Security

In the ever-evolving landscape of cybersecurity, vulnerabilities in WordPress plugins remain a persistent threat. One such recent discovery is CVE-2024-9390, a Stored Cross-Site Scripting (XSS) vulnerability affecting versions of the RegistrationMagic plugin prior to 6.0.2.1. This flaw allows attackers with certain privileges to inject malicious scripts, which can execute arbitrary JavaScript in the administrator’s session, potentially leading to account hijacking or further exploitation of the system.

The Download Manager plugin for WordPress is commonly used to manage and secure downloadable files, including documents, images, and other resources. It allows administrators to set up password-protected downloads to restrict access to certain files. However, a critical vulnerability, CVE-2024-13126, has been discovered that allows unauthenticated users to bypass password protection and download all files from the plugin’s directory, including those that are meant to be password-protected. This vulnerability, stemming from improper directory listing configurations, exposes the protected content to unauthorized users. With over 100,000 active installations, this issue poses a significant security risk to WordPress websites using the Download Manager plugin.

WordPress plugins are essential tools that enhance the functionality of websites, allowing users to extend features without modifying core code. However, security vulnerabilities in plugins can expose websites to serious threats, including Cross-Site Scripting (XSS) attacks. One such vulnerability has been identified in the “MB Custom Post Types & Custom Taxonomies” plugin (CVE-2024-10143), allowing stored XSS exploitation that could lead to administrative account creation and malicious script execution.

Form Maker by 10Web is a versatile WordPress plugin used to create and manage various forms, such as contact forms, surveys, and registration forms. However, a critical vulnerability, CVE-2024-13053, has been discovered in the plugin, which allows attackers to inject malicious JavaScript into the plugin’s settings. This vulnerability, a Stored Cross-Site Scripting (XSS) flaw, enables attackers with editor-level access to execute arbitrary JavaScript code. This could lead to session hijacking, privilege escalation, or the creation of backdoor admin accounts. With over 50,000 active installations, the vulnerability poses a significant risk to WordPress sites using Form Maker.

Hubbub Lite, a popular WordPress plugin for social sharing, allows users to integrate share buttons for major social networks such as Facebook, Twitter (X), Pinterest, and LinkedIn. However, a recently discovered vulnerability (CVE-2024-10145) exposes websites to stored cross-site scripting (XSS) attacks. This flaw could allow malicious actors to inject harmful scripts, leading to account hijacking and unauthorized actions within the site.

Logo Slider is a WordPress plugin used to create image carousels and sliders, often utilized by businesses and websites to showcase logos, brands, or featured partners. A critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12308, has been identified in the plugin, which allows a contributor-level user to inject malicious JavaScript into the “Logo Slider” settings. The vulnerability allows the injected script to execute when a user hovers over the carousel. This action can result in admin account creation, providing the attacker with full control over the site. With over 20,000 active installations, this vulnerability poses a serious risk to WordPress websites using the Logo Slider plugin.

PowerPress Podcasting, a widely-used WordPress plugin developed by Blubrry Podcasting, facilitates podcast management and publishing directly from a WordPress website. It integrates with major platforms like Apple Podcasts, Spotify, and YouTube Music, making it an essential tool for podcasters. However, a vulnerability (CVE-2024-9227) has been discovered in versions below 11.9.18, allowing users with Author+ permissions to execute stored cross-site scripting (XSS) attacks. This article explores the discovery, impact, exploitation, and mitigation of this vulnerability.

Form Maker by 10Web is a widely used WordPress plugin that allows users to easily create and manage forms for a variety of purposes, such as contact forms, surveys, and registration forms. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13605, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Width” field in the theme settings. When this setting is saved, the malicious script is stored and executed in the browser of any user who hovers over the input field, potentially leading to account takeover and the creation of backdoor admin accounts. With over 50,000 active installations, this flaw poses a serious security risk to WordPress websites using Form Maker.

Ajax Search Lite is a popular WordPress plugin used to enhance the search experience by providing real-time AJAX search results. However, a critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-13585, has been discovered in the plugin. This vulnerability allows attackers with editor-level access to inject malicious JavaScript into the “Categories filter box header text” field within the “Frontend Filters” settings. The injected script is then executed when the search results are displayed, leading to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this flaw poses a serious security risk to WordPress websites using Ajax Search Lite.