
Byte Open Security

(ByteOS Network)


WP Blog and Widgets

Source - CNA
CNA CVEs - 2
ADP CVEs - 0
CISA CVEs - 0
NVD CVEs - 0
2 Vulnerabilities found

CVE-2026-6443
Assigner-Wordfence
CVSS Score-9.8 (CRITICAL)
EPSS-0.06% / 18.27%
7 Day CHG~0.00%
Published-17 Apr, 2026 | 06:44
Updated-22 Apr, 2026 | 20:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Essentialplugin Plugins (Various Versions) - Injected Backdoor

All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugins being sold to a malicious threat actor that embedded a backdoor in all of the plugins they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites.

Action-Not Available
Vendor-essentialplugin
Product-Blog Designer – Post and Widget; Featured Post Creative; WP Featured Content and Slider; Testimonial Grid and Testimonial Slider plus Carousel with Rotator Widget; WP Responsive Recent Post Slider/Carousel; Post grid and filter ultimate; WP Slick Slider and Image Carousel; WP responsive FAQ with category plugin; Portfolio and Projects; WP Logo Showcase Responsive Slider and Carousel; WP Blog and Widgets; Team Slider and Team Grid Showcase plus Team Carousel; Countdown Timer Ultimate; Accordion and Accordion Slider; Trending/Popular Post Slider and Widget; Album and Image Gallery Plus Lightbox; Meta Slider and Carousel with Lightbox; Post Ticker Ultimate; Video gallery and Player; WP News and Scrolling Widgets; Timeline and History slider; Popup Maker and Popup Anything – Popup for opt-ins and Lead Generation Conversions
CWE ID-CWE-506
Embedded Malicious Code
CVE-2022-4824
Assigner-WPScan
CVSS Score-5.4 (MEDIUM)
EPSS-0.25% / 48.56%
7 Day CHG~0.00%
Published-06 Feb, 2023 | 19:59
Updated-26 Mar, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Blog and Widget < 2.3.1 - Contributor+ Stored XSS via Shortcode

The WP Blog and Widgets WordPress plugin before 2.3.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

Action-Not Available
Vendor-essentialplugin; Unknown
Product-wp_blog_and_widget; WP Blog and Widgets
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')