CVE-2024-9182 in the Maspik – Advanced Spam Protection plugin allows an attacker to embed saved cross-site scripts (XSS). This vulnerability can lead to serious consequences, such as creating an administrator account without authorization, which can compromise the security of WordPress websites.
CVE-2024-8239 uncovers a serious Stored Cross-Site Scripting (XSS) vulnerability in the Starbox – The Author Box for Humans plugin, used by over 40,000 WordPress sites to display author profiles and bios. This vulnerability allows contributors to inject malicious JavaScript (JS) into their profile settings, specifically through the “Twitter URL” field, which can lead to admin account creation and backdoor access. If exploited, attackers can hijack the WordPress site’s admin functionality and maintain persistent control.
CVE-2024-8283 exposes a serious vulnerability in the Slider by 10Web plugin, a widely used WordPress plugin with over 30,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers, particularly users with contributor-level access, to inject malicious JavaScript (JS) code through the plugin’s slider settings. When exploited, this vulnerability enables attackers to take over admin accounts and create backdoors, allowing them to maintain long-term access to the site.
CVE-2024-3635 represents a critical Stored Cross-Site Scripting (XSS) vulnerability in The Post Grid plugin, a popular tool for creating custom grid layouts in WordPress. With over 100,000 installations, this vulnerability poses a serious threat as it allows attackers with editor-level permissions to inject malicious JavaScript (JS) code into grid settings. Once exploited, the vulnerability can lead to account takeover, enabling attackers to create persistent backdoors and take control of the WordPress site.
CVE-2024-8536 presents a serious security risk in the Ultimate Blocks plugin, used by over 70,000 WordPress sites to enhance post content with custom blocks. This vulnerability allows attackers, specifically users with contributor-level access, to inject malicious JavaScript (JS) into a new post using the plugin’s “Expand” block feature. If exploited, this can lead to admin account creation and full site takeover, putting the entire WordPress installation at risk.
CVE-2024-9021 An XSS vulnerability found recently in the Relevanssi plugin, which is one of the most popular WordPress plugins, extends the standard WordPress search feature by adding powerful customization options and increasing search relevance. However, the recent discovery of a stored XSS vulnerability in Relevanssi version 4.23.1 and below has raised concerns about the security of the website. This vulnerability may allow developers to inject malicious scripts, which will lead to serious consequences for site administrators
CVE-2024-7133 reveals a critical vulnerability in the My Sticky Bar (myStickymenu) WordPress plugin, which has over 100,000 active installations. This Stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject malicious JavaScript (JS) code through the plugin’s settings. Once exploited, the attacker can take over administrator accounts, create persistent backdoors, and control the entire WordPress site. The issue arises due to improper sanitization of user input, specifically in the “Font size” field when creating a sticky bar.
Matomo Analytics is a powerful, secure, and privacy-focused alternative to Google Analytics, offering website owners full control over their data. Unlike many third-party analytics tools, Matomo is hosted on your own servers, ensuring 100% data ownership and privacy compliance. It empowers businesses to make data-driven decisions while protecting user privacy, without sacrificing any advanced analytics features. With an intuitive interface, Matomo makes it easy to gain valuable insights into customer behavior, website performance, and marketing effectiveness, all while adhering to the highest ethical standards. This plugin has also undergone rigorous security testing and has successfully obtained the Plugin Security Certification (PSC) from CleanTalk, ensuring it meets stringent security protocols.
During a recent security test, a vulnerability identified as CVE-2024-8983 was discovered in Custom Twitter Feeds, a popular plugin. This vulnerability allows you to embed saved cross-site scripts (XSS) on the site, which can potentially lead to the creation of a backdoor and account hijacking.
SiteOrigin CSS is an advanced, feature-rich CSS editor that empowers WordPress users to customize their website’s design in real time, without needing to master complex coding. Trusted by thousands of users, this powerful plugin simplifies the process of modifying the visual aspects of your WordPress site, offering ease of use for both beginners and advanced users. With Plugin Security Certification (PSC-2024-64528) by CleanTalk, you can now confidently use SiteOrigin CSS with the assurance of enhanced security and protection against vulnerabilities.
