Plugin Security Certification (PSC) by CleanTalk

CVE-2025-15380 affects NotificationX and it is an unauthenticated DOM based cross site scripting vulnerability that can execute JavaScript in a victim browser on public pages. The attack does not require a WordPress account and it does not require any special permissions. It abuses a front end preview mechanism where the plugin accepts attacker supplied configuration, decodes it, and renders it directly into the DOM. This matters because NotificationX is installed specifically to show attention grabbing UI elements like notification bars and press bars. If the preview path can be triggered by anyone, then any attacker can weaponize it to run script on the site origin and steal session data, run actions in the background, or plant further attacks through social engineering. Even a single successful execution can be enough to compromise administrators if they browse the front end while logged in.

CVE-2025-15370 affects Shield Security and it is a privilege boundary failure that weakens authentication rather than changing content or reading data. The vulnerability allows any authenticated user, including a Subscriber, to target another account and toggle that account’s Google Authenticator setting through a request parameter. That matters because MFA is one of the most important compensating controls in WordPress. When a plugin that is meant to harden security can be used by low privilege users to disable MFA on administrators, it becomes a security downgrade primitive. The practical consequence is that attackers only need a second ingredient like a password leak or phishing success to turn this downgrade into a full admin takeover.

CVE-2026-4267 affects Query Monitor and it is a reflected cross site scripting vulnerability that can be triggered by an unauthenticated attacker and executed in the browser of a logged in user who can view Query Monitor output. Query Monitor is often installed on development and staging sites, but it is also frequently left enabled on production environments during troubleshooting, which increases the chance that administrators will have it active while browsing the dashboard. The bug is dangerous because it sits inside a diagnostic panel that administrators trust. Once script execution is achieved in an admin session, the attacker can move from a simple reflected injection to nonce theft and privileged state changing actions in the WordPress backend.

CVE-2026-1710 affects WooPayments and it is an unauthenticated cache poisoning and denial of service vulnerability that targets the checkout payment UI rather than the WordPress admin. The core issue is that a public AJAX endpoint allows any visitor to submit attacker controlled Stripe Elements appearance configuration, and the plugin stores that data in globally shared transients that are later consumed by all shoppers. This transforms a single anonymous request into site wide persistent checkout manipulation that can last for up to a day. On stores where card payments are a primary revenue path, disrupting the payment form is operationally severe because it blocks checkout completion for real customers while looking like a normal front end glitch.

CVE-2026-3098 affects Smart Slider 3 and it enables an authenticated low privilege user to turn normal slider and image management flows into an arbitrary local file read. The practical impact is not limited to viewing a file inside the WordPress UI. The vulnerability chain can package the contents of server files into an exported Smart Slider archive, which the attacker can then download and inspect offline. This is dangerous because the exported artifact becomes a clean exfiltration channel for configuration files, credentials, and application secrets that should never leave the server. With an install base around 800k plus, this is a realistic risk for many sites where Subscriber accounts exist through registration, memberships, or WooCommerce, and where plugin permissions are often assumed to be safe by default.