Plugin Security Certification (PSC-2024-64538): “Limit Login Attempts Reloaded” – Version 2.26.19: Use Login Attempts with Enhanced Security

Limit Login Attempts Reloaded is a comprehensive plugin designed to fortify your WordPress site against brute force attacks by limiting the number of login attempts. With over 2.5 million downloads, it’s a proven solution for login security that supports various login methods, including XMLRPC, WooCommerce, and custom login pages. The plugin’s innovative design effectively mitigates vulnerabilities inherent in WordPress’s default unlimited login attempts, thereby significantly enhancing your website’s defense mechanisms.

Limit Login Attempts Reloaded has undergone rigorous security testing and successfully obtained the prestigious Plugin Security Certification (PSC) from CleanTalk. This certification highlights its commitment to maintaining stringent security standards and providing robust protection for its users.

CVE-2024-11223 – WPForms – Stored XSS to JS backdoor creation – POC

WPForms, a widely-used WordPress plugin for creating forms, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-11223. This flaw allows an attacker with editor-level access to inject malicious JavaScript code into the settings of the “Number Slider” field in a form. When the form is viewed or submitted, the malicious script executes, potentially creating a backdoor and allowing the attacker to escalate their privileges. With over 6 million active installations, this vulnerability presents a significant security risk for WordPress sites using WPForms.

CVE-2024-10555 – Max Buttons – Stored XSS to Admin Account Creation – POC

Max Buttons, a popular WordPress plugin for creating customizable buttons, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-10555. This flaw allows an attacker with editor-level access to inject malicious JavaScript into the plugin’s settings. The injected script is stored and executed when the plugin settings are accessed. This can lead to account takeover, where an attacker can escalate their privileges and potentially create a backdoor admin account, giving them full control of the site. With over 100,000 active installations, this vulnerability represents a significant security risk for WordPress users.

Plugin Security Certification (PSC-2024-64535): “ProfilePress” – Version 4.15.23: Use Memberships with Enhanced Security

ProfilePress is a modern WordPress membership and user profile plugin that empowers website owners to create secure, user-friendly communities, manage memberships, sell digital products, and process both one-time and recurring payments. With its robust suite of features, ProfilePress stands out as a top-tier solution for building ecommerce membership sites, controlling user access, and ensuring a seamless user experience.

Now, with the Plugin Security Certification (PSC-2024-64535) from CleanTalk, ProfilePress has undergone a rigorous security review. This certification attests that the plugin meets stringent security standards, safeguarding your membership site from potential threats and vulnerabilities. Site administrators and developers can now confidently deploy ProfilePress, knowing that it has passed extensive testing and complies with best security practices.

Plugin Security Certification (PSC-2024-64536): “WP Super Cache” – Version 2.0.1: Use Cache with Enhanced Security

WP Super Cache is an essential WordPress plugin designed to optimize website performance by generating static HTML files from dynamic content. These static files are served to visitors, significantly reducing server load and enhancing website speed. With its robust caching methods, including mod_rewrite, PHP caching, and WP-Cache, WP Super Cache ensures seamless performance for both logged-in and anonymous users. Following a rigorous security evaluation, WP Super Cache has successfully obtained the Plugin Security Certification (PSC) from CleanTalk under certificate ID PSC-2024-64536, affirming its commitment to delivering a secure and efficient solution.

CVE-2024-8968 – Max Buttons – Stored XSS to Admin Account Creation – POC

Max Buttons is a widely used WordPress plugin that allows users to create customizable buttons for their website. However, a critical vulnerability, CVE-2024-8968, has been identified in the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript into the “Text color” field when creating a new button, which can be stored and executed when the settings are accessed. The injected script can lead to account takeover and the creation of a backdoor, allowing attackers to gain admin access to the site. With over 100,000 active installations, this vulnerability presents a serious security risk to WordPress websites using Max Buttons.

CVE-2024-10706 – Download Manager – Stored XSS to Admin Account Creation – POC

Download Manager is a widely used WordPress plugin for managing downloadable files and controlling access to them. However, it contains a critical vulnerability, CVE-2024-10706, which allows for Stored Cross-Site Scripting (XSS) attacks. This vulnerability enables attackers to inject malicious JavaScript code into the plugin’s settings, which is then executed when the settings are accessed. This could lead to account takeover, with attackers gaining unauthorized admin access. With over 100,000 active installations, this flaw presents a significant security risk for WordPress websites using Download Manager.

CVE-2024-10678 – Ultimate Blocks – Stored XSS to Admin Account Creation – POC

Ultimate Blocks is a popular WordPress plugin that provides a variety of content blocks for Gutenberg. However, a critical vulnerability, CVE-2024-10678, has been discovered in the plugin, which allows for a Stored Cross-Site Scripting (XSS) attack. This vulnerability enables an attacker with contributor privileges to inject malicious JavaScript code into the “Countdown” block of a new post, which is then executed when the post is interacted with. The injected script can lead to account takeover and the creation of a backdoor admin account, posing a serious risk for WordPress websites. With over 50,000 active installations, this vulnerability represents a significant security threat.

Plugin Security Certification (PSC-2024-64534): “Post Duplicator” – Version 2.47: Use Duplicator with Enhanced Security

Post Duplicator is a powerful yet simple WordPress plugin designed to duplicate posts, pages, and custom post types with just a click. It offers seamless functionality, supporting custom taxonomies and custom fields, making it a must-have for developers and content managers. With its intuitive interface, users can easily create exact replicas of their posts directly from the WordPress dashboard.

The plugin is particularly useful for developers working on new WordPress sites, as it allows for the creation of dummy content to test layouts and features. By streamlining content duplication, Post Duplicator ensures a hassle-free user experience while maintaining compatibility with WordPress core features.