CVE-2024-10562 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10562 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

Form Maker by 10Web is a widely used plugin for creating and managing forms in WordPress. However, a critical vulnerability, CVE-2024-10562, has been discovered in the plugin that allows for Stored Cross-Site Scripting (XSS) attacks. This flaw enables attackers with editor-level privileges to inject malicious JavaScript code into form settings, which is stored and executed when the form is rendered. The injected script can create a backdoor, allowing attackers to escalate their privileges and potentially gain full control over the site. With over 50,000 active installations, this vulnerability poses a significant security risk for WordPress websites using Form Maker by 10Web.

CVE-2024-10309 – Tracking Code Manager – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10309 – Tracking Code Manager – Stored XSS to JS Backdoor Creation – POC

Tracking Code Manager, a widely used WordPress plugin by Data443, allows users to manage and customize third-party tracking codes and scripts on their WordPress sites. The plugin is known for its simplicity and compliance with privacy laws, offering features like tracking pixel placement, regional blocking, and seamless integration with e-commerce platforms. However, a critical stored Cross-Site Scripting (XSS) vulnerability has been identified in versions below 2.4.0, potentially exposing websites to serious security risks.

This vulnerability enables users with Contributor or higher roles to inject malicious scripts into the site, which can compromise the security and integrity of the affected WordPress installation. In this article, we’ll explore the discovery, exploitation, potential risks, and recommendations for mitigating this issue.

CVE-2024-9638 – Category Posts Widget – Stored XSS to JS Backdoor Creation – POC

CVE-2024-9638 – Category Posts Widget – Stored XSS to JS Backdoor Creation – POC

Category Posts Widget is a popular WordPress plugin that allows users to display posts from specific categories in a widget format. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-9638, has been discovered in the plugin. This vulnerability enables attackers with editor-level access to inject malicious JavaScript into the widget settings, which is stored and executed when the widget is rendered on the frontend. The injected script can lead to account takeover, creating a backdoor for the attacker to escalate privileges and gain full control of the site. With over 50,000 active installations, this vulnerability poses a significant security risk to WordPress sites using Category Posts Widget.

CVE-2024-12311 – Email Subscribers – SQL Injection – POC

CVE-2024-12311 – Email Subscribers – SQL Injection – POC

The Email Subscribers plugin for WordPress, which is widely used to manage subscribers, campaigns, and emails, has been found to contain a critical SQL Injection vulnerability identified as CVE-2024-12311. This flaw allows attackers to inject malicious SQL queries into the plugin’s user input fields, enabling unauthorized access to the database. Such an attack could potentially lead to data leakage or manipulation, posing serious security risks. With over 100,000 active installations, this vulnerability represents a significant threat to the integrity and confidentiality of data in WordPress sites using the Email Subscribers plugin.

CVE-2024-11849 – Pods – Custom Content Types and Fields – Stored XSS to JS Backdoor Creation – POC

CVE-2024-11849 – Pods – Custom Content Types and Fields – Stored XSS to JS Backdoor Creation – POC

Pods – Custom Content Types and Fields is a popular WordPress plugin that allows users to create and manage custom content types and fields. However, a serious Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-11849, has been discovered in the plugin. This flaw allows an attacker with editor-level privileges to inject malicious JavaScript into the “Add Button Text” field within the plugin’s “File / Image / Video/ Options” settings. The injected script can then be executed when the settings page is accessed, leading to the creation of a backdoor and potentially allowing attackers to hijack an admin session or escalate their privileges. With over 100,000 active installations, this vulnerability represents a significant security threat for WordPress websites using Pods.

CVE-2024-12280 – WP Customer Area <= 8.2.4 – Event Log Deletion via CSRF – POC

CVE-2024-12280 – WP Customer Area <= 8.2.4 – Event Log Deletion via CSRF – POC

WP Customer Area is a versatile and modular WordPress plugin designed to provide a private content management solution. With features like sharing files and pages with specific users or groups, it has become a preferred choice for managing confidential content in WordPress websites. However, in version 8.2.4 and earlier, a Cross-Site Request Forgery (CSRF) vulnerability was discovered, which allows unauthorized users to delete event logs without proper authentication.

This vulnerability poses a significant risk, as logs often contain critical records of user actions and system events. Attackers exploiting this vulnerability could erase these logs, effectively covering their tracks and compromising a site’s ability to identify malicious activities. Notably, the plugin is now discontinued, emphasizing the importance of transitioning to alternative solutions.

CVE-2024-12302 – Icegram Engage – Stored XSS to Admin Account Creation – POC

CVE-2024-12302 – Icegram Engage – Stored XSS to Admin Account Creation – POC

Icegram Engage, a popular WordPress plugin for creating opt-ins, subscription forms, and campaigns, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12302. This flaw allows attackers with editor-level access to inject malicious JavaScript into the settings of a campaign, which is then executed when the campaign is accessed. The injected script could be used to hijack an admin session or create a backdoor admin account, leading to full site compromise. With over 30,000 active installations, this vulnerability represents a serious threat to WordPress websites using Icegram Engage.

CVE-2024-11223 – WPForms – Stored XSS to JS backdoor creation – POC

CVE-2024-11223 – WPForms – Stored XSS to JS backdoor creation – POC

WPForms, a widely-used WordPress plugin for creating forms, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-11223. This flaw allows an attacker with editor-level access to inject malicious JavaScript code into the settings of the “Number Slider” field in a form. When the form is viewed or submitted, the malicious script executes, potentially creating a backdoor and allowing the attacker to escalate their privileges. With over 6 million active installations, this vulnerability presents a significant security risk for WordPress sites using WPForms.

CVE-2024-10555 – Max Buttons – Stored XSS to Admin Account Creation – POC

CVE-2024-10555 – Max Buttons – Stored XSS to Admin Account Creation – POC

Max Buttons, a popular WordPress plugin for creating customizable buttons, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10555. This flaw allows an attacker with editor-level access to inject malicious JavaScript into the plugin’s settings. The injected script is stored and executed when the plugin settings are accessed. This can lead to account takeover, where an attacker can escalate their privileges and potentially create a backdoor admin account, giving them full control of the site. With over 100,000 active installations, this vulnerability represents a significant security risk for WordPress users.

CVE-2024-8968 – Max Buttons – Stored XSS to Admin Account Creation – POC

CVE-2024-8968 – Max Buttons – Stored XSS to Admin Account Creation – POC

Max Buttons is a widely used WordPress plugin that allows users to create customizable buttons for their website. However, a critical vulnerability, CVE-2024-8968, has been identified in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “Text color” field when creating a new button, which can be stored and executed when the settings are accessed. The injected script can lead to account takeover and the creation of a backdoor, allowing attackers to gain admin access to the site. With over 100,000 active installations, this vulnerability presents a serious security risk to WordPress websites using Max Buttons.