CVE-2024-10560 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10560 – Form Maker by 10Web – Stored XSS to JS Backdoor Creation – POC

Form Maker by 10Web is a popular WordPress plugin that allows users to create custom forms for their websites. With over 50,000 active installations, it’s used widely for collecting data, including user registrations, feedback, and other forms of submission. However, a critical vulnerability, CVE-2024-10560, has been discovered within the plugin. This stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject and execute malicious JavaScript in a form’s description field. Once this script is executed, it enables attackers to gain control over the site by creating backdoors, potentially escalating privileges to admin-level access.

CVE-2024-10565 – Slider by 10Web – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10565 – Slider by 10Web – Stored XSS to JS Backdoor Creation – POC

The Slider by 10Web plugin is a widely used WordPress tool designed to create visually engaging image sliders. With over 30,000 active installations, this plugin provides an easy way for users to display images, video, and content in a slideshow format. While the plugin offers many beneficial features, a critical vulnerability, CVE-2024-10565, has been discovered that allows attackers to exploit stored Cross-Site Scripting (XSS) within the plugin’s settings. This vulnerability enables attackers to inject malicious JavaScript into a website, which could result in a backdoor creation, allowing unauthorized access to the site’s admin functions.

CVE-2025-1524 – Ultimate Dashboard < 3.8.6 – Stored XSS to Admin Creation – POC

CVE-2025-1524 – Ultimate Dashboard < 3.8.6 – Stored XSS to Admin Creation – POC

The Ultimate Dashboard plugin is a popular tool for customizing the WordPress admin dashboard, used by site owners and developers to enhance the client experience with personalized widgets, custom admin pages, and visual tweaks. However, in versions prior to 3.8.6, the plugin was affected by a Stored Cross-Site Scripting (XSS) vulnerability that could lead to privilege escalation, including unauthorized admin account creation.

This vulnerability, tracked as CVE-2025-1524, represents a critical example of how seemingly innocuous customization features can become attack vectors when proper sanitization is not enforced.

Plugin Security Certification (PSC-2025-64562): “Redux Framework” – Version 4.5.7: Use Framework with Enhanced Security

Plugin Security Certification (PSC-2025-64562): “Redux Framework” – Version 4.5.7: Use Framework with Enhanced Security

Redux Framework is a robust and developer-centric options framework for WordPress, designed to streamline and simplify theme and plugin development. Instead of reinventing the wheel with each project, Redux provides a scalable, extensible foundation for building powerful admin panels using a single, well-documented configuration file. Supporting a wide array of field types, integrated Google Fonts, compiler hooks, and validation mechanisms, Redux is a complete toolkit built for innovation.

With full responsiveness and WordPress-native integration, Redux accelerates development without compromising code quality. It enables developers to build powerful options panels faster, while also maintaining structured, secure, and maintainable code. Redux has undergone extensive security auditing and proudly holds the Plugin Security Certification (PSC-2025-64562) from CleanTalk, ensuring a secure development experience.

CVE-2025-1523 – Ultimate Dashboard < 3.8.6 – Stored XSS to Admin Creation – POC

CVE-2025-1523 – Ultimate Dashboard < 3.8.6 – Stored XSS to Admin Creation – POC

The Ultimate Dashboard plugin is a popular tool for customizing the WordPress admin dashboard, used by site owners and developers to enhance the client experience with personalized widgets, custom admin pages, and visual tweaks. However, in versions prior to 3.8.6, the plugin was affected by a Stored Cross-Site Scripting (XSS) vulnerability that could lead to privilege escalation, including unauthorized admin account creation.

This vulnerability, tracked as CVE-2025-1523, represents a critical example of how seemingly innocuous customization features can become attack vectors when proper sanitization is not enforced.

CVE-2024-10144 – Photo Gallery, Images, Slider in Rbs Image Gallery – Stored XSS to Admin Creation (Contributor+) – POC

CVE-2024-10144 – Photo Gallery, Images, Slider in Rbs Image Gallery – Stored XSS to Admin Creation (Contributor+) – POC

The Photo Gallery, Images, Slider in Rbs Image Gallery plugin is a widely used tool for managing and displaying galleries, sliders, and images within WordPress websites. This plugin offers a variety of features to enhance the visual experience of WordPress sites, with over 50,000 active installations. However, a critical security vulnerability—CVE-2024-10144—has been discovered, allowing attackers to inject malicious JavaScript (JS) code. This vulnerability enables attackers to escalate their privileges, resulting in the potential creation of an admin account through a stored XSS attack. This vulnerability exposes sites to a range of malicious activities, including unauthorized access and potential data breaches.

CVE-2024-10107 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC

CVE-2024-10107 – Giveaways and Contests by RafflePress – Stored XSS to JS Backdoor Creation – POC

The Giveaways and Contests by RafflePress plugin is a popular tool used by WordPress site owners to manage and run contests, sweepstakes, and giveaways. With over 30,000 active installations, it allows users to boost engagement and traffic by offering incentives to participants. However, a critical vulnerability—CVE-2024-100107—was discovered during testing, which exposes the plugin to a Stored Cross-Site Scripting (XSS) attack. This vulnerability allows malicious actors to inject and execute JavaScript code, enabling them to potentially gain unauthorized access to the site and create backdoors that could compromise the entire platform.

CVE-2024-13207 – Widget for Social Page Feeds < 6.4.2 – Stored XSS to Backdoor Creation – POC

CVE-2024-13207 – Widget for Social Page Feeds < 6.4.2 – Stored XSS to Backdoor Creation – POC

In April 2024, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the popular WordPress plugin Widget for Social Page Feeds (formerly known as “Facebook Page Like Widget”). This plugin is installed on over 80,000 WordPress sites and is widely used to display Facebook page feeds in sidebars and other widget areas. The vulnerability, assigned CVE-2024-13207, affects all plugin versions below 6.4.2 and can allow attackers to inject malicious JavaScript, potentially leading to full site compromise.

CVE-2024-13610 – Simple Social Media Share Buttons < 6.0.0 – Stored XSS to Backdoor Creation – POC

CVE-2024-13610 – Simple Social Media Share Buttons < 6.0.0 – Stored XSS to Backdoor Creation – POC

In early 2024, a security flaw was identified in the popular WordPress plugin Simple Social Media Share Buttons, used on thousands of websites to enhance social media engagement. The vulnerability, now tracked as CVE-2024-13610, allows attackers to inject persistent JavaScript (Stored XSS) into the admin panel via the YouTube Channel ID field inside the widget settings. In the worst-case scenario, this could lead to the creation of backdoor admin accounts, full site compromise, or even malware distribution to site visitors.