Security

The WP Cost Calculator Builder is a widely used WordPress plugin that allows website owners to create dynamic pricing and estimation forms using an intuitive drag-and-drop interface. With over 20 flexible form elements and deep integration into e-commerce platforms like WooCommerce, it serves as a powerful tool for businesses that want to provide cost estimation on their services and products.

However, versions up to 3.2.74 of the plugin are vulnerable to a Stored Cross-Site Scripting (XSS) attack that allows malicious JavaScript code to be injected and persistently executed in the browser of any visitor who views the infected form.

The Category Posts Widget is a popular WordPress plugin that allows users to display posts from specified categories in a widget format. It is often used to enhance the user experience by providing dynamic content related to specific categories. However, a critical vulnerability has been discovered—CVE-2025-1453—that allows attackers to exploit stored XSS within the widget’s settings. This vulnerability enables attackers with editor-level permissions to inject malicious JavaScript, leading to potential backdoor creation and full account takeover.

Email Subscribers is a widely used plugin in WordPress, allowing users to manage email subscriptions, newsletters, and automated email campaigns. It is a valuable tool for website administrators looking to engage with their users via email marketing. However, CVE-2025-0671, a stored Cross-Site Scripting (XSS) vulnerability, has been discovered in the plugin that enables an attacker to inject malicious JavaScript into the site. This stored XSS vulnerability could lead to the creation of backdoors for attackers, potentially resulting in full site compromise, including admin account takeover.

Vulnerability was discovered in the widely-used WordPress plugin Post Slider and Carousel with Widget, which allows site owners to display posts in sliders or carousels. This plugin is favored for its ease of use and flexibility, especially for non-technical users.

The vulnerability, now identified as CVE-2025-4567, affects plugin versions below 3.2.10 and allows an authenticated user (with access to widget settings) to inject stored JavaScript code into a field that is later rendered on the front-end — leading to persistent Cross-Site Scripting (XSS) and the potential creation of a JavaScript backdoor.

Email Subscribers is a WordPress plugin designed to simplify the process of managing email subscriptions, newsletters, and automated email campaigns. With over 80,000 active installations, it is widely used by website administrators for email marketing and user engagement. However, a critical vulnerability, CVE-2024-11924, has been identified within the plugin that allows for the implementation of stored Cross-Site Scripting (XSS). This vulnerability enables an attacker with editor-level access to inject malicious JavaScript, leading to a potential backdoor creation and full admin account takeover.

The Real Cookie Banner plugin is a powerful consent management tool for WordPress, widely used to help website administrators comply with the GDPR and ePrivacy directives. With features like customizable cookie banners, content blockers, and consent documentation, the plugin plays a key role in user privacy and legal compliance. However, in version below 5.1.6, a Stored Cross-Site Scripting (XSS) vulnerability was discovered that can be exploited by authenticated users with access to the plugin’s customization features.

This article explores the vulnerability in detail, demonstrates how it can be exploited, and outlines practical recommendations for mitigating similar security risks in WordPress environments.

MapPress Maps for WordPress is a widely used plugin for adding Google Maps to WordPress websites. It offers users the ability to create maps with custom markers, locations, and settings, providing an interactive experience for visitors. However, a critical vulnerability—CVE-2025-2162—has been discovered that allows attackers to inject malicious JavaScript into maps, leading to the creation of backdoors that can compromise admin accounts. This stored XSS vulnerability is particularly dangerous as it affects users with editor-level access, enabling attackers to escalate their privileges and potentially take over the site.

Form Maker by 10Web is a popular WordPress plugin designed to simplify the process of creating and managing forms. With over 50,000 active installations, it provides a versatile and user-friendly interface for adding various types of forms to WordPress websites. However, a critical vulnerability, CVE-2024-10680, has been discovered in the plugin that allows attackers to exploit stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious scripts, potentially giving them access to admin accounts and creating backdoors in the system.

MapPress Maps for WordPress is a popular plugin used to create and manage maps on WordPress sites. It allows users to easily embed maps and display locations using the Google Maps API. With over 50,000 active installations, it is a widely trusted tool for website owners looking to add interactive maps to their pages. However, a critical vulnerability—CVE-2025-2055—has been discovered in the plugin that allows an attacker to exploit stored Cross-Site Scripting (XSS), which could lead to account takeover and privilege escalation, potentially giving an attacker admin access. This issue is particularly concerning for websites that use MapPress to display sensitive location-based data.

Ditty is a WordPress plugin used to display custom content in various formats such as lists, sliders, and tickers. With over 50,000 active installations, Ditty has become a widely used tool for WordPress users who wish to showcase dynamic, rotating content on their websites. However, a critical vulnerability, CVE-2024-13357, has been discovered that allows attackers to exploit the plugin’s functionality to execute a Stored Cross-Site Scripting (XSS) attack, which can lead to account takeover and backdoor creation. This vulnerability specifically affects users with Author+ roles, allowing them to escalate their privileges and create an admin account.