During a recent security test, a vulnerability identified as CVE-2024-8983 was discovered in Custom Twitter Feeds, a popular plugin. This vulnerability allows you to embed saved cross-site scripts (XSS) on the site, which can potentially lead to the creation of a backdoor and account hijacking.
Plugin Security Certification (PSC-2024-64528): “SiteOrigin CSS” – Version 1.5.11: Use CSS with Enhanced Security
SiteOrigin CSS is an advanced, feature-rich CSS editor that empowers WordPress users to customize their website’s design in real time, without needing to master complex coding. Trusted by thousands of users, this powerful plugin simplifies the process of modifying the visual aspects of your WordPress site, offering ease of use for both beginners and advanced users. With Plugin Security Certification (PSC-2024-64528) by CleanTalk, you can now confidently use SiteOrigin CSS with the assurance of enhanced security and protection against vulnerabilities.
CVE-2024-6887 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC
CVE-2024-6887 exposes a critical Stored Cross-Site Scripting (XSS) vulnerability in the Giveaways and Contests by RafflePress plugin, used by over 30,000 WordPress installations to run giveaways and contests. This vulnerability allows attackers to inject malicious JavaScript (JS) through the plugin’s settings. The attack can be initiated by users with editor-level access, resulting in account takeover, backdoor creation, and potentially long-term control over the affected WordPress site. The flaw resides in the plugin’s failure to properly sanitize inputs, particularly in the “Button color” field.
CVE-2024-7761 – Simple Job Board – Stored XSS to JS Backdoor Creation – POC
CVE-2024-7761 exposes a critical flaw in the Simple Job Board plugin, widely used by WordPress sites to manage job listings and applications. With over 40,000 installations, this vulnerability allows attackers to exploit a Stored Cross-Site Scripting (XSS) flaw, enabling them to inject malicious JavaScript code. When executed, this can lead to account takeover, backdoor creation, and potentially long-term control over the site. The vulnerability stems from insufficient input validation, particularly in the plugin’s widget settings, making it an appealing target for attackers.
CVE-2024-3899 – Envira Gallery – Stored XSS to Admin Account Creation (Contributor+) – POC
CVE-2024-3899 is a severe vulnerability found in the Envira Gallery plugin, a popular WordPress plugin used by over 100,000 websites to create image galleries. This vulnerability allows contributors (or users with higher privileges) to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript code in the “Title” field of image settings. When exploited, this flaw can lead to the creation of unauthorized admin accounts, giving attackers complete control over the website.
CVE-2024-5561 – Popup Maker – Stored XSS to backdoor creation – POC
CVE-2024-5561 highlights a critical flaw in the Popup Maker plugin, a popular WordPress plugin used by over 700,000 websites to create and manage popups. This vulnerability allows attackers to execute stored Cross-Site Scripting (XSS) attacks by embedding malicious JavaScript (JS) code. Exploited by someone with editor-level permissions, this flaw can result in complete account takeover and the creation of backdoors, leading to long-term control over the compromised WordPress site.
CVE-2024-7315 – Migration, Backup, Staging – WPvivid – Unauth Sensitive Data Exposure and Database password leak – POC
A critical vulnerability, designated as CVE-2024-7315, has been discovered in the WPvivid plugin, widely used for migration, backup, and staging in WordPress with over 500,000 installations. This flaw exposes highly sensitive data, including database passwords and site configuration details, by exploiting a specific directory (./wp-content/wpvividbackups/wpvivid_log/). If left unpatched, the vulnerability can lead to complete site compromise through brute force attacks on password hashes or direct access to sensitive information.
CVE-2024-8617 – Quiz Maker – Stored XSS to Backdoor Creation – POC
CVE-2024-8617 detects a stored XSS vulnerability in the popular QuizMaker plugin for WordPress, which allows users to create various quizzes with different types of questions. Although it offers extensive functionality for creating quizzes, it also contains a critical security flaw
CVE-2024-7758 – Stylish Price List – Stored XSS(Contributor+) – POC
Vulnerability CVE-2024-7758 affects the Stylish Price List plugin, which is used in companies such as beauty salons, spas, restaurants, etc. This plugin allows users to create elegant price lists, helping to convert visitors into customers. However, this vulnerability opens up the possibility for attackers to inject malicious code into a website, leading to potential account hijacking or other serious security breaches.
Plugin Security Certification (PSC-2024-64527): “Security & Malware scan by CleanTalk” – Version 2.141: Enhanced Protection from ALL
The Security & Malware Scan by CleanTalk plugin (version 2.141) has received the prestigious Plugin Security Certification (PSC) from CleanTalk. This powerful plugin provides comprehensive protection to WordPress websites by scanning for malware, blocking brute-force attacks, filtering unwanted traffic, and protecting your site from online threats. CleanTalk ensures that your website remains secure, fast, and fully optimized by combining a robust set of features to stop malicious attacks before they happen.