New WordPress Plugin Vulnerabilities Reported by NIST.Gov
NIST.gov has just released details on a slew of new security vulnerabilities affecting popular WordPress plugins.
These vulnerabilities range from medium to critical severity and include issues like SQL injection, stored cross-site scripting (XSS), arbitrary file uploads, and even privilege escalation. If you’re running any of these plugins, your site could be at risk of attacks that compromise sensitive data, inject malicious scripts, or even allow remote code execution.
I’ve posted the full list of vulnerabilities over on r/pwnhub, a subreddit dedicated to sharing new attack vectors, exploit techniques, and hacker news. You can check it out here:
👉 Full Vulnerability List on /r/pwnhub
Here’s a quick summary of some of the most critical issues:
- Brizy – Page Builder: Arbitrary file uploads (CVE-2024-10960, 9.9 CRITICAL) and stored XSS (CVE-2024-10322, 6.4 MEDIUM).
- WP Job Board Pro: Privilege escalation allowing unauthenticated attackers to register as admins (CVE-2024-12213, 9.8 CRITICAL).
- Security & Malware Scan by CleanTalk: Arbitrary file uploads via .zip archives (CVE-2024-13365).
- Multiple Freight/Shipping Plugins: SQL injection vulnerabilities (e.g., CVE-2024-13532, 7.5 HIGH) affecting plugins like Small Package Quotes, LTL Freight Quotes, and ShipEngine Shipping Quotes.
What should you do?
- Check if you’re using any of the affected plugins.
- Update immediately if a patch is available.
- If no patch is available, consider disabling the plugin and finding an alternative until the issue is resolved.
- Monitor your site for any suspicious activity, in particular new administrator accounts and unexpected files in the uploads directory, since those are exactly what the privilege escalation and file upload bugs above produce.
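As an added example (not part of the original post), here is a small script that does the first three steps in one pass: it matches the plugins named above against a site's plugin inventory and tells you whether to update or deactivate each hit. It assumes the JSON produced by `wp plugin list --fields=name,title,status,update,version --format=json`; the sample inventory, slugs and version numbers below are constructed placeholders.

```python
import json

# Advisory entries summarised in the post above, keyed by plugin display name.
# CVE-2024-13532 is the example the post gives for the freight/shipping group.
ADVISORIES = {
    "Brizy – Page Builder": (["CVE-2024-10960", "CVE-2024-10322"], 9.9),
    "WP Job Board Pro": (["CVE-2024-12213"], 9.8),
    "Security & Malware Scan by CleanTalk": (["CVE-2024-13365"], None),
    "Small Package Quotes": (["CVE-2024-13532"], 7.5),
    "LTL Freight Quotes": (["CVE-2024-13532"], 7.5),
    "ShipEngine Shipping Quotes": (["CVE-2024-13532"], 7.5),
}

def normalise(title):
    # Compare case-insensitively and treat en dashes like hyphens.
    return " ".join(title.casefold().replace("\u2013", "-").split())

AFFECTED = {normalise(t): (t, cves, cvss) for t, (cves, cvss) in ADVISORIES.items()}

def triage(plugin_list_json):
    """Return one finding per installed affected plugin, most severe first.
    Input: output of `wp plugin list --fields=name,title,status,update,version --format=json`."""
    findings = []
    for p in json.loads(plugin_list_json):
        hit = AFFECTED.get(normalise(p.get("title", "")))
        if hit is None:
            continue
        title, cves, cvss = hit
        if p.get("update") == "available":
            action = "update now"
        elif p.get("status") == "active":
            action = "no patch listed: deactivate and replace"
        else:
            action = "already inactive: remove until patched"
        findings.append({"slug": p["name"], "title": title, "version": p.get("version"),
                         "cves": cves, "cvss": cvss, "action": action})
    # CVSS descending; entries without a published score sort last.
    return sorted(findings, key=lambda f: -(f["cvss"] or 0))

# Constructed sample inventory; slugs and versions are placeholders, not real releases.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "brizy", "title": "Brizy – Page Builder", "status": "active", "update": "available", "version": "0.0.1"},
    {"name": "akismet", "title": "Akismet Anti-spam", "status": "active", "update": "none", "version": "0.0.1"},
    {"name": "wp-jobboard-pro", "title": "WP Job Board Pro", "status": "active", "update": "none", "version": "0.0.1"},
    {"name": "ltl-freight-quotes", "title": "LTL Freight Quotes", "status": "inactive", "update": "none", "version": "0.0.1"},
])

if __name__ == "__main__":
    for f in triage(SAMPLE_PLUGIN_LIST):
        print(f"{f['title']} ({f['slug']} {f['version']}): {', '.join(f['cves'])} -> {f['action']}")
```

Pipe real `wp plugin list` output into `triage()` to get the same report for a live site; a plugin absent from the inventory simply produces no finding.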
Stay vigilant and keep your sites secure!
Disclaimer: This post is based on publicly available information from NIST.gov. Always verify details and consult with a security professional if needed.