CVE-2025-11369 – Essential Blocks – Missing Auth to Sensitive Data Exposure (API keys of Instagram) Author+ – POC

CVE-2025-11369 impacts the WordPress plugin Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns (“Essential Blocks”) and is a classic Missing / Incorrect Capability Check issue that results in unauthorized access to sensitive configuration data. The vulnerability allows authenticated users with Author-level access and above to retrieve API keys and tokens configured for external services, because several plugin entry points validate only a weak or incorrect permission boundary rather than a strict administrative capability. NVD summarizes the root cause precisely: missing or incorrect capability checks in functions associated with Instagram, Google Maps, and site info retrieval in all versions up to and including 5.7.2, enabling authenticated Author+ users to view API keys for external services. Because Essential Blocks has a large deployment footprint (200,000+ active installations on WordPress.org), the real-world impact is not niche—multi-author sites that grant Author roles routinely (editors, guest authors, content teams) are exactly the environments where this exposure becomes operationally relevant.
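The pattern behind this class of bug, shown as an added example rather than code from Essential Blocks: a REST route that hands back a third-party credential stored in wp_options, first gated on a content capability that Authors hold, then on the administrative capability that reading integration secrets actually requires. The option key demo_instagram_token, the namespace demo-blocks/v1 and the function names are hypothetical.

```php
<?php
/**
 * Added example (not code from Essential Blocks): a hypothetical REST route
 * that returns a third-party API token stored in wp_options, shown with the
 * weak permission boundary described in the advisory and with the correct one.
 *
 * Hypothetical names: option 'demo_instagram_token', namespace 'demo-blocks/v1'
 * and the demo_blocks_* functions are invented for this example.
 */

// VULNERABLE PATTERN: 'edit_posts' is a content capability. On a default
// install it is granted to Contributor, Author, Editor and Administrator, so
// every Author can call this route and read the stored token.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-blocks/v1', '/instagram-settings-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' ); // too broad for a secret
        },
        'callback'            => 'demo_blocks_read_instagram_token',
    ) );
} );

// HARDENED PATTERN: reading integration secrets is site administration, so
// gate it on 'manage_options' (Administrator on a single site), and return
// only what the editor UI needs instead of the credential itself.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-blocks/v1', '/instagram-settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => 'demo_blocks_read_instagram_status',
    ) );
} );

function demo_blocks_read_instagram_token( WP_REST_Request $request ) {
    // Returns the raw secret: this is the data exposure the advisory describes.
    return rest_ensure_response( array(
        'token' => get_option( 'demo_instagram_token', '' ),
    ) );
}

function demo_blocks_read_instagram_status( WP_REST_Request $request ) {
    $token = (string) get_option( 'demo_instagram_token', '' );
    // Expose whether a token is configured plus a short, non-reversible hint;
    // the full value never leaves the server through this route.
    return rest_ensure_response( array(
        'configured' => '' !== $token,
        'hint'       => '' !== $token ? substr( $token, 0, 4 ) . '...' : '',
    ) );
}
```

Two checks worth running when auditing a plugin for this pattern: `wp cap list author` (WP-CLI) prints the capabilities the Author role holds on the site (edit_posts, publish_posts and upload_files by default, but not manage_options), so any permission callback built on those content capabilities admits Authors; and a nonce check (`check_ajax_referer()` / `check_admin_referer()`) only proves the request came from a page this user loaded, it is not an authorization check and does not replace `current_user_can()`.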

Plugin Security Certification (PSC-2026-64607): “Code Snippets” – Version 3.9.5

Code Snippets (v3.9.5) is one of the most practical productivity plugins in the WordPress ecosystem because it lets site owners add and manage custom functionality as “mini-plugins” without touching functions.php – and now it also comes with verified trust: it has earned CleanTalk’s Plugin Security Certification (PSC-2026-64607), confirming that its codebase and security boundaries hold up under real-world scrutiny, even though it operates in a category (code execution / site customization) where security discipline matters more than anywhere else.

CVE-2025-13794 – Auto Featured Image – Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification – POC

CVE-2025-13794 is an Incorrect Authorization / Missing Authorization (CWE-862) vulnerability in the WordPress plugin Auto Featured Image (Auto Post Thumbnail) that breaks WordPress’ object-level access control for post thumbnails when bulk actions are used from the Posts list screen. The vulnerability affects all versions up to and including 4.2.1, and it allows authenticated attackers with Contributor-level access or higher to delete or generate featured images on posts they do not own, effectively enabling cross-user content tampering without the normal “can you edit this specific post?” gate. Because the plugin is widely deployed (WordPress.org shows 50,000+ active installations), this kind of low-privilege workflow bypass has real operational impact on multi-author sites, editorial teams, and any WordPress environment that relies on role separation to protect content integrity.

Plugin Security Certification (PSC-2026-64606): “WP Fastest Cache” – Version 1.4.6

WP Fastest Cache (v1.4.6) is a performance-focused WordPress caching and optimization plugin built to reduce server load, accelerate page delivery, and improve real-world metrics like Google PageSpeed and Core Web Vitals—and now it has also proven its security posture by successfully earning CleanTalk’s Plugin Security Certification (PSC-2026-64606), confirming that speed gains don’t come at the cost of safe code, safe defaults, and hardened behavior in high-traffic environments.

CVE-2025-15527 – WP Recipe Maker – Authenticated (Contributor+) Private Post Title & Featured Image Disclosure via REST – POC

CVE-2025-15527 is an information exposure vulnerability in the WordPress plugin WP Recipe Maker that breaks WordPress’ expected post privacy model for low-privileged editorial accounts. The core issue is a REST API endpoint that returns post metadata for any arbitrary post ID, while authorizing access using a broad capability check (edit_posts) rather than an object-level read permission check tied to the specific post being requested. In affected versions up to and including 10.2.2, this enables authenticated users with Contributor-level access and above to retrieve the title and featured image URL of posts they should not be able to view, including draft, private, and password-protected posts owned by other users.
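Both CVE-2025-13794 (bulk action on the Posts list) and CVE-2025-15527 (REST read by arbitrary post ID) come down to the same missing step: a check against the specific post rather than a role-wide capability. The block below is an added example, not code from Auto Featured Image or WP Recipe Maker, showing the per-object checks WordPress already provides for both situations. The bulk action name demo_regen_thumb, the namespace demo-recipes/v1 and the demo_* functions are hypothetical.

```php
<?php
/**
 * Added example (not code from Auto Featured Image or WP Recipe Maker):
 * object-level authorization for (1) a custom bulk action on the Posts list
 * and (2) a REST route returning a post's title and featured image by ID.
 *
 * Hypothetical names: bulk action 'demo_regen_thumb', namespace
 * 'demo-recipes/v1' and the demo_* functions are invented for this example.
 */

// (1) Bulk action on the Posts list (screen id 'edit-post').
add_filter( 'bulk_actions-edit-post', function ( $actions ) {
    $actions['demo_regen_thumb'] = 'Regenerate featured image';
    return $actions;
} );

add_filter( 'handle_bulk_actions-edit-post', function ( $redirect_to, $doaction, $post_ids ) {
    if ( 'demo_regen_thumb' !== $doaction ) {
        return $redirect_to;
    }
    // Core's edit.php verifies the 'bulk-posts' nonce before this filter runs;
    // a nonce proves intent, it says nothing about what this user may touch.
    $done = 0;
    foreach ( array_map( 'intval', $post_ids ) as $post_id ) {
        // The check the vulnerable pattern lacks. 'edit_post' is a meta
        // capability: map_meta_cap() resolves it to edit_others_posts /
        // edit_published_posts as needed, so a Contributor passes only for
        // their own unpublished posts, never for someone else's.
        if ( ! current_user_can( 'edit_post', $post_id ) ) {
            continue; // skip posts this user may not edit
        }
        if ( demo_generate_thumbnail( $post_id ) ) {
            $done++;
        }
    }
    return add_query_arg( 'demo_regen_done', $done, $redirect_to );
}, 10, 3 );

// Uses the first image attached to the post as its thumbnail.
function demo_generate_thumbnail( $post_id ) {
    $images = get_attached_media( 'image', $post_id );
    if ( empty( $images ) ) {
        return false;
    }
    $first = reset( $images );
    return (bool) set_post_thumbnail( $post_id, $first->ID );
}

// (2) REST route: title + featured image for a given post ID.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-recipes/v1', '/post-summary/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => 'demo_recipes_can_read_post',
        'callback'            => 'demo_recipes_post_summary',
    ) );
} );

function demo_recipes_can_read_post( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    if ( ! $post ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    // VULNERABLE equivalent: return current_user_can( 'edit_posts' );
    // which is true for every Contributor regardless of which post is requested.

    // 'read_post' is resolved per object: public posts need 'read', private
    // posts need 'read_private_posts', and drafts/pending posts of other
    // authors resolve to 'edit_others_posts', which Contributors lack.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Sorry, you are not allowed to view this post.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    // Password-protected posts have status 'publish', so 'read_post' passes.
    // Core's own REST controller shows their title but withholds content; this
    // example is stricter and withholds the summary until the password cookie
    // is present.
    if ( post_password_required( $post ) ) {
        return new WP_Error( 'rest_post_password_required', 'This post is password protected.',
            array( 'status' => 403 ) );
    }
    return true;
}

function demo_recipes_post_summary( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    return rest_ensure_response( array(
        'id'        => $post->ID,
        'title'     => get_the_title( $post ),
        'thumbnail' => get_the_post_thumbnail_url( $post, 'full' ) ?: null,
    ) );
}
```

The practical rule for reviewing plugin code: any handler that takes a post ID from the request and passes only a bare capability (`edit_posts`, `read`) to `current_user_can()` is a candidate for this bug class; the fix is the two-argument form with the meta capability (`edit_post`, `read_post`, `delete_post`) and the ID, which lets WordPress apply ownership and status rules for you.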

Plugin Security Certification (PSC-2026-64605): “Translate WordPress with GTranslate” – Version 3.0.9

Translate WordPress with GTranslate (v3.0.9) is a multilingual WordPress solution that uses Google Translate automatic translation to make a site available in 103 languages, dramatically expanding reach to more than 99% of internet users. Since GTranslate has been providing website translation services since 2008, the plugin is built around a mature translation platform and a cloud-based approach that aims to keep the WordPress site fast—translations are delivered without heavy on-site processing. In paid editions, GTranslate adds full multilingual SEO capabilities (subdomains/subdirectories, indexable translations, translated metadata, hreflang, and more), helping websites grow international traffic and sales. Because translation plugins operate on nearly every frontend pageview, output user-visible content dynamically, and may modify SEO metadata and URL structures, security must be treated as a primary requirement. That’s why it’s important that GTranslate v3.0.9 has passed CleanTalk Plugin Security Certification (PSC-2026-64605), confirming the plugin was reviewed and validated against critical vulnerability classes and secure-coding expectations.

Plugin Security Certification (PSC-2026-64604): “Wordfence Security” – Version 8.1.4

Wordfence Security (v8.1.4) is one of the most widely deployed WordPress security plugins, combining an endpoint Web Application Firewall (WAF), malware scanning, login hardening (including 2FA), and centralized monitoring capabilities through Wordfence Central. Because a security plugin operates at the most sensitive layers of a WordPress site—authentication flows, request filtering, filesystem integrity checks, and threat detection—its own code integrity and safety are absolutely crucial. That’s why Wordfence Security v8.1.4 achieving CleanTalk Plugin Security Certification (PSC-2026-64604) matters: it indicates the plugin has been audited and validated to meet strong secure-coding expectations and to resist major exploit classes that commonly affect WordPress plugins.

CVE-2025-10583 – WP Fastest Cache – Missing Authorization to Authenticated (Subscriber+) Blind Server-Side Request Forgery – POC

CVE-2025-10583 is an authenticated Server-Side Request Forgery (SSRF) vulnerability in the WordPress plugin WP Fastest Cache, affecting versions up to and including 1.7.4 according to the NVD record. What makes this issue especially operationally relevant is the plugin's adoption: the WordPress.org listing shows 1+ million active installations, so a bug that turns any Subscriber account into a network probe has immediate consequences across a large attack surface. The SSRF is blind: the response body is not returned to the attacker, so confirming a hit relies on an out-of-band listener (DNS or HTTP callback) or on timing differences. The core impact is therefore not a direct data exfiltration primitive by itself, but a reliable way for a low-privileged authenticated user to coerce the server into making outbound connections, which can be used for internal network discovery, reaching services that are only exposed to the web server's network segment, and chaining into higher-impact compromises.
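What a Subscriber-reachable SSRF typically looks like in a caching plugin, and the controls that close it, as an added example that is not code from WP Fastest Cache: an admin-ajax "warm this URL" handler first in the shape the advisory describes, then hardened with an authorization check, a same-origin allow-list and WordPress's safe HTTP wrapper. The action names demo_cache_warm / demo_cache_warm_weak, the nonce action demo_cache_warm_nonce and the helper function are hypothetical.

```php
<?php
/**
 * Added example (not code from WP Fastest Cache): an admin-ajax cache-warming
 * handler, first as the vulnerable pattern (any logged-in user can make the
 * server request an attacker-chosen URL), then hardened.
 *
 * Hypothetical names: actions 'demo_cache_warm_weak' / 'demo_cache_warm',
 * nonce action 'demo_cache_warm_nonce' and demo_cache_url_is_same_origin()
 * are invented for this example.
 */

// VULNERABLE PATTERN: 'wp_ajax_*' fires for every authenticated user,
// Subscribers included. No capability check, no nonce, no URL restriction,
// and wp_remote_get() will contact 127.0.0.1, 10.0.0.0/8 or a cloud metadata
// address just as readily as a public host. The response is discarded, which
// is what makes the resulting SSRF "blind".
add_action( 'wp_ajax_demo_cache_warm_weak', function () {
    $url = isset( $_POST['url'] ) ? (string) wp_unslash( $_POST['url'] ) : '';
    wp_remote_get( $url, array( 'timeout' => 5 ) );
    wp_send_json_success();
} );

// HARDENED PATTERN
add_action( 'wp_ajax_demo_cache_warm', function () {
    // 1. Intent: a nonce bound to this action (CSRF protection, not authz).
    check_ajax_referer( 'demo_cache_warm_nonce', 'nonce' );

    // 2. Authorization: warming the cache is an administrative task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input: only URLs on this site's own origin make sense to warm.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( ! demo_cache_url_is_same_origin( $url ) ) {
        wp_send_json_error( 'url is not on this site', 400 );
    }

    // 4. Transport: wp_safe_remote_get() sets reject_unsafe_urls, so
    // wp_http_validate_url() refuses loopback and RFC 1918 targets, embedded
    // credentials, non-http(s) schemes and non-standard ports. 'redirection'
    // => 0 stops an open redirect on our own site from re-introducing the bug.
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $resp ) ) {
        wp_send_json_error( $resp->get_error_message(), 502 );
    }
    wp_send_json_success( array( 'status' => wp_remote_retrieve_response_code( $resp ) ) );
} );

/**
 * Allow-list check: scheme, host and port must match home_url(). The host is
 * compared as a whole string, not by prefix, so https://example.com.evil.tld
 * does not pass for a site at https://example.com.
 */
function demo_cache_url_is_same_origin( $url ) {
    $target = wp_parse_url( $url );
    $home   = wp_parse_url( home_url( '/' ) );
    if ( empty( $target['scheme'] ) || empty( $target['host'] ) || empty( $home['host'] ) ) {
        return false;
    }
    return in_array( $target['scheme'], array( 'http', 'https' ), true )
        && strtolower( $target['host'] ) === strtolower( $home['host'] )
        && ( $target['port'] ?? null ) === ( $home['port'] ?? null );
}
```

The allow-list is the primary control; `wp_safe_remote_get()` is defense in depth. `wp_http_validate_url()` resolves the hostname once and checks the resulting IP against a fixed set of ranges, so it does not by itself defend against DNS rebinding or every internal range, and the `http_request_host_is_external` filter can loosen it, which is worth grepping for on a site that relies on it.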

Plugin Security Certification (PSC-2026-64603): “Google for WooCommerce” – Version 3.5.2

Google for WooCommerce (v3.5.2) is a commerce-focused extension that connects your WooCommerce store to Google’s ecosystem—most importantly Google Merchant Center, Google Ads (Performance Max), and Google tag / conversion tracking—so product data stays synchronized and campaigns can be launched and optimized from within WordPress. Because this plugin touches high-value surfaces (product feeds, pricing/inventory updates, ad attribution, and privacy-conscious conversion signals), security and data integrity are essential. That’s why it matters that Google for WooCommerce v3.5.2 has passed CleanTalk’s Plugin Security Certification (PSC-2026-64603), confirming the plugin was evaluated for secure coding practices and validated against a wide range of critical vulnerability classes.