Plugin Security Certification (PSC) by CleanTalk

Quiz and Survey Master (QSM) is a popular WordPress plugin used by website owners and content creators to design and implement quizzes, surveys, and polls on their websites. With over 50,000 active installations, it provides a versatile platform for gathering feedback and engaging users. However, a critical vulnerability—CVE-2024-10679—has been identified in the plugin that exposes WordPress sites to a serious risk. The vulnerability allows attackers to execute a Stored Cross-Site Scripting (XSS) attack via the plugin’s settings, enabling attackers to escalate privileges and create an admin account. This vulnerability is particularly dangerous because it allows attackers to exploit low-level user roles, such as contributors, to gain full control over the WordPress site.

Form Maker by 10Web is a popular WordPress plugin that allows users to create custom forms for their websites. With over 50,000 active installations, it’s used widely for collecting data, including user registrations, feedback, and other forms of submission. However, a critical vulnerability, CVE-2024-10560, has been discovered within the plugin. This stored Cross-Site Scripting (XSS) vulnerability allows attackers to inject and execute malicious JavaScript in a form’s description field. Once this script is executed, it enables attackers to gain control over the site by creating backdoors, potentially escalating privileges to admin-level access.

The Slider by 10Web plugin is a widely used WordPress tool designed to create visually engaging image sliders. With over 30,000 active installations, this plugin provides an easy way for users to display images, video, and content in a slideshow format. While the plugin offers many beneficial features, a critical vulnerability, CVE-2024-10565, has been discovered that allows attackers to exploit stored Cross-Site Scripting (XSS) within the plugin’s settings. This vulnerability enables attackers to inject malicious JavaScript into a website, which could result in a backdoor creation, allowing unauthorized access to the site’s admin functions.

The Ultimate Dashboard plugin is a popular tool for customizing the WordPress admin dashboard, used by site owners and developers to enhance the client experience with personalized widgets, custom admin pages, and visual tweaks. However, in versions prior to 3.8.6, the plugin was affected by a Stored Cross-Site Scripting (XSS) vulnerability that could lead to privilege escalation, including unauthorized admin account creation.

This vulnerability, tracked as CVE-2025-1524, represents a critical example of how seemingly innocuous customization features can become attack vectors when proper sanitization is not enforced.

The Slider by 10Web plugin is a popular WordPress plugin used for creating responsive image sliders, enhancing the visual appeal of websites. With over 30,000 active installations, this plugin has been widely adopted for its ease of use and feature-rich

The Ultimate Dashboard plugin is a popular tool for customizing the WordPress admin dashboard, used by site owners and developers to enhance the client experience with personalized widgets, custom admin pages, and visual tweaks. However, in versions prior to 3.8.6, the plugin was affected by a Stored Cross-Site Scripting (XSS) vulnerability that could lead to privilege escalation, including unauthorized admin account creation.

This vulnerability, tracked as CVE-2025-1523, represents a critical example of how seemingly innocuous customization features can become attack vectors when proper sanitization is not enforced.

The Photo Gallery, Images, Slider in Rbs Image Gallery plugin is a widely used tool for managing and displaying galleries, sliders, and images within WordPress websites. This plugin offers a variety of features to enhance the visual experience of WordPress sites, with over 50,000 active installations. However, a critical security vulnerability—CVE-2024-10144—has been discovered, allowing attackers to inject malicious JavaScript (JS) code. This vulnerability enables attackers to escalate their privileges, resulting in the potential creation of an admin account through a stored XSS attack. This vulnerability exposes sites to a range of malicious activities, including unauthorized access and potential data breaches.

The Giveaways and Contests by RafflePress plugin is a popular tool used by WordPress site owners to manage and run contests, sweepstakes, and giveaways. With over 30,000 active installations, it allows users to boost engagement and traffic by offering incentives to participants. However, a critical vulnerability—CVE-2024-100107—was discovered during testing, which exposes the plugin to a Stored Cross-Site Scripting (XSS) attack. This vulnerability allows malicious actors to inject and execute JavaScript code, enabling them to potentially gain unauthorized access to the site and create backdoors that could compromise the entire platform.

In April 2024, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the popular WordPress plugin Widget for Social Page Feeds (formerly known as “Facebook Page Like Widget”). This plugin is installed on over 80,000 WordPress sites and is widely used to display Facebook page feeds in sidebars and other widget areas. The vulnerability, assigned CVE-2024-13207, affects all plugin versions below 6.4.2 and can allow attackers to inject malicious JavaScript, potentially leading to full site compromise.