CVE

Email Subscribers is a WordPress plugin designed to simplify the process of managing email subscriptions, newsletters, and automated email campaigns. With over 80,000 active installations, it is widely used by website administrators for email marketing and user engagement. However, a critical vulnerability, CVE-2024-11924, has been identified within the plugin that allows for the implementation of stored Cross-Site Scripting (XSS). This vulnerability enables an attacker with editor-level access to inject malicious JavaScript, leading to a potential backdoor creation and full admin account takeover.

The Real Cookie Banner plugin is a powerful consent management tool for WordPress, widely used to help website administrators comply with the GDPR and ePrivacy directives. With features like customizable cookie banners, content blockers, and consent documentation, the plugin plays a key role in user privacy and legal compliance. However, in version below 5.1.6, a Stored Cross-Site Scripting (XSS) vulnerability was discovered that can be exploited by authenticated users with access to the plugin’s customization features.

This article explores the vulnerability in detail, demonstrates how it can be exploited, and outlines practical recommendations for mitigating similar security risks in WordPress environments.

MapPress Maps for WordPress is a widely used plugin for adding Google Maps to WordPress websites. It offers users the ability to create maps with custom markers, locations, and settings, providing an interactive experience for visitors. However, a critical vulnerability—CVE-2025-2162—has been discovered that allows attackers to inject malicious JavaScript into maps, leading to the creation of backdoors that can compromise admin accounts. This stored XSS vulnerability is particularly dangerous as it affects users with editor-level access, enabling attackers to escalate their privileges and potentially take over the site.

Form Maker by 10Web is a popular WordPress plugin designed to simplify the process of creating and managing forms. With over 50,000 active installations, it provides a versatile and user-friendly interface for adding various types of forms to WordPress websites. However, a critical vulnerability, CVE-2024-10680, has been discovered in the plugin that allows attackers to exploit stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious scripts, potentially giving them access to admin accounts and creating backdoors in the system.

MapPress Maps for WordPress is a popular plugin used to create and manage maps on WordPress sites. It allows users to easily embed maps and display locations using the Google Maps API. With over 50,000 active installations, it is a widely trusted tool for website owners looking to add interactive maps to their pages. However, a critical vulnerability—CVE-2025-2055—has been discovered in the plugin that allows an attacker to exploit stored Cross-Site Scripting (XSS), which could lead to account takeover and privilege escalation, potentially giving an attacker admin access. This issue is particularly concerning for websites that use MapPress to display sensitive location-based data.

Ditty is a WordPress plugin used to display custom content in various formats such as lists, sliders, and tickers. With over 50,000 active installations, Ditty has become a widely used tool for WordPress users who wish to showcase dynamic, rotating content on their websites. However, a critical vulnerability, CVE-2024-13357, has been discovered that allows attackers to exploit the plugin’s functionality to execute a Stored Cross-Site Scripting (XSS) attack, which can lead to account takeover and backdoor creation. This vulnerability specifically affects users with Author+ roles, allowing them to escalate their privileges and create an admin account.

MailPoet is a popular WordPress plugin that enables users to easily create and send newsletters, manage subscribers, and automate email campaigns. With over 600,000 active installations, it has become a trusted tool for WordPress users looking to enhance their email marketing capabilities. However, a critical vulnerability, CVE-2024-12743, has been discovered in the plugin that allows attackers to exploit Stored Cross-Site Scripting (XSS), leading to a potential account takeover and backdoor creation. This vulnerability affects users with editor-level privileges and can be triggered through the plugin’s form-building interface.

Blog2Social is a widely used WordPress plugin that enables automatic posting, cross-promoting, and scheduling of content across a variety of social networks. It’s particularly popular among content creators and marketing teams for its extensive integrations and automation features. However, in versions prior to 8.4.0, a critical Stored Cross-Site Scripting (XSS) vulnerability was discovered. This flaw allows users with the Contributor role to inject malicious scripts that get executed within the WordPress Dashboard, posing a significant security threat.

Icegram Engage is a widely-used WordPress plugin that enables website owners to create and manage popups, opt-in forms, and other interactive features to enhance user engagement. With over 30,000 active installations, the plugin is trusted by many to boost conversions and improve user experience. However, a critical vulnerability—CVE-2024-13482—has been discovered in the plugin. This stored Cross-Site Scripting (XSS) vulnerability allows an attacker to inject malicious JavaScript code into the plugin settings, which can lead to account takeover and the creation of a backdoor in the WordPress site.

In April 2025, a stored Cross-Site Scripting (XSS) vulnerability was identified in the popular Qi Blocks WordPress plugin, specifically affecting versions below 1.4. This vulnerability, now tracked as CVE-2025-1627, allows a user with Contributor permissions to inject malicious scripts into the site using the Table of Contents (ToC) block. Once a malicious payload is stored, it gets executed every time a visitor loads the affected page — putting both site administrators and end users at risk.