Plugin Security Certification (PSC-2025-64552): “Breadcrumb NavXT” – Version 7.4.1: Use Breadcrumb with Enhanced Security

Plugin Security Certification (PSC-2025-64552): “Breadcrumb NavXT” – Version 7.4.1: Use  Breadcrumb with Enhanced Security

Breadcrumb NavXT is a powerful WordPress plugin designed to generate breadcrumb trails for websites, providing users with a clear navigational structure. As the successor to Breadcrumb Navigation XT, it has been completely rebuilt to offer greater customization, performance, and compatibility with modern web standards. The plugin integrates seamlessly with WordPress themes, allowing both administrators and developers to configure breadcrumb settings effortlessly.

CVE-2024-9645 – Post Grid Gutenberg Blocks (Combo Blocks) – Stored XSS to Admin Creation – POC

CVE-2024-9645 – Post Grid Gutenberg Blocks (Combo Blocks) – Stored XSS to Admin Creation – POC

The Post Grid Gutenberg Blocks (Combo Blocks) plugin for WordPress allows users to display posts in a grid format with various customizations, making it a popular choice among WordPress users. However, a critical Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the plugin, identified as CVE-2024-9645. This flaw allows an attacker with contributor-level access to inject malicious JavaScript into the plugin’s shortcode, which can be executed when the post is viewed. The attacker can exploit this vulnerability to create a backdoor admin account, potentially giving them full control of the website. With over 50,000 active installations, this vulnerability presents a significant security risk to sites using this plugin.

CVE-2024-9020 – List Category Posts – Stored XSS to JS Admin Creation – POC

CVE-2024-9020 – List Category Posts – Stored XSS to JS Admin Creation – POC

List Category Posts is a widely used WordPress plugin that allows site owners to display posts from specific categories in a list format. However, CVE-2024-9020 has been identified as a critical Stored Cross-Site Scripting (XSS) vulnerability within the plugin. This vulnerability enables attackers with contributor-level privileges to inject malicious JavaScript into post excerpts, which can lead to the creation of a backdoor admin account. With over 100,000 active installations, this flaw presents a significant security risk for websites using the List Category Posts plugin.

CVE-2024-13314 – Carousel, Slider, Gallery by WP Carousel – Stored XSS to JS Backdoor Creation – POC

CVE-2024-13314 – Carousel, Slider, Gallery by WP Carousel – Stored XSS to JS Backdoor Creation – POC

The WP Carousel plugin is a popular WordPress plugin that allows users to create beautiful image, post, and WooCommerce product carousels effortlessly. With its user-friendly interface and extensive features, it has become a preferred choice for many WordPress site owners. However, a vulnerability (CVE-2024-13314) has been discovered in versions below 2.7.4, allowing attackers to exploit Stored Cross-Site Scripting (XSS), posing a significant security risk.

Plugin Security Certification (PSC-2024-64551): “ManageWP Worker” – Version 4.9.20: Use Management tool with Enhanced Security

Plugin Security Certification (PSC-2024-64551): “ManageWP Worker” – Version 4.9.20: Use Management tool with Enhanced Security

The ManageWP Worker plugin, with over 1 million downloads, is a powerful tool for managing multiple WordPress websites from a single dashboard. It offers features such as automated backups, security monitoring, bulk updates, and website cloning. However, from a security standpoint, plugins with administrative control over multiple sites require strict scrutiny to ensure data integrity and prevent potential exploitation.

CVE-2024-13208 – WP Google Map – Stored XSS to JS Backdoor Creation – POC

CVE-2024-13208 – WP Google Map – Stored XSS to JS Backdoor Creation – POC

Google Maps is an essential feature for many websites, enabling businesses and organizations to display interactive maps for better user engagement. WP Google Map is a WordPress plugin designed to simplify the integration of Google Maps into websites. This user-friendly tool provides extensive customization options, making it a favorite among WordPress users. However, recent security research uncovered a critical stored Cross-Site Scripting (XSS) vulnerability in the plugin, identified as CVE-2024-13208. This vulnerability has the potential to compromise the security of websites using the plugin, highlighting the importance of robust security measures.

Plugin Security Certification (PSC-2024-64549): “Antispam Bee” – Version 2.11.7: Use Antispam with Enhanced Security

Plugin Security Certification (PSC-2024-64549): “Antispam Bee” – Version 2.11.7: Use Antispam with Enhanced Security

AntiSpam Bee is a plugin that removes spam in comments on your blogs on WordPress sites. The plugin is popular and has 700 thousand users worldwide. AntiSpam Bee effectively removes spam comments and trackbacks. During the verification of the plugin for vulnerabilities and errors by the Cleantalk team, the plugin receives the PSC-2024-64549 certificate.

CVE-2024-12568 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC

CVE-2024-12568 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC

Email Subscribers by Icegram Express is a popular WordPress plugin designed to help website administrators manage email subscriptions and send automated notifications, such as confirmation emails and newsletters. However, CVE-2024-125678 has been identified as a critical vulnerability in the plugin that allows attackers to inject malicious JavaScript into the email content field of a new workflow. The injected script can lead to a backdoor creation, allowing attackers to hijack admin sessions or escalate their privileges to take full control of the WordPress site. With over 100,000 active installations, this vulnerability poses a significant risk to WordPress websites that rely on Email Subscribers for their subscription management.

CVE-2024-12567 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC

CVE-2024-12567 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC

Email Subscribers by Icegram Express is a widely used WordPress plugin for collecting and managing email subscribers, as well as sending newsletters, notifications, and other updates. A critical Stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-12567, has been discovered in this plugin. The vulnerability allows attackers to inject malicious JavaScript into form fields, which can lead to account takeover and the creation of a backdoor admin account. With over 100,000 active installations, this flaw represents a significant security risk to WordPress websites using the Email Subscribers plugin.