” block of a new post, which is then executed when the post is interacted with. The injected script can lead to account takeover and the creation of a backdoor admin account, posing a serious risk for WordPress websites. With over 50,000 active installations, this vulnerability represents a significant security threat.
CVE-2024-10939 – Image Widget – Stored XSS to JS Backdoor Creation – POC
The Image Widget plugin for WordPress, used to add image widgets to pages or posts, has been found to have a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10939. This vulnerability allows attackers with editor-level privileges to inject malicious JavaScript into the “imgurl” field of an image widget. The injected script is stored and executed when the widget is rendered, potentially leading to account takeover and the creation of a backdoor. With over 100,000 active installations, this vulnerability poses a significant security risk for WordPress sites using the Image Widget plugin.
CVE-2024-10568 – Ajax Search Lite – Live Search & Filter – Stored XSS to JS Backdoor Creation – POC
Ajax Search Lite, a popular WordPress plugin that enables live search and filtering functionality, has been found to have a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-10568. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the plugin’s settings, which is stored in the WordPress database and executed when the settings are accessed. The injected JavaScript can create a backdoor, potentially leading to account takeover and site compromise. With over 100,000 active installations, this vulnerability poses a significant security risk for WordPress sites that use the Ajax Search Lite plugin.
CVE-2024-10010 – LearnPress – Stored XSS to JS Backdoor Creation – POC
LearnPress, a popular WordPress plugin for creating and managing online courses, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10010. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the plugin’s settings, which is then stored and executed when the settings are viewed. The injected script can create a backdoor, allowing the attacker to take control of the site and escalate privileges, leading to a full account takeover. With over 100,000 active installations, this vulnerability poses a significant security risk to WordPress sites that rely on LearnPress for managing educational content.
CVE-2024-9428 – Popup Builder – Stored XSS to JS Backdoor Creation – POC
Popup Builder, a popular WordPress plugin used to create and manage popups on websites, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-9428. This flaw allows attackers to inject malicious JavaScript into the plugin’s settings, specifically within the “Alt Text” field of an image in the popup. The injected script can be executed when the popup is viewed, enabling attackers to escalate privileges and potentially create a backdoor for account takeover. This vulnerability affects over 200,000 installations of the Popup Builder plugin and presents a serious security risk for WordPress sites using this plugin.
CVE-2024-10517 – ProfilePress – Stored XSS to JS Backdoor Creation – POC
ProfilePress is a popular WordPress plugin used for creating and managing user login, registration, and profile forms. It provides features to enhance user experience and website functionality. However, a critical vulnerability, CVE-2024-10517, has been discovered in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “User Login” field of a new form, which is then stored and executed on the site. The vulnerability can lead to account takeover and the creation of a backdoor for the attacker, compromising the integrity of the WordPress installation. With over 200,000 active installations, this vulnerability represents a significant security risk for websites using ProfilePress.