CVE

Logo Slider is a WordPress plugin used to create image carousels and sliders, often utilized by businesses and websites to showcase logos, brands, or featured partners. A critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12308, has been identified in the plugin, which allows a contributor-level user to inject malicious JavaScript into the “Logo Slider” settings. The vulnerability allows the injected script to execute when a user hovers over the carousel. This action can result in admin account creation, providing the attacker with full control over the site. With over 20,000 active installations, this vulnerability poses a serious risk to WordPress websites using the Logo Slider plugin.

PowerPress Podcasting, a widely-used WordPress plugin developed by Blubrry Podcasting, facilitates podcast management and publishing directly from a WordPress website. It integrates with major platforms like Apple Podcasts, Spotify, and YouTube Music, making it an essential tool for podcasters. However, a vulnerability (CVE-2024-9227) has been discovered in versions below 11.9.18, allowing users with Author+ permissions to execute stored cross-site scripting (XSS) attacks. This article explores the discovery, impact, exploitation, and mitigation of this vulnerability.

Form Maker by 10Web is a widely used WordPress plugin that allows users to easily create and manage forms for a variety of purposes, such as contact forms, surveys, and registration forms. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13605, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Width” field in the theme settings. When this setting is saved, the malicious script is stored and executed in the browser of any user who hovers over the input field, potentially leading to account takeover and the creation of backdoor admin accounts. With over 50,000 active installations, this flaw poses a serious security risk to WordPress websites using Form Maker.

Ajax Search Lite is a popular WordPress plugin used to enhance the search experience by providing real-time AJAX search results. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13585, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Categories filter box header text” field within the “Frontend Filters” settings. The injected script is then executed when the search results are displayed, leading to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this flaw poses a serious security risk to WordPress websites using Ajax Search Lite.

LearnPress is a popular Learning Management System (LMS) plugin for WordPress, used by educators and organizations to create online courses, quizzes, and manage learning materials. A critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-13127, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Decimal separator” field in the plugin’s general settings. The injected script is then executed when the “Order Details” page is viewed, potentially allowing attackers to take over the accounts of admins or other users. With over 100,000 active installations, this vulnerability presents a serious security risk to WordPress websites using LearnPress.

Cross-Site Scripting (XSS) vulnerabilities remain one of the most persistent security threats in web applications, including WordPress plugins. The vulnerability CVE-2024-13602 was discovered in the “Poll Maker” WordPress plugin, allowing an attacker to inject malicious JavaScript code into the plugin’s redirect settings. This stored XSS vulnerability can be leveraged to execute arbitrary JavaScript, potentially leading to full account takeovers or JavaScript-based backdoor creation.

Master Slider is a widely used WordPress plugin that enables users to create responsive sliders for showcasing images, videos, and other content. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12173, has been discovered in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “Slider custom styles” field within the plugin’s main settings. The injected script is then executed on the frontend when the slider is rendered, which can lead to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this vulnerability presents a significant security risk for WordPress sites using Master Slider.

The Social Media Plugin by Social Snap is widely used to add social sharing functionalities to WordPress websites. This plugin allows website administrators to add social sharing buttons, follow icons, and “Click to Tweet” features. However, a critical vulnerability, Stored Cross-Site Scripting (Stored XSS), has been identified in versions <= 1.3.6 of the plugin. This vulnerability allows an attacker to inject malicious JavaScript payloads, which can be executed when an admin user views the vulnerable settings page.

Forminator is a widely-used WordPress plugin designed to help users create forms, polls, and surveys with ease. However, CVE-2024-7052 reveals a critical Stored Cross-Site Scripting (XSS) vulnerability that can be exploited by attackers with editor-level access. This vulnerability allows malicious users to inject JavaScript into form fields, which, when executed, can lead to account takeover and the creation of a backdoor. With over 500,000 active installations, this flaw presents a significant security risk, especially for websites that rely on Forminator to gather sensitive user information.

WP ULike is a popular WordPress plugin that enables website administrators to add like buttons to posts, comments, and custom post types. This feature is widely used across WordPress websites to allow users to express their preferences for content. However, a critical vulnerability, CVE-2024-12770, has been identified in the plugin that allows for the injection of malicious JavaScript into the site. This Stored Cross-Site Scripting (XSS) vulnerability can be exploited by attackers with editor-level access, enabling them to inject malicious scripts into the “Like Button Aria Label” field. When the settings are saved, the injected script is stored in the database and executed on the frontend, which could lead to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this vulnerability presents a significant security risk to WordPress websites using WP ULike.