Google for WooCommerce (v3.5.2) is a commerce-focused extension that connects your WooCommerce store to Google’s ecosystem—most importantly Google Merchant Center, Google Ads (Performance Max), and Google tag / conversion tracking—so product data stays synchronized and campaigns can be launched and optimized from within WordPress. Because this plugin touches high-value surfaces (product feeds, pricing/inventory updates, ad attribution, and privacy-conscious conversion signals), security and data integrity are essential. That’s why it matters that Google for WooCommerce v3.5.2 has passed CleanTalk’s Plugin Security Certification (PSC-2026-64603), confirming the plugin was evaluated for secure coding practices and validated against a wide range of critical vulnerability classes.
Plugin Security Certification (PSC-2026-64602): “File Manager” – Version 8.0.2

File Manager (v8.0.2) is one of the most powerful WordPress file management plugins, enabling administrators to edit, upload, download, copy/move, rename, delete, archive/extract, and otherwise manage files and folders directly from the WordPress dashboard—reducing dependency on FTP or hosting control panels. Because
Plugin Security Certification (PSC-2026-64601): “Disable Gutenberg” – Version 3.3

Disable Gutenberg (v3.3) is a lightweight, highly configurable plugin that removes the Gutenberg/Block Editor and restores the classic WordPress editing experience (TinyMCE, meta boxes, custom fields, quicktags, and the original “Edit Post” screen). It’s widely used by site owners who rely on legacy workflows, Classic Editor-compatible extensions, or page builders like Elementor/Composer—and it does so without collecting user data, setting cookies, or calling third-party services. With Plugin Security Certification (PSC-2026-64601) by CleanTalk, Disable Gutenberg is now formally verified not only for performance and compatibility, but also for secure coding practices and resilience against modern WordPress plugin attack vectors.
CVE-2025-13891 – Image Gallery – Photo Grid & Video Gallery (Modula) – Authenticated Path Traversal / Directory Enumeration (via “file browser” AJAX) – POC

CVE-2025-13891 impacts the WordPress plugin Image Gallery – Photo Grid & Video Gallery (Modula) and is a path traversal / directory enumeration weakness in the plugin’s “file browser” AJAX functionality. The public CVE records state that all versions up to and including 2.13.3 are affected, and that the vulnerable AJAX endpoint is modula_list_folders, which accepts a user-supplied directory path and fails to enforce a safe base directory restriction, enabling an authenticated user to enumerate arbitrary server directories.
CVE-2025-13922 – TaxoPress (Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI) – Authenticated (Contributor+) SQL Injection – POC

CVE-2025-13922 is an authenticated, time-based blind SQL injection affecting the WordPress plugin TaxoPress (plugin slug simple-tags). The issue sits in the TaxoPress AI preview feature and is triggered through an AJAX workflow, allowing a logged-in user with Contributor-level access (or higher) and AI metabox permissions to inject SQL into an ORDER BY clause, commonly demonstrated with delay payloads such as SLEEP() for observable timing impact. According to the National Vulnerability Database, the vulnerable parameter is existing_terms_orderby, and the issue affects all versions up to and including 3.40.1. The plugin’s deployment footprint is significant – WordPress.org reports 50,000+ active installations – so even a “PR:L” authenticated SQLi matters in the real world, where Contributor/Author accounts are common on editorial sites.
Plugin Security Certification (PSC-2026-64600): “WP Armour – Honeypot Anti Spam” – Version 2.3.04: Use Anti-Spam Features with Enhanced Security

With Plugin Security Certification (PSC-2026-64600) from CleanTalk, WP Armour v2.3.04 has been formally validated for secure coding practices and resilience against major vulnerability classes. That matters because anti-spam plugins often hook into multiple sensitive areas (login, registration, comments, checkout) and operate on untrusted input at high volume. Certification confirms that WP Armour’s defenses don’t introduce new security risks.
Plugin Security Certification (PSC-2026-64599): “MC4WP: Mailchimp for WordPress” – Version 4.11.1: Use Newsletters with Enhanced Security

Email marketing remains one of the most effective and measurable growth channels for WordPress sites—whether you run an eCommerce store, a content site, a SaaS landing page, or a community. But newsletter plugins sit right on top of sensitive surfaces: public-facing forms, user identity fields, third-party API tokens, and deep integrations with checkout, registration, and contact systems. That combination makes security non-negotiable.
MC4WP: Mailchimp for WordPress (v4.11.1) is widely recognized as the #1 Mailchimp integration plugin for WordPress, providing flexible signup forms and broad compatibility with popular form and commerce plugins. With Plugin Security Certification (PSC-2026-64599) from CleanTalk, MC4WP is now formally validated for secure operation in real-world WordPress environments—especially important when handling subscriber data and Mailchimp connectivity.
CVE-2025-13620 – Wp Social Login and Register Social Counter – Missing Authorization in Cache REST Endpoints to Social Counter Tampering – POC

CVE-2025-13620 affects the WordPress plugin “Wp Social Login and Register Social Counter” (plugin: wp-social) and is a Missing Authorization / Improper Authorization issue in multiple REST API routes that are exposed without authentication. The vulnerability is caused by REST routes being registered with permission_callback set to __return_true, combined with handlers that perform state-changing cache operations without any capability check or nonce validation. As a result, an unauthenticated attacker can clear and overwrite the plugin’s cached social counter values (notably Instagram), which directly influences the front-end widget output and can be abused to display incorrect follower counts or otherwise disrupt the counter feature.
Plugin Security Certification (PSC-2026-64598): “WP Multibyte Patch” – Version 2.9.3: Use Patching with Enhanced Security

WP Multibyte Patch v2.9.3 has successfully passed the CleanTalk Plugin Security Certification (PSC-2026-64598). This certification confirms that the plugin’s codebase was reviewed and validated against a broad range of high-impact vulnerability classes, ensuring it can be used confidently in production environments.
CVE-2025-12971 – Folders – Incorrect Authorization on Folder Assignment lets Authors modify other users’ posts (IDOR) – POC

CVE-2025-12971 affects the WordPress plugin “Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager” (plugin slug: folders), which is widely deployed and reported at roughly 90,000+ active installations in the WordPress.org ecosystem (often referenced as “100k+” in rounded terms). The vulnerability is an incorrect authorization / object-level access control failure in AJAX handlers used to assign “folder” taxonomy terms to posts and pages. In effect, a low-privileged authenticated user can modify folder assignments on content they do not own by directly calling the AJAX endpoints with a victim post_id, bypassing the normal WordPress UI restrictions that would otherwise block edits to another author’s post.