CVE-2025-10357 – Simple SEO – Stored XSS – POC

Simple SEO is a lightweight WordPress plugin that generates and manages SEO meta tags (title, meta description, keywords), supports quick-edit, sitemap generation and imports from other SEO plugins. In versions up to 2.0.32, the plugin contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-10357) that allows a user with Contributor (or higher) privileges to store malicious HTML/JS inside the plugin’s SEO fields (HTML-encoded Title). The injected script executes later when the field is rendered, potentially in the context of administrators or other privileged users.

CVE-2025-8282 – SureForms – Stored XSS – POC

CVE-2025-8282 affects the widely used SureForms plugin, with over 300,000 active installations, and revolves around a stored cross-site scripting flaw that undermines the integrity of form labels. SureForms allows Editors and Administrators to build complex forms using text blocks with customizable labels and placeholders. However, by embedding malicious JavaScript into the “Label” field when the “Use Labels as Placeholders” option is enabled, an attacker with Editor-level permissions can store a payload that executes whenever any user hovers over the affected form element. This vulnerability leverages the high-privilege context granted to Editors, turning a benign form builder feature into a powerful vector for account takeover and persistent backdoors.

CVE-2025-9331 – Spacious [THEME] – Missing Authorization to Authenticated (Subscriber+) Demo Data Import – POC

CVE-2025-9331 impacts the widely used Spacious WordPress theme, currently active on over 30,000 sites. At its core lies a missing authorization check in the theme’s demo data import functionality. Normally, executing the “Import Demo Data” operation should be restricted to high-privileged users such as Administrators or Editors. However, due to an exposed nonce delivered via wp_localize_script, even Subscriber-level accounts can trigger the import_button AJAX action, enabling them to import arbitrary demo content and potentially manipulate site configuration or inject malicious data without proper oversight.

Plugin Security Certification (PSC-2025-64597): “Redis Object Cache” – Version 2.6.5: Use Cache with Enhanced Security

Redis Object Cache 2.6.5 is a persistent object cache backend powered by Redis®, designed to enhance WordPress performance and scalability. It supports multiple PHP clients such as Predis, PhpRedis (PECL), and Relay, while offering advanced features like replication, sentinels, clustering, and seamless WP-CLI integration.

Plugin Security Certification (PSC-2025-64596): “PDF Embedder” – Version 4.9.2: Use PDF with Enhanced Security

PDF Embedder is a powerful WordPress plugin that allows you to upload and embed PDF files directly into posts and pages, offering seamless document presentation with responsive design. Unlike other plugins that rely on iframes, PDF Embedder uses a unique JavaScript-based rendering method that gives site administrators complete control over the look, sizing, and navigation of embedded PDFs.

The plugin ensures that all PDF files and associated scripts are served from your own server, guaranteeing both faster performance and greater reliability, without reliance on third-party services. This approach enhances not only the user experience but also the security of your content.

The free version includes essential embedding functionality, while PDF Embedder Premium extends features with download options, hyperlink support, continuous scrolling, full-screen mode, and advanced mobile-friendly options.

CVE-2025-8592 – Inspiro [THEME] – Unauth CSRF Leads to Arbitrary Plugin Upload and Remote Code Execution – POC

CVE-2025-8592 affects the popular Inspiro WordPress theme, which has amassed over 100,000 active installations. This vulnerability arises from an unauthenticated Cross-Site Request Forgery (CSRF) flaw in the theme’s AJAX handlers, specifically the inspiro_install_plugin action. By tricking an unsuspecting site administrator into visiting a malicious page, an attacker can silently install and activate plugins of their choosing from the official WordPress repository. If the forced plugin contains file-upload capabilities or known security weaknesses, the attacker can achieve full remote code execution (RCE) on the compromised site.

Plugin Security Certification (PSC-2025-64595): “Category Order and Taxonomy Terms Order” – Version 1.9: Use Category Order with Enhanced Security

Category Order and Taxonomy Terms Order is a lightweight yet powerful WordPress plugin that enables administrators to reorder categories and custom taxonomy terms with a drag-and-drop interface. Developed by Nsp-Code, this plugin enhances site structure and usability without requiring theme or plugin modifications.

While primarily a tool for content organization, it also interacts directly with queries and the WordPress admin environment—areas where poorly implemented code could create vulnerabilities. That’s why CleanTalk’s Plugin Security Certification (PSC-2025-64595) is an important milestone: it validates that this plugin has been extensively audited and is safe to use in production environments.

Plugin Security Certification (PSC-2025-64594): “WP-PageNavi” – Version 2.94.5: Use Fancy Pagination Links with Enhanced Security

WP-PageNavi is one of the most widely used plugins for adding advanced paging navigation to WordPress. Instead of the basic “Older posts | Newer posts” links, it provides a more user-friendly and customizable pagination interface that improves navigation across archives, blogs, and multipage posts. With a long-standing reputation for reliability, WP-PageNavi is trusted by thousands of site owners to enhance usability.

Now, with the Plugin Security Certification (PSC-2025-64594) by CleanTalk, WP-PageNavi has also been recognized for its secure coding practices and resistance to modern web-based threats. This certification gives WordPress administrators confidence that the plugin is not only functional but also fully aligned with today’s security standards.

CVE-2025-9202 – ColorMag [THEME] – Missing Authorization to Authenticated (Subscriber+) Plugin Installation – POC

ColorMag is a widely used WordPress theme known for its magazine-style layouts and robust customization options, currently active on over 50,000 sites. It offers a seamless “import demo content” feature that loads theme demo data and recommended plugins via an AJAX action named import_button. However, a serious security flaw—CVE-2025-9202—has been discovered: the theme exposes the required nonce to Subscriber+ users through wp_localize_script, yet fails to enforce any capability checks. As a result, low-privileged users can invoke the import routine and install arbitrary plugins without proper authorization.

CVE-2025-8085 – Ditty – Unauthenticated SSRF – POC

Ditty is a popular WordPress plugin for creating dynamic content displays—tickers, charts, and news feeds—through a user-friendly block editor interface. With over 50,000 active installations, it’s widely used to embed real-time data and media into pages and posts. However, a critical vulnerability—CVE-2025-8085—has been identified in its REST API: an unauthenticated Server-Side Request Forgery (SSRF) flaw in the endpoint wp-json/dittyeditor/v1/displayItems. This allows any unauthenticated visitor to coerce the server into fetching arbitrary external or internal URLs, potentially exposing internal network resources or enabling further exploits like remote code execution or data exfiltration.