CVE-2024-9599 – Popup Box – Stored XSS to Backdoor Creation – POC

CVE-2024-9599 brings to light a critical Stored Cross-Site Scripting (XSS) vulnerability within the WordPress Popup Box plugin, a popular tool used to create a variety of popups for websites. This plugin allows users to add visually appealing and engaging popups, ranging from promotional notifications to subscription forms, without requiring extensive technical knowledge. However, an identified flaw in the way the plugin handles input parameters allows malicious users to inject JavaScript code, leading to the potential creation of backdoors within the WordPress environment. The implications of this vulnerability could lead to unauthorized access and control over affected websites.

CVE-2024-4091 – Responsive Gallery Grid – Stored XSS to JS backdoor – POC

CVE-2024-4091 highlights a significant Stored Cross-Site Scripting (XSS) vulnerability within the Responsive Gallery Grid (RGG) plugin for WordPress, a tool installed on numerous WordPress sites to transform the native WordPress gallery into a responsive layout. The plugin, which integrates well with other third-party lightbox plugins, offers WordPress users an enhanced way to showcase their images while keeping responsive image proportions. However, a flaw in the settings configuration allows contributors or editors with access to plugin settings to inject malicious JavaScript (JS) code into the Margin parameter of the gallery settings. If exploited, this vulnerability can provide attackers with persistent control over the site via a JavaScript backdoor.

CVE-2024-4004 – Advanced Cron Manager – Stored XSS to JS backdoor – POC

CVE-2024-4004 is a newly discovered Stored Cross-Site Scripting (XSS) vulnerability in the widely used WordPress plugin Advanced Cron Manager. This plugin, essential for managing WP Cron events and schedules, offers extensive functionality to WordPress site administrators. It allows them to view, search, execute, add, pause, and delete scheduled tasks, as well as customize PHP cron events. With over 30,000 installations, Advanced Cron Manager provides a streamlined approach to scheduling but, unfortunately, also introduces a vulnerability exploitable by users with access to the admin panel. This vulnerability allows attackers to inject malicious JavaScript code into the Cron Manager’s settings, potentially leading to a backdoor on the site.

CVE-2024-8670 – Photo Gallery by 10Web – Stored XSS to Backdoor Creation – POC

CVE-2024-8670 reveals a critical Stored Cross-Site Scripting (XSS) vulnerability in the Photo Gallery by 10Web plugin, a popular WordPress plugin with over 200,000 installations. This vulnerability allows contributors or editors to inject malicious JavaScript (JS) into the gallery settings, specifically in the “Title” field. Exploiting this vulnerability can lead to admin account hijacking, persistent backdoor creation, and potential long-term control of the WordPress site.

CVE-2024-10104 – Jobs for WordPress – Stored XSS to Backdoor Creation – POC

CVE-2024-10104 is a critical Stored Cross-Site Scripting (XSS) vulnerability affecting the Jobs for WordPress plugin, widely used to manage and display job postings on WordPress sites. This vulnerability allows users with Contributor or higher permissions to inject malicious JavaScript (JS) code into the job posting settings, specifically in the “Working Hours” field. Once exploited, the vulnerability can lead to admin account takeovers, unauthorized backdoor installations, and long-term control over the WordPress site.

CVE-2024-8542 – Everest Forms – Stored XSS to Backdoor Creation – POC

CVE-2024-8542 is a critical Stored Cross-Site Scripting (XSS) vulnerability affecting the Everest Forms plugin, used by over 100,000 WordPress installations to create forms. This flaw allows contributors or editors to inject malicious JavaScript (JS) into the form’s settings, specifically in the “No field” section of the YES/NO block. Once exploited, the vulnerability can lead to admin account takeovers, the creation of backdoors, and long-term control of the WordPress site.

CVE-2024-8284 – Download Manager – Stored XSS to Backdoor Creation – POC

CVE-2024-8284 represents a critical Stored Cross-Site Scripting (XSS) vulnerability discovered in the Download Manager plugin, which is used by over 100,000 WordPress installations to manage and protect downloadable files. This flaw allows attackers with editor-level permissions to inject malicious JavaScript (JS) into the plugin’s settings, specifically in the “Login Required Message” field. Exploiting this vulnerability can result in the creation of backdoors, admin account takeover, and long-term control of the WordPress site.

CVE-2024-5968 – Photo Gallery by 10Web – Stored XSS to Backdoor Creation – POC

CVE-2024-5968 is a critical vulnerability affecting the Photo Gallery by 10Web plugin, which has over 200,000 active installations. The flaw enables attackers to execute Stored Cross-Site Scripting (XSS) by injecting malicious JavaScript (JS) code into the plugin’s settings. When exploited, this vulnerability allows for admin account takeover, backdoor creation, and potentially long-term control over the WordPress site.