CVE-2024-0757 – Insert or Embed Articulate Content into WordPress – RCE via zip bypass (Contributor+) Critical-High – POC

CVE-2024-0757 – Insert or Embed Articulate Content into WordPress – RCE via zip bypass (Contributor+) Critical-High – POC

In recent times, WordPress has become a predominant platform for website development due to its user-friendly interface and extensive plugin ecosystem. However, this popularity also makes it a prime target for security vulnerabilities. One such critical vulnerability, identified as CVE-2024-0757, allows remote code execution (RCE) through insecure file uploads in a zip archive by users with contributor rights in Insert or Embed Articulate Content into WordPress plugin. This article delves into the discovery, exploitation, and potential impact of this vulnerability, along with recommendations for securing WordPress installations.

Plugin Security Certification: “Social Icons Widget & Block by WPZOOM” – Version 4.5.1: Add Social Icons with Enhanced Security

Plugin Security Certification: “Social Icons Widget & Block by WPZOOM” – Version 4.5.1: Add Social Icons with Enhanced Security

Version 4.5.1 of the Social Icons Widget & Block by WPZOOM plugin offers a secure and efficient solution for tracking visitor statistics on your WordPress site. With a focus on privacy compliance and transparent data handling, Social Icons Widget & Block by WPZOOM provides valuable insights without compromising user privacy or security.

Plugin Security Certification: “Better Search Replace” – Version 1.4.10: Search/Replace What You Want with Enhanced Security

Plugin Security Certification: “Better Search Replace” – Version 1.4.10: Search/Replace What You Want with Enhanced Security

The “Better Search Replace” plugin has achieved the prestigious Plugin Security Certification (PSC) from CleanTalk, affirming its commitment to security and reliability. This certification ensures that the plugin adheres to the highest security standards, providing users with a secure and efficient tool for managing database operations during site migrations or other significant changes.

CVE-2024-4469 – WP-Staging | Migration Backup Restore – SSRF – POC

CVE-2024-4469 – WP-Staging | Migration Backup Restore – SSRF – POC

In the ever-evolving landscape of web security, the discovery of new vulnerabilities is a constant reminder of the necessity for vigilance. Recently, during the testing of the widely-used WP-Staging | Migration Backup Restore plugin for WordPress, a Server-Side Request Forgery (SSRF) vulnerability, designated as CVE-2024-4469, was identified. This vulnerability poses significant risks, as it can be exploited to scan local ports on the host server, potentially leading to further security breaches.

CVE-2024-4057 – Gutenberg Blocks by Kadence Blocks – Stored XSS to Admin Account Creation (Contributor+) Critical-High – POC

CVE-2024-4057 – Gutenberg Blocks by Kadence Blocks – Stored XSS to Admin Account Creation (Contributor+) Critical-High – POC

In the ever-evolving landscape of web security, vulnerabilities in popular plugins can have widespread and severe consequences. A recent vulnerability, identified as CVE-2024-4057, has been discovered in the Gutenberg Blocks by Kadence Blocks plugin, a widely used tool with over 400,000 active installations. This critical-high vulnerability allows attackers to execute Stored Cross-Site Scripting (XSS) attacks, leading to admin account creation and potentially compromising the entire website.

CVE-2024-2220 – Button contact VR – Stored XSS to JS backdoor creation – POC

CVE-2024-2220 – Button contact VR – Stored XSS to JS backdoor creation – POC

In today’s digital age, security vulnerabilities in web applications can lead to severe consequences, including unauthorized access, data breaches, and loss of trust. One such critical vulnerability is the Stored Cross-Site Scripting (XSS) attack. This article explores a newly discovered Stored XSS vulnerability in the “Button Contact VR” WordPress plugin, identified as CVE-2024-2220. This flaw can allow attackers to embed malicious scripts, creating backdoors for account takeover, posing significant risks to website integrity and user data. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).

CVE-2024-4372 – Carousel Slider – Stored XSS to JS backdoor creation – POC

CVE-2024-4372 – Carousel Slider – Stored XSS to JS backdoor creation – POC

In a recent security assessment, a critical vulnerability, CVE-2024-4372, was discovered within the Carousel Slider WordPress plugin. This flaw exposes an alarming risk of Stored Cross-Site Scripting (XSS), paving the way for unauthorized access and potential website compromise. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).

CVE-2024-3939 – Ditty – Stored XSS to JS backdoor creation – POC

CVE-2024-3939 – Ditty – Stored XSS to JS backdoor creation – POC

A critical security vulnerability CVE-2024-3939 was discovered in the WordPress plugin Ditty, which was downloaded by more than 40k users. This vulnerability exposes websites to the risk of attacks using stored cross-site scripting (XSS), which can potentially lead to account hijacking and violation of the integrity of the website. (if an attacker has previously hacked into an administrator or editor account, they can use the backdoor to restore access)

CVE-2024-2189 – Social Icons Widget & Block – Stored XSS to JS backdoor creation – POC

CVE-2024-2189 – Social Icons Widget & Block – Stored XSS to JS backdoor creation – POC

A critical security vulnerability, CVE-2024-2189, has been identified in the Social Icons Widget & Block WordPress plugin, which boasts over 100k installations. This vulnerability exposes websites to the risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to account takeover and compromising website integrity. (if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back).