CVE-2025-11705 – Anti-Malware Security and Brute-Force Firewall – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read – POC

The Anti-Malware Security and Brute-Force Firewall plugin is installed on over 100,000 WordPress sites to detect, quarantine, and remove malicious code, as well as to prevent brute-force login attempts. Central to its functionality is a quarantine system that logs suspicious files into a private custom post type (GOTMLS_quarantine) and exposes administrative AJAX endpoints for viewing, scanning, and clearing these quarantined items. However, CVE-2025-11705 reveals a severe broken authorization chain: through the public-facing GOTMLS_View_Quarantine endpoint, any authenticated user—including a Subscriber+—can obtain a valid GOTMLS_mt token, then reuse that token to invoke GOTMLS_scan and read arbitrary filesystem files (e.g., wp-config.php), or call GOTMLS_empty_trash to tamper with quarantine records. This combination of token leakage and missing capability checks constitutes a critical confidentiality and integrity risk.
CVE-2025-8594 – Pz-LinkCard – SSRF – POC

Pz-LinkCard is a WordPress plugin with over 50,000 installations that transforms external URLs into rich, responsive card layouts using the [blogcard] shortcode. By fetching metadata—titles, thumbnails, descriptions—from remote sites, it enhances content engagement. However, a critical vulnerability—CVE-2025-8594—allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF). Because the plugin directly uses the user-supplied url attribute in server-side HTTP requests without any whitelist or validation, an attacker can coerce the server into fetching internal or arbitrary endpoints, risking data exposure, internal network probing, or remote service manipulation.
CVE-2025-8999 – Sydney – Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update – POC

The Sydney WordPress theme, active on over 100,000 sites, offers modular feature toggles—block templates, custom headers, advanced typography—managed via URL parameters on the Profile page. Unfortunately, a critical vulnerability—CVE-2025-8999—permits Subscriber+ or even unauthenticated users to activate or deactivate these theme modules without proper authorization. By simply visiting a crafted URL or submitting a CSRF form, low-privilege attackers can modify the sydney-modules option, enabling or disabling core theme functionality and potentially weakening site defenses or injecting unwanted features.
CVE-2025-9979 – Maspik – Authenticated (Subscriber+) Missing Authorization to Spam Log Export – POC

Maspik is a spam-logging WordPress plugin used by over 30,000 sites to record and analyze spam submissions across contact forms, checkout pages, and other inputs. It stores detailed records—email addresses, IPs, user agents, country data—in the wp_maspik_spam_logs table. A critical vulnerability—CVE-2025-9979—allows any authenticated user with as little as Subscriber+ privileges to export the entire spam log as a CSV file. This missing authorization on the Maspik_spamlog_download_csv endpoint leads to wholesale disclosure of potentially sensitive data without any nonce or capability checks.
CVE-2025-9888 – Maspik – Cross-Site Request Forgery (CSRF) – POC

Maspik is a WordPress plugin deployed on over 30,000 sites to track and log spam submissions from contact forms and checkout pages. It stores entries in the wp_maspik_spam_logs table, enabling administrators to review and clear logs via the dashboard. However, a critical flaw—CVE-2025-9888—permits any visitor or low-privileged user to trigger a full log wipe via a simple CSRF attack. Because the plugin’s “Clear Logs” action lacks nonce verification and capability checks, an attacker can silently erase all spam records, disrupting site monitoring and potentially masking ongoing attacks.
CVE-2025-9816 – WP Statistics – Unauthenticated Stored Cross-Site Scripting (XSS) – POC

CVE-2025-9816 is a critical stored cross-site scripting vulnerability in the widely used WP Statistics plugin (600k+ installs) that permits an attacker to persist a crafted User-Agent string into the plugin’s device model field and later execute arbitrary JavaScript inside the wp-admin interface when an administrator views the Devices → Device Models report. The root cause is a chain of weak protections: the UA string is lightly normalized by the parser but not fully sanitized or context-escaped before being stored and rendered, and the admin table renders the model value both into a text node and into an HTML attribute (title) without esc_html()/esc_attr() or equivalent context-aware escaping. Because administrators have high privileges and valid nonces in their browser context, any JavaScript that executes there can steal cookies, nonces, or trigger privileged actions—turning a seemingly low-signal analytics record into a direct path to full site takeover.
CVE-2025-10357 – Simple SEO – Stored XSS – POC

Simple SEO is a lightweight WordPress plugin that generates and manages SEO meta tags (title, meta description, keywords), supports quick-edit, sitemap generation and imports from other SEO plugins. In versions up to 2.0.32, the plugin contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-10357) that allows a user with Contributor (or higher) privileges to store malicious HTML/JS inside the plugin’s SEO fields (HTML-encoded Title). The injected script executes later when the field is rendered, potentially in the context of administrators or other privileged users.
CVE-2025-8282 – SureForms – Stored XSS – POC

CVE-2025-8282 affects the widely used SureForms plugin, with over 300,000 active installations, and revolves around a stored cross-site scripting flaw that undermines the integrity of form labels. SureForms allows Editors and Administrators to build complex forms using text blocks with customizable labels and placeholders. However, by embedding malicious JavaScript into the “Label” field when the “Use Labels as Placeholders” option is enabled, an attacker with Editor-level permissions can store a payload that executes whenever any user hovers over the affected form element. This vulnerability leverages the high-privilege context granted to Editors, turning a benign form builder feature into a powerful vector for account takeover and persistent backdoors.
CVE-2025-9331 – Spacious [THEME] – Missing Authorization to Authenticated (Subscriber+) Demo Data Import – POC
CVE-2025-9331 impacts the widely used Spacious WordPress theme, currently active on over 30,000 sites. At its core lies a missing authorization check in the theme’s demo data import functionality. Normally, executing the “Import Demo Data” operation should be restricted to high-privileged users such as Administrators or Editors. However, due to an exposed nonce delivered via wp_localize_script, even Subscriber-level accounts can trigger the import_button AJAX action, enabling them to import arbitrary demo content and potentially manipulate site configuration or inject malicious data without proper oversight.
