Plugin Security Certification (PSC-2025-64567): “Simple Custom CSS and JS” – Version 3.50: Use CSS and JS with Enhanced Security

Plugin Security Certification (PSC-2025-64567): “Simple Custom CSS and JS” – Version 3.50: Use CSS and JS with Enhanced Security

Simple Custom CSS and JS is a lightweight yet powerful WordPress plugin that empowers users to inject custom CSS and JavaScript into their websites without altering core theme or plugin files. This plugin is an essential tool for developers and site administrators who require flexibility in styling or scripting, while ensuring a clean and maintainable WordPress environment.

Thanks to its intuitive interface and code editor with syntax highlighting, Simple Custom CSS and JS makes code management straightforward and efficient. Furthermore, the plugin has undergone rigorous security testing and proudly carries the Plugin Security Certification (PSC-2025-64567) issued by CleanTalk, validating its compliance with modern secure coding standards.

Plugin Security Certification (PSC-2025-64566): “Joinchat” – Version 5.2.4: Use Chat with Enhanced Security

Plugin Security Certification (PSC-2025-64566): “Joinchat” – Version 5.2.4: Use Chat with Enhanced Security

JoinChat is a powerful communication plugin designed to enhance user engagement by integrating WhatsApp and other chat platforms directly into your WordPress website. With its intuitive interface, JoinChat enables site owners to place a floating contact button that connects users to WhatsApp on mobile and desktop, delivering real-time, personalized support. JoinChat supports multiple customization options, analytics integration, WooCommerce compatibility, and dynamic content for each page or product.

Beyond functionality, JoinChat stands out with its emphasis on code quality and security. The plugin has successfully passed a full-scale security audit and has been awarded the Plugin Security Certification (PSC-2025-645656 by CleanTalk, assuring WordPress site owners of a safe and robust integration with modern messaging tools.

CVE-2024-13486- Icegram Engage – Stored XSS to JS Backdoor Creation – POC

CVE-2024-13486- Icegram Engage – Stored XSS to JS Backdoor Creation – POC

Icegram Engage is a popular WordPress plugin designed to create popups, opt-in forms, and other interactive elements to engage visitors. With over 30,000 active installations, it is widely used to enhance user experience on WordPress sites. However, a critical vulnerability (CVE-2024-13486) has been identified within the plugin that allows an attacker to execute stored Cross-Site Scripting (XSS) attacks. This vulnerability can be exploited by attackers to inject malicious JavaScript code, potentially leading to backdoor creation and unauthorized account takeover.

Plugin Security Certification (PSC-2024-64565): “WooCommerce Shipping & Tax” – Version 2.8.9: Use Shipping with Enhanced Security

Plugin Security Certification (PSC-2024-64565): “WooCommerce Shipping & Tax” – Version 2.8.9: Use Shipping with Enhanced Security

WooCommerce Shipping & Tax is a vital extension for any WooCommerce-powered store that simplifies two of the most complex parts of running an eCommerce business: shipping and taxes. This plugin offloads critical services such as label generation and tax calculation to Automattic’s robust and secure cloud infrastructure. By doing so, it minimizes dependency on your own hosting environment, ensuring faster response times and increased platform stability.

With the ability to instantly print USPS and DHL shipping labels and automatically calculate accurate tax rates at checkout, WooCommerce Shipping & Tax is designed to save store owners time, money, and resources. The plugin has successfully passed a comprehensive security review and has been awarded the Plugin Security Certification (PSC-2025-64565) by CleanTalk, confirming its reliability and code integrity.

