WordPress Password Leak Protection in CleanTalk Plugin

During testing, a vulnerability was found that allows, through changing the settings, to implement Stored XSS on all pages where there is a mention of the plugin. This vulnerability is available on behalf of the administrator and allows you to leave javascript “backdoor” when capturing an administrative account, which will allow account takeover. Unfiltered_html capability…

While examining the plugin during the testing phase, we uncovered a vulnerability that enables the execution of Stored Cross-Site Scripting (XSS) attacks, accomplished by incorporating a shortcode into a new post. This vulnerability has the potential to lead to the compromise of user accounts, particularly those of contributors. Main info: CVE CVE-2023-4646 Plugin Simple Posts…

During the plugin’s testing phase, a vulnerability was identified that enables the execution of Stored XSS by an attacker who embeds a shortcode in a new post, potentially leading to an account takeover. Main info: CVE CVE-2023-4798 Plugin User Avatar – Reloaded Critical High Publicly Published September 25, 2023 Last Updated September 25, 2023 Researcher…

During testing, a critical vulnerability was discovered in the plugin, namely a vulnerability in the Directory Listings system, which allows an unauthorized user to view and download private files of other users. This vulnerability poses a serious security threat because it allows an attacker to gain access to confidential data and files of other users…