Plugin Security Certification (PSC-2025-64576): “EWWW Image Optimizer” – Version 8.1.4: Use Optimizer Plugin with Enhanced Security

EWWW Image Optimizer (EWWW IO) is a high-performance WordPress plugin designed to enhance site speed and SEO by automatically optimizing image files across your entire website. Whether you’re dealing with the WordPress Media Library, theme assets, or third-party plugin images, EWWW IO ensures that every image is compressed efficiently without compromising quality. The plugin supports a wide range of formats, including JPG, PNG, WebP, SVG, PDF, and the next-gen AVIF, with adaptive and intelligent conversion to deliver optimal file types for every use case.

EWWW IO can perform all optimizations locally on your server using powerful image processing tools or offload them to specialized servers via Easy IO CDN. With features such as lazy loading, bulk optimization, WebP/AVIF conversion, and comprehensive plugin compatibility, it serves as a complete image performance suite. EWWW IO is not only built for speed but also engineered with strong security practices, having earned the Plugin Security Certification (PSC) from CleanTalk.

Plugin Security Certification (PSC-2024-64575): “Table of Contents Plus” – Version 2411.1: Use Content Plugin with Enhanced Security

Table of Contents Plus is a powerful and user-friendly WordPress plugin designed to automatically generate structured, context-specific tables of contents (TOC) for long-form content and custom post types. Inspired by Wikipedia’s navigation standards, the plugin enhances readability and SEO by providing a logical content structure for users and search engines alike. Beyond a traditional TOC, it also offers built-in support for generating sitemaps of pages, categories, and posts across the site. With seamless shortcode functionality, advanced customization options, and robust theme compatibility, Table of Contents Plus is ideal for content-heavy websites and blogs seeking to improve user experience and page navigation.

After undergoing rigorous security testing and static code analysis, the plugin has successfully obtained the Plugin Security Certification (PSC) from CleanTalk, ensuring its compliance with high-level security standards and safe deployment on any WordPress installation.

CVE-2025-3584 – Newsletter – Stored XSS to JS Backdoor Creation – POC

The Newsletter plugin for WordPress, with over 300,000 active installations, is widely adopted for managing subscriptions, creating automated campaigns, and personalizing subscriber experiences. However, a severe security flaw—CVE-2025-3584—has been discovered in the plugin’s subscription settings, specifically in its “Welcome page content” feature. This vulnerability allows users with Editor privileges to inject malicious JavaScript into the global “Welcome page” template. When unsuspecting visitors or administrators land on any post or page displaying the Welcome content, the injected script executes, opening the door to full account takeover via a persistent backdoor.

CVE-2025-2560 – Ninja Forms – Stored XSS to JS Backdoor Creation – POC

Ninja Forms is a leading WordPress plugin enabling site owners to build advanced forms without coding, with over 700,000 active installations. Despite its popularity and feature richness, a critical vulnerability—CVE-2025-2560—was discovered, allowing users with Editor-level privileges to inject persistent JavaScript into form configurations. This stored XSS can escalate to a full account takeover backdoor, jeopardizing the security of any site using Ninja Forms.

CVE-2025-2524 – Ninja Forms – Stored XSS to JS Backdoor Creation – POC

Ninja Forms is one of the most widely used WordPress plugins for creating contact forms with over 700,000 active installations. Its user-friendly drag-and-drop interface makes it a favorite among both developers and non-technical users. However, in the process of a routine plugin security audit, we discovered a critical vulnerability that permits Stored Cross-Site Scripting (XSS), allowing a contributor or editor to inject malicious JavaScript and potentially establish a persistent backdoor, leading to complete account takeover.

CVE-2025-3201 – Kali Forms – Stored XSS to Admin Account Creation (Contributor+) – POC

WordPress plugins play a vital role in extending the platform’s capabilities, yet they are frequently a weak point in site security. One such case is the Kali Forms plugin, a drag-and-drop form builder currently active on over 30,000 installations. A critical vulnerability, now assigned CVE-2025-3201, was discovered in the plugin that permits users with only Contributor-level privileges to inject and store malicious JavaScript. This XSS payload can be used to hijack administrator sessions, ultimately leading to the creation of rogue admin accounts and full site compromise.

CVE-2025-5730 – Easy Contact Form Lite < 1.1.29 – Contributor+ Stored XSS

Cross-Site Scripting (XSS) remains one of the most prevalent and dangerous vulnerabilities affecting WordPress plugins, especially those that allow user-generated content. In the Easy Contact Form Lite plugin (versions prior to 1.1.29), a stored XSS vulnerability was discovered that allows Contributor-level users to inject persistent JavaScript into the form’s placeholder field. This can lead to session hijacking, site defacement, and privilege escalation attacks if exploited by a malicious user.

CVE-2025-3583 – Newsletter – Stored XSS to JS Backdoor Creation – POC

The WordPress ecosystem is vast, with thousands of plugins extending its core functionality. However, the flexibility of these plugins can come at the cost of security if developers don’t adhere to strict input sanitization and output escaping practices. One such vulnerability was discovered in the popular Newsletter plugin, which is installed on over 300,000 websites. The issue, now identified as CVE-2025-3583, allows for Stored Cross-Site Scripting (XSS) that can be weaponized into a JavaScript backdoor, enabling attackers to hijack administrator accounts and compromise the entire site.

CVE-2025-5194 – WP Map Block by aBlocks < 2.0.3 – Contributor+ Stored XSS via Marker – POC

Stored Cross-Site Scripting (XSS) vulnerabilities continue to pose significant risks to WordPress websites, especially those utilizing Gutenberg-compatible plugins for dynamic content embedding. A critical stored XSS vulnerability (CVE-2025-5194) was recently discovered in the WP Map Block plugin, which has since merged with aBlocks. The flaw allows users with Contributor or higher privileges to inject persistent JavaScript payloads through the map marker content, potentially compromising site integrity and administrative accounts.

CVE-2025-3471 – SureForms – Broken Access Control to Settings Updating (Contributor +) – POC

In the modern WordPress ecosystem, the principle of least privilege is critical for maintaining site security. It ensures that users can only perform actions strictly necessary for their roles. However, when plugins break this fundamental principle, even seemingly harmless user roles such as “Contributor” can exploit the system and execute powerful administrative actions. This is precisely the case with CVE-2025-3471—a Broken Access Control vulnerability discovered in the SureForms plugin.