Plugin Security Certification (PSC) by CleanTalk

WordPress plugins that enhance user experience often expose administrative configuration fields that directly influence frontend rendering. When these fields are not properly sanitized, they can become a serious attack surface. CVE-2026-2687 affects the Reading Progressbar plugin, a lightweight tool that displays a reading progress indicator using an HTML5 element and JavaScript.

A stored Cross-Site Scripting (XSS) vulnerability was identified in the plugin’s settings panel, allowing an attacker to inject malicious JavaScript that is permanently stored and later executed in visitors’ or administrators’ browsers. This flaw can be leveraged to compromise administrator sessions, inject backdoors, or fully take over affected WordPress sites.

CVE-2025-14371 affects TaxoPress and it breaks a core WordPress safety boundary where a user may have access to an editor feature but should not be able to change content they cannot edit. The vulnerability allows any authenticated user who is permitted to use the TaxoPress AI metabox, typically Contributor or Author and above, to add or remove tags on posts they do not own by supplying a victim post ID. This becomes a direct content integrity issue because tags and other taxonomy terms drive search relevance, internal navigation, feeds, and SEO surfaces, meaning a low privilege account can silently reshape how content is discovered even when the same user cannot open the post editor for the target post. Install base is significant at 50k plus, so multi author environments where Contributors exist are realistic targets rather than edge cases.

CVE-2025-14163 is a Cross Site Request Forgery weakness in Premium Addons for Elementor that turns a normal authenticated workflow into a silent action a victim performs on an attacker’s behalf. The core problem is simple but dangerous in real operations a logged in user can be tricked into creating a new Elementor template without clicking anything and without seeing a warning, because the plugin’s AJAX action accepts a state changing request that lacks any CSRF protection. Even though the action requires a user who has edit_posts, that still covers a wide range of common roles on real sites such as Author and Editor, which means this is not limited to administrators and can be triggered against typical editorial staff who routinely browse the web while logged in.

CVE-2025-14155 is an unauthenticated information disclosure vulnerability in Premium Addons for Elementor – Powerful Elementor Templates & Widgets, where an external attacker can retrieve the rendered HTML of Elementor templates that were never meant to be publicly readable. The National Vulnerability Database (NVD) describes the root cause as a missing capability check in the plugin’s get_template_content function, enabling unauthenticated attackers to view the contents of private, draft, and pending templates in all versions up to and including 4.11.53. This matters in real deployments because Elementor templates often contain unpublished landing pages, internal copy, experiment variants, marketing plans, gated offers, or “coming soon” pages that site owners assume are only visible inside the editor/dashboard until explicitly published or embedded.