CVE-2024-11272 – Contact Form & SMTP Plugin for WordPress by PirateForms – Stored XSS to JS Backdoor Creation – POC

CVE-2024-11272 – Contact Form & SMTP Plugin for WordPress by PirateForms – Stored XSS to JS Backdoor Creation – POC

The Contact Form & SMTP Plugin for WordPress by PirateForms is widely used to add customizable contact forms and SMTP email configurations to WordPress sites. With over 50,000 active installations, the plugin provides a convenient solution for website owners to manage user interactions. However, a critical vulnerability (CVE-2024-11272) has been discovered in the plugin that exposes WordPress sites to a serious security risk. The vulnerability allows attackers to inject malicious JavaScript into the plugin’s settings via the “Submit button” field. This can lead to account takeover, backdoor creation, and a wide range of other security risks.

CVE-2024-11273 – Contact Form & SMTP Plugin for WordPress by PirateForms – Stored XSS to JS Backdoor Creation – POC

CVE-2024-11273 – Contact Form & SMTP Plugin for WordPress by PirateForms – Stored XSS to JS Backdoor Creation – POC

The Contact Form & SMTP Plugin for WordPress by PirateForms is widely used to implement contact forms and handle email submissions through SMTP. With over 50,000 active installations, this plugin offers a simple and efficient way to manage user inquiries. However, a critical vulnerability—CVE-2024-11273—has been discovered in the plugin, which allows for Stored Cross-Site Scripting (XSS) attacks. This flaw enables attackers to inject malicious JavaScript code into the plugin’s settings, leading to the creation of backdoors and allowing attackers to take over admin accounts.

CVE-2024-12769 – Simple Banner – Stored XSS to JS Backdoor Creation – POC

CVE-2024-12769 – Simple Banner – Stored XSS to JS Backdoor Creation – POC

The Simple Banner plugin is a popular WordPress plugin used by website owners to display customizable banners at the top of their pages. With over 50,000 active installations, the plugin allows users to manage and configure banner content easily. While the plugin provides useful features, a critical vulnerability—CVE-2024-12769—was discovered during testing, which allows attackers to inject malicious JavaScript (JS) into the banner settings. This vulnerability enables attackers to execute stored XSS attacks, ultimately leading to the creation of a backdoor and account takeover by an attacker. This security flaw underscores the importance of input validation and sanitization, especially for plugins that manage dynamic content.

Plugin Security Certification (PSC-2025-64563): “Autoptimize” – Version 6.0.1: Use Optimization with Enhanced Security

Plugin Security Certification (PSC-2025-64563): “Autoptimize” – Version 6.0.1: Use Optimization with Enhanced Security

Autoptimize 3.1.13 is a high-performance optimization plugin for WordPress designed to dramatically speed up your website. By aggregating, minifying, and caching JavaScript, CSS, and HTML code, the plugin ensures leaner and faster page loads. It also enhances performance by inlining critical CSS, deferring script execution, and supporting modern image formats like WebP and AVIF. Built with flexibility and extensibility in mind, Autoptimize provides a robust API, enabling developers to fine-tune optimizations based on specific site requirements. With Autoptimize Pro, users can access premium features such as image CDN, page caching, critical CSS automation, and more.

Autoptimize has undergone rigorous code review and security testing, achieving the Plugin Security Certification (PSC-2025-64563) from CleanTalk, ensuring peace of mind for site owners and developers who prioritize security.

CVE-2024-10679 – Quiz and Survey Master (QSM) – Stored XSS to Admin Account Creation – POC

CVE-2024-10679 – Quiz and Survey Master (QSM) – Stored XSS to Admin Account Creation – POC

Quiz and Survey Master (QSM) is a popular WordPress plugin used by website owners and content creators to design and implement quizzes, surveys, and polls on their websites. With over 50,000 active installations, it provides a versatile platform for gathering feedback and engaging users. However, a critical vulnerability—CVE-2024-10679—has been identified in the plugin that exposes WordPress sites to a serious risk. The vulnerability allows attackers to execute a Stored Cross-Site Scripting (XSS) attack via the plugin’s settings, enabling attackers to escalate privileges and create an admin account. This vulnerability is particularly dangerous because it allows attackers to exploit low-level user roles, such as contributors, to gain full control over the WordPress site.