cleantalk
Vulnerabilities and Security Researches

BLAZE Retail Widget, 5aa63b7aac05249d22e77bf0bcbe643aaba6f01b

CVE, Research URL

5aa63b7aac05249d22e77bf0bcbe643aaba6f01b

Home page URL

Security reports for BLAZE Retail Widget

Application

BLAZE Retail Widget

Published on
Jun 24, 2024
Research Description
BLAZE Retail Widget [blaze-widget] >= 2.2.5 - <= 2.5.2 (closed) Several WordPress.org Plugins <= Various Versions - Injected Backdoor Several plugins for WordPress hosted on WordPress.org have been compromised and injected with malicious PHP scripts. A malicious threat actor compromised the source code of various plugins and injected code that exfiltrates database credentials and is used to create new, malicious, administrator users and send that data back to a server. All plugins have received updates reverting any added malicious code. Simply Show Hooks affected version (1.2.1) is the same as the patched version (1.2.1) - it does not appear that the malicious copy was ever officially released, so sites running 1.2.1 should be unaffected, though it is a good idea to run a complete Wordfence scan and verify that there are no rogue administrator accounts present.
Affected versions
Min 2.2.5, max 2.5.2.
Status
vulnerable
Previous vulnerability researches
BLAZE Retail Widget (CVE-2024-6297) , Jul 22, 2024
BLAZE Retail Widget (5aa63b7aac05249d22e77bf0bcbe643aaba6f01b) , Jun 26, 2024
New vulnerability
Product Notes for WooCommerce (CVE-2025-48239) , May 21, 2025
TI WooCommerce Wishlist (CVE-2025-47577) , May 20, 2025
TI WooCommerce Wishlist (CVE-2025-32920) , May 20, 2025
Header Footer Code Manager , May 20, 2025
WPAdverts &#8211; Classifieds Plugin (CVE-2025-48269) , May 20, 2025