Security

A critical vulnerability, designated as CVE-2024-7315, has been discovered in the WPvivid plugin, widely used for migration, backup, and staging in WordPress with over 500,000 installations. This flaw exposes highly sensitive data, including database passwords and site configuration details, by exploiting a specific directory (./wp-content/wpvividbackups/wpvivid_log/). If left unpatched, the vulnerability can lead to complete site compromise through brute force attacks on password hashes or direct access to sensitive information.

CVE-2024-8617 detects a stored XSS vulnerability in the popular QuizMaker plugin for WordPress, which allows users to create various quizzes with different types of questions. Although it offers extensive functionality for creating quizzes, it also contains a critical security flaw

Vulnerability CVE-2024-7758 affects the Stylish Price List plugin, which is used in companies such as beauty salons, spas, restaurants, etc. This plugin allows users to create elegant price lists, helping to convert visitors into customers. However, this vulnerability opens up the possibility for attackers to inject malicious code into a website, leading to potential account hijacking or other serious security breaches.

CVE-2024-6889 exposes a serious vulnerability in the Secure Copy Content Protection and Content Locking plugin, a tool used to prevent unauthorized content copying and to add protection measures on WordPress websites. With this vulnerability, attackers can leverage Stored Cross-Site Scripting (XSS) to inject malicious scripts and create backdoors, leading to full account takeover. The flaw allows editors to inject harmful JavaScript (JS) code into the plugin’s settings, potentially compromising the entire WordPress site.

CVE-2024-7132 exposes a critical flaw in the CoBlocks plugin, a widely used WordPress extension with over 400,000 installations. This Stored XSS vulnerability can be exploited by contributors to embed malicious JavaScript code within posts, leading to unauthorized actions, including the creation of admin accounts. The vulnerability highlights the significant security risks associated with improper input validation in WordPress plugins, particularly in environments where user roles and permissions are not tightly controlled.

CVE-2024-5417 reveals a critical security flaw in the Gutentor plugin, a popular WordPress page builder with over 50,000 installations. This Stored Cross-Site Scripting (XSS) vulnerability enables attackers to inject malicious JavaScript code by exploiting the block embedding process in new posts. The severity of the issue lies in the fact that this vulnerability can be leveraged by a contributor to escalate privileges and create an unauthorized admin account, resulting in full control of the website.

The recently discovered vulnerability in WP Table Builder, tracked as CVE-2024-3282, exposes over 60,000 websites to serious risks. This Stored Cross-Site Scripting (XSS) flaw allows attackers to inject malicious JavaScript through the plugin’s table block creation process, potentially resulting in the takeover of administrator accounts and the installation of backdoors. Due to inadequate input sanitization, an attacker can exploit this vulnerability to execute arbitrary code, compromising both website security and user data.