Security

WPForms, one of the most popular WordPress plugins for creating forms, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-7056. This flaw allows attackers with editor privileges to inject malicious JavaScript code into the plugin’s settings, which could then be executed when interacting with the form. The vulnerability can lead to account takeover and backdoor creation, posing significant risks to WordPress websites using WPForms. With over 6 million active installations, this vulnerability affects a vast number of websites, making it a serious concern.

The NextGEN Gallery plugin, a widely used WordPress plugin for managing and displaying image galleries, has been found to contain a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-6393. This flaw allows attackers with editor privileges to inject malicious JavaScript code into gallery settings. This malicious code can be executed when the gallery is viewed, resulting in potential account takeover and backdoor creation. With over 500,000 installations, this vulnerability poses a serious security risk to WordPress sites utilizing NextGEN Gallery.

The Salon Booking System plugin for WordPress is a widely-used tool that allows businesses to manage appointments and bookings online. However, a serious vulnerability, CVE-2024-9882, has been discovered that enables attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw allows attackers to inject malicious JavaScript code into the plugin’s service settings, leading to potential account takeover and the creation of a backdoor.

The Ditty plugin, designed for displaying custom feeds and lists of posts in WordPress, has been found to contain a critical vulnerability that allows an attacker to exploit a Stored Cross-Site Scripting (XSS) flaw. This vulnerability, identified as CVE-2024-9600, can be used by contributors to inject malicious JavaScript code into new posts, which upon interaction can lead to the creation of an admin account. With approximately 50,000 active installations, this vulnerability poses a serious risk to WordPress sites utilizing the Ditty plugin.

The Squirrly SEO plugin, a popular tool for search engine optimization in WordPress, has been found to harbor a critical vulnerability, CVE-2024-10515. This flaw allows attackers to exploit a Stored Cross-Site Scripting (XSS) vulnerability through the plugin’s SEO settings. By embedding malicious JavaScript code into the “Meta Keywords” field in the SEO Snippet settings, attackers can execute arbitrary scripts, leading to account takeover and backdoor creation. With over 100,000 active installations, this vulnerability poses a serious risk to WordPress sites using the plugin.

The MailPoet plugin, widely used for newsletter management, email marketing, and automation in WordPress, has been found to contain a severe security vulnerability. This vulnerability, identified as CVE-2024-10103, allows an attacker to execute a Stored Cross-Site Scripting (XSS) attack through the “Custom HTML” block when creating a new form. The flaw grants the attacker the ability to embed malicious JavaScript code, leading to account takeover and backdoor creation. With over 700,000 active installations, this vulnerability poses a significant risk to WordPress sites that utilize the plugin.

The WP Booking Calendar plugin, widely utilized for managing appointments and bookings on WordPress sites, has been found to contain a critical security vulnerability. This flaw allows attackers to exploit the widget feature through a Stored Cross-Site Scripting (XSS) attack, ultimately leading to account takeover and the creation of backdoors. As the plugin boasts approximately 50,000 installations, it is vital for users to understand the implications of this vulnerability and take necessary precautions.

CVE-2024-7879 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the WP-ULike plugin, a popular WordPress plugin with over 100,000 active installations used for tracking user reactions. This flaw allows attackers with editor-level permissions to inject malicious JavaScript into the